From: Da Rock
Date: Tue, 13 Dec 2011 09:54:38 +1000
To: freebsd-questions@freebsd.org
Subject: Re: 9.0 install and journaling

On 12/13/11 06:00, Eric S Pulley wrote:
>> As for one big / partition- linux may be using it: and it's their biggest
>> failing! I've had a system lockup due to lack of space. Never a problem
>> with bsd as logs will only fill up var, a user won't break it with
>> filling up usr, etc. And root always stays protected! It's saved my life
>> a number of times... I can quickly fill TB's of data in no time, and if
>> something goes bang the logs can be a silent killer too. My 2c's anyway...
>
> And along those lines for security of the system, this is the U.S. DoD
> recommendations (well mandates really) including ZFS. Not that the DoD
> doesn’t have security problems... but I’m not a big fan of the one or two
> mount point solution either… never understood why other OS packagers think
> it is okay to just dump it all under /
>
> Per the DISA STIG (Security Technical Implementation Guide)
>
> / (obviously)
> /
> /var
> /tmp
> /
>
> should all be separate mount points "The use of separate file systems for
> different paths can protect the system from failures resulting from a file
> system becoming full or failing"...
>
> in addition...
>
> All local file systems must employ journaling or another mechanism that
> ensures file system consistency.
>
> Removable media, remote file systems, and any file system that does not
> contain approved device files must be mounted with the "nodev" option.
>
> Removable media, remote file systems, and any file system that does not
> contain approved setuid files must be mounted with the "nosuid" option.
>
> The nosuid option must be enabled on all NFS client mounts.
>
> and so on... you can find a copy of the UNIX STIG online and some of it is
> just crazy paranoia and makes your life a pain, but there are a lot of
> good practices in it too.
>

I don't think any of it is crazy paranoia. A PITA, maybe, but not paranoid.
Do you have a link to the original of it?
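
Added example, not part of the original message or of the STIG: a small fstab audit for the separate-mount-point and nosuid rules quoted above. The sample fstab is constructed, and the NOSUID_REQUIRED list is an assumed site policy; the journaling and nodev rules are not checked.

```sh
#!/bin/sh
# Audit an fstab-format file against rules quoted in the thread.
# Assumption: NOSUID_REQUIRED is a site decision, not stated in the thread.
NOSUID_REQUIRED="/tmp /var"     # local mount points with no approved setuid files
SEPARATE_REQUIRED="/var /tmp"   # mount points that survive in the quoted list

# Prints one "FAIL <rule> <mountpoint>" line per finding; prints nothing if clean.
audit_fstab() {
    awk -v nosuid_req="$NOSUID_REQUIRED" -v sep_req="$SEPARATE_REQUIRED" '
    # Exact match on a comma-separated option, so "suid" never matches "nosuid".
    function has_opt(opts, want,   n, i, a) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == want) return 1
        return 0
    }
    /^[ \t]*#/ || NF < 4 { next }        # skip comments and incomplete lines
    {
        mnt = $2; fstype = $3; opts = $4
        seen[mnt] = 1
        if (fstype ~ /^nfs/ && !has_opt(opts, "nosuid"))
            print "FAIL nfs-nosuid " mnt       # NFS client mount without nosuid
        else if (index(" " nosuid_req " ", " " mnt " ") && !has_opt(opts, "nosuid"))
            print "FAIL nosuid " mnt           # listed local fs without nosuid
    }
    END {
        n = split(sep_req, req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) print "FAIL separate-fs " req[i]
    }' "$1"
}

# Constructed sample in FreeBSD fstab layout (not taken from any real host).
sample_fstab() {
cat <<'EOF'
# Device          Mountpoint  FStype  Options     Dump  Pass
/dev/ada0p2       /           ufs     rw          1     1
/dev/ada0p3       /var        ufs     rw,nosuid   2     2
/dev/ada0p4       /usr        ufs     rw          2     2
fileserver:/pub   /mnt/pub    nfs     ro          0     0
fileserver:/src   /mnt/src    nfs     ro,nosuid   0     0
EOF
}

# Demo run on the sample; on a real host pass /etc/fstab instead.
tmpf=$(mktemp) && sample_fstab > "$tmpf" && audit_fstab "$tmpf"; rm -f "$tmpf"
```

The audit reads only the configured options in the file; options in effect on a running system are shown by mount(8).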