Firewall Wizards mailing list archives

Re: Web server security?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 11:01:02 -0400 (EDT)

On Tue, 22 Jun 2004, Crispin Cowan wrote:

Previously available only as a feature of Immunix OS, SubDomain is now
available as a stand-alone product for Linux 2.6 systems via the LSM
interface for pluggable security modules. In the near term, since
Immunix requires Linux 2.6, that means SuSE 9.1.

I'm unlikely to do a major kernel version upgrade on my only personal Web
server until I'm comfortable with 2.6.

"Product" sounds like money, and for my personal sites, I'd rather spend
time than money, especially if I end up with something that's redeployable
for other reasons.  I'm not all that enthused about the reported 2.6
syscall table changes, as it'll stop some of the ad-hoc kernel patching
I've been doing with modules (or make the modules more complex and less
easy to validate.)  It'll also make me have to change my kernel code to do
things I've been doing in modules...

I've got a kernel module that needs dusting off that doesn't allow daemons
to execve, which makes things a little better for that last vector...


SubDomain also controls the set of programs that any given program can
exec, so preventing a daemon from exec'ing nastyness, or preventing
Apache from exec'ing surprising things, is easy.

As I said, I'm using gcgi, so controlling things from my end isn't all
that difficult, and I've already got the kernel module :)  Since my way
covers my resolver and any associated cruft I'm running for other reasons,
I'm relatively happy with it- I'd just prefer to do a more formally proven
model.


Nope, I'm going to put SSL on my personal server in an attempt to sell
some of my photography, and I know the additional complexity is going to
require more frequent updates.

I don't follow. A strong MAC security policy should *reduce* the
frequency of security updates. A *flexible* MAC security policy should

Right, but without MAC, I'm going to be updating my server more and more
often, since I'm now bringing the entire OpenSSL swath of bugs onto the
server.  Once I start the commerce thing, I'll probably have to switch off
of the good SSH as well, and go with the GNU replacement or OpenSSH, so
again, more rapid changes than I'm used to.  Likely I'll avoid OpenSSH
for comfort reasons.

allow you to upload additional content without having to change the
security policy; SubDomain lets you use regular expressions and
recursion to allow access to, say, all of the .html and .jpg files in a
specified directory tree. What is it you anticipate having to update
frequently?

Apache and OpenSSL.  I really like the idea of something like UML though,
but I haven't benched it yet.  For most of my stuff, performance isn't a
big deal, but I've got one site that really wants performance, and until I
can get it moved over somewhere, I'll design for that site.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
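As an added illustration of the two SubDomain capabilities mentioned in the thread (restricting what a daemon may exec, and granting read access to a file tree by pattern), and not something from either poster, here is a confinement profile written in the syntax of AppArmor, the later open-source form of SubDomain; the 2004 SubDomain syntax, the binary path /usr/sbin/httpd, the document root /srv/www and the CGI path are all assumptions.

```apparmor
# Added example: confine Apache so it can only read static content
# and only exec one named CGI binary. Everything not listed is denied.
# Paths below are constructed for illustration, not taken from the thread.
#include <tunables/global>

/usr/sbin/httpd {
  #include <abstractions/base>

  # The daemon may map its own binary and read its configuration.
  /usr/sbin/httpd mr,
  /etc/httpd/**   r,

  # Static content: .html and .jpg anywhere under the document root
  # ("**" recurses into subdirectories), so uploading new pages or
  # photos needs no policy change.
  /srv/www/**.html r,
  /srv/www/**.jpg  r,

  # Logs are the only writable location.
  /var/log/httpd/* w,

  # Exec control: only this CGI may be executed, and it runs under its
  # own profile (Px). /bin/sh, /usr/bin/perl etc. are not listed, so a
  # compromised worker cannot spawn them; the kernel denies and logs it.
  /usr/lib/cgi-bin/gallery Px,

  # Network access for the listener itself.
  network inet stream,
}
```

Loading it in complain mode first (aa-complain, if the tooling is available) shows every access the profile would have denied without blocking the site, which is the usual way to tune the pattern list before enforcing.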