On Sat, 18 Oct 2003 07:07, Adam ENDRODI wrote:
> To stay on topic, I'm for keeping /usr and /usr/local read-only,
> because really nothing should update them except for a few
> programs under controlled circumstances (that's what makes
> the enforcement of this policy cheap). In addition, it might
> help you notice an intrusion.

Unless you have a good auditing setup (none of the various auditing modules are available in Debian) then you probably won't notice an automated attack that is blocked by having a read-only file system. The attack may continue hitting you regularly until you remount it rw for an upgrade, at which time the attack will succeed.

If you want security for such things then use SE Linux, systrace, RSBAC, or GRSEC. Don't waste time with ro mounts of /usr.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
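The reply's point is that a write blocked by a read-only /usr is invisible unless something is watching the logs. As an added example (not code from either poster), this script pulls "Read-only file system" (EROFS) errors out of syslog-style lines and names the process and path involved; the log lines and daemon names are constructed for illustration.

```shell
#!/bin/sh
# Added example: surface writes that a read-only /usr blocked, so a blocked
# attack is noticed before the next rw remount. Sample log lines below are
# constructed; the daemon names (in.ftpd, httpd) are hypothetical.

SAMPLE_LOG='Oct 18 07:10:01 host apt-get[4111]: /var/lib/dpkg/lock: ok
Oct 18 07:12:44 host in.ftpd[5120]: open(/usr/bin/ls): Read-only file system
Oct 18 07:12:45 host in.ftpd[5120]: open(/usr/sbin/sshd): Read-only file system
Oct 18 07:30:00 host cron[600]: (root) CMD (run-parts /etc/cron.hourly)
Oct 18 08:02:13 host httpd[7001]: write(/usr/lib/cgi-bin/x): Read-only file system'

# Print "process path" for every EROFS error on a path under mount point $1.
# Reads log lines from stdin; the 5th syslog field is "process[pid]:" and the
# path is the parenthesised argument of the failed call.
blocked_writes() {
    mnt="$1"
    awk -v mnt="$mnt" '
        /Read-only file system/ {
            proc = $5; sub(/\[.*/, "", proc)
            if (match($0, /\([^)]*\)/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (index(path, mnt "/") == 1) print proc, path
            }
        }'
}

# Number of distinct processes that hit EROFS under mount point $1 in the
# sample log; a non-zero result is what an admin should be paged about.
count_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_writes "$1" \
        | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Total blocked writes under mount point $1 in the sample log.
count_blocked() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_writes "$1" | wc -l | tr -d ' '
}
```

Run it from cron against the real log and alert whenever count_offenders is non-zero; the apt-get and cron lines show that ordinary activity is not reported.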