> > Does anyone here have some advice/idea/experience on how to do
> > immutable systems with OpenBSD?
>
> If you're new to OpenBSD, it would be much better to get some
> experience with a 'regular' installation first.

Ok, I think you're right. I didn't realize how BSD is different from
Linux, so I'll try to get used to it before doing anything more
advanced.

> Essentially everything you are asking about is _possible_

But still, if you have some tracks, even if it requires advanced
knowledge, don't hesitate to share them, so I can use them later, once
I'm ready.

> As far as checking hashes, I frequently use aide (Advanced Intrusion
> Detection Environment)
> Some other things I do:
> [...]

Thanks, noted! Can be useful in case I need SSH, not to get
cryptominers...

> I don't have any interest and so much experience in immutable Linux
> but I suspect that it's largely a false sense of security. Useful for
> if you break your system but in the same turn like live kernel updates
> also useful to an attacker to infiltrate your system without detection
> and/or remove their tracks too. Most attacks only affect memory
> anyway. It's a more advanced idea for example to try and break windows
> update with plausible deniability than persist something detectable.

Yeah, maybe persistent storage isn't that much of a security flaw,
maybe immutability is a false sense of security (this can be dangerous:
many flaws are due to humans thinking they are 100% safe). However, as
you mentioned, it's still a useful feature to avoid breaking the
system, or for determinism.

Maybe a good side effect of not having immutability is that I will no
longer be able to *temporarily install obscure outdated packages from
community-maintained repos just for testing* (AUR malwares let's go!).

---
Pattled Buquor (still no idea what's going on)

