On 21 Nov 2002, 10:52:15, Oliver Elphick wrote:
>
> On Thu, 2002-11-21 at 10:36, Hiroki Horiuchi wrote:
> > I am trying to make the root filesystem including /usr subdirectory
> > read-only. But, if I set the mount option of / to ro, the system cannot boot.
> > Making only /usr read-only is not enough for me.
> > Cannot the root filesystem be read-only?
>
> In effect, no.
>
> For example, /etc must be in the root filesystem and mount writes to
> /etc/mtab
There is a very good document on improving the out-of-the-box security of a Debian system that you can install via apt-get install harden-doc. Then open /usr/share/doc/harden-doc/html/securing-debian-howto/index.html in your web-browser and have a read.

One of their suggestions is to put /usr, /usr/share, /var, /var/tmp, /var/log, and /var/account on separate partitions, each with different options in /etc/fstab, mounting them, variously, ro, noexec, nosuid, nodev, etc. . . .

The only headache in doing this is that apt-get install and apt-get upgrade need write access and exec privs on some of these areas, so you have to configure pre and post apt-get commands. As an earlier post indicated, the remounting after apt-get doesn't always work . . . so you typically have to get in the habit of going into single-user mode for any apt-get activities (not always possible on a multi-user production system that you want to run an apt-get upgrade on to install new revs with security patches . . . ).

If you search the Debian package directories for harden, you'll find a collection of docs and utilities to assist you in securing your system.

Also, Bastille was nearly ready with a port to Debian a few months ago. I haven't used it, but it gets quite good reviews for being able to identify weaknesses.

Good luck.

madmac

> Perhaps you could arrange to have a RAM disk for root? (See initrd.)
> --

-- 
Doug MacFarlane
[EMAIL PROTECTED]
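As an added example, not code from this thread or from Debian's harden-doc, the following POSIX sh script does the two chores the reply above describes: it audits a /proc/mounts listing against the split layout (which areas must be ro, noexec, nosuid, nodev) and it generates the /etc/apt/apt.conf fragment, using apt's own DPkg::Pre-Invoke and DPkg::Post-Invoke hooks, that remounts the read-only areas as rw around a package run and back to ro afterwards. The POLICY table, the sample mount lines and the function names are assumptions for illustration; adjust the policy to your own fstab.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian-style split layout
# against the mount options the harden-doc suggests, and generate the apt
# pre/post hooks that temporarily remount read-only areas for upgrades.
# Mountpoints and options in POLICY are assumptions; adjust to your fstab.

# Policy: mountpoint, then the options it must carry (comma separated).
POLICY="/usr ro
/usr/share ro
/var nosuid
/var/tmp noexec,nosuid,nodev
/var/log noexec,nosuid,nodev
/var/account noexec,nosuid,nodev"

# has_opt OPTLIST OPT: true if OPT is one whole element of the comma list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts MOUNTS_FILE: read /proc/mounts-style lines (dev mp type opts)
# and print one finding per policy violation. Always exits 0 so it can be
# piped; use count_violations for a pass/fail number.
check_mounts() {
    printf '%s\n' "$POLICY" | while read -r mp required; do
        [ -n "$mp" ] || continue
        # Options of the last line mounted on mp (later mounts shadow earlier).
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$1")
        if [ -z "$opts" ]; then
            printf '%s: not mounted as a separate filesystem\n' "$mp"
            continue
        fi
        # Subshell so IFS=',' does not leak into the next read.
        (
            IFS=','
            for want in $required; do
                if ! has_opt "$opts" "$want"; then
                    printf '%s: missing %s (has %s)\n' "$mp" "$want" "$opts"
                fi
            done
        )
    done
    return 0
}

# count_violations MOUNTS_FILE: number of findings (0 means compliant).
count_violations() {
    check_mounts "$1" | awk 'END { print NR }'
}

# apt_hook_conf: emit an /etc/apt/apt.conf fragment using apt's own
# DPkg::Pre-Invoke / DPkg::Post-Invoke hooks, remounting every mountpoint
# the policy requires read-only as rw before dpkg runs and ro afterwards.
apt_hook_conf() {
    ro_mps=$(printf '%s\n' "$POLICY" | while read -r mp required; do
        if has_opt "$required" ro; then printf '%s ' "$mp"; fi
    done)
    printf 'DPkg::Pre-Invoke {'
    for mp in $ro_mps; do printf ' "mount -o remount,rw %s";' "$mp"; done
    printf ' };\n'
    printf 'DPkg::Post-Invoke {'
    for mp in $ro_mps; do printf ' "mount -o remount,ro %s";' "$mp"; done
    printf ' };\n'
}

# Constructed sample in /proc/mounts format: / stays rw (see the thread),
# /usr/share and /var/tmp are under-restricted, /var/account is not split out.
SAMPLE_MOUNTS="${TMPDIR:-/tmp}/sample_mounts.$$"
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda5 /usr ext3 ro 0 0
/dev/hda6 /usr/share ext3 rw 0 0
/dev/hda7 /var ext3 rw,nosuid 0 0
/dev/hda8 /var/tmp ext3 rw,nosuid,nodev 0 0
/dev/hda9 /var/log ext3 rw,noexec,nosuid,nodev 0 0
EOF

echo "Findings in sample ($(count_violations "$SAMPLE_MOUNTS") total):"
check_mounts "$SAMPLE_MOUNTS"      # on a live host: check_mounts /proc/mounts
echo
echo "Suggested /etc/apt/apt.conf fragment:"
apt_hook_conf
```

On the sample the audit reports three findings (/usr/share not ro, /var/tmp without noexec, /var/account not a separate mount). Because the reply notes that the remount after apt-get does not always succeed (a busy filesystem with open files will refuse to go back to ro), run the audit against /proc/mounts once the Post-Invoke hook has completed, so that an area left writable or executable is caught rather than silently persisting until the next reboot.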