Date: Tue, 5 Oct 2004 11:22:47 -0600 From: Nathan Kinkade <nkinkade@ub.edu.bz> To: ted@milbaugh.com Cc: freebsd-questions@freebsd.org Subject: Re: Booting to CD and the handing off to HD Message-ID: <20041005172247.GC3633@gentoo-npk.bmp.ub> In-Reply-To: <2861cf0f041005092714662997@mail.gmail.com> References: <20041004163650.GM3633@gentoo-npk.bmp.ub> <20041005042331.14030.qmail@web53801.mail.yahoo.com> <20041005161249.GX3633@gentoo-npk.bmp.ub> <2861cf0f041005092714662997@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--ylUvUtShPtQAJVVd Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Oct 05, 2004 at 12:27:54PM -0400, Theodore K. Milbaugh wrote: > On Tue, 5 Oct 2004 10:12:49 -0600, Nathan Kinkade <nkinkade@ub.edu.bz> wr= ote: > > On Mon, Oct 04, 2004 at 09:23:31PM -0700, Cristobal Miguelo wrote: > > > > > On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote: > > > > > Hello, > > > > > > > > I would like to have it completely automated: > > > > > > The machine goes down at 4am for the check and boots to cd, then the = cd > > > controls the hand-off to the hard drive. I'd like to have the BIOS > > > setup to only boot the cd and if the HD checks out ok, boot up the HD. > > > That way there is a slim chance that any security breach will last > > > beyond one night on my machine. I seriously doubt a security breach > > > will occur, but I want to close every door imaginable. > > > > > > Anything else that could be done? > > > > > > Thx > > > -C > > > > >=20 > > What is the reason that you find it necessary to reboot the machine to a > > CDROM every morning? Are you sure that there isn't a way to run your > > checks while booted to the harddisk? I am fairly sure that you will > > never find a way to have the BIOS selectively boot either the CDROM or > > the HD based on some OS specific factor, such as a successful check of > > the HD. I have a feeling that there may be a better way to accomplish > > your goal without a reboot to CDROM every morning. Will you tell the > > list more about what you are trying to accompish? > >=20 > > Nathan >=20 > Since the code that checks the HD is on a CD, it is unlikely to be > compromised. Any check in the running OS could be compromised, which > the poster wants to avoid. > Also, the BIOS will not be selectively booting to CD or HD, it will > only boot to the CD. The CD-based check of the HD will be booting the > disk if it checks out okay. > This still doesn't fully make sense to me. It seems to me that this is looking at security from the wrong direction. It is certainly a good thing to think about how one can mitigate the actions of a cracker after they have already got into the system. However, it seems like a better initial approach to focus on keeping crackers out in the first place, thereby obviating the need to go to extreme measures to avoid alterations to a file on the disk. As was already suggested, I would focus on keeping people out, and then use tools such securelevels, read-only mounted files systems and the like to help protect the system should someone happen to get in. Regarding booting to the CDROM or HD, I'm not sure I understand the difference between what you are saying and what I said in my previous reply. How can the CDROM "boot" the machine to the HD? If the machine reboots the BIOS will take control and boot the machine according to it's device priority. If there is a bootable CD in the CDROM device, and the BIOS is set to boot to the CDROM first, how can the machine be made to boot the HD prior to the CDROM? The only possible way I can think of would be to have the CDROM booted OS eject the CDROM tray before reboot, then have the HD booted OS close the CDROM tray again. Nathan --=20 PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0xD8527E49 --ylUvUtShPtQAJVVd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBYthnO0ZIEthSfkkRAjm+AJ4wXZAWRXCTBHQIKhmE3egZmgmI/ACfY3ai 4qCKHVP9w8VGDzJllS4obLU= =XO9s -----END PGP SIGNATURE----- --ylUvUtShPtQAJVVd--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041005172247.GC3633>