[Aide] Newbie Questions

andre.lue-fook-sang at thomson.com
Tue Apr 11 17:05:14 EEST 2006


Gary,

Maybe you could help me with a problem I never found a solution to. On
Solaris 8 and lower I had a custom-made jail to run Snort, which works
fine. I could not, however, get Snort to see any packets inside a Solaris
zone on 10. The explanation I was given is something to the effect that
the interface inside the zone could not see packets that were not
destined for it.

Also, in Solaris 8 I could run Snort on a non-IP'ed as well as an IP'ed
interface. I could not get either to work in Solaris 10. Any input you
can provide is appreciated, as my Snort box still runs on Solaris 8.


Thanks
Andre

-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf
Of Gary Gendel
Sent: Tuesday, April 11, 2006 8:42 AM
To: Aide user mailinglist
Subject: Re: [Aide] Newbie Questions


Pablo,

Solaris Containers are inherently secure in as much as the "container"
(Zone) is completely isolated from the main OS.  The only writable files
are local to the container.  It is impossible to overwrite or add/remove
system files.  It's BSD Jails taken to another level.  The only way to
modify system files is from the main OS, which you can't get to from
within a container.  Once a zone is established, it has its own network
stack, device stack, etc.  You actually boot the zone to bring it up.  So,
even though I wouldn't say there aren't exploitable vulnerabilities,
these should be contained to the container (pun intended).  It is so
isolated that people are running a guest OS inside a container
(Windows, Linux, BSD, etc.).  This work is called BrandZ.

I'm not an OS zealot, I just like impressive technology.  I'll use
whatever is best suited for the tasks I need to perform.  Solaris
Containers (Zones) are extremely impressive.  It takes me all of 15
minutes to set up a zone and boot it, and it's amazingly light on system
resources.  The other really striking technology from Sun that I'm
currently watching is the ZFS file system.  If they can work out the
last few performance kinks then I'm sold.  I believe the current
codebase for ZFS has been ported to Linux.

Pablo Virolainen wrote:
> On Mon, 10 Apr 2006, Gary Gendel wrote:
>
>> You can take the paranoid approach (which is what I took).  I
>> included everything except what I knew didn't matter (users' home
>> directories, etc.).  Then I'd look at the reports generated by aide
>> each day and selectively modify the attributes of those things that
>> changed regularly.  It will take a few months to prune it down so it's
>> quiet, but then you've got a pretty inclusive system.  The drawback
>> is that your database size is significant, but I sleep better at
>> night.  I don't want to end up with a situation similar to what you
>> discovered.
>>
>> BTW, though I don't use Linux regularly, you might see if there is
>> something like BSD Jails or Solaris Containers available to run your
>> web server in.  Then, if they do get in, the worst they can do is
>> compromise your web server, not your system (not even root can modify
>> the system files from within a Solaris Container).  I have each
>> service running in its own Container, so any successful attack is
>> limited to one service.
>
> BSD Jail for Linux has been implemented with the LSM framework:
> http://kerneltrap.org/node/3823
>
> BSD Jail functionality for Linux is given by
> http://sourceforge.net/projects/linuxjail/
>
> So you trust that Solaris Container has no (exploitable) bugs?
>
> Pablo Virolainen
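The "paranoid approach" Gary describes above (include everything, exclude what never matters, then relax rather than drop the entries the daily report keeps flagging), written out as an AIDE configuration. This is an added example, not a config from the original post; the paths, rule names and database locations are assumptions.

```conf
# Added example (not from the original post): AIDE config for the
# "include everything, then relax what changes regularly" approach.
# Database paths are assumptions; adjust to your installation.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Rule sets.  p=permissions i=inode n=link count u=uid g=gid s=size
# m=mtime c=ctime S=growing size (size may only increase) md5/sha1=content.
Strict = p+i+n+u+g+s+m+c+md5+sha1
Growing = p+i+n+u+g+S
Perms = p+u+g

# Step 1: start from everything under / with the strictest rule.
/ Strict

# Step 2: cut out what is known not to matter (home directories,
# scratch space, kernel pseudo-filesystems).  "!" excludes the subtree.
!/home
!/tmp
!/proc

# Step 3: for paths the daily report keeps flagging, relax the checked
# attributes instead of excluding the path.  The deeper (more specific)
# rule wins over the "/ Strict" rule above.
/var/log Growing
/var/spool Perms
/var/lib/aide Perms
```

Initialise with `aide --init`, move the new database into place and run `aide --check` daily; each path the report flags either gets a more relaxed rule here or stays strict on purpose.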

_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide