On Wed, Nov 18, 2009 at 03:01:01PM -0800, Ted Stern wrote: > OP here. I can't sell the idea of having automatic security updates > from outside the secure firewall, so change management needs a > different paradigm. > > I envision OS updates being done offline: once every couple of days > you plug your USB key into a secure workstation and write an updated > OS onto it. That could be coordinated with virus-checking and backing > up /home. > > So maybe there's a way to make the OS without it being read-only: you > could use that same docking time to scan the OS partition to check > logs and see whether any exploits have been attempted.
I haven't gone whole hog on the security aspects, so my approach is simular that noted above. I partition the drive with my working space on non-root partitions. Then on a regular basis I rebuild and install a new bootable root based on the latest packages. That process is scripted, so it consumes little of my time and only modest wall-clock time. -- Randolph Bentson [email protected]
