
Re: LIDS vers. chroot



On Wed, 05 Feb 2003 20:14, Benjamin Schuele wrote:
> I would like to initiate a discussion about LIDS and chroot to set up a
> secure server. In my opinion, a good customized LIDS is more reliable and
> usable than chroot because of these reasons:
>
> Time to set up
> It took a lot of time to get one program running in a chroot environment,
> and usually you have more than one program running on a server.

If you modify the deb package of the program you want to chroot, then you 
should only need to pay that cost once, plus some extra maintenance work 
each time a new release of the package comes out.

> Time to administer
> With chroot, you can't do only apt-get update && apt-get upgrade once for
> installing security updates.

This depends on some variables. If you've modified a debian package to add 
chroot related changes and installed that, then all you need to do is update 
the package from the latest upstream debian package, using the same process 
that the maintainer uses to update from the original upstream package.

As for the libraries in the jail, if you install base and whatever additional
dependencies you need into the jail, you just need to add apt and run apt-get 
update && apt-get upgrade inside each jail, periodically. 

Of course, we really want our jail to contain the bare minimum of dependent 
files, so we really want a script that will build and update a jail based on 
a list of all the fine-grained dependencies required by the program being 
chrooted. Such a script can be run each time the service starts up, or from
an 'update-jail' init script target. You can not only run apt once and just 
update the jails, but you can update them after changing common /etc files, 
too.

> Security
> If somebody gets a root shell in chroot, the security has vanished

Tricky if there is no shell in the jail. Very hard if your jail automatically 
disables CAP_SYS_CHROOT before starting the service, which is possible with 
the grsecurity patch, I think.

> Again, these are my opinions, what's yours?

Chroot jails and LIDS are orthogonal; they're like skin and white blood 
cells. And you want to use both, because LIDS might not detect the latest 
exploit for a given service, but it (and other monitoring methods) are likely 
to detect someone poking around in the jail of an exploited service before 
they can get very far (i.e. come back with an exploit for the jail). And it's 
so much easier to clean up an exploited service in a jail than it is to have 
to replace a whole machine after an exploit. 

The real question is should you use chroot/user space linux techniques to 
isolate services from one another, or should you use SE Linux?

http://www.openwall.com/linux
http://www.grsecurity.org/papers.php
http://www.coker.com.au/selinux/

John
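
The message above describes a script that builds and updates a jail from a list of fine-grained dependencies. One way to write it, as an added example that is not part of the original post or the poster's own script: it assumes `ldd`, `awk` and a `cp` that supports `-u`, and the function names and jail layout are hypothetical.

```shell
#!/bin/sh
# Added example; function names and jail layout are hypothetical.
# Usage: sh update-jail.sh JAIL_DIR FILE...   (binaries and /etc files)

# Read `ldd` output on stdin and print the absolute path of each resolved
# library and of the dynamic loader. Fail if any library is "not found".
parse_ldd() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
        END { exit bad }
    '
}

# Copy files into the jail under their original paths. -u skips files that
# are already current; -L copies the target of a symlink so the jail never
# holds a link pointing outside itself; -p keeps mode and timestamps.
sync_into_jail() {
    jail=$1; shift
    for f in "$@"; do
        mkdir -p "$jail$(dirname "$f")" || return 1
        cp -uLp "$f" "$jail$f" || return 1
    done
}

# Build or refresh the jail. Run this only on files from trusted packages:
# ldd may execute code from the binary it inspects.
update_jail() {
    target=$1; shift
    command -v ldd >/dev/null || { echo "ldd not found" >&2; return 1; }
    for item in "$@"; do
        sync_into_jail "$target" "$item" || return 1
        # Non-ELF and static files yield no library paths, which is fine;
        # an unresolved library aborts the update.
        libs=$(ldd "$item" 2>/dev/null | parse_ldd) || return 1
        # Unquoted on purpose: one path per word (no spaces expected).
        sync_into_jail "$target" $libs || return 1
    done
}

if [ "$#" -ge 2 ]; then update_jail "$@"; fi
```

Leaving `/bin/sh` out of the file list keeps the jail without a shell, as the reply suggests.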


