Just to run an idea up the flagpole...
I have had good success with a slightly orthogonal approach to securing
my servers. I run a hardened gentoo install, but with linux-vservers
for the guests and additionally pax kernel patches.
The motivation is that Pax has mitigated a reasonable proportion of
recent kernel issues. On the userspace side, linux-vservers are
something like chroot-on-steroids and make it very straightforward to
ringfence user applications without quite going to a full virtualisation
solution. (For those who don't know, Linux-vservers look and smell like
a virtualisation solution, but they are implemented using a kind of
chroot - lxc containers are re-implementing the same idea, but are currently
much less advanced.)
Up until now I have also been running kernels with the grsec patches,
but merging those with linux-vserver is relatively complex since there
is some overlap. Additionally it would appear that linux-vservers offer
a large chunk of the protection that the grsec restrictions should
offer. You lose the grsec RBAC system by going only PAX, but that
doesn't quite work as expected with vservers, so I would think most
users wouldn't implement that anyway.
So the proposal is to recognise another secure setup which is:
- Minimal host installation + linux-vserver / pax kernel
- Applications moved to lightweight vserver guests (go pretty much one
application / webapp per guest)
Who cares?
Cheers
Ed W