Gentoo Archives: gentoo-hardened

From: Ed W <lists@××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Re: to chroot or not to chroot
Date: Sun, 06 Sep 2009 09:26:57
Message-Id: 4AA3805E.8080705@wildgooses.com
In Reply to: Re: [gentoo-hardened] Re: to chroot or not to chroot by RijilV
RijilV wrote:
> 2009/6/10 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com>:
>
>> FWIW, I jail/chroot everything that connects to the net; e.g. browsers,
>> mail client, tor client, DNS server, nmap, snort, dhcpcd .....
>> everything.
>>
>
> What are you using to do your chrooting?
>
> .r'
>
Can I recommend the excellent linux-vserver project? It's a bit more heavyweight than you were looking for, but basically makes it super simple to spin up what feel like fully virtualised machines. Weight-wise it's somewhere between a full virtualisation solution and a chroot (in fact it's kind of a wrapper around a chroot to make it feel like a full machine instance). If you are really keen though, you can use the unification utility and effectively hard-link many jails together, which gives you a very, very lightweight way to run up many instances of a process.

Personally I wouldn't boot up a server without using at least this...

If you just want to harden apache then also look at mod_security, which can give you a chroot and also quite a decent "software firewall" that may well help. grsecurity (or other RBAC) could additionally be used to constrain the damage a cgi script could cause.

Good luck

Ed W
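As an added illustration of the unification idea mentioned above (example code written for this page, not linux-vserver's own vunify tool), the script below hard-links files that are byte-identical at the same relative path in two constructed jail trees and leaves per-jail differences untouched; the jail layout, file contents and the use of GNU stat(1) are assumptions.

```shell
#!/bin/sh
# Added example, not linux-vserver's vunify: hard-link files that are
# byte-identical at the same relative path in two jail trees, so that many
# jails share one on-disk copy. Assumes GNU stat(1), find, cmp and ln.

# Build two constructed jail trees: a shared library (identical) and a
# per-jail config file (differs), so only the former should be unified.
make_jails() {
    for j in jail1 jail2; do
        mkdir -p "$1/$j/usr/lib" "$1/$j/etc"
        printf 'shared library bytes\n' > "$1/$j/usr/lib/libshared.so"
        printf 'hostname=%s\n' "$j" > "$1/$j/etc/hostname"
    done
}

# Hard-link count of a file (1 = private copy, 2+ = shared between jails).
link_count() { stat -c %h "$1"; }

# unify_tree REF OTHER: for each regular file under REF, if OTHER has a
# byte-identical regular file at the same relative path that is not already
# the same inode, replace OTHER's copy with a hard link to REF's copy.
# Prints the number of files linked. Files that differ are left alone.
# Caveat: a hard-linked file edited in place inside one jail changes in all
# of them; linux-vserver guards against this by marking unified files
# immutable-unlink (they can be replaced by unlinking, not modified).
unify_tree() {
    ref=$1; other=$2
    find "$ref" -type f | while read -r f; do
        rel=${f#"$ref"/}
        o="$other/$rel"
        [ -f "$o" ] || continue
        [ "$(stat -c %i "$f")" = "$(stat -c %i "$o")" ] && continue
        if cmp -s "$f" "$o"; then
            ln -f "$f" "$o" && echo "$rel"
        fi
    done | wc -l | tr -d ' '
}

# Demo when run as: sh unify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_jails "$tmp"
    echo "linked: $(unify_tree "$tmp/jail1" "$tmp/jail2")"
    echo "libshared.so links: $(link_count "$tmp/jail1/usr/lib/libshared.so")"
    rm -rf "$tmp"
fi
```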