| 1 |
El 04/11/10 00:26, Francesco R escribió: |
| 2 |
> 2010/11/3 Ed W <lists@××××××××××.com <mailto:lists@××××××××××.com>> |
| 3 |
> |
| 4 |
> Just to run an idea up the flagpole... |
| 5 |
> |
| 6 |
> I have had good success with a slightly orthogonal approach to |
| 7 |
> securing my servers. I run a hardened gentoo install, but with |
| 8 |
> linux-vservers for the guests and additionally pax kernel patches. |
| 9 |
> |
| 10 |
> The motivation is that Pax has mitigated a reasonable proportion |
| 11 |
> of recent kernel issues. On the userspace side, linux-vservers |
| 12 |
> are something like chroot-on-steroids and make it very |
| 13 |
> straightforward to ringfence user applications without quite going |
| 14 |
> to a full virtualisation solution. (For those who don't know, |
| 15 |
> Linux-vservers look and smell like a virtualisation solution, but |
| 16 |
> they are implemented using a kind of chroot - lxc containers are |
| 17 |
> re-implementing the same idea, but currently much less advanced) |
| 18 |
> |
| 19 |
> Up until now I have also been running kernels with the grsec |
| 20 |
> patches, but merging those with linux-vserver is relatively |
| 21 |
> complex since there is some overlap. Additionally it would appear |
| 22 |
> that linux-vservers offer a large chunk of the protection that the |
| 23 |
> grsec restrictions should offer. You loose the grsec RBAC system |
| 24 |
> by going only PAX, but that doesn't quite work as expected with |
| 25 |
> vservers, so I would think most users wouldn't implement that anyway |
| 26 |
> |
| 27 |
> So the proposal is to recognise another secure setup which is: |
| 28 |
> |
| 29 |
> - Minimal host installation + linux-vserver / pax kernel |
| 30 |
> - Applications moved to lightweight vserver guests (go pretty much |
| 31 |
> one application / webapp per guest) |
| 32 |
> |
| 33 |
> Who cares? |
| 34 |
> |
| 35 |
> Cheers |
| 36 |
> |
| 37 |
> Ed W |
| 38 |
> |
| 39 |
> I do care |
| 40 |
> - Francesco Riosa |
| 41 |
Hello Ed, |
| 42 |
|
| 43 |
I was speaking on the matter with blueness and he said he won't mind |
| 44 |
proxying you if you take care of a new ebuild (I suggested |
| 45 |
hardened-vserver-sources for example) and the docs. On my side I can |
| 46 |
help you a bit with the docs, specially with formatting and exposing |
| 47 |
things in a newbie understandable way, though as I don't know about |
| 48 |
vserver I won't be able to write those docs, sorry. |
| 49 |
|
| 50 |
Take care |
| 51 |
klondike |
Archives