Message-ID: <005101c10b17$51c67b00$3324200a@sonicboom.org>
From: "Brian"
To: "Bart Silverstrim"
References: <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com> <20010712123523.G53408@jake.akitanet.co.uk> <007c01c10b14$5462d820$0100a8c0@sosbbs.com>
Subject: Re: gcc on production server
Date: Thu, 12 Jul 2001 14:12:07 -0700
Sender: owner-freebsd-isp@FreeBSD.ORG

There are some articles on sans.org that talk about making /usr read only on a Solaris system. Perhaps some portions of http://www.sans.org/newlook/resources/hard_solaris.htm, especially the step by step at the bottom, could be used, at least from an idea perspective. I know it's Solaris but ideas can be grafted.

Bri

----- Original Message -----
From: "Bart Silverstrim"
To:
Sent: Thursday, July 12, 2001 1:50 PM
Subject: Re: gcc on production server

>
> ----- Original Message -----
> From: "Paul Robinson"
> To: "Hug Me"
> Cc:
> Sent: Thursday, July 12, 2001 7:35 AM
> Subject: Re: gcc on production server
>
> > On Jul 11, Hug Me wrote:
>
> >> if you are REALLY worried about security, get a drive that has a jumper you
> >> can change to read only, put your operating system on it, move the jumper
> >
> >Ummmm... that's not clever. That's stupid. So, you're an ISP. If you're
> >running this system, exactly how do you deliver mail, allow users to change
> >webpages, etc? Oh yeah, and just out of curiosity, what happens to /var and
> >/tmp ? As one colleague just replied when I read that paragraph to him
> >"that's not an OS - it's a coaster". I hope it keeps your coffee warm.
>
> Why not use two drives, one read only with the OS on it, one with multiple
> partitions to mount to /var and /tmp, , /home...stuff like that...or
> some variation of that theme?
>
> I toyed with the idea of trying to make bootable CDs for the key system
> files and such before, should work in a similar manner to what is basically
> described above (although performance from the read operations would be
> terrible) if I actually had the time and extra hardware to dedicate to
> making system laid out to create an "image" and make a slave drive on another
> system with a CD-R drive :-) Gotta admit, that would make it terribly
> difficult to crack into and lay trojaned system binaries...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
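
The split layout suggested in the quoted reply (a read-only OS disk, with /var, /tmp and /home on a second, writable disk) can be checked mechanically. The following is an added example, not part of the original thread: a POSIX sh function that audits an fstab for that layout. The `RO_MOUNTS`/`RW_MOUNTS` variables, the finding labels and the sample device names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab for the split layout discussed in the thread.
# Assumptions (not from the thread): which mount points count as "OS" and
# which as "data"; override RO_MOUNTS / RW_MOUNTS to match your own layout.
RO_MOUNTS="${RO_MOUNTS:-/ /usr}"          # must be mounted read-only
RW_MOUNTS="${RW_MOUNTS:-/var /tmp /home}" # must be separate and writable

# audit_fstab [FILE]: reads FILE (or stdin), prints one finding per line,
# returns the number of findings (0 = layout matches).
audit_fstab() {
    awk -v ro="$RO_MOUNTS" -v rw="$RW_MOUNTS" '
    BEGIN {
        n = split(ro, a, " "); for (i = 1; i <= n; i++) want_ro[a[i]] = 1
        n = split(rw, a, " "); for (i = 1; i <= n; i++) want_rw[a[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        mp = $2; seen[mp] = 1; is_ro = 0
        n = split($4, opt, ",")             # 4th field: mount options
        for (i = 1; i <= n; i++) if (opt[i] == "ro") is_ro = 1
        if ((mp in want_ro) && !is_ro) { print "WRITABLE-OS " mp; bad++ }
        if ((mp in want_rw) && is_ro)  { print "READONLY-DATA " mp; bad++ }
    }
    END {
        # A data mount point with no entry lives on its parent filesystem,
        # so it is either read-only too or forces the parent to be writable.
        for (mp in want_rw) if (!(mp in seen)) { print "NOT-SEPARATE " mp; bad++ }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample (device names are made up): /usr was left writable
# and /home has no filesystem of its own.
sample_fstab() {
    cat <<'EOF'
# Device       Mountpoint  FStype  Options           Dump  Pass
/dev/ad0s1a    /           ufs     ro                1     1
/dev/ad0s1f    /usr        ufs     rw                2     2
/dev/ad1s1e    /var        ufs     rw,nosuid         2     2
/dev/ad1s1f    /tmp        ufs     rw,nosuid,noexec  2     2
/dev/ad0s1b    none        swap    sw                0     0
EOF
}

sample_fstab | audit_fstab || echo "$? finding(s)"
```

Run it against a real table with `audit_fstab /etc/fstab`; it only inspects the configured options, so the live state reported by `mount` should be compared separately.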