El 04/11/10 00:26, Francesco R escribió:
> 2010/11/3 Ed W <[email protected] <mailto:[email protected]>>
>
>     Just to run an idea up the flagpole...
>
>     I have had good success with a slightly orthogonal approach to
>     securing my servers.  I run a hardened gentoo install, but with
>     linux-vservers for the guests and additionally pax kernel patches.
>
>     The motivation is that Pax has mitigated a reasonable proportion
>     of recent kernel issues.  On the userspace side, linux-vservers
>     are something like chroot-on-steroids and make it very
>     straightforward to ringfence user applications without quite going
>     to a full virtualisation solution. (For those who don't know,
>     Linux-vservers look and smell like a virtualisation solution, but
>     they are implemented using a kind of chroot - lxc containers are
>     re-implementing the same idea, but currently much less advanced)
>
>     Up until now I have also been running kernels with the grsec
>     patches, but merging those with linux-vserver is relatively
>     complex since there is some overlap.  Additionally it would appear
>     that linux-vservers offer a large chunk of the protection that the
>     grsec restrictions should offer.  You loose the grsec RBAC system
>     by going only PAX, but that doesn't quite work as expected with
>     vservers, so I would think most users wouldn't implement that anyway
>
>     So the proposal is to recognise another secure setup which is:
>
>     - Minimal host installation + linux-vserver / pax kernel
>     - Applications moved to lightweight vserver guests (go pretty much
>     one application / webapp per guest)
>
>     Who cares?
>
>     Cheers
>
>     Ed W
>
> I do care
> - Francesco Riosa
Hello Ed,

I was speaking on the matter with blueness and he said he won't mind
proxying you if you take care of a new ebuild (I suggested
hardened-vserver-sources for example) and the docs. On my side I can
help you a bit with the docs, specially with formatting and exposing
things in a newbie understandable way, though as I don't know about
vserver I won't be able to write those docs, sorry.

Take care
klondike

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to