Re: audit failed writes to read-only file-system?
From: Bear G (afu@coyotesong.com) Date: 02/27/02
- Next message: Walter Roberson: "Re: audit failed writes to read-only file-system?"
- Previous message: William P.N. Smith: "Re: TCP/IP offload: security implications"
- In reply to: Dustin Puryear: "audit failed writes to read-only file-system?"
- Next in thread: Walter Roberson: "Re: audit failed writes to read-only file-system?"
- Reply: Walter Roberson: "Re: audit failed writes to read-only file-system?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Bear G <afu@coyotesong.com> Date: Wed, 27 Feb 2002 22:55:29 GMT
Dustin Puryear wrote:
>
> I am running Red Hat 6.2 and will be mounting /, /usr, and a few other
> file systems read-only on our web servers.
I won't say that you can't mount / read-only, but that's only because
the fastest way to be called a fool is to make blanket statements like that.
:-)
The problem is that you need to keep /etc writable, but if you make /etc
a separate partition then it's not mounted when the kernel updates some
key files on it.
As for making /usr read-only, this is only marginally useful since
any attacker can easily remount /usr. The same criticism applies to
the ext2 immutable bit. These practices are more useful as a speed
bump to prevent you from making a stupid mistake than to stop anyone
but a wannabe attacker.
If you really want the partition to be immutable, you have a couple
options. The first is to NFS-mount a partition that is exported RO.
It should go without saying that all of the NFS, RPC and portmapper
daemons should only listen to a second, "internal" NIC.
The second is to burn a CD-R and mount it. To avoid the limitations
of ISO9660 and to provide multiple partitions on a single disc you can
use the loopback filesystem - your /etc/fstab would have something like
/dev/hdc /cdrom auto auto,ro,... # mount the CD-R first
/cdrom/usr /usr ext2 auto,ro,loop,.. # mount /usr
This would require you to burn a new CD-R whenever you update files.
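The post above points out that a read-only mount of /usr is a speed bump rather than a barrier, because it can be remounted read-write. A natural defensive follow-up is to check, on a schedule or from a monitoring job, that the filesystems you intended to be read-only still are. The script below is an added example and is not part of Bear G's message; it parses a /proc/mounts-style table (device, mount point, type, options) and reports any expected read-only mount point that is missing or currently mounted rw. The sample mount table is constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that mount points
# intended to be read-only are still mounted "ro".
# The mount table below is constructed for this example and follows the
# /proc/mounts layout: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda3 /usr ext2 ro 0 0
/dev/hdc /cdrom iso9660 ro,nosuid,nodev 0 0
/dev/loop0 /usr/local ext2 ro,loop 0 0
/dev/hda5 /var ext2 rw 0 0'

# mount_mode MOUNTPOINT [TABLE]
# Prints "ro" or "rw" for MOUNTPOINT and returns 0; returns 1 (prints
# nothing) if the mount point is not in the table. If a mount point
# appears more than once (overmounts), the last entry wins, as it does
# in /proc/mounts. Reads /proc/mounts when no TABLE is supplied.
mount_mode() {
    mp=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v mp="$mp" '
        $2 == mp {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            found = 1
        }
        END { if (found) print mode; exit(found ? 0 : 1) }'
}

# check_expected_ro "MP1 MP2 ..." [TABLE]
# Prints one line per problem (missing mount point, or mounted rw) and
# returns the number of problems found, so 0 means everything is as expected.
check_expected_ro() {
    problems=0
    for mp in $1; do
        if mode=$(mount_mode "$mp" "$2"); then
            if [ "$mode" != ro ]; then
                echo "WRITABLE: $mp is mounted rw (expected ro)"
                problems=$((problems + 1))
            fi
        else
            echo "MISSING: $mp is not mounted"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage against the constructed table; drop the second argument to check
# the live /proc/mounts on a running system.
check_expected_ro "/usr /cdrom /usr/local" "$SAMPLE_MOUNTS" && echo "all expected mounts are read-only"
```

Running the check from cron and alerting on a non-zero return turns the "speed bump" into something you at least notice; it does not stop a remount, which is the post's point, but it records when the expectation was broken.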