-----Original Message-----
From: Ted Byers
To: openSuSE List
Subject: [opensuse] Sandboxes or jails on OpenSuse? How? Or is it
possible on OpenSuse Linux
Date: Wed, 6 Nov 2013 22:06:41 -0500
I was talking with a UNIX admin today about security, and he
recommended a strategy involving what are termed jails on FreeBSD. He
did say, he has limited experience on Suse and Ubuntu.
Hence, my question for this community.
What do security experts working on Suse (or Ubuntu if you have
experience with that - I have one box running Suse and one running
Ubuntu so info related to either would be useful to me).
He said the core idea is to put applications and/or users in a kind of
jail, or a seriously constrained environment, so that they can do no
harm to the system on which the application is running, or which the
user is using. This sounds like a great idea, reminiscent of the
original security model Sun developed for the first Java Applets.
-----Original Message-----
Hi Ted,
Remember with regards to security, there isn't a holy grail, e.g. a single
solution that fits for all.
It's more like an onion, layers upon layers upon layers.
And regarding weeping: all security comes at a cost; the higher the level
you want, the more you have to invest in (more complicated)
installation-procedure, cpu-power and user-interaction.
To be more to the point. AppArmor and SELinux do provide additional
security, but for for the faint-hearted.
You can separate functionalities into dedicated virtual machines. And
even then, XEN provides a better isolation than LXC or KVM, but at a
performance cost. And even in a VM, you can make jails.
Security is not only proper identification/authentication but much more,
like availability (DOS).
Some functionalities you certainly do not want to share hardware on.
For instance, my CA I don't trust to _any_ hardware, so I keep mine on a
bootable stick in a vault.
And with respect to user-interaction: at one end of the spectrum you
might do guest-user-accounts, single-sign-on. While at the other end,
lengthy passwords for different functionalities. Multi-level
authentication.
Much can/has been said/written on the subject.
Too few take it seriously.
Hans