Immutable USB stick

I would like to make an immutable USB-based FreeBSD installation, kind of like the Linux-based Parted Magic, where I can know that whatever happens while testing a machine will not affect the USB stick.

I have not tried this before, so I am trying to make sure I understand the steps involved. Here is what I think I need:

1) Make root read-only
2) Make /var and /tmp memory filesystems
3) Make /home and /root memory filesystems
4) Have a startup script that copies /home for the user ID I am using, as well as /root, to the memory filesystem versions.

Am I getting close?

Thank you for the assistance.
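An added example, not part of the original post: a shell check of steps 1 to 3 above, run over `mount -p`-style lines. Both sample listings are constructed, and treating tmpfs or any `/dev/mdN` device as memory-backed is an assumption.

```shell
#!/bin/sh
# Mount points the post wants in memory (steps 2 and 3).
MEM_PATHS="/var /tmp /home /root"

# Reads fstab-format lines (device mountpoint fstype options ...) on stdin,
# as printed by FreeBSD `mount -p`. Prints one FAIL line per problem and
# returns non-zero if any were found.
audit_mounts() {
    awk -v mem="$MEM_PATHS" '
        BEGIN { n = split(mem, want, " ") }
        { dev[$2] = $1; fs[$2] = $3; opt[$2] = "," $4 "," }
        END {
            bad = 0
            # Step 1: root must be mounted read-only.
            if (!("/" in opt)) { print "FAIL / is not listed"; bad++ }
            else if (opt["/"] !~ /,ro,/) { print "FAIL / is not read-only"; bad++ }
            # Steps 2-3: each path is its own writable, memory-backed mount.
            # Assumption: tmpfs or any /dev/mdN device counts as memory.
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (!(p in fs)) { print "FAIL " p " is not a separate mount"; bad++ }
                else if (fs[p] != "tmpfs" && dev[p] !~ /^\/dev\/md[0-9]+$/) {
                    print "FAIL " p " is disk-backed: " dev[p]; bad++ }
                else if (opt[p] ~ /,ro,/) { print "FAIL " p " is read-only"; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample: the layout the post is aiming for.
sample_good() { cat <<'EOF'
/dev/ufs/usbroot / ufs ro 1 1
devfs /dev devfs rw 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/md0 /var ufs rw 0 0
tmpfs /home tmpfs rw 0 0
tmpfs /root tmpfs rw 0 0
EOF
}

# Constructed sample: writable root, /var on root, /home on a disk slice.
sample_bad() { cat <<'EOF'
/dev/da0s1a / ufs rw 1 1
devfs /dev devfs rw 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/da0s1d /home ufs rw 0 0
tmpfs /root tmpfs rw 0 0
EOF
}

sample_good | audit_mounts && echo "intended layout: OK"
sample_bad | audit_mounts || echo "second listing: stick can be modified"
```

On a running system, `mount -p | audit_mounts` performs the same check against the live mount table.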
 
Or you could use securelevels. The security(7) man page provides a brief description. You can google freebsd securelevel to find some howtos. Basically enable the immutable flag on any file/directory you might want protected. Set the securelevel to 1 in order to disable anyone from disabling the immutable flag. Securelevel 2 will disable direct access to disks. Securelevel 3 disables any changes to your existing firewall rules. Changes, like upgrades, need to be performed in single user state before the securelevel is enabled.

I don't know anyone who uses securelevels as this severely restricts maintainability.
 