Bugtraq mailing list archives

Re: BoS: amodload.tar.gz - dynamic SunOS modules


From: blymn () awadi com au (Brett Lymn)
Date: Fri, 21 Jun 1996 12:06:57 +0930


According to der Mouse:

> What _will_ help is to make your boot disk physically read-only.  I
> have tried this with SunOS 4.1.x and NetBSD (with NFS-mounted root, not
> a real disk that's write protected, but the issues are the same).  The
> latter is relatively easy; the former is much harder but I think would
> be doable with a couple of binary patches to programs like mount that
> pigheadedly insist on writing into /etc.

SunOS mount only wants to write to /etc to update the mnttab file.
If you mount all the disks that you have while the partition is
writable, halt the system and then write protect the disk, mount will
whine about not being able to update things but will still do the
mount.  Since all the info is in the mnttab anyway, things work as
normal.

The real bear is convincing syslog to not create the socket log in
/dev.  It will not follow sym links when creating the socket, you need
to use the undocumented -p option to put the socket elsewhere and then
put a sym link in /dev that points at it.

> I've often wanted to set
> systems up this way, not because it hardens the system any with respect
> to initial compromise but because it hardens it a lot with respect to
> leaving trojans and other backdoors lying around.


We did put it into production for exactly these reasons....

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
  "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.
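A pre-flight check for the setup Brett describes, added here as an example and not code from the original thread: before write-protecting the boot disk, confirm that every fstab entry is already recorded in mnttab (mount will no longer be able to update it) and that the /dev/log entry is a symlink into a writable location rather than something syslogd would have to create on the read-only root. The fstab/mnttab layout, file paths and fixture contents are constructed assumptions, not a real SunOS system.

```shell
#!/bin/sh
# Added example: pre-flight checks before write-protecting a boot disk.
# Assumes fstab/mnttab files with device in field 1 and mountpoint in
# field 2, and a syslog socket reached through a symlink (hypothetical paths).

# check_mnttab FSTAB MNTTAB: every mountpoint listed in FSTAB must already
# be recorded in MNTTAB, because mount cannot update it once / is read-only.
check_mnttab() {
    rc=0
    while read -r dev mnt rest; do
        case $dev in ''|\#*) continue ;; esac
        if ! awk -v m="$mnt" '$2 == m { found = 1 } END { exit !found }' "$2"; then
            echo "missing from mnttab: $mnt"
            rc=1
        fi
    done < "$1"
    return $rc
}

# check_log_socket LINK WRITABLE_DIR: LINK must be a symlink whose target
# lives under WRITABLE_DIR, so syslogd (started with its socket elsewhere)
# never needs to create anything on the read-only root.
check_log_socket() {
    [ -L "$1" ] || { echo "$1 is not a symlink"; return 1; }
    target=$(readlink "$1")
    case $target in
        "$2"/*) return 0 ;;
        *) echo "$1 -> $target is outside $2"; return 1 ;;
    esac
}

# Constructed fixture standing in for the real /etc and /dev.
FIX=$(mktemp -d)
mkdir -p "$FIX/dev" "$FIX/var/run"
cat > "$FIX/fstab" <<'EOF'
# constructed sample fstab
/dev/sd0a / 4.2 rw 1 1
/dev/sd0g /usr 4.2 rw 1 2
/dev/sd1a /var 4.2 rw 1 3
EOF
printf '%s\n' '/dev/sd0a / 4.2 rw 0 0' '/dev/sd0g /usr 4.2 rw 0 0' \
    '/dev/sd1a /var 4.2 rw 0 0' > "$FIX/mnttab"
head -n 2 "$FIX/mnttab" > "$FIX/mnttab.partial"   # /var never mounted
ln -s "$FIX/var/run/log" "$FIX/dev/log"           # socket relocated, good
ln -s "$FIX/dev/log.real" "$FIX/dev/bad"          # still on root, bad

check_mnttab "$FIX/fstab" "$FIX/mnttab" && echo "mnttab complete"
check_log_socket "$FIX/dev/log" "$FIX/var/run" && echo "syslog socket relocated"
```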
