Firewall Wizards mailing list archives

Re: Web server security?


From: Steffen Kluge <kluge () fujitsu com au>
Date: Tue, 22 Jun 2004 11:01:52 +1000

On Tue, 2004-06-22 at 08:33, Paul D. Robertson wrote:
> Has anyone on the list played with RSBAC (preferably) or SELinux and
> Apache Web servers, and has any configurations they can share?  I think
> I'm more interested in MAC compartments than RBAC, but if someone else has
> done the major groundwork, I'd like to have a head start.

Quite a bit of the SELinux groundwork done so far has made it into
Fedora Core 2, apparently. I eagerly went to check it out when it was
released.

Upon further delving into the matter, I found that the SELinux community
reckons they're adding value mainly in situations where you run various
different services on a single machine. They seem to think SELinux is
probably not worthwhile for "single-trick ponies", since its main
purpose is to isolate unrelated subsystems from each other (such as
keeping a hacked web server from messing with IMAP accounts).

I tend to set up my Internet exposed servers to run exactly one service
(plus SSH, not exposed to the outside world), and strip them down
accordingly. I concluded that SELinux isn't going to be worth the
trouble in these cases.

If you are concerned about web-only servers you might end up reaching
the same conclusion.

Cheers
Steffen.
