Re: 9.0 install and journaling

Board: FB_questions, posted 2011/12/13 08:01
On 12/13/11 06:00, Eric S Pulley wrote:
>> As for one big / partition- linux may be using it: and it's their biggest
>> failing! I've had a system lockup due to lack of space. Never a problem
>> with bsd as logs will only fill up var, a user won't break it with
>> filling up usr, etc. And root always stays protected! It's saved my life
>> a number of times... I can quickly fill TB's of data in no time, and if
>> something goes bang the logs can be a silent killer too. My 2c's anyway...
>> _______________________________________________
>>
> And along those lines for security of the system, this is the U.S. DoD
> recommendations (well mandates really) including ZFS. Not that the DoD
> doesn't have security problems... but I'm not a big fan of the one or two
> mount point solution either... never understood why other OS packagers think
> it is okay to just dump it all under /
>
> Per the DISA STIG (Security Technical Implementation Guide)
>
> / (obviously)
> /<home directories>
> /var
> /tmp
> /<location of audit files>
>
> should all be separate mount points "The use of separate file systems for
> different paths can protect the system from failures resulting from a file
> system becoming full or failing"...
>
> in addition...
>
> All local file systems must employ journaling or another mechanism that
> ensures file system consistency.
>
> Removable media, remote file systems, and any file system that does not
> contain approved device files must be mounted with the "nodev" option.
>
> Removable media, remote file systems, and any file system that does not
> contain approved setuid files must be mounted with the "nosuid" option.
>
> The nosuid option must be enabled on all NFS client mounts.
>
> and so on... you can find a copy of the UNIX STIG online and some of it is
> just crazy paranoia and makes your life a pain, but there are a lot of
> good practices in it too.
>
>

I don't think any of it is crazy paranoia. A PITA, maybe, but not paranoid.
Do you have a link to the original of it?

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
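
The mount rules quoted in the message above (separate mount points, and "nosuid"/"nodev" on removable and remote file systems, NFS included) can be checked mechanically against an fstab-format file. This is an added example, not part of the original post or of the STIG; the required mount-point list, the file system types treated as removable or remote, and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example: audit fstab-format input against the mount rules quoted above.
# Assumptions, not from the thread: /home and /var/audit stand in for the home
# and audit locations; UNTRUSTED_TYPES lists removable/remote filesystem types.
REQUIRED_MOUNTS="/ /home /var /tmp /var/audit"
UNTRUSTED_TYPES="nfs cd9660 msdosfs"

audit_fstab() {
    # Reads the files given as arguments, or stdin; prints one finding per line.
    awk -v required="$REQUIRED_MOUNTS" -v untrusted="$UNTRUSTED_TYPES" '
    BEGIN {
        nreq = split(required, req, " ")
        n = split(untrusted, t, " ")
        for (i = 1; i <= n; i++) is_untrusted[t[i]] = 1
    }
    /^[ \t]*#/ || NF < 4 { next }          # comments, blank or short lines
    {
        mnt = $2; fstype = $3
        seen[mnt] = 1                      # remember every mount point
        if (!(fstype in is_untrusted)) next
        nopt = split($4, opt, ",")
        has_nosuid = 0; has_nodev = 0
        for (i = 1; i <= nopt; i++) {
            if (opt[i] == "nosuid") has_nosuid = 1
            if (opt[i] == "nodev") has_nodev = 1
        }
        if (!has_nosuid) print "MISSING nosuid: " mnt " (" fstype ")"
        if (!has_nodev) print "MISSING nodev: " mnt " (" fstype ")"
    }
    END {
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in seen)) print "NOT SEPARATE: " req[i]
    }' "$@"
}

sample_fstab() {
    # Constructed sample, not taken from any real system.
    cat <<'EOF'
# Device      Mountpoint  FStype  Options                 Dump Pass
/dev/ada0p2   /           ufs     rw                      1 1
/dev/ada0p3   none        swap    sw                      0 0
/dev/ada0p4   /var        ufs     rw                      2 2
/dev/ada0p5   /tmp        ufs     rw,nosuid               2 2
filer:/export /mnt/share  nfs     rw,nodev                0 0
/dev/cd0      /cdrom      cd9660  ro,noauto,nosuid,nodev  0 0
EOF
}

if [ "$#" -gt 0 ]; then audit_fstab "$@"; else sample_fstab | audit_fstab; fi
```

Run with a path such as `/etc/fstab` to audit a real file; with no arguments it audits the constructed sample. The journaling requirement is not visible in fstab and is not checked here.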