Re: [Vserver] Is the VServer the right thing for me?
Hi Arjen, Is there a tool (like testme.sh) that tests the common (maybe also uncommon) possibilities of misconfigurations (like the capabilities and chroot-exploids) from inside the VServer? You should have a look at the bastille linux project, as far as I know this is a script that can harden but also (taken from http://www.bastille-linux.org/) snip Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works. /snip (I don't think running it inside a vserver will be an issue since I understood it should not be able to escape the context its running in.) hm ... after a short overview, i dont't think its what i want ... I've tried to run it on Suse 9.2 ... unsupported at the moment And inside my vserver it doesn't recognize the OS (how could it be ... its an LFS http://www.linuxfromscratch.org ;-)) Thanks for the tip - it an interesting project, will try it asap on a Suse 9.1 :-)) Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Is the VServer the right thing for me?
Hi NG, Hi Herbert, Is there a tool (like testme.sh) that tests the common (maybe also uncommon) possibilities of misconfigurations (like the capabilities and chroot-exploids) from inside the VServer? not yet, but sounds like something useful to me ... ok, lets do some brainstorming (comment: i'm no vserver specialist nor can i write programs on linux): Output could be like this: --- # vserver test enter [...] context id is now ... [...] # vcapcheck Checking environment ... conextid is: 4711 [OK] effective userid is: 0 [OK] real userid is: 0 [OK] effective groupid is: 0[OK] real groupid is: 0 [OK] Checking posix capabilities ... i have CAP_CHOWN [OK] i have CAP_KILL[OK] [...] i have CAP_LINUX_IMMUTABLE[WARN] if you have locked some files because of unification, you should assign the immutable-flag to an vps. to remove this capability edit ... i dont have CAP_NET_BROADCAST[OK] i have CAP_SYS_BOOT [ERROR] Warning: any vserver can reboot the read server i dont have CAP_MKNOD [OK] Checking the Network Separation ... determining if someone other listens on my ip [WARN] on port 22 (ssh) listens someone other, maybe the host is configured to listen on 0:0:0:0 trying to listen on localhost: no success [OK] [...] Trying to break out the chroot-jail ... ... to access the hosts files: no success [OK] ... to access other vservers: success [ERROR] [...] Trying to mount hda/sda/...: no success [OK] Checking dev-directory: nothing suspicious found [OK] Checking proc-fs [WARN] found kmem-entry [...] Checking for the usable RAM space [512MB] Checking for available disk space [10 G] if the vserver is on the same partition as the real server you should verify that the vserver can't grab all disk space available [...] --- hm ... this list will get very long ... but i think its very useful when configuring a vserver ... ... Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Is the VServer the right thing for me?
This would be a great script, just reading the items that you wrote made me curious about some things in my setup and would like to test them out, but manually it would be a chore on several of them of course. micah On Fri, 29 Apr 2005, Oliver Dietz wrote: Hi NG, Hi Herbert, Is there a tool (like testme.sh) that tests the common (maybe also uncommon) possibilities of misconfigurations (like the capabilities and chroot-exploids) from inside the VServer? not yet, but sounds like something useful to me ... ok, lets do some brainstorming (comment: i'm no vserver specialist nor can i write programs on linux): Output could be like this: --- # vserver test enter [...] context id is now ... [...] # vcapcheck Checking environment ... conextid is: 4711 [OK] effective userid is: 0 [OK] real userid is: 0 [OK] effective groupid is: 0[OK] real groupid is: 0 [OK] Checking posix capabilities ... i have CAP_CHOWN [OK] i have CAP_KILL[OK] [...] i have CAP_LINUX_IMMUTABLE[WARN] if you have locked some files because of unification, you should assign the immutable-flag to an vps. to remove this capability edit ... i dont have CAP_NET_BROADCAST[OK] i have CAP_SYS_BOOT [ERROR] Warning: any vserver can reboot the read server i dont have CAP_MKNOD [OK] Checking the Network Separation ... determining if someone other listens on my ip [WARN] on port 22 (ssh) listens someone other, maybe the host is configured to listen on 0:0:0:0 trying to listen on localhost: no success [OK] [...] Trying to break out the chroot-jail ... ... to access the hosts files: no success [OK] ... to access other vservers: success [ERROR] [...] Trying to mount hda/sda/...: no success [OK] Checking dev-directory: nothing suspicious found [OK] Checking proc-fs [WARN] found kmem-entry [...] Checking for the usable RAM space [512MB] Checking for available disk space [10 G] if the vserver is on the same partition as the real server you should verify that the vserver can't grab all disk space available [...] --- hm ... this list will get very long ... but i think its very useful when configuring a vserver ... ... Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] Is the VServer the right thing for me?
Hi, how secure is a vserver? I'm working on an opensource project (mainly a php website but also a mailserver and a few scripts are needed) and i should give some people access to a linux-server (apache-configuration and such things). I've only one server and that's my productive one - i don't want to give anyone access to it. Would you give anyone (that you don't know realy good) root-access to a (correctly configured) vserver, when the host-system is a sensible productive system? Thanks for every answer, Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Is the VServer the right thing for me?
hi Oliver, Would you give anyone (that you don't know realy good) root-access to a (correctly configured) vserver, when the host-system is a sensible productive system? As there are a lot of companys outside who sell vServer's on their systems I think - yes you can ;) vServer has mulitple securitty features to prevent people from breaking out of a context - I dont know if there is no way, but at least there is no known one at the moment Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 smime.p7s Description: S/MIME Cryptographic Signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Is the VServer the right thing for me?
Hi Oliver, Would you give anyone (that you don't know realy good) root-access to a (correctly configured) vserver, when the host-system is a sensible productive system? As there are a lot of companys outside who sell vServer's on their systems I think - yes you can ;) ok, that a good point/answer :-)) vServer has mulitple securitty features to prevent people from breaking out of a context - I dont know if there is no way, but at least there is no known one at the moment I'm trying a few days now to get the infomarions from all the papers on linux-vserver.org together ... but it's realy hard to find the red line through all that ... so i'm not realy sure if i've done all correct and if my vserver is secure (i'm no real linux-inside) isolated ... Is there a tool (like testme.sh) that tests the common (maybe also uncommon) possibilities of misconfigurations (like the capabilities and chroot-exploids) from inside the VServer? Thanks! Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Is the VServer the right thing for me?
On Wed, Apr 27, 2005 at 06:49:21PM +0200, Oliver Dietz wrote: Hi Oliver, Would you give anyone (that you don't know realy good) root-access to a (correctly configured) vserver, when the host-system is a sensible productive system? As there are a lot of companys outside who sell vServer's on their systems I think - yes you can ;) ok, that a good point/answer :-)) vServer has mulitple securitty features to prevent people from breaking out of a context - I dont know if there is no way, but at least there is no known one at the moment I'm trying a few days now to get the infomarions from all the papers on linux-vserver.org together ... but it's realy hard to find the red line through all that ... so i'm not realy sure if i've done all correct and if my vserver is secure (i'm no real linux-inside) isolated ... Is there a tool (like testme.sh) that tests the common (maybe also uncommon) possibilities of misconfigurations (like the capabilities and chroot-exploids) from inside the VServer? not yet, but sounds like something useful to me ... any volunteers? best, Herbert Thanks! Oliver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver