[Aide] Newbie Questions

Gary Gendel gary at genashor.com
Tue Apr 11 15:42:01 EEST 2006


Pablo,

Solaris Containers are inherently secure inasmuch as the "container"
(Zone) is completely isolated from the main OS.  The only writable files
are local to the container.  It is impossible to overwrite or add/remove
system files.  It's BSD Jails taken to another level.  The only way to
modify system files is from the main OS, which you can't get to from
within a container.  Once a zone is established, it has its own network
stack, device stack, etc. You actually boot the zone to bring it up. So,
even though I wouldn't say there aren't exploitable vulnerabilities,
these should be contained to the container (pun intended).  It is so
isolated, that people are running a guest OS inside a container
(Windows, Linux, BSD, etc.).  This work is called BrandZ.

I'm not an OS zealot, I just like impressive technology.  I'll use
whatever is the best suited for the tasks I need to perform.  Solaris
Containers (Zones) are extremely impressive.  It takes me all of 15
minutes to set up a zone and boot and it's amazingly light on the system
resources.  The other really striking technology from Sun that I'm
currently watching is the ZFS file system.  If they can work out the
last few performance kinks then I'm sold.  I believe the current
codebase for ZFS has been ported to Linux.

Pablo Virolainen wrote:
> On Mon, 10 Apr 2006, Gary Gendel wrote:
>
>   
>> You can take the paranoid approach (which is what I took).  I included
>> everything except what I knew didn't matter (user's home directories,
>> etc.).  Then I'd look at the reports generated by aide each day and
>> selectively modify the attributes of those things that changed
>> regularly.  It will take a few months to prune it down so it's quiet, but
>> then you've got a pretty inclusive system.  The drawback is that your
>> database size is significant, but I sleep better at night.  I don't want
>> to end up with a situation similar to what you discovered.
>>
>> BTW, though I don't use Linux regularly, you might see if there is
>> something like BSD Jails or Solaris Containers available to run your web
>> server in.  Then, if they do get in, the worst they can do is compromise
>> your web server, not your system (not even root can modify the system
>> files from within a Solaris Container).  I have each service running in
>> its own Container, so any successful attack is limited to one service.
>>     
>
> BSD Jail for Linux has been implemented with the LSM framework
> http://kerneltrap.org/node/3823
>
> BSD Jail functionality for Linux gives
> http://sourceforge.net/projects/linuxjail/
>
> So you trust that Solaris Container has no (exploitable) bugs?
>
> Pablo Virolainen
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>   
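The "paranoid approach" described in the quoted message (include
everything, leave out home directories, then relax the attributes checked
on things that legitimately change) can be expressed directly in an AIDE
configuration.  The fragment below is an added illustration, not a file
posted by either Gary or Pablo; the database paths, the `/srv/www`
directory and the exact set of attributes are assumptions for the sake of
the example, and the `sha256` checksum assumes an AIDE build that provides
it (older releases only offer `md5`/`sha1`).

```conf
# Added example aide.conf (assumed paths, not from the original posts).
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Custom rule groups (attribute letters as documented in aide.conf(5)).
# FULL: everything we can hash; any change to a system file is reported.
FULL   = p+i+n+u+g+s+m+c+md5+sha256
# PERMS: ownership and permissions only; content is expected to change.
PERMS  = p+u+g
# AIDE's predefined '>' group (p+u+g+i+n+S) is meant for growing log files:
# it reports a file that shrinks or is replaced, but not one that grows.

# 1. Start paranoid: the whole tree with the strict rule.
/      FULL

# 2. Exclude what is known not to matter (user home directories and
#    volatile pseudo-filesystems).  '!' lines are negative selections.
!/home
!/proc
!/sys
!/dev
!/tmp

# 3. Selectively relax attributes on paths that changed in every daily
#    report.  Later, more specific lines win over the catch-all above.
/var/log         >
/var/spool/mail  PERMS
/var/cache       PERMS
# Web content that is edited routinely: only ownership/permission drift
# is interesting; a defaced page would still be caught by the site's
# own deployment checks (assumed).
/srv/www/htdocs  PERMS
# The web server's own configuration stays under the strict rule so a
# tampered config is reported in full.
/etc/httpd       FULL
```

With this layout, `aide --init` builds the baseline and each day's
`aide --check` report shrinks as further paths are moved from `FULL` to a
narrower rule; the cost is the larger database the quoted message
mentions, since every file outside the exclusions is hashed.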


