CME-501

Read-Only Root Filesystem

Description

Mounts the root filesystem read-only, so system binaries, libraries and configuration cannot be modified in place or carried across reboots. Writable state is confined to dedicated tmpfs or overlay mounts, and changes made there do not persist into the root image.

CVSS Vector Impacts

Metric            Transition   Rationale
Integrity (I)     H -> L       System files cannot be modified without first remounting / read-write. A process holding CAP_SYS_ADMIN (root in the initial namespace) can still do that remount, so the control raises the bar and makes tampering visible rather than making it impossible.
Availability (A)  H -> L       Damage to the writable areas is discarded; the system returns to its original state on reboot.

CWE Relationships

Verification

Check the access flag of the root filesystem. The flag (ro or rw) is always the first option listed, so read that token rather than grepping for the substring 'ro,', which also matches the common errors=remount-ro option on a read-write root.

$ findmnt -no OPTIONS / | cut -d, -f1
# Expected: ro
Platform: linux
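The layout the description above calls for, and the verification check, as an added example that is not part of the CME catalog. It audits a /proc/mounts-style listing with plain awk, so it runs on any Linux host without util-linux; the two listings it ships with are constructed samples (one hardened host, one default rw root) so the script runs offline, and the mount points it audits (/tmp, /run, /var/log) are an assumed set, not something the catalog entry prescribes. The naive_root_ro function reproduces the catalog's original grep 'ro,' test only to show its false positive.

```shell
#!/bin/sh
# Added example, not part of the CME catalog: audit a read-only-root layout from
# a /proc/mounts-style listing. Both listings below are constructed samples so
# the script runs offline; pass /proc/mounts to the functions to check a live host.

# Constructed sample: host laid out as CME-501 describes (ro root, volatile writable areas).
HARDENED_MOUNTS='/dev/vda1 / ext4 ro,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
overlay /var/log overlay rw,relatime,lowerdir=/var/log,upperdir=/rw/var/log,workdir=/rw/.work 0 0'

# Constructed sample: ordinary rw root whose errors=remount-ro option fools a grep for "ro,".
DEFAULT_MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# write_sample NAME: write one of the samples to a temp file and print its path.
write_sample() {
  f=$(mktemp) || return 1
  case "$1" in
    hardened) printf '%s\n' "$HARDENED_MOUNTS" > "$f" ;;
    default)  printf '%s\n' "$DEFAULT_MOUNTS" > "$f" ;;
    *) rm -f "$f"; return 1 ;;
  esac
  printf '%s\n' "$f"
}

# mount_opts FILE MOUNTPOINT: options column (field 4) of the entry for MOUNTPOINT.
mount_opts() {
  awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# root_mode FILE: prints "ro" or "rw". The access flag is always the first
# comma-separated option, so take that token instead of substring-matching "ro,".
root_mode() {
  mount_opts "$1" / | awk -F, '{ print $1 }'
}

# naive_root_ro FILE: the catalog's original grep 'ro,' test, kept to show its
# false positive on a rw root that carries errors=remount-ro,... in its options.
naive_root_ro() {
  awk '$2 == "/"' "$1" | grep -q 'ro,'
}

# root_is_ro FILE: succeeds only when / is actually mounted read-only.
root_is_ro() {
  [ "$(root_mode "$1")" = "ro" ]
}

# writable_is_volatile FILE MOUNTPOINT: succeeds when MOUNTPOINT is rw on tmpfs or
# overlay, i.e. a writable area whose contents do not land in the root image.
writable_is_volatile() {
  awk -v mp="$2" '
    $2 == mp && ($3 == "tmpfs" || $3 == "overlay") && $4 ~ /^rw(,|$)/ { ok = 1 }
    END { exit !ok }' "$1"
}

# audit FILE: one PASS/FAIL line per check; returns 1 if any check fails.
# The audited writable mount points are an assumed set for this example.
audit() {
  rc=0
  if root_is_ro "$1"; then echo "PASS / is ro"; else echo "FAIL / is $(root_mode "$1")"; rc=1; fi
  for mp in /tmp /run /var/log; do
    if writable_is_volatile "$1" "$mp"; then
      echo "PASS $mp is a volatile rw mount"
    else
      echo "FAIL $mp is not a volatile rw mount"; rc=1
    fi
  done
  return $rc
}

# Live usage: audit /proc/mounts
```

On the default sample, naive_root_ro succeeds while root_mode prints rw, which is exactly the false positive the verification step has to avoid. The audit only proves the mount table looks right at the moment it runs; a privileged process can still remount / read-write, so pair this check with monitoring for remount events if the integrity claim matters.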