security question.
Ed W
lists at wildgooses.com
Sat Apr 12 04:21:33 MSD 2008
Cliff Wells wrote:
> On Fri, 2008-04-11 at 21:26 +0100, Ed W wrote:
>
>
>>> IMHO it's much easier to setup a VPS (e.g. OpenVZ) than to fiddle with
>>> most of the security frameworks (the most common question about SELinux
>>> is how to disable it). You get adequate isolation at minimal cost, and
>>> your app runs in a fairly standard environment.
>>>
>>>
>> Well actually you get no extra protection against your app being broken
>> into, you just limit the damage caused.
>>
>
> But that's pretty much the case no matter what you do. The security
> frameworks simply prevent a broken/hacked application from being used to
> further compromise the system. Using the example you gave earlier, to
> prevent a hacked PHP application from opening a network connection. They
> didn't prevent the PHP app from being hacked in the first place (nor
> could they).
>
Hmm, well I don't want to start a battle here, but I somewhat disagree.
In my mind a vserver just gives you a completely normal server with no
extra frills, but the point is that you can pare it down to the min
software required.
The hardening stuff reduces the *capabilities* at the *process* level.
So we can lock a particular process into only certain file systems and
reduce the ability to execute all executables (ok, filepermissions do
this also, but they are easy to misconfigure and hard to give proper
granularity compared with a MAC specification). The ability to limit
capabilities is very powerful though and can definitely be used to
reduce the possibility of an app being hacked at all.
Some of the other hardening features can reduce the susceptibility of
applications to new exploits, eg stack overflows.
An overlooked part of grsec (and perhaps others) is mandatory logging of
events. For example segfaults are logged in syslog - this can be very
useful for detecting a hack attempt. You can even log execution of
certain binaries (filter out the known ones and you are left with an
"interesting" list which may allow you to detect a breakin)
> but in general the
> purpose of security frameworks such as SELinux and GRSEC is to limit the
> damage post-exploit.
Well they certainly do that - but remember the ability to reduce
*capabilities* also. You can pare an application back much more tightly
than you can with only file permissions. The two frameworks you mention
above allow you to really lock down a given binary very very tightly and
so I think it's fair to say that they dramatically reduce the chance of
an exploit as well as reducing the damage once one occurs?
A VPS in my mind really just gives you a much cleaner space to run each
app in and hence reduces the severity of a breach (perhaps reduces the
likelihood of a breach by having fewer services running, but that wasn't
the biggest attraction to me).
Anyway, both are useful to varying extents - I am certainly a big fan of
vservers and grsec to a lesser extent
Ed W
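Ed's point about mandatory logging (segfaults in syslog, exec logging with the known binaries filtered out) is easy to turn into a small triage script. The following is an added example, not code from the thread or from grsec; the syslog excerpt is constructed, the "segfault at" lines follow the shape the Linux kernel uses for user-space faults, and the "grsec: exec of" lines are an assumed format modelled on grsec exec logging, so the regexes would need adjusting for a real box. The allowlist EXPECTED_EXECS and the instruction-fetch heuristic are likewise this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not real log data). Segfault lines mimic
# the kernel's user-space fault message; "grsec: exec of" lines are an assumed
# format used only for illustration.
SAMPLE_LOG = """\
Apr 12 04:10:01 web kernel: php-cgi[2231]: segfault at 0 ip 00007f1c2a3b4c5d sp 00007fff1a2b3c40 error 4 in libc-2.7.so[7f1c2a300000+150000]
Apr 12 04:10:02 web kernel: php-cgi[2235]: segfault at 41414141 ip 0000000041414141 sp 00007fff1a2b3c40 error 14
Apr 12 04:10:03 web kernel: grsec: exec of /usr/bin/php-cgi (php-cgi ) by /usr/sbin/nginx[nginx:1900 uid/euid:33/33 gid/egid:33/33] parent /usr/sbin/nginx[nginx:1800 uid/euid:0/0 gid/egid:0/0]
Apr 12 04:10:04 web kernel: grsec: exec of /bin/sh (sh -c id ) by /usr/bin/php-cgi[php-cgi:2240 uid/euid:33/33 gid/egid:33/33] parent /usr/sbin/nginx[nginx:1900 uid/euid:33/33 gid/egid:33/33]
Apr 12 04:10:05 web kernel: grsec: exec of /usr/bin/id (id ) by /bin/sh[sh:2241 uid/euid:33/33 gid/egid:33/33] parent /usr/bin/php-cgi[php-cgi:2240 uid/euid:33/33 gid/egid:33/33]
Apr 12 04:10:06 web kernel: grsec: exec of /usr/bin/php-cgi (php-cgi ) by /usr/sbin/nginx[nginx:1900 uid/euid:33/33 gid/egid:33/33] parent /usr/sbin/nginx[nginx:1800 uid/euid:0/0 gid/egid:0/0]
Apr 12 04:10:07 web cron[3001]: (root) CMD (run-parts /etc/cron.hourly)
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+)"
)
# Assumed grsec-style exec record: path (argv) by parent[comm:pid uid/euid:a/b ...]
EXEC_RE = re.compile(
    r"grsec: exec of (?P<path>\S+) \((?P<argv>[^)]*)\) by "
    r"(?P<parent>\S+)\[[^:\]]+:(?P<ppid>\d+) uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# x86 page-fault error code bit: the fault was raised by an instruction fetch.
PF_INSTR = 0x10

# (parent binary, child binary) pairs that are normal on this box; assumed.
EXPECTED_EXECS = {("/usr/sbin/nginx", "/usr/bin/php-cgi")}


def parse_segfaults(text):
    """One dict per segfault line: program name, pid, fault address, ip, error code."""
    out = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            out.append({"comm": m["comm"], "pid": int(m["pid"]),
                        "addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
                        "err": int(m["err"], 16)})
    return out


def segfault_counts(text):
    """Segfaults per program; a sudden burst for one service deserves a look."""
    return Counter(s["comm"] for s in parse_segfaults(text))


def suspicious_segfaults(text):
    """Heuristic: the CPU tried to *execute* at an unmapped address (instruction
    fetch fault with ip equal to the fault address). Ordinary bugs usually fault
    on a data access; a corrupted return address or jump faults on the fetch."""
    return [s for s in parse_segfaults(text)
            if s["err"] & PF_INSTR and s["ip"] == s["addr"]]


def parse_execs(text):
    """One dict per exec record: child path, argv, parent path, parent pid, uids."""
    out = []
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            out.append({"path": m["path"], "argv": m["argv"].strip(),
                        "parent": m["parent"], "ppid": int(m["ppid"]),
                        "uid": int(m["uid"]), "euid": int(m["euid"])})
    return out


def interesting_execs(text, expected=EXPECTED_EXECS):
    """Filter out the known parent->child exec pairs; what remains is the
    "interesting" list, e.g. a web worker spawning a shell."""
    return [e for e in parse_execs(text)
            if (e["parent"], e["path"]) not in expected]


if __name__ == "__main__":
    print("segfaults per program:", dict(segfault_counts(SAMPLE_LOG)))
    for s in suspicious_segfaults(SAMPLE_LOG):
        print("instruction-fetch fault: %s[%d] at %#x" % (s["comm"], s["pid"], s["addr"]))
    for e in interesting_execs(SAMPLE_LOG):
        print("unexpected exec: %s -> %s (%s) uid=%d" % (e["parent"], e["path"], e["argv"], e["uid"]))
```

Filtering on the (parent, child) pair rather than on the child binary alone matters: /bin/sh is a "known" binary on any box, but /bin/sh launched by a PHP worker is exactly the event you want left in the interesting list.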