Re: 9.0 install and journaling

Board: FB_questions | Posted: 2011/12/14 02:01
--On Tuesday, December 13, 2011 09:54:38 AM +1000 Da Rock
<freebsd-questions@herveybayaustralia.com.au> wrote:

> On 12/13/11 06:00, Eric S Pulley wrote:
>>> As for one big / partition- linux may be using it: and it's their biggest
>>> failing! I've had a system lockup due to lack of space. Never a problem
>>> with bsd as logs will only fill up var, a user won't break it with
>>> filling up usr, etc. And root always stays protected! It's saved my life
>>> a number of times... I can quickly fill TB's of data in no time, and if
>>> something goes bang the logs can be a silent killer too. My 2c's
>>> anyway...
>>> _______________________________________________
>>>
>> And along those lines for security of the system, this is the U.S. DoD
>> recommendations (well mandates really) including ZFS. Not that the DoD
>> doesn't have security problems... but I'm not a big fan of the one or
>> two mount point solution either… never understood why other OS
>> packagers think it is okay to just dump it all under /
>>
>> Per the DISA STIG (Security Technical Implementation Guide)
>>
>> / (obviously)
>> /<home directories>
>> /var
>> /tmp
>> /<location of audit files>
>>
>> should all be separate mount points "The use of separate file systems for
>> different paths can protect the system from failures resulting from a
>> file system becoming full or failing"...
>>
>> in addition...
>>
>> All local file systems must employ journaling or another mechanism that
>> ensures file system consistency.
>>
>> Removable media, remote file systems, and any file system that does not
>> contain approved device files must be mounted with the "nodev" option.
>>
>> Removable media, remote file systems, and any file system that does not
>> contain approved setuid files must be mounted with the "nosuid" option.
>>
>> The nosuid option must be enabled on all NFS client mounts.
>>
>> and so on... you can find a copy of the UNIX STIG online and some of it
>> is just crazy paranoia and makes your life a pain, but there are a lot of
>> good practices in it too.
>>
>>
> I don't think any of it crazy paranoia. A PITA, maybe, but not paranoid.
>
> Do you have a link to the original of it?

Sure, <http://iase.disa.mil/stigs/>

Lots more there than just UNIX too. I find that the newer "SRG" xml files
are easier to just load into a browser and read the recommendations rather
than poring through the big sections in the STIGs.

<http://iase.disa.mil/stigs/downloads/zip/unclassified_os-srg-unix_v1r1_finalsrg.zip>

Or just do the checklists. There are no *BSD specific ones but the
generic UNIX STIG works good (probably because at this point *BSD is
basically the reference implementation of UNIX or at least it should be...
damn Linux)

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
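
The mount rules quoted from the STIG in the message above (separate mount points, nosuid and nodev) can be checked mechanically against fstab text. The following is an added example, not part of the original post or of any DISA tool: /home and /var/audit are assumed stand-ins for the STIG's placeholder paths, the APPROVED sets are assumed site policy, the sample fstab is constructed, and it assumes the platform's mount accepts both option names.

```python
# Added example: audit fstab text against the mount rules quoted in the thread.
# Assumptions: /home and /var/audit stand in for the STIG's "<home directories>"
# and "<location of audit files>"; the APPROVED sets are site policy.
REQUIRED_MOUNTS = ("/", "/home", "/var", "/tmp", "/var/audit")
# File systems allowed to hold setuid files / device files (assumed policy).
APPROVED = {"nosuid": {"/", "/usr"}, "nodev": {"/", "/dev"}}
REMOTE_TYPES = {"nfs", "nfs4"}

def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options) for each fstab entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment, or malformed line
        device, mountpoint, fstype, opts = fields[:4]
        if fstype == "swap" or mountpoint == "none":
            continue  # swap has no mount point to audit
        yield device, mountpoint, fstype, set(opts.split(","))

def audit_fstab(text):
    """Return a sorted list of findings; an empty list means compliant."""
    entries = list(parse_fstab(text))
    mounted = {m for _, m, _, _ in entries}
    findings = [f"{m}: not a separate mount point"
                for m in REQUIRED_MOUNTS if m not in mounted]
    for _, mountpoint, fstype, opts in entries:
        for opt, approved in APPROVED.items():
            # Remote file systems never count as approved, whatever the path.
            exempt = mountpoint in approved and fstype not in REMOTE_TYPES
            if not exempt and opt not in opts:
                findings.append(f"{mountpoint}: missing {opt} ({fstype})")
    return sorted(findings)

# Constructed sample, not taken from a real host.
SAMPLE_FSTAB = """\
# Device        Mountpoint  FStype  Options         Dump Pass
/dev/ada0p2     /           ufs     rw              1 1
/dev/ada0p3     none        swap    sw              0 0
/dev/ada0p4     /var        ufs     rw,nosuid,nodev 2 2
/dev/ada0p5     /tmp        ufs     rw,nosuid       2 2
/dev/ada0p6     /home       ufs     rw,nosuid,nodev 2 2
filer:/export   /mnt/share  nfs     rw,nodev        0 0
"""

if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Removable media cannot be identified from fstab fields alone, so those entries need to be listed by hand or matched on device name before the same option check is applied to them.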
Article code (AID): #1EvvBgJo (FB_questions)