--On Tuesday, December 13, 2011 09:54:38 AM +1000 Da Rock <freebsd-questi...@herveybayaustralia.com.au> wrote:

On 12/13/11 06:00, Eric S Pulley wrote:
As for one big / partition - Linux may be using it: and it's their biggest
failing! I've had a system lockup due to lack of space. Never a problem
with BSD as logs will only fill up var, a user won't break it with
filling up usr, etc. And root always stays protected! It's saved my life
a number of times... I can quickly fill TBs of data in no time, and if
something goes bang the logs can be a silent killer too. My 2c's
anyway...

And along those lines for security of the system, these are the U.S. DoD
recommendations (well mandates really) including ZFS. Not that the DoD
doesn’t have security problems... but I’m not a big fan of the one or
two mount point solution either… never understood why other OS
packagers think it is okay to just dump it all under /

Per the DISA STIG (Security Technical Implementation Guide)

/ (obviously)
/<home directories>
/var
/tmp
/<location of audit files>

should all be separate mount points: "The use of separate file systems for
different paths can protect the system from failures resulting from a
file system becoming full or failing"...

in addition...

All local file systems must employ journaling or another mechanism that
ensures file system consistency.

Removable media, remote file systems, and any file system that does not
contain approved device files must be mounted with the "nodev" option.


Removable media, remote file systems, and any file system that does not
contain approved setuid files must be mounted with the "nosuid" option.

The nosuid option must be enabled on all NFS client mounts.

and so on... you can find a copy of the UNIX STIG online and some of it
is just crazy paranoia and makes your life a pain, but there are a lot of
good practices in it too.


I don't think any of it is crazy paranoia. A PITA, maybe, but not paranoid.

Do you have a link to the original of it?

Sure,
        <http://iase.disa.mil/stigs/>
Lots more there than just UNIX too. I find that the newer "SRG" xml files are easier to just load into a browser and read the recommendations rather than poring through the big sections in the STIGs.

<http://iase.disa.mil/stigs/downloads/zip/unclassified_os-srg-unix_v1r1_finalsrg.zip>

Or just do the checklists. There are no *BSD specific ones but the generic UNIX STIG works good (probably because at this point *BSD is basically the reference implementation of UNIX or at least it should be... damn Linux)

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
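
Added example (not part of the original thread or of any DISA tooling): a small fstab audit for the mount rules quoted above, covering separate mount points plus nosuid/nodev on NFS and on file systems not approved to hold setuid or device files. The /home and /var/audit paths, the approved sets and the sample fstab are assumptions constructed for illustration.

```python
# Added example: audit fstab text against the mount rules quoted in the thread.
# Site policy (assumed): which paths must be separate and which file systems
# are approved to hold setuid or device files.
REQUIRED_MOUNTS = ["/", "/home", "/var", "/tmp", "/var/audit"]  # home/audit paths assumed
SUID_APPROVED = {"/", "/usr"}   # assumed: may hold setuid files
DEV_APPROVED = {"/dev"}         # assumed: may hold device files

# Constructed sample in fstab(5) layout: device, mount point, type, options, dump, pass
SAMPLE_FSTAB = """\
# Device            Mountpoint  FStype  Options          Dump  Pass
/dev/ada0p2         /           ufs     rw               1     1
/dev/ada0p3         none        swap    sw               0     0
/dev/ada0p4         /var        ufs     rw,nosuid        2     2
/dev/ada0p5         /tmp        ufs     rw,nosuid,nodev  2     2
/dev/ada0p6         /home       ufs     rw,nodev         2     2
fileserver:/export  /mnt/share  nfs     rw,nodev         0     0
"""

def parse_fstab(text):
    """Return (mount_point, fstype, options) for each mounted file system."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] == "swap":
            continue  # blank, comment, malformed or swap line
        entries.append((fields[1], fields[2], set(fields[3].split(","))))
    return entries

def audit(text):
    """Return a sorted list of findings as (mount_point, problem) tuples."""
    entries = parse_fstab(text)
    mounted = {mp for mp, _, _ in entries}
    findings = [(mp, "not a separate mount point")
                for mp in REQUIRED_MOUNTS if mp not in mounted]
    for mp, fstype, opts in entries:
        remote = fstype.startswith("nfs")
        # NFS client mounts always need nosuid; local ones unless approved.
        if "nosuid" not in opts and (remote or mp not in SUID_APPROVED):
            findings.append((mp, "missing nosuid"))
        if "nodev" not in opts and (remote or mp not in DEV_APPROVED):
            findings.append((mp, "missing nodev"))
    return sorted(findings)

if __name__ == "__main__":
    for mount_point, problem in audit(SAMPLE_FSTAB):
        print(f"{mount_point}: {problem}")
```

To check a real host, pass the contents of /etc/fstab to audit() after adjusting the three policy constants to the site's own approved lists.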
