El 04/11/10 00:26, Francesco R escribió: > 2010/11/3 Ed W <[email protected] <mailto:[email protected]>> > > Just to run an idea up the flagpole... > > I have had good success with a slightly orthogonal approach to > securing my servers. I run a hardened gentoo install, but with > linux-vservers for the guests and additionally pax kernel patches. > > The motivation is that Pax has mitigated a reasonable proportion > of recent kernel issues. On the userspace side, linux-vservers > are something like chroot-on-steroids and make it very > straightforward to ringfence user applications without quite going > to a full virtualisation solution. (For those who don't know, > Linux-vservers look and smell like a virtualisation solution, but > they are implemented using a kind of chroot - lxc containers are > re-implementing the same idea, but currently much less advanced) > > Up until now I have also been running kernels with the grsec > patches, but merging those with linux-vserver is relatively > complex since there is some overlap. Additionally it would appear > that linux-vservers offer a large chunk of the protection that the > grsec restrictions should offer. You loose the grsec RBAC system > by going only PAX, but that doesn't quite work as expected with > vservers, so I would think most users wouldn't implement that anyway > > So the proposal is to recognise another secure setup which is: > > - Minimal host installation + linux-vserver / pax kernel > - Applications moved to lightweight vserver guests (go pretty much > one application / webapp per guest) > > Who cares? > > Cheers > > Ed W > > I do care > - Francesco Riosa Hello Ed,
I was speaking on the matter with blueness and he said he won't mind proxying you if you take care of a new ebuild (I suggested hardened-vserver-sources for example) and the docs. On my side I can help you a bit with the docs, specially with formatting and exposing things in a newbie understandable way, though as I don't know about vserver I won't be able to write those docs, sorry. Take care klondike
signature.asc
Description: OpenPGP digital signature
