This package adds functionality to an initramfs built by initramfs-tools. When installed and configured, the initramfs will mount an overlayfs filesystem on top of a read-only root volume.
EDIT: debsecan is another good one.
HTH
> The script looks too complicated
That's the entire init script from Alpine's initramfs. The only bits that are needed are a few fstab lines — the mount commands in my link show what options are needed for that.
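The mount sequence such a link describes, written out as a shell function so the steps can be inspected without root (DRY_RUN=1 prints them instead of running them). This is an added example, not code from the thread, Alpine or bilibop; the device path /dev/sda2 and the staging directories under /mnt are assumptions.

```shell
#!/bin/sh
# Read-only root plus a tmpfs-backed overlayfs upper layer: reads fall
# through to the real root, writes land in RAM and vanish at reboot.
set -eu

ROOTDEV="${ROOTDEV:-/dev/sda2}"   # assumed placeholder for the root device
LOWER=/mnt/lower                  # real root, mounted read-only
UPPER=/mnt/rw/upper               # writes go here (tmpfs)
WORK=/mnt/rw/work                 # overlayfs scratch dir, must share a filesystem with UPPER
NEWROOT=/mnt/newroot              # merged view handed to switch_root

# Print the command instead of executing it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mount_overlay_root() {
  run mkdir -p "$LOWER" /mnt/rw "$NEWROOT"
  # 1. The real root is mounted read-only, so nothing below the overlay can change.
  run mount -o ro,noatime "$ROOTDEV" "$LOWER"
  # 2. The upper layer lives on tmpfs; size= caps how much RAM a runaway writer can consume.
  run mount -t tmpfs -o size=50%,mode=0755 tmpfs /mnt/rw
  run mkdir -p "$UPPER" "$WORK"
  # 3. Merge the layers. Logs, traces and anything else written at runtime stay in UPPER only.
  run mount -t overlay -o "lowerdir=$LOWER,upperdir=$UPPER,workdir=$WORK" overlay "$NEWROOT"
  # Keep both layers visible after switch_root so the running system can inspect them.
  run mkdir -p "$NEWROOT/mnt/lower" "$NEWROOT/mnt/rw"
  run mount --move "$LOWER" "$NEWROOT/mnt/lower"
  run mount --move /mnt/rw "$NEWROOT/mnt/rw"
}
```

Call `mount_overlay_root` from an initramfs init before `switch_root "$NEWROOT" /sbin/init`; the fstab equivalent is the same three mounts in the same order.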
Thanks for the links, very useful.
EDIT: and in respect of Qubes and their "secure" virtualisation:
> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you should share it.

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

That's all x86 virtualization is.
Devarch wrote: immutability
How about overlayfs? Mount the root partition read-only with a writeable overlay that is lost on reboot.
Alpine uses overlayfs to run in RAM:
Yes, I'm using overlayfs
The script looks too complicated. There are much simpler solutions:
1. https://packages.debian.org/bullseye/bilibop uses overlayfs or aufs if aufs is in the kernel, easy to use
2. https://www.kicksecure.com/wiki/Grub-li … ng_started adds live boot entry
Did not find something similar for the BSD family. They are using unionfs but I've no idea if it is useful and how to use it.
Also I do not understand the concept of "reasonably secure operating system" Qubes. They are using systemd and have no immutability. All the logs, traces or malware are persistent. Strange.
Why don't I have /var/log/messages anymore? Not because I have noatime in fstab, and rsync installed.
I hope it's not a new feature.
tail -f /var/log/messages is handy.
I have a minimal console install, I'm being extremely careful, I haven't broken anything, I do that in a RefractaSS.
You might be running into this problem:
https://dev1galaxy.org/viewtopic.php?id=5096