Re: [fw-wiz] Web server security?
From: Crispin Cowan (crispin_at_immunix.com)
Date: 06/22/04
- Previous message: Mason: "Re: [fw-wiz] Web server security?"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Reply: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Reply: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Paul D. Robertson" <paul@compuwar.net> Date: Tue, 22 Jun 2004 07:45:09 -0700
Paul D. Robertson wrote:
>>probably not worthwhile for "single-trick ponies", since its main
>>purpose is to isolate unrelated subsystems from each other (such as
>>keeping a hacked web server from messing with IMAP accounts).
>>
>>
>I prefer RSBAC for a bunch of reasons, but if someone's done the hard bit
>for SELinux, I'd do that instead. The core capability stuff is certainly
>interesting for generic kernels, but I'm really looking to lock down a
>server pretty well.
>
>
Immunix SubDomain can confine individual CGI Perl scripts and PHP pages
to a security domain, and can do it even if you are using mod_perl or
mod_php for performance. This substantially improves the security of a
single web site, even if serving that web site is the only function that
machine serves. http://www.immunix.com/products/features.php
Previously available only as a feature of Immunix OS, SubDomain is now
available as a stand-alone product for Linux 2.6 systems via the LSM
interface for pluggable security modules. In the near term, since
Immunix requires Linux 2.6, that means SuSE 9.1.
>I've got a kernel module
>that needs dusting off that doesn't allow daemons to execve, which makes
>things a little better for that last vector...
>
>
SubDomain also controls the set of programs that any given program can
exec, so preventing a daemon from exec'ing nastyness, or preventing
Apache from exec'ing surprising things, is easy.
>Nope, I'm going to put SSL on my personal server in an attempt to sell
>some of my photography, and I know the additional complexity is going to
>require more frequent updates.
>
I don't follow. A strong MAC security policy should *reduce* the
frequency of security updates. A *flexible* MAC security policy should
allow you to upload additional content without having to change the
security policy; SubDomain lets you use regular expressions and
recursion to allow access to, say, all of the .html and .jpg files in a
specified directory tree. What is it you anticipate having to update
frequently?
Crispin
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Mason: "Re: [fw-wiz] Web server security?"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Reply: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Reply: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
