Date: Sun, 27 Jun 2004 16:14:06 +0930
From: Malcolm Kay <malcolm.kay@internode.on.net>
To: Barbish3@adelphia.net, "MICSKO Viktor" <candiru@bazmag.hu>
Cc: freebsd-questions@freebsd.org
Subject: Re: setting a disk read only
Message-ID: <200406271614.06896.malcolm.kay@internode.on.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMEDOGEAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGMEDOGEAA.Barbish3@adelphia.net>
On Saturday 26 June 2004 22:06, JJB wrote:
> Security Paranoia
> It's very important that you completely understand the impact that
> using the following command will have on your ability to make
> changes to your system.
>
> The simplest thing you can do is set the immutable flag on all
> system binaries and /etc config files with:
>
> chflags schg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*)
> /etc/*(*)
>

It seems to me that mounting all partitions from the disk as read only
would achieve rather more; and more simply. But neither protects against
direct writes to the raw device. And if you are really paranoid about this
I think the only solution is a hardware switch. I suspect the linux 'hdparm'
also has its limitations; only a hardware switch can protect against
software bugs or a successful invasion.

> Setting the immutable flag on, means the files are marked as being
> protected from being written over. Once you execute the above
> command, no process can overwrite those files, thus increasing the
> level of difficulty for the attacker and increasing the odds in your
> favor of the attacker leaving error messages in the system log. On
> the other hand you as root user can not make any changes to those
> files so marked either.
>
> Every time you want to make changes you have to issue the command to
> turn off the immutable flag on all the same files. Use this command
> to do that:
>
> chflags noschg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*)
> /etc/*(*)
>
> You can use "ls -lo" command to see the immutable flags of existing
>
> You could do this to any slice with chflags noschg /*(*) /usr/*(*)
> whatever

Malcolm
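The thread mentions "ls -lo" as the way to see which files carry the immutable flag. The script below is an added example, not code from either poster: it parses `ls -lo` output (the FreeBSD format, with the flags column between group and size) and reports regular files that lack the `schg` flag, so a defender can audit whether the protection JJB describes is still in place. The sample `ls -lo` output is constructed for the demonstration; `audit_schg_dir` is a hypothetical wrapper that runs the same check against a real directory on a FreeBSD host. The `*(*)` in the quoted commands is a zsh glob qualifier selecting executable files; this example does not need it.

```shell
#!/bin/sh
# Added example, not part of the thread: audit FreeBSD `ls -lo` output and
# report regular files that do NOT carry the schg (system immutable) flag.
# The sample below is constructed to match the `ls -lo` layout:
#   mode  links  owner  group  flags  size  month day year/time  name
SAMPLE_LS_LO='total 1234
-r-xr-xr-x  1 root  wheel  schg      12345 Jun 27  2004 cat
-r-xr-xr-x  1 root  wheel  -         23456 Jun 27  2004 chmod
-r-xr-xr-x  1 root  wheel  schg,uchg  3456 Jun 27  2004 cp
-rw-r--r--  1 root  wheel  uchg       4567 Jun 27  2004 rc.conf
lrwxr-xr-x  1 root  wheel  -             4 Jun 27  2004 sh -> bash'

# find_unprotected: read `ls -lo` output on stdin and print the names of
# regular files whose comma-separated flag list does not contain "schg".
# Symlinks and directories are skipped; "-" in the flags column means no flags.
find_unprotected() {
    awk '
        $1 == "total"            { next }   # summary line printed by ls -l
        substr($1, 1, 1) != "-"  { next }   # only regular files (mode starts with -)
        {
            n = split($5, flags, ",")
            protected = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") protected = 1
            if (!protected) print $NF       # name is the last field
        }
    '
}

# count_unprotected: same check, returning the number of offending files
# (trailing/leading spaces from wc stripped so it compares cleanly).
count_unprotected() {
    find_unprotected | wc -l | tr -d ' '
}

# audit_schg_dir DIR: hypothetical wrapper for a real FreeBSD host.
# `ls -lo` is BSD ls syntax; GNU ls uses -o for something else.
audit_schg_dir() {
    ls -lo "$1" | find_unprotected
}

# Stand-alone run over the constructed sample: prints "chmod" and "rc.conf".
printf '%s\n' "$SAMPLE_LS_LO" | find_unprotected
```

Running the audit on a schedule and diffing its output against the expected (empty) list gives a simple detection for someone having cleared the flag. One caveat worth pairing with it: on FreeBSD the `schg` flag can be cleared by root whenever `kern.securelevel` is 0 or lower, so the flag only resists a root-level intruder once the securelevel has been raised to 1 or higher.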