Firewall Wizards mailing list archives
Re: Web server security?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 11:01:02 -0400 (EDT)
On Tue, 22 Jun 2004, Crispin Cowan wrote:
Previously available only as a feature of Immunix OS, SubDomain is now available as a stand-alone product for Linux 2.6 systems via the LSM interface for pluggable security modules. In the near term, since Immunix requires Linux 2.6, that means SuSE 9.1.
I'm unlikely to do a major kernel version upgrade on my only personal Web server until I'm comfortable with 2.6. "Product" sounds like money, and for my personal sites, I'd rather spend time than money, especially if I end up with something that's redeployable for other reasons. I'm not all that enthused about the reported 2.6 syscall table changes, as it'll stop some of the ad-hoc kernel patching I've been doing with modules (or make the modules more complex and less easy to validate.) It'll also make me have to change my kernel code to do things I've been doing in modules...
I've got a kernel module that needs dusting off that doesn't allow daemons to execve, which makes things a little better for that last vector...

SubDomain also controls the set of programs that any given program can exec, so preventing a daemon from exec'ing nastiness, or preventing Apache from exec'ing surprising things, is easy.
As I said, I'm using gcgi, so controlling things from my end isn't all that difficult, and I've already got the kernel module :) Since my way covers my resolver and any associated cruft I'm running for other reasons, I'm relatively happy with it- I'd just prefer to do a more formally proven model.
Nope, I'm going to put SSL on my personal server in an attempt to sell some of my photography, and I know the additional complexity is going to require more frequent updates.

I don't follow. A strong MAC security policy should *reduce* the frequency of security updates. A *flexible* MAC security policy should
Right, but without MAC, I'm going to be updating my server more and more often, since I'm now bringing the entire OpenSSL swath of bugs onto the server. Once I start the commerce thing, I'll probably have to switch off of the good SSH as well, and go with the GNU replacement or OpenSSH, so again, more rapid changes than I'm used to. Likely I'll avoid OpenSSH for comfort reasons.
allow you to upload additional content without having to change the security policy; SubDomain lets you use regular expressions and recursion to allow access to, say, all of the .html and .jpg files in a specified directory tree. What is it you anticipate having to update frequently?
Apache and OpenSSL. I really like the idea of something like UML though, but I haven't benched it yet. For most of my stuff, performance isn't a big deal, but I've got one site that really wants performance, and until I can get it moved over somewhere, I'll design for that site.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
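The two SubDomain properties mentioned in the message above (limiting which programs a confined program may exec, and granting read access by pattern to the .html and .jpg files in a directory tree) look like this in AppArmor, the later name of SubDomain. This is an added example, not part of the original post or of any poster's configuration; it uses current AppArmor syntax rather than the 2004 SubDomain syntax, and every path and the CGI name are assumptions.

```apparmor
# Constructed example profile; all paths and the CGI name are hypothetical.
#include <tunables/global>

/usr/sbin/httpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Bind to ports 80/443, then drop privileges to the web user.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  network inet stream,
  network inet6 stream,

  # The server itself: binary, loadable modules, configuration, logs.
  /usr/sbin/httpd mr,
  /usr/lib/apache2/** mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /run/httpd.pid w,

  # Content, by pattern: directories may be listed, and only files
  # ending in .html or .jpg may be read, at any depth ("**" crosses "/").
  # New content that fits the pattern needs no policy change.
  /srv/www/htdocs/ r,
  /srv/www/htdocs/**/ r,
  /srv/www/htdocs/**.{html,jpg} r,

  # Exec control: there is no other x rule, so every other execve()
  # from the server is refused. "px" runs the CGI under its own
  # separately loaded profile instead of inheriting this one.
  /srv/www/cgi-bin/order.cgi px,
}
```

Because `px` requires a profile for the target, the CGI will not run until a profile for `/srv/www/cgi-bin/order.cgi` is loaded as well.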