[grsec] virtualisation with grsecurity

Rik Bobbaers Rik.Bobbaers at cc.kuleuven.be
Fri Aug 25 08:39:53 EDT 2006


Marcel Meyer wrote:
> Hello together,
> 
> I'm currently planning to set up some "hardened" servers using virtualisation. 
> Since only Linux is used, there are quite a few possibilities.
> 
> AppArmor was sorted out as the security part. SELinux is unknown to me and 
> seems to be quite laborious in setting it up and keeping it running. 
> grsecurity was already used by us on "physical servers" and seems to be a 
> quite nice approach.
> 
> But will it work nicely with some virtualisation software? Both projects 
> would need kernel patches.
> 
> After looking at some alternatives, xen and openvz or its commercial 
> counterpart virtuozzo seemed to be the most useful projects. As far as I 
> understood the ML-archive/forums, there was already someone working on 
> getting xen and grsecurity to work but only on AMD64 and finally stopped 
> until xen gets into the kernel (whenever that will be ;-) ). On the other 
> hand I already found some people trying to patch openvz and pax/grsecurity 
> into one hardened kernel. Will this work in the future? The PAX-team wrote 
> into the forums, they are only supporting the current kernel while openvz 
> wants to keep some stable one and only changes it quite infrequently.
> 
> Finally to sum it up: which virtualisation software would you suggest, when 
> I want to set up a "more secure than default"-system (grsecurity & co 
> favoured of course ;-) ).

if you want a different kind of virtualisation (a lot faster than xen, 
but on another level), you should look at:
http://linux-vserver.org/

the merged patches from grsecurity and linux-vserver are at:
http://ludit.kuleuven.be/software/vserver

i use it on a lot of different servers over here... really nice piece of 
software imho ;)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers at cc.kuleuven.be -=- http://harry.ulyssis.org

"Work hard and do your best, it'll make it easier for the rest"
-- Garfield
