On Fri, 18 May 2007 18:16:03 -0400 "Clint M. Sand" <[EMAIL PROTECTED]> wrote:
> On Fri, May 18, 2007 at 08:47:21PM +1000, Timothy Wilson wrote:
> > Had you thought about mounting certain areas as read only?
> > For example, /etc, /local can be mounted as read only. When you want
> > to make changes, such as installing a new package or whatever, just
> > remount the file systems read/write.
> > You can also use jails.
> >
> > Timothy
>
> I think the point is that if someone roots your machine because you are
> running a vulnerable service, they can't really install rootkits and
> things if your binaries are on a filesystem that CAN'T be remounted r/w.
>
> If you just mount your harddisks (or portions like /etc) ro and someone
> roots your box, they just re-mount it, install rootkit, then re-mount
> back ro. Does nothing really.

Of course, they could just "chflags schg *". That way, an attacker couldn't just remove the schg flags from the files he wants to modify.

The big advantage to using a CD or DVD is that one could create the CD/DVD from a more secure site while leaving the live site running. When ready to upgrade, just change the CD or DVD and reboot.

Eric Johnson
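
Added example, not part of the original messages: a defender-side audit of the schg approach discussed above, reporting which files lack the flag and whether root could still clear it. It assumes BSD `ls -lo` output (flags in the fifth column) and the `kern.securelevel` sysctl, where a value below 1 lets root remove schg; neither is mentioned in the thread, the listing is constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example; the listing below is constructed sample data.

# Constructed `ls -lo` lines: mode links owner group FLAGS size date path
sample_listing() {
cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 28912 May 18  2007 /bin/ls
-r-sr-xr-x  1 root  wheel  schg 21544 May 18  2007 /usr/bin/su
-rw-r--r--  1 root  wheel  -     1043 May 18  2007 /etc/rc.conf
EOF
}

# Print paths of regular files whose flags column lacks schg.
# Limitation: paths containing spaces are not handled.
unprotected_files() {
    awk '$1 ~ /^-/ && NF >= 10 {
        n = split($5, flags, ","); locked = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") locked = 1
        if (!locked) print $NF
    }'
}

# Succeeds when root may still clear schg (assumption: securelevel below 1).
flags_removable() {
    [ "$1" -lt 1 ]
}

# audit LEVEL < listing: report findings; succeed only if every file is
# schg and the securelevel stops root from clearing the flag.
audit() {
    level=$1
    open=$(unprotected_files)
    if flags_removable "$level"; then
        echo "WARN securelevel=$level: root can clear schg, flags alone do not hold"
    fi
    if [ -n "$open" ]; then
        echo "$open" | sed 's/^/UNPROTECTED /'
    fi
    [ -z "$open" ] && ! flags_removable "$level"
}

# Demo on the sample; on a live host feed it
#   ls -lo /bin/* /sbin/* | audit "$(sysctl -n kern.securelevel)"
sample_listing | audit 0 || true
```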