Write once, read many (WORM) using Linux file system

Question

I have a requirement to write files to a Linux file system that can not be subsequently overwritten, appended to, updated in any way, or deleted. Not by a sudo-er, root, or anybody. I am attempting to meet the requirements of the financial services regulations for recordkeeping, FINRA 17A-4, which basically requires that electronic documents are written to WORM (write once, read many) devices. I would very much like to avoid having to use DVDs or expensive EMC Centera devices.

Is there a Linux file system, or can SELinux support the requirement for files to be made complete immutable immediately (or at least soon) after write? Or is anybody aware of a way I could enforce this on an existing file system using Linux permissions, etc?

I understand that I can set readonly permissions, and the immutable attribute. But of course I expect that a root user would be able to unset those.

I considered storing data to small volumes that are unmounted and then remounted read-only, but then I think that root could still unmount and remount as writable again.

I'm looking for any smart ideas, and worst case scenario I'm willing to do a little coding to 'enhance' an existing file system to provide this. Assuming there is a file system that is a good starting point. And put in place a carefully configured Linux server to act as this type of network storage device, doing nothing else.

After all of that, encryption on the files would be useful too!

score 3 · Answer 1 · answered Oct 26 '13 at 03:07

You can sort of do this with OpenAFS and read-only volumes. It's a lot of infrastructure to install to make it work however and might not meet the requirements.

http://www.openafs.org/

Basically, there is a writeable volume and one or more read-only copies of the volume. Until you release the writeable volume, the read-only copies are unchangeable to clients. Releasing the volume requires admin privileges.

It seems like any solution would require either specialized hardware or a network file system that duplicates the semantics of specialized hardware.

score 1 · Accepted Answer · answered Nov 02 '15 at 19:16

It seems that there is no way to do this without writing custom file system / kernel code.

A viable solution appears to be to use Amazon Glacier with WORM archive storage option. According to the AWS Official Blog at: https://aws.amazon.com/blogs/aws/glacier-vault-lock/

[...] a new Glacier feature that allows you to lock your vault with a variety of compliance controls that are designed to support this important records retention use case. You can now create a Vault Lock policy on a vault and lock it down. Once locked, the policy cannot be overwritten or deleted. Glacier will enforce the policy and will protect your records according to the controls (including a predefined retention period) specified therein.

You cannot change the Vault Lock policy after you lock it. However, you can still alter and configure the access controls that are not related to compliance by using a separate vault access policy. For example, you can grant read access to business partners or designated third parties (as sometimes required by regulation).

For me, this provides exactly what is needed without the expense of NetApp or EMC hardware, while appearing to meet the record retention requirements.

score 0 · Answer 3 · answered Jan 11 '14 at 18:51

If you simply need to access files from a system in which users cannot overwrite them you can mount a remote volume on which you have no write permission. Easiest way to do this is to mount a read-only samba/cifs share.

Otherwise if you need a way to allow users to write new files (that cannot be overwritten or modified) a solution is to mount an FTP path with FUSE curlftpfs.

You can set your proftpd directory with these directives:

AllowOverwrite off
<Limit WRITE>
  DenyAll
</Limit>
<Limit STOR>
  AllowAll
</Limit>

In this way new files can be stored in the mounted directory, but they cannot be anymore modified or removed.

links: CurlFtpFS, ProFTPD

score 0 · Answer 4 · answered Mar 27 '18 at 22:40

This is a variation on the "Infalible backup" problem and the only way to implement it is with multiple remote worm file systems that use and share checksums and do not have shared physical or administration access. This ensures everything is write once, duplicated, integrity provable, and in the case of a single block being erased, changed or corrupted, recoverable.

Plan9 or it's derivatives may impliment all of the required features. See Plan9 and Venti

Write once, read many (WORM) using Linux file system

4 Answers4