Ah but I should have mentioned my boss is a stingy so and so who is definitely not keen on spending the kind of bucks that would give us such a cluster for that matter he's not even prepared to get me another box with the same hardware as the web or mail servers (dual xeon) to use as a test/development box. So pretty much all crp that hits the fan (such as the bios issue that made the system fans go off when over heating) is my problem to deal with at whatever time of day or night -- (wish I could say the pay was enough...)
-----Original Message----- From: xyon [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 25, 2006 12:37 PM To: [email protected] Subject: Re: [gentoo-server] (Hardened) Converting production Gentoomail/web server to hardened-sources is a great kernel to use. With all the GRSecurity and PaX options enabled it's quite a step above stock. RBAC (ACL) is a wonderful way to lock down the system, but takes a long time to get right. I would highly recommend mirroring your production environment with a dev environment to play with this feature. With your company's policy of 0 downtime, they have a load-balanced/cluster environment, correct? If so, rebooting one server shouldn't be a huge deal.. if they do not have a load-balanced/cluster environment, 0 downtime is going to be very difficult to maintain. Just my 2 cents. ;) On Wed, 2006-01-25 at 12:09 +0200, Jean Blignaut wrote: > (Hi I posted this before in the "portscanning worm?" thread but > thought that people might not have seen it there cause I've not had > any comments/replys?) > > > > I have often considered and even tried a couple of times to setup a > hardened box however I get confused between all the different options > and all the different implications. What with Selinux Grsecurity 1/2 > RSBAC PIE etc. etc. > > > > Also the kernel patching concerns me a bit, I would much rather not > have to search around an battle to patch kernels my self if at all > possible. > > I don't get to upgrade the kernel on my production servers very often > since company policy is 0 downtime. > > > > Also Because these are production servers in use by 1000s of customers > I would have to find a hardened kernel (or what ever) that would have > as small an impact on the current workings and config of the systems > involved. > > > > I have all my partitions formatted (and kernels built) with support > for security labels, but that's as far as I've gotten. Also the idea > of splitting up roots permissions into roles is an interesting > prospect but I've yet to find decent documentation on how to > implement/use POSIX ROLES > > > -- [email protected] mailing list -- [email protected] mailing list
