On 04/11/10 00:26, Francesco R wrote:
> 2010/11/3 Ed W <lists@××××××××××.com <mailto:lists@××××××××××.com>>
>
> Just to run an idea up the flagpole...
>
> I have had good success with a slightly orthogonal approach to
> securing my servers. I run a hardened gentoo install, but with
> linux-vservers for the guests and additionally pax kernel patches.
>
> The motivation is that Pax has mitigated a reasonable proportion
> of recent kernel issues. On the userspace side, linux-vservers
> are something like chroot-on-steroids and make it very
> straightforward to ringfence user applications without quite going
> to a full virtualisation solution. (For those who don't know,
> Linux-vservers look and smell like a virtualisation solution, but
> they are implemented using a kind of chroot - lxc containers are
> re-implementing the same idea, but currently much less advanced)
>
> Up until now I have also been running kernels with the grsec
> patches, but merging those with linux-vserver is relatively
> complex since there is some overlap. Additionally it would appear
> that linux-vservers offer a large chunk of the protection that the
> grsec restrictions should offer. You lose the grsec RBAC system
> by going only PAX, but that doesn't quite work as expected with
> vservers, so I would think most users wouldn't implement that anyway.
>
> So the proposal is to recognise another secure setup which is:
>
> - Minimal host installation + linux-vserver / pax kernel
> - Applications moved to lightweight vserver guests (go pretty much
> one application / webapp per guest)
>
> Who cares?
>
> Cheers
>
> Ed W
>
> I do care
> - Francesco Riosa

Hello Ed,

I was speaking on the matter with blueness and he said he won't mind
proxying you if you take care of a new ebuild (I suggested
hardened-vserver-sources for example) and the docs. On my side I can
help you a bit with the docs, especially with formatting and exposing
things in a newbie-understandable way, though as I don't know about
vserver I won't be able to write those docs, sorry.

Take care
klondike