From owner-freebsd-questions@FreeBSD.ORG Sun Jun 27 06:44:28 2004
From: Malcolm Kay <malcolm.kay@internode.on.net>
Organization: at home
To: Barbish3@adelphia.net, "MICSKO Viktor"
Cc: freebsd-questions@freebsd.org
Date: Sun, 27 Jun 2004 16:14:06 +0930
Subject: Re: setting a disk read only
Message-Id: <200406271614.06896.malcolm.kay@internode.on.net>
User-Agent: KMail/1.5.4

On Saturday 26 June 2004 22:06, JJB wrote:
> Security Paranoia
> It's very important that you completely understand the impact
> using the following command will have on your ability to make
> changes to your system.
>
> The simplest thing you can do is set the immutable flag on all
> system binaries and /etc config files with:
>
> chflags schg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*)
> /etc/*(*)
>

It seems to me that mounting all partitions from the disk as read only
would achieve rather more; and more simply. But neither protects against
direct writes to the raw device.

And if you are really paranoid about this I think the only solution is a
hardware switch. I suspect the linux 'hdparm' also has its limitations;
only a hardware switch can protect against software bugs or a successful
invasion.

> Setting the immutable flag on means the files are marked as being
> protected from being written over. Once you execute the above
> command, no process can overwrite those files, thus increasing the
> level of difficulty for the attacker and increasing the odds in your
> favor of the attacker leaving error messages in the system log. On
> the other hand, you as root user can not make any changes to those
> files so marked either.
>
> Every time you want to make changes you have to issue the command to
> turn off the immutable flag on all the same files. Use this command
> to do that:
>
> chflags noschg /bin/*(*) /sbin/*(*) /usr/bin/*(*) /usr/sbin/*(*)
> /etc/*(*)
>
> You can use the "ls -lo" command to see the immutable flags of existing
>
> You could do this to any slice with chflags noschg /*(*) /usr/*(*)
> whatever
>
Malcolm
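An added audit helper (not code from either poster) for the "ls -lo" check mentioned in the thread: it reads FreeBSD `ls -lo` output and lists files whose flag column does not contain `schg`, so an administrator can confirm the immutable flag actually landed on every file it was meant to. It assumes the standard `ls -lo` layout with file flags in the fifth column (`-` when none, comma-separated otherwise); the sample listing is constructed, not taken from a real system.

```shell
#!/bin/sh
# missing_schg: read `ls -lo` lines on stdin, print paths lacking the schg flag.
# On a FreeBSD host you would run it as (not executed here):
#   ls -lo /bin/* /sbin/* /usr/bin/* /usr/sbin/* /etc/* | missing_schg
missing_schg() {
    awk '
        # Skip the "total N" line ls prints for directory arguments.
        /^total / { next }
        # Field 5 is the flags column ("-" when unset, e.g. "schg,sunlnk" otherwise).
        # Compare whole flag names so "uchg" (user-immutable) is not taken for "schg".
        {
            n = split($5, f, ",")
            found = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") found = 1
            if (!found) print $NF
        }
    '
}

# Constructed sample listing in `ls -lo` format; sizes and dates are made up.
SAMPLE_LISTING='-r-xr-xr-x  1 root  wheel  schg          8184 Jun 27  2004 /bin/ls
-r-xr-xr-x  1 root  wheel  -             9240 Jun 27  2004 /bin/cat
-r-xr-xr-x  1 root  wheel  schg,sunlnk  14900 Jun 27  2004 /sbin/init
-rw-r--r--  1 root  wheel  uchg          1231 Jun 27  2004 /etc/rc.conf'

# Run the audit over the embedded sample; prints /bin/cat and /etc/rc.conf
# (uchg can be cleared by the owner, so it is not the system-immutable flag).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | missing_schg
}

audit_sample
```

The same filter works on the real listing because `ls -lo` prints the path as given on the command line, which is the last field that awk's `$NF` selects.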