Firewall Wizards
mailing list archives
Re: Web server security?
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 22 Jun 2004 07:45:09 -0700
Paul D. Robertson wrote:

>> probably not worthwhile for "single-trick ponies", since its main
>> purpose is to isolate unrelated subsystems from each other (such as
>> keeping a hacked web server from messing with IMAP accounts).
>
> I prefer RSBAC for a bunch of reasons, but if someone's done the hard bit
> for SELinux, I'd do that instead. The core capability stuff is certainly
> interesting for generic kernels, but I'm really looking to lock down a
> server pretty well.

Immunix SubDomain can confine individual CGI Perl scripts and PHP pages
to a security domain, and can do it even if you are using mod_perl or
mod_php for performance. This substantially improves the security of a
single web site, even if serving that web site is the only function that
machine serves. http://www.immunix.com/products/features.php

Previously available only as a feature of Immunix OS, SubDomain is now
available as a stand-alone product for Linux 2.6 systems via the LSM
interface for pluggable security modules. In the near term, since
Immunix requires Linux 2.6, that means SuSE 9.1.

> I've got a kernel module
> that needs dusting off that doesn't allow daemons to execve, which makes
> things a little better for that last vector...

SubDomain also controls the set of programs that any given program can
exec, so preventing a daemon from exec'ing nastiness, or preventing
Apache from exec'ing surprising things, is easy.

> Nope, I'm going to put SSL on my personal server in an attempt to sell
> some of my photography, and I know the additional complexity is going to
> require more frequent updates.

I don't follow. A strong MAC security policy should *reduce* the
frequency of security updates. A *flexible* MAC security policy should
allow you to upload additional content without having to change the
security policy; SubDomain lets you use regular expressions and
recursion to allow access to, say, all of the .html and .jpg files in a
specified directory tree. What is it you anticipate having to update
frequently?

Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
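
The policy behaviour described in the message above (new content under a directory tree needing no policy change, and a restricted set of programs a daemon may exec), as an added illustration that is not part of the original post and is not SubDomain code or syntax. The glob semantics, the `Profile` class, the paths and the sample events are all assumptions constructed for this example.

```python
import posixpath
import re

def glob_to_regex(glob):
    """'**' matches across '/' (recursion); '*' stays inside one path component."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

class Profile:
    """Default-deny policy for one confined program (hypothetical model)."""

    def __init__(self, read=(), execute=()):
        self.rules = {"read": [glob_to_regex(g) for g in read],
                      "exec": [glob_to_regex(g) for g in execute]}

    def allows(self, op, path):
        # Normalize first so '..' segments cannot slip past a directory rule.
        path = posixpath.normpath(path)
        return any(rx.fullmatch(path) for rx in self.rules[op])

    def denied(self, events):
        """Return the (op, path) events the profile would block."""
        return [(op, p) for op, p in events if not self.allows(op, p)]

# Constructed profile for a web server: static content anywhere under the
# document root, and only top-level Perl CGI scripts may be executed.
WEB = Profile(read=["/srv/www/htdocs/**.html", "/srv/www/htdocs/**.jpg"],
              execute=["/srv/www/cgi-bin/*.pl"])

# Constructed access attempts, including newly uploaded content.
EVENTS = [
    ("read", "/srv/www/htdocs/index.html"),
    ("read", "/srv/www/htdocs/gallery/2004/new-photo.jpg"),
    ("read", "/srv/www/htdocs/../../../etc/passwd"),
    ("read", "/srv/www/htdocs/.htpasswd"),
    ("exec", "/srv/www/cgi-bin/order.pl"),
    ("exec", "/bin/sh"),
]

if __name__ == "__main__":
    for op, path in WEB.denied(EVENTS):
        print("DENIED", op, path)
```

The newly added photo is readable without touching the profile, while the traversal path, the dotfile and the shell exec fall through to the default deny.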