| 1 |
On 01/02/2010 12:35, Hinnerk van Bruinehsen wrote: |
| 2 |
> s one thing which disturbs me: Since Gentoo (and hardened |
| 3 |
> Gentoo) is sourcebased, i'll need a complete toolchain to keep the |
| 4 |
> system up to date. |
| 5 |
> |
| 6 |
> I don't like the idea of giving this tools to someone who might |
| 7 |
> compromise the server. |
| 8 |
> |
| 9 |
> Is there a way to keep the toolchain on a thumbdrive or in an encrypted |
| 10 |
> partition, so that a possible attacker can't use it, while I have still |
| 11 |
> access to it? Does a how-to or a guide exist, which coud guide me |
| 12 |
> through the process of setting it up correctly |
| 13 |
|
| 14 |
You have a 90% working solution through compiling and distributing |
| 15 |
binary packages. The constraints are that you need to sync your USE |
| 16 |
flags and compile flags, or use multiple binary repositories. |
| 17 |
|
| 18 |
I actually use something partially similar to keep a bunch of |
| 19 |
linux-vservers in sync - I maintain a set of custom profiles which |
| 20 |
inherit from the hardened profile and these are customised for each |
| 21 |
server "type", eg I have a hardened-apache and a hardened-nginx and a |
| 22 |
hardened-postfix, etc profile. I use linux-vservers so that I can have |
| 23 |
very fine grained app installations and flexibility to swap hardware (eg |
| 24 |
nearly all web applications get their own complete virtual machine...). |
| 25 |
Largely the USE flags/compile flags are all set in my profiles, but I do |
| 26 |
relax this a little bit as I allow toolchain on each vserver (which you |
| 27 |
are avoiding, so vary your setup) |
| 28 |
|
| 29 |
There are some limitations with binary packages in that new users don't |
| 30 |
seem to get created correctly (see various history on the -embedded |
| 31 |
list). This can be worked around in general, but just beware of that |
| 32 |
small issue |
| 33 |
|
| 34 |
One feature that I like but don't exploit about linux-vservers is that |
| 35 |
in theory you can easily use the host tools to test/verify the guest |
| 36 |
installation - this means double trouble if the host is compromised, but |
| 37 |
potentially allows interesting avenues to detect compromised guests by |
| 38 |
examining them from the host. Probably similar things can be done with |
| 39 |
all other virtualisation solutions also. |
| 40 |
|
| 41 |
Quick checklist is that whatever solution you pick it should DEFINITELY |
| 42 |
include virtualised guest right from the word go... |
| 43 |
|
| 44 |
I have found gentoo a very good fit for maintaining a long term |
| 45 |
installation without the pain of re-installs which you eventually |
| 46 |
encounter with Redhat/debian solutions. However, I would suggest that |
| 47 |
the base level of experience required to manage the server is higher, |
| 48 |
but the payoff is much greater control and ease of management. Over to |
| 49 |
you to decide if these tradeoffs are manageable, but big thumbs up from |
| 50 |
me for our needs. |
| 51 |
|
| 52 |
Good luck |
| 53 |
|
| 54 |
Ed W |
Archives