Re: LIDS vers. chroot
On Wed, 05 Feb 2003 20:14, Benjamin Schuele wrote:
> I would like to initiate a discussion about LIDS and chroot to set up a
> secure server. In my opinion, a good customized LIDS is more reliable and
> usable than chroot for these reasons:
>
> Time to set up
> It takes a lot of time to get one program running in a chroot environment,
> and usually you have more than one program running on a server.
If you modify the deb package of the program you want to chroot, then you
should only need to pay that cost once, plus some extra maintenance work
each time a new release of the package comes out.
> Time to administer
> With chroot, you can't just do apt-get update && apt-get upgrade once to
> install security updates.
This depends on some variables. If you've modified a Debian package to add
chroot related changes and installed that, then all you need to do is update
the package from the latest upstream Debian package, using the same process
the maintainer uses to update from the original upstream package.
As for the libraries in the jail, if you install base and whatever additional
dependencies you need into the jail, you just need to add apt and run apt-get
update && apt-get upgrade inside each jail, periodically.
Of course, we really want our jail to contain the bare minimum of dependent
files, so we really want a script that will build and update a jail based on
a list of all the fine grained dependencies required by the program being
chrooted. Such a script can be run each time the service starts up, or from
an 'update-jail' init script target. You can not only run apt once and just
update the jails, but you can update them after changing common /etc files,
too.
> Security
> If somebody gets a root shell in a chroot, the security vanishes.
Tricky if there is no shell in the jail. Very hard if your jail automatically
disables CAP_SYS_CHROOT before starting the service, which is possible with
the grsecurity patch, I think.
> Again, these are my opinions, what's yours?
Chroot jails and LIDS are orthogonal; they're like skin and white blood
cells. And you want to use both, because LIDS might not detect the latest
exploit for a given service, but it (and other monitoring methods) are likely
to detect someone poking around in the jail of an exploited service before
they can get very far (i.e. come back with an exploit for the jail). And it's
so much easier to clean up an exploited service in a jail than it is to have
to replace a whole machine after an exploit.
The real question is should you use chroot/user space linux techniques to
isolate services from one another, or should you use SE Linux?
http://www.openwall.com/linux
http://www.grsecurity.org/papers.php
http://www.coker.com.au/selinux/
John
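The 'update-jail' script John describes, as an added example that is not code from the thread or from any of the projects it links: it builds or refreshes a minimal chroot from a list of programs, copying each binary plus the shared libraries ldd reports for it, and includes the "no shell in the jail" check. The function names, jail path and program list are assumptions.

```shell
#!/bin/sh
# Build or refresh a minimal chroot jail from a list of programs, copying each
# binary plus the shared libraries ldd reports for it. Example code; the
# function names, jail path and program list are assumptions, not the thread's.

# list_deps BIN: print the absolute paths of the shared objects BIN loads
list_deps() {
    ldd "$1" 2>/dev/null \
        | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' \
        | sort -u
}

# copy_into JAIL FILE: copy FILE to JAIL/FILE (same path), creating parent
# directories, but only when the copy is missing or older than the source
copy_into() {
    dst="$1$2"
    if [ ! -e "$dst" ] || [ "$2" -nt "$dst" ]; then
        mkdir -p "$(dirname "$dst")" && cp -p "$2" "$dst"
    fi
}

# build_jail JAIL PROG...: populate JAIL with each program and its libraries;
# returns non-zero if a program cannot be found on the host PATH.  Safe to rerun
# after a package upgrade: only changed files are copied again.
build_jail() {
    jail=$1; shift
    for prog in "$@"; do
        bin=$(command -v "$prog") || { echo "build_jail: $prog not found" >&2; return 1; }
        for f in "$bin" $(list_deps "$bin"); do
            copy_into "$jail" "$f" || return 1
        done
    done
}

# jail_has_shell JAIL: succeed (0) if a shell is reachable inside JAIL.
# For a service jail this check should fail; a shell there is what an attacker
# with a root hole in the service would reach for first.
jail_has_shell() {
    [ -x "$1/bin/sh" ] || [ -x "$1/usr/bin/sh" ] || [ -x "$1/bin/bash" ]
}

# Usage (hypothetical daemon and path):
#   build_jail /srv/jail/mydaemon mydaemon
#   jail_has_shell /srv/jail/mydaemon && echo "warning: shell present in jail" >&2
```

Configuration files under /etc that the service needs are not handled here; the thread's point about re-running the script after common /etc changes applies to whatever extra file list you feed it.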