AW: RE: [CentOS] read only root file system

Fri May 2 22:33:49 UTC 2008
Torsten Luettgert <t.luettgert at pressestimmen.de>

On Fri, 2008-05-02 at 19:22 +0200, Marc Rebischke wrote:
> I am looking at having a read only box, it will not use a swap
> partition.
> Any recommendations?

I built a diskless, CD-based firewall some time ago which works fine.
Of course you still need some writable directories, i.e.
/var/run, /var/lock, /var/lib/dhcpd, /var/named, /tmp,
/var/empty/sshd/etc and /var/net-snmp. This can be achieved by using
layered filesystems and a ramdisk. If you want to follow that path, I'd
recommend using aufs, see http://aufs.sourceforge.net

> Well, I tried two possibilities years ago..
> 1.) :
> There are SCSI-Disks with jumpers for
> "Write Protect" , so you have a real
> Hardware write-protection.

which would work as well as using a CD.

> 2.) :
> Have a look at (Open)BSD's "Immutable Flag"-Feature. (Well, I hope you all love
> OpenBSD?) ;-) But....don't get nervous while setting up the box...

There is an immutable flag for ext2/3 (see setfattr(1)), but it can
easily be removed once root access is gained, so I'd not recommend it.
Host-based intrusion detection systems (integrit, aide, tripwire) can
help you discover any manipulations, but I'd go for a CD or
write-protected disks to be on the safe side.

Regards,
Torsten
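A tmpfs-plus-aufs layout of the kind described above, as an added example that is not from the original thread: the read-only root (CD or write-protected disk) stays untouched, only the listed directories get a ramdisk-backed writable branch, and a small check confirms a mount point really carries the `ro` flag. The ramdisk path, its size and the directory list are assumptions.

```sh
#!/bin/sh
# Added example: keep the root filesystem read-only (CD or write-protected
# disk) and give only the directories that must be writable a tmpfs-backed
# aufs overlay. Paths, ramdisk size and the directory list are assumptions.
RAMDISK=${RAMDISK:-/ramdisk}          # assumed mount point for the ramdisk
RAMDISK_SIZE=${RAMDISK_SIZE:-64m}     # assumed size of the ramdisk
WRITABLE_DIRS=${WRITABLE_DIRS:-"/var/run /var/lock /var/lib/dhcpd /var/named /tmp"}

# Emit the commands that overlay one directory: a writable copy on the
# ramdisk as first aufs branch, the read-only original as second branch.
# Writes land on the ramdisk only and disappear at reboot.
overlay_cmds() {
    dir=$1
    rw="$RAMDISK$dir"
    printf 'mkdir -p %s\n' "$rw"
    printf 'mount -t aufs -o br=%s=rw:%s=ro none %s\n' "$rw" "$dir" "$dir"
}

# Build the full command list. With DRY_RUN=1 (the default) the commands
# are only printed for review; with DRY_RUN=0 they are piped to sh as root.
setup_overlays() {
    if [ "${DRY_RUN:-1}" = 0 ]; then run=sh; else run=cat; fi
    {
        printf 'mount -t tmpfs -o size=%s,nosuid,nodev tmpfs %s\n' \
            "$RAMDISK_SIZE" "$RAMDISK"
        for d in $WRITABLE_DIRS; do overlay_cmds "$d"; done
    } | $run
}

# Verify that a mount point really carries the 'ro' flag, reading
# /proc/mounts or an alternative mount table passed as $2 (for testing).
is_readonly() {
    mp=$1; table=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
        }
        END { exit !found }' "$table"
}

# Usage on the box, after the CD root is up:
#   . ./overlays.sh; DRY_RUN=0 setup_overlays
#   is_readonly / && echo "root is read-only"
```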