Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hoping somebody else has come across this type of problem, I have several RH linux blades on a remote site which use SAN drives for all their disc, what I need to do is to secure erase the systems own discs from within itself as I am not able to get a network boot working from the kickstart server (hardware issue), I am decommissioning the servers but need to securely wipe the SAN LUNs before handing them back to be allocated for other systems. I have checked with the SAN team and they cannot preform this task for me as they have no visibility of the LUNs/filesystems only the block devices, any suggestions would be welcome.
This is a bit "out of my league," but I was under the impression that SAN devices usually possess the ability to "secure-erase themselves." In other words, specifically for this purpose: you've pulled the devices but need to erase them before you can put them back into the stockroom, on eBay, or into the trash. I would be very surprised if such a useful feature were limited to "guv'mint grade" hardware intended only for applications such as ==OMITTED==.
"Secure erase" would, of course, be a "block-level operation," not a filesystem-level operation.
You are correct that the SAN would be able to secure erase themselves but only at a Block device level and not at the LUN/filesystem level that I need to, as there are other LUNs in the same block that are still required, so I need a way to securely wipe the data including the OS from the LUNs before handing them back to the SAN team. Is there a way to store say the commands that I would need in to system memory to preform the task and then shutdown the machine.
Interesting problem.
First off, you can do the secure equivalent of 'rm -rf'. That would wipe out the files, but you wouldn't be able to reboot. Dunno if that's absolutely essential to you, but I don't think it's a good solution anyway.
Second trick might be to try chrooting into a ram disk, and remounting the root partitions within that. I'm fairly sure it wouldn't work though. It's still mounted above, and chroot isn't a full blown 'new' boot. In a similar vein, I wonder if you could use 'kexec' to soft reboot the kernel into a ram disk?
Your best shot might be to reboot and use an initramfs to mount and wipe the SAN filesystems. Although initramfs's are usuually used to load modules and such at bootup, there's not reason you can't have them do anything you want (such as wiping the filesystems). Depending on your distro, there's probably a mkinitramfs package available to help you. Check this to get the general idea as to what can be achieved.
Finally, it might be easier to try to figure out how to get network booting working rather than messing around with the above. What's the problem with it?
Me, I'd just drop down to an "init 1", disable SELinux, unmount what I could and start wiping.
The non-O/S system LUNs shouldn't be a problem; why not just "dd if=/dev/zero ..." over the top of them. Depends on your "securely delete" requirement - but for in-house I'd consider that sufficient.
For the system itself you should be able to do similar - turn off as much logging as possible and zap it. I can't see why you'd need to go out to the disk itself for data whilst doing this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.