fsprotect is a collection of scripts that protects existing filesystems.
One benefit of fsprotect is that no changes to the protected filesystems are ever written to disk. Protected filesystems are mounted read-only, which prevents damage in the event of an improper shutdown. The tool is also straightforward to use: it requires only an "fsprotect" parameter for the root filesystem and a list of filesystems to protect in the /etc/default/fsprotect file. In some cases it can even speed up filesystem access.
There are some drawbacks to consider. First, changes made to protected filesystems cannot exceed a predefined limit, in bytes, set by the user. Second, because the tool makes extensive use of tmpfs, adequate swap space is required.
fsprotect works by using AUFS to combine two filesystems into one. For each protected filesystem, the tool combines the original filesystem with a tmpfs, so that all changes are written to the tmpfs and never to the disks. The protection process is relatively simple: it creates directories for the filesystem and its associated tmpfs and aufs, then runs a series of mount commands.
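The following sketch is an added example, not fsprotect's own code: it prints, without executing, one possible mount sequence for the non-root case described above. The /fsprotect staging directory, the function name plan_protect and the exact ordering of the commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: print (never execute) a mount sequence that unions a
# read-only view of a filesystem with a size-limited tmpfs through aufs.
# BASE and the orig/tmp/aufs layout are hypothetical, not fsprotect's paths.
BASE=/fsprotect

# plan_protect MOUNTPOINT SIZE_BYTES
# Writes the planned commands to stdout; returns 1 on invalid input.
plan_protect() {
    mp=${1%/}          # drop a trailing slash; "/" becomes empty
    size=$2
    case $mp in
        /*) ;;
        *)  # the root filesystem needs the initramfs path, not this one
            echo "need an absolute, non-root mount point: $1" >&2
            return 1 ;;
    esac
    case $size in
        ''|*[!0-9]*)
            echo "limit must be a plain byte count: $size" >&2
            return 1 ;;
    esac
    # /var/log -> var_log, so every protected filesystem gets its own dirs
    name=$(printf '%s' "${mp#/}" | tr '/' '_')
    orig=$BASE/orig/$name
    tmp=$BASE/tmp/$name
    union=$BASE/aufs/$name

    printf 'mkdir -p %s %s %s\n' "$orig" "$tmp" "$union"
    # Keep a handle on the real filesystem and make that view read-only.
    printf 'mount --bind %s %s\n' "$mp" "$orig"
    printf 'mount -o remount,bind,ro %s\n' "$orig"
    # The writable branch lives in memory; size= enforces the byte limit.
    printf 'mount -t tmpfs -o size=%s tmpfs %s\n' "$size" "$tmp"
    # The first branch (tmpfs) takes all writes, the second is only read.
    printf 'mount -t aufs -o br=%s=rw:%s=ro none %s\n' "$tmp" "$orig" "$union"
    # Put the union where the original filesystem used to be visible.
    printf 'mount --bind %s %s\n' "$union" "$mp"
}

# Constructed sample input: protect /home with a 128 MiB change limit.
plan_protect /home 134217728
```

Once the tmpfs reaches its size= limit, further writes to the union fail with "No space left on device", and everything held in the tmpfs is discarded at the next reboot.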
While the protection process for non-root filesystems is relatively straightforward, the procedure for securing the root filesystem is more involved. For the root filesystem, fsprotect uses an initramfs script that runs early in the boot process and exchanges the existing filesystem with an aufs.
Overall, fsprotect is a powerful toolkit for safeguarding filesystems on Debian systems. Its use of AUFS, along with its simple init script, makes it a great choice for public computers, and it offers numerous benefits, including the ability to prevent damage during improper shutdowns. While there are some limitations to consider, it is an excellent tool for anyone looking to secure their Debian system's filesystem.
Version 1.0.1: N/A