Just to run an idea up the flagpole...

I have had good success with a slightly orthogonal approach to securing
my servers. I run a hardened Gentoo install, but with linux-vservers
for the guests and additionally PaX kernel patches.

The motivation is that PaX has mitigated a reasonable proportion of
recent kernel issues. On the userspace side, linux-vservers are
something like chroot-on-steroids and make it very straightforward to
ringfence user applications without quite going to a full virtualisation
solution. (For those who don't know, Linux-vservers look and smell like
a virtualisation solution, but they are implemented using a kind of
chroot - LXC containers are re-implementing the same idea, but currently
much less advanced.)

Up until now I have also been running kernels with the grsec patches,
but merging those with linux-vserver is relatively complex since there
is some overlap. Additionally it would appear that linux-vservers offer
a large chunk of the protection that the grsec restrictions should
offer. You lose the grsec RBAC system by going only PaX, but that
doesn't quite work as expected with vservers, so I would think most
users wouldn't implement that anyway.

So the proposal is to recognise another secure setup which is:

- Minimal host installation + linux-vserver / PaX kernel
- Applications moved to lightweight vserver guests (go pretty much one
  application / webapp per guest)

Who cares?

Cheers

Ed W