Firewall Wizards mailing list archives
Re: Web server security?
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 22 Jun 2004 07:45:09 -0700
Paul D. Robertson wrote:
Immunix SubDomain can confine individual CGI Perl scripts and PHP pages to a security domain, and can do it even if you are using mod_perl or mod_php for performance. This substantially improves the security of a single web site, even if serving that web site is the only function that machine serves. http://www.immunix.com/products/features.phpprobably not worthwhile for "single-trick ponies", since its main purpose is to isolate unrelated subsystems from each other (such as keeping a hacked web server from messing with IMAP accounts).I prefer RSBAC for a bunch of reasons, but if someone's done the hard bit for SELinux, I'd do that instead. The core capability stuff is certainly interesting for generic kernels, but I'm really looking to lock down a server pretty well.
Previously available only as a feature of Immunix OS, SubDomain is now available as a stand-alone product for Linux 2.6 systems via the LSM interface for pluggable security modules. In the near term, since Immunix requires Linux 2.6, that means SuSE 9.1.
SubDomain also controls the set of programs that any given program can exec, so preventing a daemon from exec'ing nastyness, or preventing Apache from exec'ing surprising things, is easy.I've got a kernel module that needs dusting off that doesn't allow daemons to execve, which makes things a little better for that last vector...
I don't follow. A strong MAC security policy should *reduce* the frequency of security updates. A *flexible* MAC security policy should allow you to upload additional content without having to change the security policy; SubDomain lets you use regular expressions and recursion to allow access to, say, all of the .html and .jpg files in a specified directory tree. What is it you anticipate having to update frequently?Nope, I'm going to put SSL on my personal server in an attempt to sell some of my photography, and I know the additional complexity is going to require more frequent updates.
Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Web server security? Paul D. Robertson (Jun 21)
- Re: Web server security? Steffen Kluge (Jun 22)
- Re: Web server security? Paul D. Robertson (Jun 22)
- Re: Web server security? Mason (Jun 22)
- Re: Web server security? Crispin Cowan (Jun 22)
- Re: Web server security? Paul D. Robertson (Jun 22)
- Re: Web server security? Paul D. Robertson (Jun 22)
- Re: Web server security? Steffen Kluge (Jun 23)
- Re: Web server security? Paul D. Robertson (Jun 22)
- Re: Web server security? Steffen Kluge (Jun 22)