[ale] Help with server setup
Jim Kinney
jim.kinney at gmail.com
Tue Sep 15 16:22:11 EDT 2009
You remove the chattr command from /sbin once you are done marking
your system all read-only just before the reboot.
On Tue, Sep 15, 2009 at 2:42 PM, Ed Cashin <ecashin at noserose.net> wrote:
> On Tue, Sep 15, 2009 at 10:56 AM, Steve Brown <braino420 at gmail.com> wrote:
>> On Tue, Sep 15, 2009 at 8:25 AM, Ed Cashin <ecashin at noserose.net> wrote:
>>>
>>> When I was in that situation, I used FreeBSD, which has an immutable
>>> files feature. With Linux you could get a similar effect by customizing
>>> a live CD, so that the server runs off read-only media, so that a reboot
>>> could undo any malicious attempts to take over the server. Just a
>>> thought.
>>
>> Linux has immutable files also, using the chattr +i command.
>
> Last time I tried to use these, I ran into a lack of support from the
> kernel. In FreeBSD, you can arrange things so that even root cannot
> alter the immutable property of the files or cause them to be modified.
>
> They called that feature "secure levels", I think. With console access,
> you could cause the O.S. to boot into a lower secure level (with no
> networking turned on). Then you
> could use chattr to remove the immutability and modify the files.
>
> But
> when I was looking into this (around 2000), Linux didn't have something
> like that. For me, a file isn't immutable from a security standpoint
> if root can use chattr to
> remove the immutability while the system is in production.
>
> I've been keeping my eyes open, but I might have missed it if a
> feature like that has come along since then. I'd like to hear about
> it if anybody has heard of a feature that could disallow root from
> removing the immutability of files while the system is in production.
>
> --
> Ed Cashin <ecashin at noserose.net>
> http://noserose.net/e/
>
--
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
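As an added example that is not part of this thread, the POSIX shell script below applies chattr +i to a list of files, verifies the result by parsing lsattr output, and tests whether CAP_LINUX_IMMUTABLE (the capability Linux requires to change the immutable flag) is still in the process's capability bounding set; dropping it from the bounding set is the closest Linux analogue to the FreeBSD secure level Ed asks about. It assumes an ext-style filesystem that supports chattr/lsattr and root privileges for the locking step only; the path names in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lock files with chattr +i, check the
# result, and report whether this process could still undo the lock.

# lock_files PATH... : set the immutable flag on each path (needs root).
lock_files() {
    for f in "$@"; do
        chattr +i "$f" || return 1
    done
}

# missing_immutable < lsattr-output : print every path whose flag field lacks
# 'i'.  lsattr -d prints "<flags> <path>", e.g.
# "----i---------e------- /sbin/init"; the flag layout varies by version, so
# only the presence of 'i' (lower case, immutable) in the first field is tested.
missing_immutable() {
    while read -r flags path; do
        case "$flags" in
            *i*) ;;                       # immutable: nothing to report
            *)   printf '%s\n' "$path" ;;
        esac
    done
}

# verify_locked PATH... : run lsattr on the paths and list any that are not
# immutable; exit status 1 if at least one is missing the flag.
verify_locked() {
    out=$(lsattr -d "$@" | missing_immutable)
    [ -z "$out" ] && return 0
    printf 'NOT immutable:\n%s\n' "$out" >&2
    return 1
}

# cap_immutable_in_mask HEX : true if bit 9 (CAP_LINUX_IMMUTABLE) is set in a
# capability mask written the way /proc/<pid>/status prints CapBnd.
cap_immutable_in_mask() {
    [ $(( 0x$1 >> 9 & 1 )) -eq 1 ]
}

# can_still_clear_immutable : true if this process (and therefore any child,
# since the bounding set can only shrink) could clear the flag.  Removing the
# chattr binary, as suggested above, hides the tool but not this ability; a
# bounding set without CAP_LINUX_IMMUTABLE removes the ability itself.
can_still_clear_immutable() {
    mask=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    cap_immutable_in_mask "$mask"
}
```

Run `lock_files` on the chosen files, then `verify_locked` with the same list; `can_still_clear_immutable` tells you whether the lock is one root could simply reverse from the running system.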