security question.

Ed W lists at wildgooses.com
Sat Apr 12 04:21:33 MSD 2008


Cliff Wells wrote:
> On Fri, 2008-04-11 at 21:26 +0100, Ed W wrote:
>
>>> IMHO it's much easier to set up a VPS (e.g. OpenVZ) than to fiddle with
>>> most of the security frameworks (the most common question about SELinux
>>> is how to disable it).  You get adequate isolation at minimal cost, and
>>> your app runs in a fairly standard environment.
>>
>> Well actually you get no extra protection against your app being broken
>> into, you just limit the damage caused.
>
> But that's pretty much the case no matter what you do.  The security
> frameworks simply prevent a broken/hacked application from being used to
> further compromise the system.  Using the example you gave earlier, to
> prevent a hacked PHP application from opening a network connection. They
> didn't prevent the PHP app from being hacked in the first place (nor
> could they).

Hmm, well I don't want to start a battle here, but I somewhat disagree. 

In my mind a vserver just gives you a completely normal server with no 
extra frills, but the point is that you can pare it down to the minimum 
software required.

The hardening stuff reduces the *capabilities* at the *process* level.  
So we can lock a particular process into only certain file systems and 
reduce the ability to execute all executables (ok, file permissions do 
this also, but they are easy to misconfigure and hard to give proper 
granularity compared with a MAC specification).  The ability to limit 
capabilities is very powerful though and can definitely be used to 
reduce the possibility of an app being hacked at all.

Some of the other hardening features can reduce the susceptibility of 
applications to new exploits, e.g. stack overflows.

An overlooked part of grsec (and perhaps others) is mandatory logging of 
events. For example segfaults are logged in syslog - this can be very 
useful for detecting a hack attempt.  You can even log execution of 
certain binaries (filter out the known ones and you are left with an 
"interesting" list which may allow you to detect a break-in).

> but in general the
> purpose of security frameworks such as SELinux and GRSEC is to limit the
> damage post-exploit. 

Well they certainly do that - but remember the ability to reduce 
*capabilities* also.  You can pare an application back much more tightly 
than you can with only file permissions.  The two frameworks you mention 
above allow you to really lock down a given binary very very tightly and 
so I think it's fair to say that they dramatically reduce the chance of 
an exploit as well as reducing the damage once one occurs?

A VPS in my mind really just gives you a much cleaner space to run each 
app in and hence reduces the severity of a breach (perhaps reduces the 
likelihood of a breach by having fewer services running, but that wasn't 
the biggest attraction to me).

Anyway, both are useful to varying extents - I am certainly a big fan of 
vservers and grsec to a lesser extent.

Ed W
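As an added illustration of the "filter out the known ones" idea in Ed's message (this is not code from the thread or from grsecurity): a small Python filter that reads syslog-style lines, reports every segfault, and reports every exec whose (parent process, executed path) pair is not on an expected list. The sample lines are constructed, and the exact grsec exec-log and kernel segfault line layouts are assumed, not taken from the page.

```python
import re

# Constructed sample lines (not from any real host). The grsec "exec of"
# layout and the kernel "segfault at" layout are assumed from memory of
# those formats; adjust the regexes to what your kernel actually emits.
SAMPLE_LOG = """\
Apr 12 04:21:33 web kernel: grsec: exec of /usr/sbin/nginx (nginx ) by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 12 04:21:40 web kernel: grsec: exec of /usr/bin/php-cgi (php-cgi ) by /usr/sbin/nginx[nginx:2201] uid/euid:33/33 gid/egid:33/33, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 12 04:22:01 web kernel: php-cgi[2310]: segfault at 0 ip 00007f1c3a2b1c44 sp 00007fff1e4c2a90 error 4 in libphp5.so[7f1c3a000000+400000]
Apr 12 04:22:05 web kernel: grsec: exec of /bin/sh (sh -c id ) by /usr/bin/php-cgi[php-cgi:2311] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/nginx[nginx:2201] uid/euid:0/0 gid/egid:0/0
Apr 12 04:22:05 web kernel: grsec: exec of /usr/bin/id (id ) by /bin/sh[sh:2312] uid/euid:33/33 gid/egid:33/33, parent /usr/bin/php-cgi[php-cgi:2311] uid/euid:33/33 gid/egid:33/33
"""

# The (parent comm, child path) pairs this web stack is expected to produce.
# Everything not on this list is the "interesting" remainder Ed describes.
EXPECTED_EXECS = {("init", "/usr/sbin/nginx"), ("nginx", "/usr/bin/php-cgi")}

EXEC_RE = re.compile(
    r"grsec: exec of (?P<path>\S+) \((?P<argv>[^)]*)\) by "
    r"(?P<parent>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
SEGV_RE = re.compile(r" (?P<comm>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at ")


def interesting_events(log_text, expected=EXPECTED_EXECS):
    """Return every segfault plus every exec not in the expected set."""
    events = []
    for line in log_text.splitlines():
        m = SEGV_RE.search(line)
        if m:  # a crash in a network-facing process is always worth a look
            events.append({"kind": "segfault", "comm": m["comm"],
                           "pid": int(m["pid"])})
            continue
        m = EXEC_RE.search(line)
        if m and (m["pcomm"], m["path"]) not in expected:
            events.append({"kind": "unexpected_exec", "path": m["path"],
                           "argv": m["argv"].strip(), "parent": m["pcomm"],
                           "euid": int(m["euid"])})
    return events


if __name__ == "__main__":
    for ev in interesting_events(SAMPLE_LOG):
        print(ev)
```

On the constructed input the two expected execs are dropped, and what remains is the php-cgi crash followed by php-cgi spawning a shell under the web-server uid, which is exactly the short list a human should read.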

More information about the nginx mailing list