Re: How can I make root filesystem read-only?
On 21 Nov 2002, 10:52:15, Oliver Elphick wrote:
>
>
> On Thu, 2002-11-21 at 10:36, Hiroki Horiuchi wrote:
> > I am trying to make the root filesystem including /usr subdirectory
> > read-only. But, if I set the mount option of / to ro, system cannot boot.
> > Making only /usr read-only is not enought for me.
> > Cannot root filesystem be read-only?
>
> In effect, no.
>
> For example, /etc must be in the root filesystem and mount writes to
> /etc/mtab
There is a very good document on improving the out-of-the-box security of
a Debian system that you can install via apt-get install harden-doc. Then
open /usr/share/doc/harden-doc/html/securing-debian-howto/index.html in your
web-browser and have a read.
One of their suggestions is to put /usr, /usr/share, /var, /var/tmp, /var/log,
and /var/account on separate partitions, each with different options in /etc/fstab,
mounting them, variously, ro, noexec, nosuid, nodev, etc. . . .
The only headache in doing this is that apt-get install and apt-get upgrade
need write access and exec privs on some of these areas, so you have to configure
pre and post apt-get commands. As an earlier post indicated, the remounting
after apt-get doesn't always work . . . so you typically have to get in the
habit of going into single-user mode for any apt-get activities (not always
possible on a multi-user production system that you want to run an apt-get
upgrade on to install new revs with security patches . . . ).
If you search the Debian package directories for harden, you'll find a collection
of docs and utilities to assist you in securing your system.
Also, Bastille was nearly ready with a port to Debian a few months ago.
I haven't used it, but it gets quite good reviews for being able to identify
weaknesses.
Good luck.
madmac
>
> Perhaps you could arrange to have a RAM disk for root? (See initrd.)
>
--
Doug MacFarlane
madmac@covad.net
Reply to: