From: Eric S Pulley
To: freebsd-questions@freebsd.org
Date: Tue, 13 Dec 2011 08:10:09 -0700
Subject: Re: 9.0 install and journaling

--On Tuesday, December 13, 2011 09:54:38 AM +1000 Da Rock wrote:

> On 12/13/11 06:00, Eric S Pulley wrote:
>>> As for one big / partition- linux may be using it: and it's their biggest
>>> failing! I've had a system lockup due to lack of space. Never a problem
>>> with bsd as logs will only fill up var, a user won't break it with
>>> filling up usr, etc. And root always stays protected! It's saved my life
>>> a number of times... I can quickly fill TB's of data in no time, and if
>>> something goes bang the logs can be a silent killer too. My 2c's
>>> anyway...
>>>
>> And along those lines for security of the system, this is the U.S. DoD
>> recommendations (well mandates really) including ZFS. Not that the DoD
>> doesn’t have security problems... but I’m not big fan of the one or
>> two mount point solution either… never understood why other OS
>> packagers think is okay to just dump it all under /
>>
>> Per the DISA STIG (Security Technical Implementation Guide)
>>
>> / (obviously)
>> /
>> /var
>> /tmp
>> /
>>
>> should all be separate mount points "The use of separate file systems for
>> different paths can protect the system from failures resulting from a
>> file system becoming full or failing"...
>>
>> in addition...
>>
>> All local file systems must employ journaling or another mechanism that
>> ensures file system consistency.
>>
>> Removable media, remote file systems, and any file system that does not
>> contain approved device files must be mounted with the "nodev" option.
>>
>> Removable media, remote file systems, and any file system that does not
>> contain approved setuid files must be mounted with the "nosuid" option.
>>
>> The nosuid option must be enabled on all NFS client mounts.
>>
>> and so on... you can find a copy of the UNIX STIG online and some of it
>> is just crazy paranoia and makes your life a pain, but there are a lot of
>> good practices in it too.
>>
>>
> I don't think any of it crazy paranoia. A PITA, maybe, but not paranoid.
>
> Do you have a link to the original of it?

Sure,

Lots more there than just UNIX too.

I find that the newer "SRG" xml files are easier to just load into a browser
and read the recommendations rather than poring through the big sections in
the STIGs.

Or just do the checklists. There are no *BSD specific ones but the
generic UNIX STIG works good (probably because at this point *BSD is
basically the reference implementation of UNIX or at least it should be...
damn Linux)
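
The mount rules quoted from the STIG above can be checked mechanically against an fstab. The following is an added example, not part of the original message or of any DISA tooling: the function names, the sample fstab and the choice of `nfs`/`nfs4` as the "remote" file system types are assumptions, and it assumes no remote mount holds approved device or setuid files.

```python
# Added example: audit fstab text against the mount rules quoted in the thread.
REQUIRED_MOUNTS = ("/", "/var", "/tmp")  # only the paths legible in the quoted list
REMOTE_FSTYPES = {"nfs", "nfs4"}         # assumption: types treated as remote
REMOTE_OPTS = ("nosuid", "nodev")        # options the quoted rules require on remote mounts

def parse_fstab(text):
    """Yield (device, mountpoint, fstype, option-set) for each fstab entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 4:
            continue                           # blank or malformed line
        dev, mnt, fstype, opts = fields[:4]
        yield dev, mnt, fstype.lower(), set(opts.lower().split(","))

def audit_fstab(text):
    """Return a list of findings; an empty list means no rule was violated."""
    entries = list(parse_fstab(text))
    mounted = {mnt for _, mnt, _, _ in entries}
    findings = [f"{path}: no separate file system"
                for path in REQUIRED_MOUNTS if path not in mounted]
    for dev, mnt, fstype, opts in entries:
        if fstype in REMOTE_FSTYPES:
            for opt in REMOTE_OPTS:
                if opt not in opts:
                    findings.append(f"{mnt}: {fstype} mount from {dev} lacks {opt}")
    return findings

# Constructed sample input: /tmp is not split out, one NFS mount lacks nodev.
SAMPLE_FSTAB = """\
# Device        Mountpoint  FStype  Options          Dump  Pass
/dev/ada0p2     /           ufs     rw               1     1
/dev/ada0p3     none        swap    sw               0     0
/dev/ada0p4     /var        ufs     rw               2     2
filer:/export   /mnt/data   nfs     rw,nosuid        0     0
filer:/home     /mnt/home   nfs     rw,nosuid,nodev  0     0
"""

if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```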