Date: Sat, 15 Nov 2014 06:14:29 +0100 From: Robert Sevat <robert@indylix.nl> To: freebsd-questions@freebsd.org Subject: How much of freebsd can be made read-only in a jail Message-ID: <5466E135.80304@indylix.nl>
next in thread | raw e-mail | index | archive | help
Hey all, I've started using Ansible to make my life easier while managing a lot of jails. I've used ezjail up until now, but if I am using automation to manage them anyway, I might as well let Ansible setup the jails in an even more restrictive way. I am aware of the existence of bsdploy, but that uses ezjail and I'm aiming for an even more locked down system. goal: -make it impossible to install programs from inside the jail, only install them from outside the jail with pkg -j -make it impossible to edit any configuration files from inside the jail since that can be done from the host. So my question is, how much can be made read-only? And what needs to be kept writable at a minimum for this to work? /tmp /var/log (configure syslog server so logs don't need to be stored locally?) /var/tmp? /var/db? Anything I'm missing or other directories that should be writable? It will of course depend per application, but I only run one service per jail. So application specific exceptions will be made while configuring the jail in the ansible playbook. Maybe I'm overlooking something and this is a bad idea because $reason? Any other advice / tips? Thank you for your time! Kind Regards, Robert Sevat
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5466E135.80304>