| 1 |
Just to run an idea up the flagpole... |
| 2 |
|
| 3 |
I have had good success with a slightly orthogonal approach to securing |
| 4 |
my servers. I run a hardened gentoo install, but with linux-vservers |
| 5 |
for the guests and additionally pax kernel patches. |
| 6 |
|
| 7 |
The motivation is that Pax has mitigated a reasonable proportion of |
| 8 |
recent kernel issues. On the userspace side, linux-vservers are |
| 9 |
something like chroot-on-steroids and make it very straightforward to |
| 10 |
ringfence user applications without quite going to a full virtualisation |
| 11 |
solution. (For those who don't know, Linux-vservers look and smell like |
| 12 |
a virtualisation solution, but they are implemented using a kind of |
| 13 |
chroot - lxc containers are re-implementing the same idea, but currently |
| 14 |
much less advanced) |
| 15 |
|
| 16 |
Up until now I have also been running kernels with the grsec patches, |
| 17 |
but merging those with linux-vserver is relatively complex since there |
| 18 |
is some overlap. Additionally it would appear that linux-vservers offer |
| 19 |
a large chunk of the protection that the grsec restrictions should |
| 20 |
offer. You loose the grsec RBAC system by going only PAX, but that |
| 21 |
doesn't quite work as expected with vservers, so I would think most |
| 22 |
users wouldn't implement that anyway |
| 23 |
|
| 24 |
So the proposal is to recognise another secure setup which is: |
| 25 |
|
| 26 |
- Minimal host installation + linux-vserver / pax kernel |
| 27 |
- Applications moved to lightweight vserver guests (go pretty much one |
| 28 |
application / webapp per guest) |
| 29 |
|
| 30 |
Who cares? |
| 31 |
|
| 32 |
Cheers |
| 33 |
|
| 34 |
Ed W |
Archives