| 1 |
2010/11/3 Ed W <lists@××××××××××.com> |
| 2 |
|
| 3 |
> Just to run an idea up the flagpole... |
| 4 |
> |
| 5 |
> I have had good success with a slightly orthogonal approach to securing my |
| 6 |
> servers. I run a hardened gentoo install, but with linux-vservers for the |
| 7 |
> guests and additionally pax kernel patches. |
| 8 |
> |
| 9 |
> The motivation is that Pax has mitigated a reasonable proportion of recent |
| 10 |
> kernel issues. On the userspace side, linux-vservers are something like |
| 11 |
> chroot-on-steroids and make it very straightforward to ringfence user |
| 12 |
> applications without quite going to a full virtualisation solution. (For |
| 13 |
> those who don't know, Linux-vservers look and smell like a virtualisation |
| 14 |
> solution, but they are implemented using a kind of chroot - lxc containers |
| 15 |
> are re-implementing the same idea, but currently much less advanced) |
| 16 |
> |
| 17 |
> Up until now I have also been running kernels with the grsec patches, but |
| 18 |
> merging those with linux-vserver is relatively complex since there is some |
| 19 |
> overlap. Additionally it would appear that linux-vservers offer a large |
| 20 |
> chunk of the protection that the grsec restrictions should offer. You loose |
| 21 |
> the grsec RBAC system by going only PAX, but that doesn't quite work as |
| 22 |
> expected with vservers, so I would think most users wouldn't implement that |
| 23 |
> anyway |
| 24 |
> |
| 25 |
> So the proposal is to recognise another secure setup which is: |
| 26 |
> |
| 27 |
> - Minimal host installation + linux-vserver / pax kernel |
| 28 |
> - Applications moved to lightweight vserver guests (go pretty much one |
| 29 |
> application / webapp per guest) |
| 30 |
> |
| 31 |
> Who cares? |
| 32 |
> |
| 33 |
> Cheers |
| 34 |
> |
| 35 |
> Ed W |
| 36 |
> |
| 37 |
> I do care |
| 38 |
- Francesco Riosa |
Archives