Read-only filesystems
Perhaps the ultimate in directory tree structuring is where trusted files that are seldom changed are placed on their own filesystem and mounted as read-only. This virtually ensures that their contents cannot be modified during normal system operation. This technique is often used for large collections of executable files for trusted programs.
If modification of a file is required, the filesystem can be remounted as writable in a more protected context (for example in single-user mode or on a separate, more protected machine). It is recommended that programs be used to scan the filesystem for correct configuration (for example, proper DAC, MIC and MAC labels) after such updates.
In addition, the DAC, MIC, and MAC information cannot be altered on a read-only filesystem. Once the filesystem is properly configured, this should protect against security penetration schemes that attempt to alter the DAC information and/or MIC and MAC labels.
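As an added illustration (not code from the original document), the following Python checker covers two of the points above: confirming that trusted filesystems are actually mounted read-only by parsing /proc/mounts-style lines, and scanning a tree after an update for DAC deviations from a recorded baseline. The mount lines and the sample file are constructed; MIC and MAC labels are platform-specific, so the scan assumes plain POSIX owner, group and permission bits as the DAC data and leaves label checking to the platform's own tools.

```python
import os, stat, tempfile

# Constructed /proc/mounts-style sample: device, mountpoint, type, options, ...
MOUNTS_SAMPLE = """\
/dev/root / xfs rw,noatime 0 0
/dev/trusted1 /usr/trusted xfs ro,nosuid 0 0
/dev/trusted2 /opt/trusted xfs rw 0 0
"""

def parse_mounts(mounts_text):
    """Map each mountpoint to the set of its mount options."""
    return {f[1]: set(f[3].split(",")) for f in
            (line.split() for line in mounts_text.splitlines()) if len(f) >= 4}

def not_readonly(mounts_text, trusted_mountpoints):
    """Return the trusted mountpoints that are missing or not mounted with 'ro'."""
    table = parse_mounts(mounts_text)
    return [mp for mp in trusted_mountpoints if "ro" not in table.get(mp, set())]

def snapshot_dac(root):
    """Record (uid, gid, permission bits) for every entry below root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            manifest[os.path.relpath(path, root)] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return manifest

def scan_dac(root, manifest):
    """Compare the tree under root with the baseline; return {path: (expected, actual)}."""
    current = snapshot_dac(root)
    deviations = {}
    for rel in set(manifest) | set(current):
        if manifest.get(rel) != current.get(rel):
            deviations[rel] = (manifest.get(rel), current.get(rel))
    return deviations

def demo():
    """Constructed walk-through: take a baseline, then simulate a bad update that left a file world-writable."""
    root = tempfile.mkdtemp()
    tool = os.path.join(root, "trusted_tool")
    with open(tool, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(tool, 0o755)
    baseline = snapshot_dac(root)          # what the tree should look like after remounting read-only
    os.chmod(tool, 0o777)                  # the kind of DAC drift the post-update scan must flag
    return scan_dac(root, baseline)
```

In practice the baseline would be taken from a known-good copy of the trusted tree and the scan run every time the filesystem is returned to read-only.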