Re: read-only file systems

From: Silvex Security Team (security@ns1.silvex.com)
Date: 09/11/01


From: Silvex Security Team <security@ns1.silvex.com>
Message-Id: <200109110820.f8B8KarI011460@ns1.silvex.com>
Subject: Re: read-only file systems
To: HeathFla@reciprocal.com (Heather Flanagan)
Date: Tue, 11 Sep 2001 01:20:36 -0700 (PDT)

On 'touchy' Solaris/Linux systems (firewalls, servers) I always have

/ rw,suid
/usr ro,suid
/var rw,nosuid (noexec on Linux)
/usr/local/bin ro,suid
/opt ro,suid
/tmp rw,nosuid (noexec on Linux)
/home rw,nosuid (noexec on Linux)

>
> I know /usr can be comfortably turned in to a read-only file system for
> particularly hardened systems - or at least I can't think of any reason why
> not. Can the same be done with / on Solaris 8?
>
> -heather f.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Heather Flanagan, GSEC UNIX Systems Administrator
> Reciprocal, Inc. (919) 462-4642
>
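
A defender-side check for the layout listed above, added here as an example that is not part of the original post: a POSIX shell script that compares the mounted file systems (a constructed /proc/mounts sample stands in for the live table) against the listed rw/ro, nosuid and noexec options, Linux variant. The POLICY table, the sample lines and the function names has_opt and check_mounts are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit mounted file systems against
# the rw/ro, nosuid, noexec layout listed above, Linux variant (noexec included).
# The policy table and the sample mount lines are constructed for this example.

# Policy as "mountpoint:required,options" tokens. "suid" is the default, so only
# the restrictive options (ro, nosuid, noexec) need to be present explicitly.
POLICY='/:rw /usr:ro /var:rw,nosuid,noexec /usr/local/bin:ro /opt:ro /tmp:rw,nosuid,noexec /home:rw,nosuid,noexec'

# Constructed /proc/mounts sample with deliberate deviations: /var lacks noexec,
# /opt is mounted rw, and /usr/local/bin is not a separate mount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,relatime 0 0
/dev/sda4 /opt ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,relatime 0 0
/dev/sda5 /home ext4 rw,nosuid,noexec,relatime 0 0'

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts MOUNT_LINES: print one line per deviation from POLICY and
# return 1 if any were found, 0 if the layout is fully compliant.
check_mounts() {
    bad=0
    for entry in $POLICY; do
        mnt=${entry%%:*}
        want=${entry#*:}
        # Field 2 is the mount point, field 4 the option list.
        actual=$(printf '%s\n' "$1" | awk -v m="$mnt" '$2 == m { print $4 }')
        if [ -z "$actual" ]; then
            echo "$mnt: not a separate mount (inherits parent options)"
            bad=1
            continue
        fi
        for opt in $(printf '%s\n' "$want" | tr ',' ' '); do
            has_opt "$actual" "$opt" || { echo "$mnt: missing $opt (mounted $actual)"; bad=1; }
        done
    done
    return $bad
}

check_mounts "$SAMPLE_MOUNTS" || echo "mount layout deviates from policy"
```

On a live system replace SAMPLE_MOUNTS with the contents of /proc/mounts (or the output of mount on Solaris, after adjusting the awk field numbers to that format).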
