From: Devin Teske
To: "'Da Rock'"
Date: Tue, 13 Dec 2011 08:54:23 -0800
Subject: RE: 9.0 install and journaling

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Da Rock
> Sent: Monday, December 12, 2011 3:55 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: 9.0 install and journaling
>
> On 12/13/11 06:00, Eric S Pulley wrote:
> >> As for one big / partition- linux may be using it: and it's their
> >> biggest failing! I've had a system lockup due to lack of space. Never
> >> a problem with bsd as logs will only fill up var, a user won't break
> >> it with filling up usr, etc. And root always stays protected! It's
> >> saved my life a number of times... I can quickly fill TB's of data in
> >> no time, and if something goes bang the logs can be a silent killer too.
> >> My 2c's anyway...
> >>
> > And along those lines for security of the system, this is the U.S. DoD
> > recommendations (well mandates really) including ZFS. Not that the DoD
> > doesn't have security problems... but I'm not a big fan of the one or
> > two mount point solution either. Never understood why other OS
> > packagers think it is okay to just dump it all under /
> >
> > Per the DISA STIG (Security Technical Implementation Guide)
> >
> > / (obviously)
> > /
> > /var
> > /tmp
> > /
> >
> > should all be separate mount points "The use of separate file systems
> > for different paths can protect the system from failures resulting
> > from a file system becoming full or failing"...
> >
> > in addition...
> >
> > All local file systems must employ journaling or another mechanism
> > that ensures file system consistency.
> >
> > Removable media, remote file systems, and any file system that does
> > not contain approved device files must be mounted with the "nodev" option.

We're seeing in 8.1-RELEASE that "nodev" is an invalid option for NFS mounts
that causes your system to boot into single-user mode. Is this still the case in
9.0-RC2/3 or has the option been re-added?

"nodev" was a valid option in 4.11-RELEASE, not sure why it was removed (and/or
made invalid).
--
Devin

> >
> > Removable media, remote file systems, and any file system that does
> > not contain approved setuid files must be mounted with the "nosuid" option.
> >
> > The nosuid option must be enabled on all NFS client mounts.
> >
> > and so on... you can find a copy of the UNIX STIG online and some of
> > it is just crazy paranoia and makes your life a pain, but there are a
> > lot of good practices in it too.
> >
> I don't think any of it crazy paranoia. A PITA, maybe, but not paranoid.
>
> Do you have a link to the original of it?
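
Added example (not part of the original message, the quoted posts, or the STIG): a small sh/awk audit of fstab(5)-format input against three points raised in this thread: NFS client mounts without "nosuid", NFS entries carrying "nodev" (reported above as rejected on 8.1-RELEASE), and /var and /tmp not being separate mount points. The sample entries, the host name "filer" and the FAIL/WARN labels are constructed for illustration; only the two mount points legible in the quoted list are checked.

```shell
#!/bin/sh
# Added example: audit fstab(5)-format input against rules quoted in the thread.
# Fields per line: device  mountpoint  fstype  options  dump  pass

# Constructed sample; host "filer" and all paths are illustrative only.
sample_fstab() {
    cat <<'EOF'
# Device            Mountpoint  FStype  Options          Dump Pass
/dev/ada0p2         /           ufs     rw               1    1
/dev/ada0p4         /var        ufs     rw               2    2
filer:/export/home  /home       nfs     rw,nosuid        0    0
filer:/export/src   /usr/src    nfs     rw,nodev,nosuid  0    0
filer:/export/pub   /mnt/pub    nfs     ro               0    0
EOF
}

# Reads the file named in $1, or stdin when no argument is given.
audit_fstab() {
    # "required" holds only /var and /tmp: the other paths in the quoted
    # STIG list did not survive in the message.
    awk -v required="/var /tmp" '
    $1 ~ /^#/ || NF < 4 { next }            # skip comments and short lines
    {
        mp = $2; fs = $3; opts = "," $4 ","  # pad so ",opt," matches whole words
        seen[mp] = 1
        if (fs ~ /^nfs/) {
            # "The nosuid option must be enabled on all NFS client mounts."
            if (opts !~ /,nosuid,/) print "FAIL nosuid-missing " mp
            # Reported in the reply above as an invalid option on 8.1-RELEASE.
            if (opts ~ /,nodev,/) print "WARN nodev-on-nfs " mp
        }
    }
    END {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) print "FAIL not-separate " req[i]
    }' "$@"
}

sample_fstab | audit_fstab
```

Run it against a copy of /etc/fstab with `audit_fstab /path/to/fstab`; no output means none of the three conditions were found.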