[gentoo-security] Re: Mini Gentoo in VMWare

[gentoo-security] Re: Mini Gentoo in VMWare

[7v5w7go9ub0o]

>> Basically what I want to do is create a series of VERY tiny VMs that
>> are all independent of each other, which provide one service.  For
>> instance, I might put apache on one VM, and tomcat on another, and so
>> on.  Obviously, I would want their memory usage to be absolutely
>> minimized, seeing that I would like to run them all on one computer.
>> I would probably provide them 64M-128M of RAM each, for their specific
>> service.  Perhaps a little more if really required.

Lots of interest in VMs lately - Is this to increase security (isolating  
servers and components in case one is compromised)? Or perhaps you are  
isolating components for the purpose of evaluating them?

<snip>

> Nick[1] made a post about minimizing Gentoo a while back.
> But that topic was mainly about the disk usage.
> I suppose you would benefit from a system that uses the -Os flag to

<snip>

> But do you think vmware is fit for such a task?
> vmware is a big strain on resources itself.
> You might want to have a look at xen[2] instead.
>
> [1] http://thread.gmane.org/gmane.linux.gentoo.user/160899/focus=160903
> [2] http://www.xensource.com/xen/xen/index.html

Presuming that one is seeking greater security, how does xen compare with  
vmware in that regard?

Would a server in a VM actually be more secure than a server in a  
"hardened" chroot jail?

(though I'd guess that a hardened system would be the best basis for a  
server, VM or chroot; and the logical placement of a VM would be within a  
chroot jail?).

TIA


-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Mini Gentoo in VMWare

[Antoine Martin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> <snip>
> 
>> Nick[1] made a post about minimizing Gentoo a while back.
>> But that topic was mainly about the disk usage.
>> I suppose you would benefit from a system that uses the -Os flag to
Another useful approach is to use a custom disk image with just busybox
+ the software to run/test.

> Would a server in a VM actually be more secure than a server in a
> "hardened" chroot jail?
IMO yes, but since you can have both...

> (though I'd guess that a hardened system would be the best basis for a
> server, VM or chroot; and the logical placement of a VM would be within
> a chroot jail?).
A properly configured VM running in a hardened chroot is going to be
(almost) impossible to escape.

Note you can also contain your VMs with SELinux (both inside and out).
I've posted some pages on how to do this with UML here:
http://uml.nagafix.co.uk/SELinux/

Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFS3pBrTBrLRG7eDcRAhCcAKCD/WOug/w7B+GN8TsmABB5UQA0LQCeOG04
MEZwfrAf9Ie/1WXWsU5gfeg=
=VVh9
-----END PGP SIGNATURE-----
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-hardened] Re: [gentoo-security] Re: Mini Gentoo in VMWare

[Javi Moreno]

[-- Attachment #1: Type: text/plain, Size: 1461 bytes --]

Running a chroot jailed service in a chroot jailed VM...cool xD

It's kind of redundant but I don't know if it's worthy.

On 11/3/06, Antoine Martin <antoine@nagafix.co.uk> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > <snip>
> >
> >> Nick[1] made a post about minimizing Gentoo a while back.
> >> But that topic was mainly about the disk usage.
> >> I suppose you would benefit from a system that uses the -Os flag to
> Another useful approach is to use a custom disk image with just busybox
> + the software to run/test.
>
> > Would a server in a VM actually be more secure than a server in a
> > "hardened" chroot jail?
> IMO yes, but since you can have both...
>
> > (though I'd guess that a hardened system would be the best basis for a
> > server, VM or chroot; and the logical placement of a VM would be within
> > a chroot jail?).
> A properly configured VM running in a hardened chroot is going to be
> (almost) impossible to escape.
>
> Note you can also contain your VMs with SELinux (both inside and out).
> I've posted some pages on how to do this with UML here:
> http://uml.nagafix.co.uk/SELinux/
>
> Antoine
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFS3pBrTBrLRG7eDcRAhCcAKCD/WOug/w7B+GN8TsmABB5UQA0LQCeOG04
> MEZwfrAf9Ie/1WXWsU5gfeg=
> =VVh9
> -----END PGP SIGNATURE-----
> --
> gentoo-hardened@gentoo.org mailing list
>
>

[-- Attachment #2: Type: text/html, Size: 1984 bytes --]

Re: [gentoo-security] Re: Mini Gentoo in VMWare

[Brian G. Peterson]

> Basically what I want to do is create a series of VERY tiny VMs that
> are all independent of each other, which provide one service.  For
> instance, I might put apache on one VM, and tomcat on another, and
> so on.  Obviously, I would want their memory usage to be absolutely
> minimized, seeing that I would like to run them all on one computer.
> I would probably provide them 64M-128M of RAM each, for their
> specific service.  Perhaps a little more if really required.

Take a look at the Gentoo Network Appliance Project.  It can easily run in 
64MB of RAM for most tasks.  You can customize the image to take out 
services you don't need.  This has the added advantage of letting you 
maintain the configurations in a way that makes for easy provisioning of 
a new service/VM.

Regards,

   - Brian

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Mini Gentoo in VMWare

[Kevin van Haaren]

--On November 3, 2006 12:04:33 PM -0500 7v5w7go9ub0o 
<7v5w7go9ub0o@gmail.com> wrote:

>
> Lots of interest in VMs lately - Is this to increase security (isolating
> servers and components in case one is compromised)? Or perhaps you are
> isolating components for the purpose of evaluating them?

there are additional benefits, mainly for enterprise use, such as being 
able to move the virtual server to a new box in case of failure of the 
first box. This is much cheaper than maintaining an identically configured 
second box. VMWare's high-end (not free) product can do this automatically 
if partnered with a SAN. Using SAN technology the second box could even be 
off-site, providing a virtually instant disaster recovery plan (just not a 
cheap one.)

You could even save the cost of redundant box by using Amazon's Elastic 
Compute Cloud as your redundancy. Keep a copy of the image on Amazon S3 
then fire up the image if the main one goes down.  Might be a bit slower 
but that beats being down.

Also snapshot technology is getting pretty cool, where you can take a 
snapshot, upgrade a virtual box, and if the upgrade fails just roll back to 
the snapshot. Beats a backup/restore cycle by a mile.

-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: [gentoo-hardened] Re: Mini Gentoo in VMWare

[7v5w7go9ub0o]

On Sat, 04 Nov 2006 13:54:56 -0500, John Schember <j5483@yahoo.com> wrote:

> On Sat, 2006-11-04 at 13:40 -0500, Kwon wrote:
>> Can a hacked instance of VMWare bring down the entire system?
>
> Considering that VMware server uses kernel modules for operation on the
> host system. Also that it likes to run as root (I haven't checked to see
> if it can run as an unprivileged user) and that it wants to use
> xinetd... I would say that you should at least be careful with it.
>

Well, this gets at my original musing...... are you really safer with a  
grsecurity-hardened-chrooted VMware application (with root privileges,  
that uses at least some of the host's kernel) or a  
grsecurity-hardened-chrooted program with no privilege and only the  
additional executables necessary to keep it running.

And if the answer is yes, are you significantly safer?

In one sense there'd be a thicker layer between the host and the server,  
but in another sense the added complexity and root host privilege may add  
vulnerabilities?

(Sorry if this is foolish...... the answer seems less than obvious)



-- 
gentoo-security@gentoo.org mailing list