From: "JJB"
Reply-To: Barbish3@adelphia.net
To: "MICSKO Viktor"
Cc: freebsd-questions@freebsd.org
Date: Sat, 26 Jun 2004 08:36:49 -0400
Subject: RE: setting a disk read only

Security Paranoia

It's very important that you completely understand the impact that using the following command will have on your ability to make changes to your system. The simplest thing you can do is set the immutable flag on all system binaries and /etc config files with:

    chflags schg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*) /etc/*(*)

Setting the immutable flag on means the files are marked as being protected from being written over.
Once you execute the above command, no process can overwrite those files, thus increasing the level of difficulty for the attacker and increasing the odds in your favor of the attacker leaving error messages in the system log. On the other hand, you as root user cannot make any changes to those files so marked either. Every time you want to make changes you have to issue the command to turn off the immutable flag on all the same files. Use this command to do that:

    chflags noschg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*) /etc/*(*)

You can use the "ls -lo" command to see the immutable flags of existing

You could do this to any slice with

    chflags noschg /*(*) /usr/*(*)

whatever.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of MICSKO Viktor
Sent: Saturday, June 26, 2004 6:46 AM
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: setting a disk read only

> > Is it possible to set a *whole* disk read only? I mean the way Linux
> > does it with "hdparm -r 1 device". So adding an -o ro parameter to mount
> > isn't enough, I want to be sure that the disk is unmodified.
>
> Hmmm... SCSI disks can be physically jumpered to be read-only. I
> should think that ATA drives can be treated the same way. Consult the
> manufacturers' data sheets for details.

No, at least I've never seen it on any ATA drives. That's why I need a software solution.

viktor
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
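A worked version of the schg procedure discussed in JJB's mail, added here as an example; it is not part of the original message and not FreeBSD's own tooling. It assumes the same directory list as the mail (/bin, /sbin, /usr/bin, /usr/sbin, /etc), and the `ls -lo` lines it audits are constructed sample output, not real system state. It builds the chflags command with find(1) instead of a shell glob (so dot files are included and subdirectories and symlinks are left alone), reports which regular files are still missing the schg flag after the fact, and records the caveat the mail leaves out: `chflags noschg` only succeeds while kern.securelevel is 0 or lower; once the securelevel has been raised, root cannot clear the flag until the machine is brought back down to single-user mode.

```sh
#!/bin/sh
# Added example for the chflags schg discussion; not code from the mailing-list post.

# Print the chflags command that sets ("on") or clears ("off") the system
# immutable flag on the regular files directly under each directory given.
immutable_cmd() {
    mode=$1; shift
    case $mode in
        on)  flag=schg ;;
        off) flag=noschg ;;
        *)   echo "usage: immutable_cmd on|off dir..." >&2; return 2 ;;
    esac
    printf 'find'
    for d in "$@"; do printf ' %s' "$d"; done
    printf ' -maxdepth 1 -type f -exec chflags %s {} +\n' "$flag"
}

# Read FreeBSD `ls -lo` output on stdin and print the regular files whose
# flags field (5th column; "-" when no flags are set) does not contain schg.
unprotected_from_lslo() {
    awk '
        /^total/ { next }                 # ls -l summary line
        substr($1,1,1) != "-" { next }    # skip directories, symlinks, devices
        {
            has = 0
            n = split($5, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
            if (!has) {
                name = $10
                for (i = 11; i <= NF; i++) name = name " " $i
                print name
            }
        }'
}

# Whether `chflags noschg` can succeed at a given kern.securelevel:
# yes at -1 or 0, no at 1 and above (the flag then stays until single-user).
schg_clearable_at() {
    case $1 in
        -1|0)   echo yes ;;
        [1-9]*) echo no ;;
        *)      echo "unknown securelevel: $1" >&2; return 2 ;;
    esac
}

# Constructed sample of `ls -lo` output (assumption: shaped like FreeBSD's;
# not taken from any real host).
LS_SAMPLE='total 6
-r-xr-xr-x  1 root  wheel  schg 12560 Jun 26  2004 /bin/cat
-r-xr-xr-x  1 root  wheel  - 44848 Jun 26  2004 /bin/sh
-rw-r--r--  1 root  wheel  schg,uchg 2048 Jun 26  2004 /etc/rc.conf
-rw-------  1 root  wheel  - 512 Jun 26  2004 /etc/master.passwd
lrwxr-xr-x  1 root  wheel  - 11 Jun 26  2004 /etc/localtime -> /usr/share/zoneinfo/UTC
drwxr-xr-x  2 root  wheel  - 512 Jun 26  2004 /etc/ssh'

echo "command to lock down the system binaries and /etc:"
immutable_cmd on /bin /sbin /usr/bin /usr/sbin /etc
echo "files in the sample listing still lacking schg:"
printf '%s\n' "$LS_SAMPLE" | unprotected_from_lslo
echo "can root clear schg at securelevel 1? $(schg_clearable_at 1)"

# Live demonstration only where chflags(1) exists, on a scratch file rather
# than the system: uchg is the owner-settable cousin of schg, so this works
# without root and shows the write being refused.
if command -v chflags >/dev/null 2>&1; then
    tmp=$(mktemp) && chflags uchg "$tmp" && {
        echo x >> "$tmp" 2>/dev/null || echo "write to $tmp refused by immutable flag"
    }
    chflags nouchg "$tmp" && rm -f "$tmp"
fi
```

The `ls -lo` audit is the check worth running after the `chflags schg` pass: it catches files that were created afterwards (a package install, a regenerated config) and therefore never received the flag. The securelevel helper is there because setting schg at securelevel 0 only stops an attacker who does not know to run `chflags noschg`; the protection is real only once the securelevel is raised, and at that point the same lock applies to the administrator until the next single-user boot.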