Firewall Wizards mailing list archives
Re: Web server security?
From: Steffen Kluge <kluge () fujitsu com au>
Date: Tue, 22 Jun 2004 11:01:52 +1000
On Tue, 2004-06-22 at 08:33, Paul D. Robertson wrote:
> Has anyone on the list played with RSBAC (preferably) or SELinux and Apache Web servers, and has any configurations they can share? I think I'm more interested in MAC compartments than RBAC, but if someone else has done the major groundwork, I'd like to have a head start.
Quite a bit of the SELinux groundwork done so far has made it into Fedora Core 2, apparently. I eagerly went to check it out when it was released.

Upon further delving into the matter, I found that the SELinux community reckons they're adding value mainly in situations where you run various different services on a single machine. They seem to think SELinux is probably not worthwhile for "single-trick ponies", since its main purpose is to isolate unrelated subsystems from each other (such as keeping a hacked web server from messing with IMAP accounts).

I tend to set up my Internet exposed servers to run exactly one service (plus SSH, not exposed to the outside world), and strip them down accordingly. I concluded that SELinux isn't going to be worth the trouble in these cases. If you are concerned about web-only servers you might end up reaching the same conclusion.

Cheers
Steffen.