[grsec] virtualisation with grsecurity
Rik Bobbaers
Rik.Bobbaers at cc.kuleuven.be
Fri Aug 25 08:39:53 EDT 2006
Marcel Meyer wrote:
> Hello together,
>
> I'm currently planning to set up some "hardened" servers using virtualisation.
> Since only Linux is used, there are quite a few possibilities.
>
> Apparmor was sorted out as the security part. SELinux is unknown to me and
> seems to be quite laborious in setting it up and keeping it running.
> grsecurity was already used by us on "physical servers" and seems to be a
> quite nice approach.
>
> But will it work nicely with some virtualisation software? Both projects
> would need kernel patches.
>
> After looking at some alternatives, xen and openvz or its commercial
> counterpart virtuozzo seemed to be the most useful projects. As far as I
> understood the ML-archive/forums, there was already someone working on
> getting xen and grsecurity to work but only on AMD64 and finally stopped
> until xen gets into the kernel (whenever that will be ;-) ). On the other
> hand I already found some people trying to patch openvz and pax/grsecurity
> into one hardened kernel. Will this work in the future? The PAX-team wrote
> into the forums, they are only supporting the current kernel while openvz
> wants to keep some stable one and only changes it quite infrequently.
>
> Finally to sum it up: which virtualisation software would you suggest, when
> I want to set up a "more secure than default"-system (grsecurity & co
> favoured of course ;-) ).

if you want a different kind of virtualisation (a lot faster than xen,
but on another level), you should look at:
http://linux-vserver.org/
the merged patches from grsecurity and linux-vserver are at:
http://ludit.kuleuven.be/software/vserver
i use it on a lot of different servers over here... really nice piece of
software imho ;)
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers at cc.kuleuven.be -=- http://harry.ulyssis.org
"Work hard and do your best, it'll make it easier for the rest"
-- Garfield
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm