topic Re: CD/DVD WRITE DISABLE in Operating System - HP-UX

CD/DVD WRITE DISABLE

john guardian — Wed, 08 Dec 2010 18:08:41 GMT

If a system has a writable CD/DVD, is there an EASY method for root to permanently disable that facility, IE: via specific device file changes and/or any other mods?

Please be specific.

Thx.

Re: CD/DVD WRITE DISABLE

Matti_Kurkela — Wed, 08 Dec 2010 19:55:29 GMT

To disallow CD/DVD writing, simply don't create a /dev/rscsi/c#t#d# device for the CD/DVD burner. You cannot burn CDs without that device, and HP-UX won't create it automatically for you: root must always create that device manually, or using a script that comes with the CD burning software.

If someone has already created that device node, remove it, or set its permissions to root access only.

You seem to be trying to prepare a HP-UX system for processing some sort of sensitive information. Would you like some friendly advice?

(Whoa, I think I was channeling Clippy there. Anyway...)

You should keep in mind that physical access (the ability to poke the server with fingers and tools) to the server will trump most software security mechanisms. If you are planning to handle sensitive information, putting the server behind locked doors should be your *first* step.

Once your server is physically accessible by trusted personnel only, the problem of a writable CD/DVD should also be mostly solved: a writable CD/DVD drive is not useful to an unauthorized person if he/she cannot insert a blank CD/DVD.

When thinking about software-level security mechanisms, you should remember this: *anything* root can do, root can also undo. The OS cannot protect the system against a malicious person who has real root access, because with root access the malicious person can disable or override the protection mechanisms of the OS.

MK

Re: CD/DVD WRITE DISABLE

Steven Schweda — Wed, 08 Dec 2010 20:10:04 GMT

Define "permanently".

> Please be specific.

You first. What is your actual requirement?
The best actual solution may be to lock the
door, not to try to hobble the software, and
keep it hobbled "permanently". (Or did you
intend to run a cron job to check on this
stuff every few minutes to make sure that no
one has removed the hobbles?)

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1459606

Spreading the same problem across multiple
threads may not be the best path to the best
solution. (My first thought on reading this
post was, "What about the USB ports?".)

Re: CD/DVD WRITE DISABLE

KathyL1 — Thu, 09 Dec 2010 00:19:05 GMT

We have a similar requirement and our solution it to only ever install read-only CD/DVD drives in our servers.

Re: CD/DVD WRITE DISABLE

Steven Schweda — Thu, 09 Dec 2010 03:59:26 GMT

> [...] our solution [...]

Some years ago, I had occasion to visit a
certain government-operated facility which
employed armed guards and labyrinthine
hallways. It was a "medium motel": The
media check in, but they don't check out.

Physical security has its limitations, too
(like, say, a trusted senior employee with a
9-track tape under his coat), but it's
probably wiser to be aware of those
limitations than it is to believe that
there's some simple technical fix to a very
complex problem, and then relax.

Re: CD/DVD WRITE DISABLE

Tim Nelson — Thu, 09 Dec 2010 22:23:54 GMT

but there is a simple way........

physically remove the CD/DVD RW hardware from the server

Re: CD/DVD WRITE DISABLE

Steven Schweda — Thu, 09 Dec 2010 23:24:10 GMT

> but there is a simple way........
>
>
> physically remove the CD/DVD RW hardware
> from the server

Simple, but not particularly effective, if a
user can plug in his own USB-interface drive.
(Or SCSI, or ...)

Everything's complicated. (If you don't
think so, then think more. Or better. But,
"If you don't think too good, don't think too
much.")

Re: CD/DVD WRITE DISABLE

Autocross.US — Thu, 03 Feb 2011 20:05:53 GMT

Kinda late to this post, but i've just run across a similar requirement on some Linux systems to disable CD/DVD write access.

This was accomplished by removing read/execute permissions on the following executables that perform these write operations:

chmod 770 /usr/bin/cdrecord
chmod 770 /usr/bin/growisofs

You may want to start with these and then check for other programs that do this and restrict read/execute to them as well.

Re: CD/DVD WRITE DISABLE

Torsten. — Thu, 03 Feb 2011 20:14:21 GMT

I'm not sure where the issue is.

If you want to write to a CD, you must have physical access to the CD drive to insert a media.

Restrict the physical access like everyone is doing.

Since you usually need to be root to have write access, don't allow root access to others.

Any action done by root to prevent write access can be reverted by "another" root user.

However, IMHO to allow any kind of network access is much more dangerous ... ;-)

Re: CD/DVD WRITE DISABLE

john guardian — Thu, 03 Feb 2011 20:31:56 GMT

All input was appreciated. Ultimately, the physical devices were removed as I had originally advised my mgmt to do.

Thx to all who responded.

Re: CD/DVD WRITE DISABLE

Torsten. — Thu, 03 Feb 2011 20:45:17 GMT

Please allow this question:

Is this requirement made by non-technical management alerted by some articles in newspapers about swiss bank account data sold to several european governments on CD-Rs?

LOL!

If anyone would like to get some data from the server with bad intentions, I think the very last choice would be to burn them on the server itself ...

just my 2 cents ...