Beyond Jeff's suggestions, you may also be interested in the Immutable
Service Container project, which is based upon OpenSolaris and Zones and
integrates many of the core security technologies:
http://kenai.com/projects/isc/pages/OpenSolaris
For example, the zone (global and non-global) hardening that is
performed conforms to the Center for Internet Security Guidance
as documented at:
http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening
g
On 1/6/10 10:48 AM, Jeff Victor wrote:
On Wed, Jan 6, 2010 at 8:51 AM, David Browning wrote:
I built an OpenSolaris media server and backup machine for my local network.
At some point I would like to add ampache to my setup. If you are not familiar,
it is a media server that will stream audio/video to client devices over the
internet.
Obviously this requires that this application be exposed to the big bad world.
So I would like to isolate this program as much as possible. I'm hoping to
leverage others' experience and knowledge to figure out which would be the best
way/approach to do this, so I'm not spinning my wheels down the wrong path.
David,
You might want to read
http://blogs.sun.com/JeffV/entry/shrink_wrap_security1 and
http://blogs.sun.com/JeffV/entry/zones_security, which also points to
a Sun BluePrint I co-authored. The blog and BP discuss methods to
harden zones, including preventing an intruder from modifying the OS,
i.e. leaving a Trojan horse behind, and applying resource controls to
minimize DoS attacks.
It's even possible to do both: Zones on VBox, or VBox in a zone:
http://blogs.sun.com/JeffV/entry/layered_virtualization .
--JeffV
Principal Field Technologist
Sun Microsystems, Inc.
___
zones-discuss mailing list
zones-discuss@opensolaris.org