
Re: LKM Trojan



On Tue, Jun 15, 2004 at 04:34:43PM -0000, bja@Illinois.DynDNS.Org wrote:
> Second, explore the options to your filesystems. Certain filesystems, /,
> for example, can be mounted ro (read-only) with little effort. /var and

It's a good idea to mount / as ro anyway and to leave /boot not
mounted at all.  This helps keep the partitions preserved in case the
system goes down in a hard crash.

> /tmp are probably separate filesystems anyway. All linux filesystems that
> I know of support the noexec option. Adding this on /home is a very good
> way, basic way to keep executable files out of your /home. This won't stop

You may want to be careful if you opt to set the noexec option on
/home.  No, the care has nothing to do with your security; rather,
your users may be a little tweaked to know that they can't install
newer versions of programs in their homedirs that they use often.
This also brings up the issue of user trust.

The filesystem you **do** want to use the noexec option on, however,
is /tmp.

-- 
Nathaniel Reindl

"You do know that you want to read it, and do what you must, because
it will be the only thing that you will do."
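
The mount-option advice in this message (/ read-only, /boot not mounted, noexec on /tmp), checked against a mount table. This is an added example, not part of the original post; the function names and the sample table are constructed, and on a live system you would pass in the contents of /proc/mounts.

```python
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda5 /var ext3 rw 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set(options)}; a later entry shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        # /proc/mounts and fstab escape spaces in paths as \040
        point = fields[1].replace("\\040", " ")
        mounts[point] = set(fields[3].split(","))
    return mounts

def covering_mount(mounts, path):
    """Longest mount point containing path, i.e. the filesystem it lives on."""
    best = None
    for point in mounts:
        inside = path == point or point == "/" or path.startswith(point + "/")
        if inside and (best is None or len(point) > len(best)):
            best = point
    return best

def audit(text, check_home=False):
    """List deviations from the thread's advice; /home is opt-in, as the
    reply notes that noexec there affects users' own installs."""
    mounts = parse_mounts(text)
    findings = []
    if "ro" not in mounts.get("/", set()):
        findings.append("/ is not mounted ro")
    if "/boot" in mounts:
        findings.append("/boot is mounted")
    for path in ["/tmp"] + (["/home"] if check_home else []):
        fs = covering_mount(mounts, path)
        if "noexec" not in mounts.get(fs, set()):
            # Without its own filesystem the path inherits its parent's options.
            note = "" if fs == path else " (not a separate filesystem; inherits from %s)" % fs
            findings.append("%s lacks noexec%s" % (path, note))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MOUNTS)) or "no findings")
```
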
