I am looking at having a read only box, it will not use a swap partition. Any recommendations?
Jason Pyeron                      PD Inc. http://www.pdinc.us
Principal Consultant              10 West 24th Street #100
+1 (443) 269-1555 x333            Baltimore, Maryland 21218
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Barry Brimer
Sent: Friday, May 02, 2008 8:21 AM
To: CentOS mailing list
Subject: Re: [CentOS] read only root file system
> > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> Why bother with a hard drive at all? Customize a Live CD/DVD and remove the hard drive altogether.
We are using read only media, but it is not a cdrom/dvd.
> Barry
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> I am looking at having a read only box, it will not use a swap partition. Any recommendations?
You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
When you do need to do maintenance, such as package management, you'll need to remount the root file system as writable which will likely require a reboot.
Brett
in the /etc/fstab
define ro in the permissions field of the entry where the / partition is defined
----- Original Message -----
From: "Brett Serkez" <bserkez@gmail.com>
To: "CentOS mailing list" <centos@centos.org>
Sent: Friday, May 02, 2008 5:58 PM
Subject: Re: [CentOS] read only root file system
> On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
> When you do need to do maintenance, such as package management, you'll need to remount the root file system as writable which will likely require a reboot.
> Brett
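Brett's partitioning advice and the fstab tip above come down to one layout rule: `/` carries `ro` in its options field (the fourth column of fstab), and every tree that must stay writable gets a mount of its own. The script below is an added example, not anything posted in the thread; it encodes those rules as an audit of an fstab text. The sample fstab, its LABEL= names and the set of writable trees (/var, /home, /tmp) are constructed for the example, and the no-swap rule reflects the constraint stated in the original question.

```shell
#!/bin/sh
# Constructed example fstab for a read-only-root layout (not from the thread).
# Root is mounted ro; the trees that must stay writable get their own mounts;
# /tmp is RAM-backed; there is no swap line at all.
SAMPLE_FSTAB='
# <device>            <mount>   <type>  <options>                 <dump> <pass>
LABEL=root            /         ext3    ro,noatime                1      1
LABEL=var             /var      ext3    rw,noatime,nosuid,nodev   1      2
LABEL=home            /home     ext3    rw,noatime,nosuid,nodev   1      2
tmpfs                 /tmp      tmpfs   rw,nosuid,nodev,noexec    0      0
proc                  /proc     proc    defaults                  0      0
'

# mount_opts FSTAB MOUNTPOINT -> prints the options field of that mount, empty if absent
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# has_opt OPTS OPT -> 0 if OPT appears as a whole comma-separated option
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_fstab FSTAB -> 0 if the layout satisfies the read-only-root rules, 1 otherwise.
# Rules: / is ro; /var, /home and /tmp each have their own non-ro mount; no swap entry.
audit_fstab() {
    fstab=$1
    rc=0
    root_opts=$(mount_opts "$fstab" /)
    if [ -z "$root_opts" ]; then
        echo "FAIL: no entry for /"; rc=1
    elif has_opt "$root_opts" ro; then
        echo "ok:   / is mounted ro ($root_opts)"
    else
        echo "FAIL: / is not ro ($root_opts)"; rc=1
    fi
    for mp in /var /home /tmp; do
        opts=$(mount_opts "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "FAIL: $mp has no mount of its own, so it would sit inside the read-only /"; rc=1
        elif has_opt "$opts" ro; then
            echo "FAIL: $mp is mounted ro ($opts)"; rc=1
        else
            echo "ok:   $mp is a separate writable mount ($opts)"
        fi
    done
    if printf '%s\n' "$fstab" | awk '$1 !~ /^#/ && $3 == "swap" { found=1 } END { exit !found }'; then
        echo "FAIL: swap entry present"; rc=1
    else
        echo "ok:   no swap entry"
    fi
    return $rc
}

# A second constructed fstab that breaks the rules, to show the audit catching it.
BAD_FSTAB='
LABEL=root  /      ext3  defaults  1 1
LABEL=swap  swap   swap  defaults  0 0
'

audit_fstab "$SAMPLE_FSTAB"
echo "---"
audit_fstab "$BAD_FSTAB" || echo "bad layout rejected"
```

To check a real candidate file before flipping the root to read-only, run `audit_fstab "$(cat /etc/fstab)"`; the list of writable trees in the loop is the place to add any other path the box turns out to write to.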
Brett Serkez wrote:
> On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
What do you do with /etc/mtab, which the system clearly wants to write into when you mount/unmount stuff?
Cheers,
Ralph
On Fri, May 2, 2008 at 9:38 AM, Ralph Angenendt ra+centos@br-online.de wrote:
> Brett Serkez wrote:
> > On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> > > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> > You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
> What do you do with /etc/mtab, which the system clearly wants to write into when you mount/unmount stuff?
Make it a soft-link to /var or other writable file system, perhaps /etc/mtab -> /var/etc/mtab.
For the most part the Linux/UNIX file system is broken up into well defined areas, but alas, exceptions need to be dealt with.
Brett
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Brett Serkez
Sent: Friday, May 02, 2008 9:43 AM
To: CentOS mailing list
Subject: Re: [CentOS] read only root file system
> On Fri, May 2, 2008 at 9:38 AM, Ralph Angenendt <ra+centos@br-online.de> wrote:
> > Brett Serkez wrote:
> > > On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> > > > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> > > You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
> > What do you do with /etc/mtab, which the system clearly wants to write into when you mount/unmount stuff?
> Make it a soft-link to /var or other writable file system, perhaps /etc/mtab -> /var/etc/mtab.
> For the most part the Linux/UNIX file system is broken up into well defined areas, but alas, exceptions need to be dealt with.
Resources to help with the exceptions????
I am mounting /tmp as a ramfs, all of these items can go there.
I am trying to minimize the introduction of non-RHEL / CentOS packages and to minimize deviation from modifications outside of the packages.
So this will eliminate UnionFS as an option.
Current idea about /var/log is to setup syslog to output over some port (tcp, udp, serial, etc...)
> Brett
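Jason's plan to get /var/log off the box by pointing syslog at a remote host leaves one thing to check before / goes read-only: whether any rule in syslog.conf still writes a file under the read-only root. The shell script below is an added example, not code from the thread. The syslog.conf it parses, the host name loghost.example.internal and the list of writable mounts are constructed for the example; the action syntax it recognises is sysklogd's (`@host` forwards over UDP, `-/path` writes a file without fsync, `/dev/...` is a device, `*` means all logged-in users).

```shell
#!/bin/sh
# Constructed syslog.conf for a read-only-root host (not from the thread):
# most traffic is forwarded to a log host, with leftover local file rules so
# the audit has something to examine.
SAMPLE_SYSLOG_CONF='
# selector                       action
*.info;mail.none;authpriv.none   @loghost.example.internal
authpriv.*                       @loghost.example.internal
mail.*                           -/var/log/maillog
*.emerg                          *
kern.*                           /dev/console
local7.*                         /var/log/boot.log
cron.*                           /etc/cron.log
'

# Mount points that stay writable on this host (everything else is under ro /).
WRITABLE_MOUNTS="/var /tmp"

# under_writable PATH -> 0 if PATH lies under one of WRITABLE_MOUNTS
under_writable() {
    for mp in $WRITABLE_MOUNTS; do
        case "$1" in "$mp"/*) return 0 ;; esac
    done
    return 1
}

# local_file_actions CONF -> prints the path of every rule whose action is an
# ordinary file. The last field is the action; a leading "-" only disables
# fsync, so it is stripped before the path is examined; device nodes are skipped.
local_file_actions() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && NF >= 2 {
            act = $NF
            sub(/^-/, "", act)
            if (act ~ /^\// && act !~ /^\/dev\//) print act
        }'
}

# audit_syslog_conf CONF -> 0 if every local file action lands on a writable
# mount, 1 if any of them would try to write under the read-only root.
audit_syslog_conf() {
    rc=0
    for path in $(local_file_actions "$1"); do
        if under_writable "$path"; then
            echo "ok:   $path is on a writable mount"
        else
            echo "FAIL: $path is under the read-only root"; rc=1
        fi
    done
    return $rc
}

# The same config with the offending rule forwarded to the log host instead.
FIXED_SYSLOG_CONF=$(printf '%s\n' "$SAMPLE_SYSLOG_CONF" | sed 's|/etc/cron.log|@loghost.example.internal|')

audit_syslog_conf "$SAMPLE_SYSLOG_CONF" || echo "config needs fixing before / goes read-only"
echo "---"
audit_syslog_conf "$FIXED_SYSLOG_CONF" && echo "config is safe for a read-only root"
```

The two /var/log files in the sample pass only because /var is on its own writable mount in this layout; if /var/log is meant to leave the box entirely, the same loop is the place to flag every local file action rather than only those outside the writable mounts.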
On Fri, 2008-05-02 at 15:38 +0200, Ralph Angenendt wrote:
> Brett Serkez wrote:
> > On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> > > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
> > You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable, such as /var and /home. I set up systems in this manner to make them more difficult to subvert; I'd suggest searching for topics such as "linux file system hardening".
> What do you do with /etc/mtab, which the system clearly wants to write into when you mount/unmount stuff?
ln -s /proc/mounts /etc/mtab
There are some "gotchas" if you have some loopback mounts instituted by the mount command. Since /proc/mounts is a symlink to self-mounts, maybe pointing directly there would work too.
> Cheers,
> Ralph
<snip sig stuff>
HTH
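Both mtab answers in the thread (Brett's symlink into /var, and the `ln -s /proc/mounts /etc/mtab` just above) can be rehearsed in a scratch directory before anything touches the real /etc. The script below is an added example, not code from the thread: it builds a staging root under mktemp, creates either kind of symlink, and then checks the result the way one would check an image before booting it with a read-only root. ROOT, prepare_mtab and check_mtab are names chosen for the example, and the staging paths are constructed.

```shell
#!/bin/sh
# Staging-root rehearsal of the two /etc/mtab arrangements from the thread.
# Nothing here touches the live system; every path is under a scratch ROOT.

# prepare_mtab ROOT MODE -> replaces ROOT/etc/mtab with a symlink.
#   MODE=proc : /etc/mtab -> /proc/mounts   (kernel-maintained, always current)
#   MODE=var  : /etc/mtab -> /var/etc/mtab  (mount(8) keeps writing it, on the rw /var)
prepare_mtab() {
    root=$1; mode=$2
    mkdir -p "$root/etc"
    rm -f "$root/etc/mtab"
    case "$mode" in
        proc) ln -s /proc/mounts "$root/etc/mtab" ;;
        var)  mkdir -p "$root/var/etc"
              : > "$root/var/etc/mtab"
              ln -s /var/etc/mtab "$root/etc/mtab" ;;
        *)    echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# check_mtab ROOT -> 0 if ROOT/etc/mtab is a symlink whose target is
# /proc/mounts or lies under /var, 1 otherwise. A regular file here is exactly
# what Ralph's question is about: mount(8) tries to rewrite it, which cannot
# succeed once / is read-only.
check_mtab() {
    root=$1
    f="$root/etc/mtab"
    if [ ! -L "$f" ]; then
        echo "FAIL: $f is not a symlink"; return 1
    fi
    target=$(readlink "$f")
    case "$target" in
        /proc/mounts|/var/*) echo "ok:   $f -> $target"; return 0 ;;
        *) echo "FAIL: $f -> $target is not a writable location"; return 1 ;;
    esac
}

# Demonstration in a scratch root: plain file (rejected), then both symlink styles.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc"
: > "$ROOT/etc/mtab"
check_mtab "$ROOT" || echo "(expected: a plain mtab file is rejected)"
prepare_mtab "$ROOT" proc
check_mtab "$ROOT"
prepare_mtab "$ROOT" var
check_mtab "$ROOT"
rm -rf "$ROOT"
```

The check only looks at where the link points; the thread's caveat about loopback mounts with the /proc/mounts variant is a runtime behaviour of mount(8) that no static check of the image can see.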
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron@pdinc.us> wrote:
> I am looking at having a read only box, it will not use a swap partition. Any recommendations?
Here is a slide deck from a presentation Rick Troth has done on read only root file systems.
http://linuxvm.org/present/SHARE110/S9216rt.pdf
Might be some helpful bits of information in there for you.
Good luck!
Jeffrey