gentoo-hardened November 2010 archive
Main Archive Page > Month Archives  > gentoo-hardened archives
gentoo-hardened: Re: [gentoo-hardened] Suggestion for kernel tre

Re: [gentoo-hardened] Suggestion for kernel tree: Pax + linux-vserver

From: Francesco R <vivo75_at_nospam>
Date: Wed Nov 03 2010 - 23:26:20 GMT
To: gentoo-hardened@lists.gentoo.org

2010/11/3 Ed W <lists@wildgooses.com>

> Just to run an idea up the flagpole...
>
> I have had good success with a slightly orthogonal approach to securing my
> servers. I run a hardened gentoo install, but with linux-vservers for the
> guests and additionally pax kernel patches.
>
> The motivation is that Pax has mitigated a reasonable proportion of recent
> kernel issues. On the userspace side, linux-vservers are something like
> chroot-on-steroids and make it very straightforward to ringfence user
> applications without quite going to a full virtualisation solution. (For
> those who don't know, Linux-vservers look and smell like a virtualisation
> solution, but they are implemented using a kind of chroot - lxc containers
> are re-implementing the same idea, but currently much less advanced)
>
> Up until now I have also been running kernels with the grsec patches, but
> merging those with linux-vserver is relatively complex since there is some
> overlap. Additionally it would appear that linux-vservers offer a large
> chunk of the protection that the grsec restrictions should offer. You loose
> the grsec RBAC system by going only PAX, but that doesn't quite work as
> expected with vservers, so I would think most users wouldn't implement that
> anyway
>
> So the proposal is to recognise another secure setup which is:
>
> - Minimal host installation + linux-vserver / pax kernel
> - Applications moved to lightweight vserver guests (go pretty much one
> application / webapp per guest)
>
> Who cares?
>
> Cheers
>
> Ed W
>
> I do care
- Francesco Riosa