gentoo-hardened November 2010 archive

Re: [gentoo-hardened] Suggestion for kernel tree: Pax + linux-vserver

From: klondike <franxisco1988_at_nospam>
Date: Thu Nov 04 2010 - 02:45:26 GMT
To: gentoo-hardened@lists.gentoo.org

On 04/11/10 00:26, Francesco R wrote:
> 2010/11/3 Ed W <lists@wildgooses.com>
>
> Just to run an idea up the flagpole...
>
> I have had good success with a slightly orthogonal approach to
> securing my servers. I run a hardened gentoo install, but with
> linux-vservers for the guests and additionally pax kernel patches.
>
> The motivation is that Pax has mitigated a reasonable proportion
> of recent kernel issues. On the userspace side, linux-vservers
> are something like chroot-on-steroids and make it very
> straightforward to ringfence user applications without quite going
> to a full virtualisation solution. (For those who don't know,
> Linux-vservers look and smell like a virtualisation solution, but
> they are implemented using a kind of chroot - lxc containers are
> re-implementing the same idea, but currently much less advanced)
>
> Up until now I have also been running kernels with the grsec
> patches, but merging those with linux-vserver is relatively
> complex since there is some overlap. Additionally it would appear
> that linux-vservers offer a large chunk of the protection that the
> grsec restrictions should offer. You lose the grsec RBAC system
> by going only PAX, but that doesn't quite work as expected with
> vservers, so I would think most users wouldn't implement that anyway.
>
> So the proposal is to recognise another secure setup which is:
>
> - Minimal host installation + linux-vserver / pax kernel
> - Applications moved to lightweight vserver guests (go pretty much
> one application / webapp per guest)
>
> Who cares?
>
> Cheers
>
> Ed W
>
> I do care
> - Francesco Riosa
Hello Ed,

I was speaking on the matter with blueness and he said he won't mind
proxying you if you take care of a new ebuild (I suggested
hardened-vserver-sources for example) and the docs. On my side I can
help you a bit with the docs, especially with formatting and exposing
things in a newbie-understandable way, though as I don't know about
vserver I won't be able to write those docs, sorry.

Take care
klondike