Re: Debian Forensics Tasksel

2011-02-23 Thread Christophe Monniez
On Thursday, 24 February 2011 at 03:28 +0100, Derrick Karpo wrote:
 Christophe I think this is a useful idea.  I have been doing something
 similar manually on our forensics machines in the office but it would
 be much easier to just tasksel 'forensics' and call it a day.  All of
 your suggestions are good.  Some other things that may be of value:
 
   o disallow mounting of external swap partitions
   o associate certain mime types (i.e. .txt, .doc) with read-only
 viewers (i.e. browser, doc viewer)
   o force journaled filesystems to loop mount (i.e. 'ext3 -o ro,loop')
 to prevent journal recovery
 
 I don't have any experience with tasksel but if you are looking for
 assistance I would be happy to help where I can.
 
 Derrick
 

It sounds like those are good ideas too.

So here is what we have:
1) Installing all the forensics packages + a few useful
packages.
2) Disabling any automount feature of the different graphical
installers.
3) Adding an /etc/sudoers.d/forensic file to give the forensics
people
the ability to mount systems without being root and maybe
without password.
4) Allow more loop devices than 8
5) Modify initramfs in order to not modify disks at boot time.
6) disallow mounting of external swap partitions
7) associate certain mime types (i.e. .txt, .doc) with read-only
viewers (i.e. browser, doc viewer)
8) force journaled filesystems to loop mount (i.e. 'ext3 -o
ro,loop') to prevent journal recovery

Now, we need someone with tasksel experience, or we learn tasksel
ourselves.


-- 
Christophe Monniez christophe.monn...@fccu.be


___
forensics-devel mailing list
forensics-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/forensics-devel
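
The list above is a procedure, so here is an added worked example (my own shell script, not code from the thread, from Debian or from any tasksel task) that generates the configuration fragments behind items 2, 3, 4, 6 and 8 into a staging directory, where they can be reviewed before being copied to / as root. Items 5 (initramfs) and 7 (mime associations) are not covered. Assumed names and paths: the forensics users are in a Unix group called "forensic", the desktop is GNOME (dconf keys), the staging root is ./stage, and the sample image path /cases/disk.dd is made up. One caveat the script encodes: for ext3/ext4 a plain 'ro,loop' mount still replays the journal; the 'noload' option (and 'norecovery' for xfs) is what actually leaves the image untouched.

```shell
#!/bin/sh
# Added example: build a Debian forensics workstation's config fragments
# (sudoers.d, modprobe.d, dconf, fstab swap filter, read-only loop mount).
# Not from the thread or from Debian; group name "forensic", GNOME/dconf
# and the paths below are assumptions.
set -eu

# 3) sudoers fragment: group "forensic" may mount/umount/losetup without a
#    password. A Cmnd_Alias keeps the grant narrow instead of ALL.
forensic_sudoers() {
    cat <<'EOF'
Cmnd_Alias FORENSIC_MOUNT = /bin/mount, /bin/umount, /sbin/losetup
%forensic ALL=(root) NOPASSWD: FORENSIC_MOUNT
EOF
}

# 4) more than 8 loop devices: loop.ko module option (argument = count,
#    default 64). If loop is built into the kernel, pass loop.max_loop=N
#    on the kernel command line instead.
forensic_modprobe() {
    printf 'options loop max_loop=%s\n' "${1:-64}"
}

# 2) disable media automount and autorun in GNOME via a system dconf db
#    fragment (needs /etc/dconf/profile/user and 'dconf update').
forensic_dconf() {
    cat <<'EOF'
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
EOF
}

# 6) comment out every swap entry in an fstab read from stdin so the
#    kernel never activates a swap partition at boot; pair with 'swapoff -a'.
forensic_fstab_filter() {
    awk '$0 !~ /^[[:space:]]*#/ && $3 == "swap" { print "#forensic-disabled# " $0; next }
         { print }'
}

# 8) read-only loop mount command for an image. 'ro' alone is not enough:
#    ext3/ext4 replay the journal unless 'noload' is given, xfs unless
#    'norecovery' is given. Unknown filesystems fall back to plain ro,loop.
forensic_mount_cmd() {
    image=$1; mnt=$2; fstype=${3:-ext3}
    case "$fstype" in
        ext3|ext4) opts=ro,loop,noload ;;
        xfs)       opts=ro,loop,norecovery ;;
        *)         opts=ro,loop ;;
    esac
    printf 'mount -t %s -o %s %s %s\n' "$fstype" "$opts" "$image" "$mnt"
}

# Write everything under the staging root given as $1 (e.g. ./stage).
# Copy to / as root afterwards, run 'visudo -c -f /etc/sudoers.d/forensic'
# before trusting the sudoers fragment, then 'dconf update'.
if [ $# -ge 1 ]; then
    stage=$1
    mkdir -p "$stage/etc/sudoers.d" "$stage/etc/modprobe.d" "$stage/etc/dconf/db/local.d"
    forensic_sudoers > "$stage/etc/sudoers.d/forensic"
    chmod 0440 "$stage/etc/sudoers.d/forensic"
    forensic_modprobe 64 > "$stage/etc/modprobe.d/forensic-loop.conf"
    forensic_dconf > "$stage/etc/dconf/db/local.d/00-forensic"
    [ -r /etc/fstab ] && forensic_fstab_filter < /etc/fstab > "$stage/etc/fstab.forensic"
    # Sample (made-up) evidence image: print the mount line the analyst would run.
    forensic_mount_cmd /cases/disk.dd /mnt/evidence ext3
fi
```

Usage: `sh forensic-setup.sh ./stage`, inspect ./stage, then copy into place as root. Without an argument the script only defines the functions, which is what makes it safe to source or test on a machine that is not the target.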


Debian Forensics Tasksel

2011-02-22 Thread Christophe Monniez
Hi all,

As the activity is coming back in the debian forensics list, I would
like to discuss the idea of a forensics tasksel.

I have no experience with tasksel but it seems to be a good idea to have
forensics tasksel implemented.

I have a lot of people asking me what do they need to do when installing
a debian distribution for forensics purpose.

Here are a few ideas where tasksel could help us:

- Installing all the forensics packages + a few useful packages.
- Disabling any automount feature of the different graphical installers.
- Adding an /etc/sudoers.d/forensic file to give the forensics people
the ability to mount systems without being root and maybe without
password.
- Allow more loop devices than 8
- Modify initramfs in order to not modify disks at boot time.
- ...

1) Do you think it's a good idea?
2) Do you have any experience with tasksel and would you like to help?
3) Do you have other ideas?


-- 
Christophe Monniez christophe.monn...@fccu.be

