1 |
2010/11/3 Ed W <lists@××××××××××.com> |
2 |
|
3 |
> Just to run an idea up the flagpole... |
4 |
> |
5 |
> I have had good success with a slightly orthogonal approach to securing my |
6 |
> servers. I run a hardened gentoo install, but with linux-vservers for the |
7 |
> guests and additionally pax kernel patches. |
8 |
> |
9 |
> The motivation is that Pax has mitigated a reasonable proportion of recent |
10 |
> kernel issues. On the userspace side, linux-vservers are something like |
11 |
> chroot-on-steroids and make it very straightforward to ringfence user |
12 |
> applications without quite going to a full virtualisation solution. (For |
13 |
> those who don't know, Linux-vservers look and smell like a virtualisation |
14 |
> solution, but they are implemented using a kind of chroot - lxc containers |
15 |
> are re-implementing the same idea, but currently much less advanced) |
16 |
> |
17 |
> Up until now I have also been running kernels with the grsec patches, but |
18 |
> merging those with linux-vserver is relatively complex since there is some |
19 |
> overlap. Additionally it would appear that linux-vservers offer a large |
20 |
> chunk of the protection that the grsec restrictions should offer. You loose |
21 |
> the grsec RBAC system by going only PAX, but that doesn't quite work as |
22 |
> expected with vservers, so I would think most users wouldn't implement that |
23 |
> anyway |
24 |
> |
25 |
> So the proposal is to recognise another secure setup which is: |
26 |
> |
27 |
> - Minimal host installation + linux-vserver / pax kernel |
28 |
> - Applications moved to lightweight vserver guests (go pretty much one |
29 |
> application / webapp per guest) |
30 |
> |
31 |
> Who cares? |
32 |
> |
33 |
> Cheers |
34 |
> |
35 |
> Ed W |
36 |
> |
37 |
> I do care |
38 |
- Francesco Riosa |