Every year, with the end of the academic period, I make a clone of the main moodle site and I keep it in read-only mode as a kind of historical archive containing a snapshot of the former year. This is what I do to make Moodle 2.7 read only. It's not very well tested, so do it under your own responsibility:
Step 1: Backup DB
To do that, you can use mysqldump utility:
mysqldump moodle27_db | gzip -c > moodle27_db.sql.gz
In case you need to restore it later, you can do the following:
gunzip -c moodle27_db.sql.gz | mysql moodle27_db
Additionally, it could be interesting to backup moodledata directory.
Step2: Restrict student rol (5) to view only
With the following changes in the Moodle database, students will only be able to view things inside courses, but they won't be able to view their own submissions or answers to questionnaires. Additionally, we will prevent users from editing their own profile and changing their passwords, if we consider that it is necessary.
You can check students capabilities before doing any changes:
SELECT * FROM mdl_role_capabilities WHERE roleid = 5;
To downgrade student role capabilities:
UPDATE mdl_role_capabilities
SET permission = -1000
WHERE roleid = 5 AND capability IN (
'enrol/self:unenrolself',
'mod/assign:view',
'mod/assignment:view',
'mod/quiz:reviewmyattempts',
'mod/chat:chat',
'mod/data:viewentry',
'mod/feedback:view',
'mod/chat:chat',
'mod/data:viewentry',
'mod/feedback:view',
'mod/forum:viewdiscussion',
'mod/glossary:view',
'mod/wiki:viewpage',
'mod/wiki:viewcomment',
'mod/workshop:view',
'moodle/blog:view',
'moodle/comment:view');
UPDATE mdl_role_capabilities
SET permission = -1000
WHERE roleid = 7 AND capability = 'moodle/user:editownprofile';
UPDATE mdl_role_capabilities
SET permission = -1000
WHERE roleid = 7 AND capability = 'moodle/user:changeownpassword';
Step 3: Downgrade editingteacher role (3) capabilities to simple teacher role (4) capabilities
The following will allow teachers to view everithing, including students submissions or answers to questionnaires, while preventing them from changing courses or grades.
UPDATE mdl_role_assignments
SET roleid = 4
WHERE roleid = 3;
UPDATE mdl_role_capabilities
SET permission = -1000
WHERE roleid = 4 AND capability NOT LIKE "%view%";
Step 4: Write protect file storage directory
I don't think this is necessary but, for additional protection, you can change moodledata permissions if you want:
cd /var/moodledata/
chmod 550 filedir
cd filedir
find -type f -exec chmod 440 {} \;
find -type d -exec chmod 550 {} \;