
From: Michael Pasdziernik (mpasdziernik_at_web.de)
Date: Thu 04 Dec 2003 - 23:01:40 GMT


Hi Herbert, Hi Alex, Hi all,

On Thursday, 4 December 2003 18:53, Herbert Poetzl wrote:
> On Thu, Dec 04, 2003 at 12:24:18PM -0500, Alex Klymov wrote:
> > Hello Michael,
> >
> > Thursday, December 4, 2003, 11:41:57 AM, you wrote:
> >
> > MP> Hi vServer-Admins,
> >
> > MP> Trying to use vserver with other pax, grsecurity or
> > MP> the openwall patches does not work.
> > MP> But security demands are rising.
>
> some questions should be, how long will 2.4 be
> used and does 2.6 satisfy those needs ...

I remember some trouble with versions of the first
2.4.x releases, so I think it is better to not bring kernel 2.6
on production servers until 2.6.8 or perhaps 2.6.10.
What do you think?

> > MP> So, does anyone know any kernel enhancements that
> > MP> work with vserver?
>
> basically many security enhancements work with
> vserver, some need less, others need more manual
> fixing ...

That's my problem: since I have absolutely no knowledge of kernel
programming, I can't do manual fixing.

> > MP> Features I am searching for are:
> >
> > MP> - Randomized Features (TCP ISN, PIDs, IP IDs, TCP source ports)
> > MP> - Protection against Stack-attacks
> > MP> - Confusing OS-fingerprints
> > MP> - Auditing Features (like in grsecurity)
> > MP> - Restrictions for /tmp
> > MP> - And every other stuff that enhances security!
>
> I have no problem in adding enhancements (as optional
> patches) to the vserver patchsets, but it will be
> required to test and document this stuff too, so if
> you, and others, are willing to test this, I have no
> problem with rediffing it ...

That would be great! It would complete the security approach of the vserver
concept. Because at the moment, I always have to ponder: "For this special
server, what gives more security? grsecurity or vserver?". It's always a
compromise.

So, what can I do to help? How can I test this methodically?

> see
> http://vserver.13thfloor.at/Experimental/patch-2.4.23-vs1.00-grsec-1.9.12.diff
> http://vserver.13thfloor.at/Stuff/patch-2.4.23-pre7-grsec-1.9.12.diff.bz2
> (both untested)

Is this in addition to the vserver patch, or does it contain both vserver and
grsecurity?

> others did adaptations of grsec to vserver which might
> be tested and/or in use ...
>
> > MP> Thank you a lot for your help!
> > MP> Michael
> >
> > I was able to "marry" vserver with grsecurity 2.0rc3.
> > My first priority was network security increasing - I
> > didn't try PaX and process protection but I don't see
> > the reason why it won't be working.

That's what has my first priority, too. So what have you done to
marry these two genial patches?

> > from the sources perspective it should not conflict with
> > vserver functionality as long as you are not using ACLs
> > feature (which uses system capabilities vserver is
> > dependent on).
>
> I don't see such an issue in the ACL stuff either, but
> it will require some changes to vserver to work ..
> (as I said, if there is demand _and_ folks doing the
> testing, which _is_ a hard job, if it comes to things
> like security, I'm willing to support those patches)

Tell me more about that hard job : )
ciao
Michael

> > Can somebody confirm/correct me if I'm wrong?
>
> sorry, can't confirm, as I believe you are right! 8-)
>
> best,
> Herbert
>
> > --
> > Alex mailto:al3x__at_gmx.net
> > 12:15:01 PM Thursday, December 4, 2003 EDT

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

