2010/11/3 Ed W <li...@wildgooses.com>
> Just to run an idea up the flagpole...
>
> I have had good success with a slightly orthogonal approach to securing my
> servers. I run a hardened gentoo install, but with linux-vservers for the
> guests and additionally pax kernel patches.
>
> The motivation is that Pax has mitigated a reasonable proportion of recent
> kernel issues. On the userspace side, linux-vservers are something like
> chroot-on-steroids and make it very straightforward to ringfence user
> applications without quite going to a full virtualisation solution. (For
> those who don't know, Linux-vservers look and smell like a virtualisation
> solution, but they are implemented using a kind of chroot - lxc containers
> are re-implementing the same idea, but currently much less advanced)
>
> Up until now I have also been running kernels with the grsec patches, but
> merging those with linux-vserver is relatively complex since there is some
> overlap. Additionally it would appear that linux-vservers offer a large
> chunk of the protection that the grsec restrictions should offer. You lose
> the grsec RBAC system by going only PAX, but that doesn't quite work as
> expected with vservers, so I would think most users wouldn't implement that
> anyway
>
> So the proposal is to recognise another secure setup which is:
>
> - Minimal host installation + linux-vserver / pax kernel
> - Applications moved to lightweight vserver guests (go pretty much one
>   application / webapp per guest)
>
> Who cares?
>
> Cheers
>
> Ed W
>

I do care - Francesco Riosa