Hardened SELinux Gentoo + Xen & Apache: workable?


Hardened SELinux Gentoo + Xen & Apache: workable?

Wandering.Womble@gmail.com
Hi there-

I'd like to set up a hobby web-server, and I'd appreciate any
thoughts/feedback from this community on what I'm planning- below.

The server will be for two domains.  I'd like them to be as
independent of each other as possible, running on the same machine.
I'd like the maintenance to be as straightforward as possible.
There's also a small chance one of the domains may end up on its own
hardware one day.  The machine will be on the end of a cable modem, in
a DMZ, running its own secondary firewall- probably using shorewall.

I've looked at chroots, jails, vserver patches, bsd, solaris- with
only the latter having any support for managing software installed
inside the 'jail'.  But I couldn't find an answer to whether solaris zones
can also manage manually installed software- I'm guessing not (there
are no solaris packages for lots of web apps.)

Then I read about Xen- and thought that could be reasonable;
virtualize the machine, install two instances of the OS; disk is
cheap, and although everything will have to be down twice (updates
etc), at least I can use the standard package management tools.

My thinking is that up-to-date SELinux + hardened gcc + apache +
mod_security is enough of a headache that the majority of script
kiddies/crackers won't be bothered.  Anyone who can get through that
I'm never going to notice- I know I won't make time to run something
like tripwire often enough to be that useful, and even if I did, if
someone gets through the above, they're very likely to be smart enough
to hide the evidence so I don't notice for a long time (if ever.)
Again, this is for a hobby server- one domain for family pics, etc,
the other for something like trac for me and some friends to have fun
with some hobby development.

First question- does the above sound reasonable?

So my next decision will be a distribution.  I see two choices:
1. fedora core
2. Gentoo hardened (SELinux variant)

I prefer 2- RedHat is very good, but rpm gave me so many headaches I
switched to Debian, then to gentoo (as I learnt more.)  On the other
hand, I get the impression that RedHat is actively integrating both
Xen and SELinux into their mainline releases, and I believe they also
use a hardened gcc (not 100% sure about that), and I'm sure things
have improved since last I used RedHat.  There are also quite a few
documents on the web describing how to make Xen work on fedora-
although so far it looks like most people are turning off SELinux in
the guest domains(!)

Second question: does anyone have a SELinux hardened gentoo Xen host
domain successfully running SELinux hardened gentoo guests?  I'm
assuming if you get that working, getting apache running is relatively
simple ;-)

(I want a hardened OS in both places as at the moment I think the host
domain will have to forward packets to the right guest; I'll probably
differentiate the domains by port numbers- the joy of only having a
single public IP address.)

Final questions:
Is the following a reasonable summary of the steps required?
1. downloading the 2005.1 hardened liveCD
2. follow the guidebook, install using a stage three tarball
3. rsync emerge update to the equivalent of a stage 2 installation
4. emerge Xen, build the Xen host kernel
5. reboot to hardened SELinux + Xen - check things are running
6. reboot into permissive mode, so I can chroot and create a guest domain OS
7. repeat steps 2 & 3 in chroot
8. compile Xen hardened SELinux guest kernel
9. reboot into normal secure mode
10. configure Xen and start the first guest domain with the image and
kernel created in steps 6-8
11. start the guest domain- test to ensure it boots/works
12. stop the guest domain
13. duplicate & backup the guest domain image.
14. configure the second guest domain
15. start both guest domains, and then do the normal work of
configuring the three environments

What steps/issues am I missing?  (e.g. I think I saw something about
having to use the non-hardened gcc to compile Xen- is that correct?)

Or are there a lot of steps missing in the above- would I be better off
using RedHat for the moment?

And if anyone is interested, I'm happy to document it all/work with
others to make a sort of recipe- assuming this type of configuration
is of interest to anyone else.

Thanks in advance,

Julian

--
[hidden email] mailing list
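Two pieces of the plan above lend themselves to a script: steps 10 and 14 (writing a guest domain config) and the parenthetical about the host forwarding packets to the right guest by port number. The following is an added example, not code from this thread or from the Gentoo or Xen projects. It renders an xm-style Xen guest config and the matching shorewall DNAT rules for each guest, and refuses a plan in which two guests claim the same public port. Guest names, kernel and image paths, the 10.0.0.0/24 addresses and the port numbers are constructed placeholders; the xenbr0 bridge name and the /etc/xen/NAME config layout are assumed from Xen 3-era tooling.

```shell
#!/bin/sh
# Added example, not from the thread. Renders an xm-style Xen guest config
# plus the shorewall DNAT rules that steer one public port to one guest,
# and refuses a plan where two guests claim the same public port.
# All names, paths, IPs and ports below are constructed placeholders.

# render_domu_config NAME KERNEL IMAGE MEMORY_MB GUEST_IP
# Emits a Xen guest config (the /etc/xen/NAME file that `xm create` reads;
# the xenbr0 bridge name is an assumption).
# `enforcing=1` keeps the guest's SELinux policy enforcing from first boot;
# set it to 0 for the "permissive mode" pass in step 6 of the plan.
render_domu_config() {
    name=$1 kernel=$2 image=$3 mem=$4 ip=$5
    cat <<EOF
kernel  = "$kernel"
memory  = $mem
name    = "$name"
disk    = ['file:$image,sda1,w']
root    = "/dev/sda1 ro"
vif     = ['ip=$ip, bridge=xenbr0']
extra   = "selinux=1 enforcing=1"
EOF
}

# render_dnat_rules GUEST_IP PUBLIC:GUEST [PUBLIC:GUEST ...]
# One /etc/shorewall/rules line per mapping, columns:
#   ACTION  SOURCE  DEST                 PROTO  DEST_PORT
render_dnat_rules() {
    ip=$1; shift
    for m in "$@"; do
        pub=${m%%:*} guest=${m##*:}
        printf 'DNAT\tnet\tloc:%s:%s\ttcp\t%s\n' "$ip" "$guest" "$pub"
    done
}

# public_ports_unique PORT [PORT ...]
# Returns 0 when every public port appears exactly once.  A duplicate
# would make the first matching rule win and hand the second guest's
# traffic to the first guest without any error being reported.
public_ports_unique() {
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# Demo: two guests on the single public IP, each reachable on its own
# pair of ports.  Output goes to stdout; real use would redirect the
# configs to /etc/xen/<name> and append the rules to /etc/shorewall/rules.
demo_plan() {
    public_ports_unique 8080 8443 9090 9443 || return 1
    render_domu_config web1 /boot/vmlinuz-xen-guest /var/xen/web1.img 256 10.0.0.11
    render_domu_config web2 /boot/vmlinuz-xen-guest /var/xen/web2.img 256 10.0.0.12
    render_dnat_rules 10.0.0.11 8080:80 8443:443
    render_dnat_rules 10.0.0.12 9090:80 9443:443
}

demo_plan
```

The uniqueness check is the part worth keeping even if the rest is replaced by hand-written files: with one public address and several guests, a port typed twice is a silent misrouting, not a configuration error, so catching it before the rules are loaded is the cheap way to find it.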


Re: Hardened SELinux Gentoo + Xen & Apache: workable?

Ewald Wasscher
[hidden email] wrote:

> Hi there-
>
> I'd like to set up a hobby web-server, and I'd appreciate any
> thoughts/feedback from this community on what I'm planning- below.
>
> The server will be for two domains.  I'd like them to be as
> independent of each other as possible, running on the same machine.
> I'd like the maintenance to be as straightforward as possible.
> There's also a small chance one of the domains may end up on its own
> hardware one day.  The machine will be on the end of a cable modem, in
> a DMZ, running its own secondary firewall- probably using shorewall.
>
> I've looked at chroots, jails, vserver patches, bsd, solaris- with
> only the latter having any support for managing software installed
> inside the 'jail'.  But I couldn't find an answer to whether solaris zones
> can also manage manually installed software- I'm guessing not (there
> are no solaris packages for lots of web apps.)
>
> Then I read about Xen- and thought that could be reasonable;
> virtualize the machine, install two instances of the OS; disk is
> cheap, and although everything will have to be down twice (updates
> etc), at least I can use the standard package management tools.
>
> My thinking is that up-to-date SELinux + hardened gcc + apache +
> mod_security is enough of a headache that the majority of script
> kiddies/crackers won't be bothered.

AFAIK the grsecurity patch can't be applied to the current xen-sources,
so you'll lose quite some of the protection of the hardened gcc without
pax (grsecurity).

>   Anyone who can get through that
> I'm never going to notice- I know I won't make time to run something
> like tripwire often enough to be that useful, and even if I did, if
> someone gets through the above, they're very likely to be smart enough
> to hide the evidence so I don't notice for a long time (if ever.)
> Again, this is for a hobby server- one domain for family pics, etc,
> the other for something like trac for me and some friends to have fun
> with some hobby development.
>
> First question- does the above sound reasonable?
>  

To me it does. Have you thought about using mod_deflate or mod_gzip? It
will save some of your precious upstream bandwidth.

Now I have to hurry to work, maybe more answers in the evening.

--
Ewald Wasscher


PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69

--
[hidden email] mailing list


Re: Hardened SELinux Gentoo + Xen & Apache: workable?

Wandering.Womble@gmail.com
Thanks Ewald-
and thanks for the reminders re mod_deflate/mod_gzip :-)

Look forward to seeing some more comments from you- if you have time.

Regards
Julian

On 11/28/05, Ewald Wasscher <[hidden email]> wrote:

> [hidden email] wrote:
> > Hi there-
> >
> > I'd like to set up a hobby web-server, and I'd appreciate any
> > thoughts/feedback from this community on what I'm planning- below.
> >
> > The server will be for two domains.  I'd like them to be as
> > independent of each other as possible, running on the same machine.
> > I'd like the maintenance to be as straightforward as possible.
> > There's also a small chance one of the domains may end up on its own
> > hardware one day.  The machine will be on the end of a cable modem, in
> > a DMZ, running its own secondary firewall- probably using shorewall.
> >
> > I've looked at chroots, jails, vserver patches, bsd, solaris- with
> > only the latter having any support for managing software installed
> > inside the 'jail'.  But I couldn't find an answer to whether solaris zones
> > can also manage manually installed software- I'm guessing not (there
> > are no solaris packages for lots of web apps.)
> >
> > Then I read about Xen- and thought that could be reasonable;
> > virtualize the machine, install two instances of the OS; disk is
> > cheap, and although everything will have to be down twice (updates
> > etc), at least I can use the standard package management tools.
> >
> > My thinking is that up-to-date SELinux + hardened gcc + apache +
> > mod_security is enough of a headache that the majority of script
> > kiddies/crackers won't be bothered.
>
> AFAIK the grsecurity patch can't be applied to the current xen-sources,
> so you'll lose quite some of the protection of the hardened gcc without
> pax (grsecurity).
>
> >   Anyone who can get through that
> > I'm never going to notice- I know I won't make time to run something
> > like tripwire often enough to be that useful, and even if I did, if
> > someone gets through the above, they're very likely to be smart enough
> > to hide the evidence so I don't notice for a long time (if ever.)
> > Again, this is for a hobby server- one domain for family pics, etc,
> > the other for something like trac for me and some friends to have fun
> > with some hobby development.
> >
> > First question- does the above sound reasonable?
> >
>
> To me it does. Have you thought about using mod_deflate or mod_gzip? It
> will save some of your precious upstream bandwidth.
>
> Now I have to hurry to work, maybe more answers in the evening.
>
> --
> Ewald Wasscher
>
>
> PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69
>
> --
> [hidden email] mailing list
>
>

--
[hidden email] mailing list