On Wed, 05 Feb 2003 20:14, Benjamin Schuele wrote:
> I would like to initiate a discussion about LIDS and chroot to set up a
> secure server. In my opinion, a good customized LIDS is more reliable and
> usable than chroot for these reasons:
>
> Time to set up
> It took a lot of time to get one program running in a chroot environment,
> and usually you have more than one program running on a server.

If you modify the deb package of the program you want to chroot, then you should only need to pay that cost once, plus some extra maintenance work each time a new release of the package comes out.

> Time to administer
> With chroot, you can't just run apt-get update && apt-get upgrade once to
> install security updates.

This depends on some variables. If you've modified a Debian package to add chroot-related changes and installed that, then all you need to do is update the package from the latest upstream Debian package, using the same process the maintainer uses to update from the original upstream package.

As for the libraries in the jail, if you install base and whatever additional dependencies you need into the jail, you just need to add apt and run apt-get update && apt-get upgrade inside each jail, periodically.

Of course, we really want our jail to contain the bare minimum of dependent files, so we really want a script that will build and update a jail based on a list of all the fine-grained dependencies required by the program being chrooted. Such a script can be run each time the service starts up, or from an 'update-jail' init script target. You can not only run apt once and just update the jails, but you can update them after changing common /etc files, too.

> Security
> If somebody gets a root shell in chroot, the security has vanished.

Tricky if there is no shell in the jail. Very hard if your jail automatically disables CAP_SYS_CHROOT before starting the service, which is possible with the grsecurity patch, I think.

> Again, these are my opinions, what's yours?

Chroot jails and LIDS are orthogonal; they're like skin and white blood cells. And you want to use both, because LIDS might not detect the latest exploit for a given service, but it (and other monitoring methods) are likely to detect someone poking around in the jail of an exploited service before they can get very far (i.e. come back with an exploit for the jail).

And it's so much easier to clean up an exploited service in a jail than it is to have to replace a whole machine after an exploit.

The real question is: should you use chroot/user-space Linux techniques to isolate services from one another, or should you use SE Linux?

http://www.openwall.com/linux
http://www.grsecurity.org/papers.php
http://www.coker.com.au/selinux/

John
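An added example, not part of John's message or the thread: a POSIX sh sketch of the "build and update a jail from a fine-grained dependency list" script he describes, usable from an 'update-jail' init target. The function names, the one-path-per-line list format, the ldd-based discovery and the `$jail.deps` list location are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build or refresh a minimal chroot jail from
# a fine-grained dependency list, suitable for an 'update-jail' init target.
set -eu

# Turn `ldd` output into one absolute path per line: keeps "x => /lib/x (0x..)"
# targets and the bare loader line, skips the vdso and "not found" entries.
parse_ldd_output() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# One program's dependency list: the binary itself plus everything ldd reports.
deps_for() {
    printf '%s\n' "$1"
    ldd "$1" 2>/dev/null | parse_ldd_output || true
}

# Copy each listed file into the jail under its original absolute path. A file
# is recopied only when it differs, so this is cheap to run at every start.
populate_jail() {
    jail="$1"; list="$2"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dest="$jail$path"
        if ! cmp -s "$path" "$dest" 2>/dev/null; then
            mkdir -p "$(dirname "$dest")"
            cp -p "$path" "$dest"
            echo "updated $dest"
        fi
    done < "$list"
}

# Remove jail files no longer on the list, so a stale library (or a stray
# shell) does not linger after an update.
prune_jail() {
    jail="$1"; list="$2"
    find "$jail" -type f | while IFS= read -r f; do
        grep -qxF "${f#"$jail"}" "$list" || { rm -f "$f"; echo "pruned $f"; }
    done
}

# Build or refresh a jail for the named programs; the list lives beside the
# jail, not inside it, so prune_jail never removes it.
build_jail() {
    jail="$1"; shift; list="$jail.deps"
    for prog in "$@"; do deps_for "$prog"; done | sort -u > "$list"
    populate_jail "$jail" "$list"
    prune_jail "$jail" "$list"
}
```

Run as `build_jail /var/jail/httpd /usr/sbin/httpd` (paths hypothetical); configuration files the service needs at runtime are added to the list by hand, since ldd only sees shared libraries.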

