[svlug] Security question: read-only drive

Dagmar d'Surreal dagmar at dsurreal.org
Tue Feb 6 04:59:01 PST 2001


On Tue, 6 Feb 2001, Drew Bertola wrote:

> I want to lock down a system so that no one can install a root kit in
> any useful way.  I know it's possible to boot off of read-only media,
> and I have a SCSI HDD which can be set read-only.
> 
> Does anyone have experience with this?  What would my directory layout
> be?  I know I have to put /etc on the root partition, and /etc has to
> be writable (to accommodate mtab, ssh_random_seed, etc.), so what would
> I want to put on the read-only disk?

Whoohoo!  I never could get anyone in Nashville interested in trying
this.  I've done it a few times, and recommended it as a fast way to raise
the bar in a harsh fashion on script kiddies.  There are plenty of people
out there who can do live binary patching in memory, but that's plenty in
the global sense.

There are also small (but usable) flash disks that can accommodate a
modest filesystem for holding the OS as well, made by SanDisk, that a few
vendors are using in their turnkey products.  These are a little pricey
for experimenting with compared to $40 for an old full-height Seagate
drive, but nice for a finished product.

Filesystems you will need to keep writeable are /tmp, /var, and /etc (it
can be eliminated as writeable, but it's a major pain; better to rebuild
the important stuff so that it looks for its configuration files in
*non*-writable places other than /etc, like /usr/etc).  Everything under
/usr can be quite non-writeable (samba will need a little special
attention) and everything in /lib *should* be on a non-writeable
partition.  The biggest problem you'll run into will be dealing with /etc
and /lib, and I never came up with what could be construed as a "clean"
solution (ugly, ugly source file hacking and slashing).  You will likely
wind up recompiling most of what passes for your start-up binaries (some
people don't normally make /bin/sh wholly static.  Hello, /lib issues.) to
suit your own needs, since most distros aren't quite ready to be dropped
on partially non-writeable hardware.

About the only thing specific I can recommend is patience.  I managed to
get one up and working with the majority of everything in non-writeable
space, but didn't have a journaling filesystem at the time that could
handle having the power killed on the machine on a regular basis, because
the only way to be 100% sure the integrity checker gets run when it should
is to cold boot repeatedly (goodbye, massive uptimes).  I didn't go much
further than the experimental machine because I estimated I could spend
probably half the time straightening out the rest of the writeable parts
and come back to the other bits later.  I also had to make the hard
decision of doing some bizarre (for a machine with hard drives, yes) stuff
with ramdisks to get a little workspace and invoking mke2fs to simply wipe
out and rebuild the writeable parts on each boot, meaning no state
information would be preserved between boots.  A mostly non-writeable
configuration is still fairly good for making a firewall, and that sort of
thing will fit on even a small non-writeable drive, with configuration
files fitting nicely on a non-writeable (but more easily changeable to a
writeable state) floppy disk.

Last note, LS-120 drives are handy for some things other than making
Maxell's advertising department look bad.  ;)
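The boot-time procedure described in the reply above (wipe and rebuild the
writeable /tmp, /var and /etc on every boot, seed /etc from a pristine copy
kept on the read-only /usr, then run an integrity check against the
read-only trees before anything else starts) as an added example. This is
not the poster's own script and not from the svlug thread; it assumes a
layout where the pristine configuration lives at /usr/etc and the checksum
manifest lives on the read-only media (both assumptions), and it uses tmpfs
in place of the mke2fs-on-ramdisk step the poster describes. The ROOT
variable exists only so the functions can be exercised against a scratch
directory instead of the real root; mount_scratch needs root and is the
only piece that is not exercised that way.

```shell
#!/bin/sh
# Added example (not from the original post): boot helpers for a mostly
# read-only root.  Assumed layout (an assumption, not the poster's exact one):
#   /usr, /lib        read-only; pristine /etc kept at /usr/etc
#   /tmp, /var, /etc  rebuilt from scratch (tmpfs) on every boot
#   manifest          "sha256 path" lines, stored on the read-only media
# ROOT="" on a real machine; point it at a scratch directory to experiment.

ROOT="${ROOT:-}"

# Print the SHA-256 of one file.  Prefers sha256sum, falls back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_manifest DIR... : emit one "hash path" line per regular file, sorted
# so the manifest itself is reproducible.  Run once, from a trusted state,
# and store the output on the read-only media next to the trees it covers.
build_manifest() {
    for d in "$@"; do
        find "$d" -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s %s\n' "$(hash_file "$f")" "$f"
        done
    done
}

# verify_manifest MANIFEST : recompute every hash and report each file that
# is missing or changed.  Returns 1 on any discrepancy, so the boot script
# can refuse to start services (or halt) when the read-only trees differ.
verify_manifest() {
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        have=$(hash_file "$path")
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$1"
    return $bad
}

# mount_scratch : fresh tmpfs on each writeable tree.  Nothing survives a
# reboot, which is the point.  Requires root; not used in the self-test.
mount_scratch() {
    for d in tmp var etc; do
        mount -t tmpfs -o size=32m,nosuid,nodev tmpfs "$ROOT/$d"
    done
    chmod 1777 "$ROOT/tmp"
    mkdir -p "$ROOT/var/log" "$ROOT/var/run" "$ROOT/var/tmp"
}

# seed_etc : populate the empty /etc from the pristine copy on read-only /usr.
# Anything that must be written at runtime (mtab, the ssh seed) lands in the
# tmpfs copy, never on the read-only media.
seed_etc() {
    cp -Rp "$ROOT/usr/etc/." "$ROOT/etc/"
}

# Boot sequence: verify the read-only trees first, then build the scratch
# space.  Invoked as "sh rofs-boot.sh boot" from the init scripts.
if [ "${1:-}" = "boot" ]; then
    verify_manifest "$ROOT/usr/etc/manifest.sha256" || { echo "integrity check failed"; exit 1; }
    mount_scratch
    seed_etc
fi
```

The manifest only protects what it covers, so anything the poster keeps
writeable (/etc, /var, /tmp) is outside it; that is why the reply insists on
moving configuration the start-up binaries depend on into non-writeable
places like /usr/etc, where this check can see it.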
