On Wed, 2002-07-31 at 09:29, Ray Olszewski wrote:
> At 06:11 PM 7/31/02 +0530, S Mohan wrote:
> >I want to create in such a manner that every time the configuration has
> >to be changed, the system has to be taken off the network, make
> >writeable, config changes made and turned back to read only. Changes can
> >be made only from console as root after remounting the fs as rw.
>
> If I understand what you want to accomplish, LEAF is not the best place for
> you to start. The LEAF standard is to boot from some medium into a RAM disk
> and run from there. I don't believe there is any hardware way to make a RAM
> disk read only.
>

Actually, it seems to me that Oxygen's capabilities support could get part of the way there. Granted you still don't have a read-only RAM disk, but you do have the potential to lock the kernel down into pretty unusable territory.

> Security efforts here have focused on making the boot medium read-only
> secure. Among the solutions in use are:
>
> 1. a floppy with the WP tab in place (obvious)
> 2. burning the configuration to a CD (Dachstein includes
> instructions).
> 3. using an IDE-emulator that has a physical WP switch added
> (check the list archives from, I think, last April).
>
> But securing the boot medium in any of these ways is not the same as
> securing the root filesystem. For that, you need a fundamentally different
> approach -- doable, but LEAF is not the natural place to start from.
>

Again, I think LEAF is a good place to start from because of its stripped nature. Much easier to define what a LEAF distro needs than to define Mandrake or Debian.

> >This will avoid rootkit hacks and buffer overflow hacks which gives the
> >marauder a root shell. They normally install a set of programs which
> >replicates itself. Vulnerabilities known in BIND, OpenSSH, Apache etc.
> >He cannot write and hence cannot hack. Alternatively, I plug in the HDD/
> >memory stick into another system, mount it and change the config files.
> >Take it out and plug it into the other machine again.
> >
> >Mohan

<snip>

Liberal use of chroot could also be a good place to explore...

--
Jack Coates
Monkeynoodle: A Scientific Venture...

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
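The procedure Mohan describes (remount rw from the console as root, edit, remount ro) and Ray's point that a RAM disk cannot be write-protected in hardware both come down to one question: is the root filesystem actually mounted read-only right now, and who can flip it? The script below is an added example, not code from the thread or from LEAF/Oxygen. It parses `/proc/mounts`-style entries (the sample lines are constructed) to answer the first question, and wraps the remount step in a small function that assumes Linux `mount(8)` with `-o remount`; that function is illustrative and is not executed by anything here.

```shell
#!/bin/sh
# Added example, not code from the leaf-user thread. It checks the mount
# state Mohan's scheme depends on: is / really mounted read-only, and is
# remounting it rw/ro an explicit, root-only console step?

# Constructed /proc/mounts-style sample: a LEAF-like box running from a
# RAM disk that was remounted read-only, plus a write-protected floppy.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/ram0 / ext2 ro,noatime 0 0
/dev/fd0 /boot msdos ro 0 0
proc /proc proc rw 0 0'

# mount_opts MOUNTPOINT MOUNTS_TEXT
# Prints the option field of the last entry for MOUNTPOINT: a later mount on
# the same point shadows earlier ones, which is the order the kernel lists.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# is_readonly MOUNTPOINT MOUNTS_TEXT
# Returns 0 if the mount carries the "ro" option, 1 if it is rw, and 2 if
# MOUNTPOINT is not mounted at all (an absent mount is not "protected").
is_readonly() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# root_state MOUNTS_TEXT -> prints "ro" or "rw" for /
root_state() {
    if is_readonly / "$1"; then echo ro; else echo rw; fi
}

# remount_root ro|rw
# The console step from the thread. Remounting needs CAP_SYS_ADMIN, so a
# process that has been stripped of that capability cannot undo the ro
# state even with uid 0. Assumes Linux mount(8); not run by the checks.
remount_root() {
    case $1 in
        ro|rw) mount -o remount,"$1" / ;;
        *) echo "usage: remount_root ro|rw" >&2; return 1 ;;
    esac
}

# Stand-alone use: report the live system, or the sample when /proc/mounts
# is not readable (non-Linux host).
if [ -r /proc/mounts ]; then
    echo "/ is $(root_state "$(cat /proc/mounts)")"
else
    echo "/ is $(root_state "$SAMPLE_MOUNTS") (sample data)"
fi
```

Run it as a periodic check (cron, or a boot-time sanity test) so that a root filesystem silently left rw after maintenance is noticed rather than assumed. The point it makes about Jack's capabilities remark is concrete: mounting ro only helps if the attacker's root shell has lost CAP_SYS_ADMIN, because otherwise `remount_root rw` is one command away.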