General security questions about Suse Linux/RSBAC/Systrace
Hello,
At our local university we want to set up a server for our faculty, which is intended to run under Suse Linux. It will offer the following services: Webserver (Apache; it will host the websites of the faculty and the associated chairs as the main webserver), Fileserver (Samba; for the people maintaining their websites on the server), Small Database-Server (MySQL; mainly used for dynamic websites) and a nameserver (Bind, or another more secure variant).
The hardware is a dual-xeon server from IBM (xSeries) with 2 GB RAM, a RAID 5 consisting of 3 146 GB HDDs (since some of the material to be stored on this machine is multimedia-stuff (mainly videos), we decided for bigger HDDs) and the other "usual" components.
Only the system administrators (me and my two colleagues) and a few very trusted persons have direct shell access to the server. The webmasters of the chairs get access to their documents via samba. Our small server-network is protected by a separate firewall-server, running under OpenBSD.
The first question regards the operating system of the new server:
From the available money we could buy an SLES 8 or Suse Linux Professional 8.2. The question here is, does the SLES 8 offer substantially better security functions than Suse Professional? All information we could find was describing the SLES in general but rarely mentioning the security functions in detail. Since we intend to use RSBAC or Systrace to improve the security on the server, and since both need to modify the kernel (for which you should use a new, clean kernel according to the docs), it would also be good to know what of the security functions offered by the SLES will work with such a modified kernel.
The next question concerns RSBAC and Systrace: According to several articles in magazines and the internet, RSBAC and Systrace seem quite interesting for improving security and limiting the damage of potential attacks, but the question is: Are these security solutions appropriate for our application, or are they way too big? Since I and my colleagues are still students, who maintain the faculty servers on a 90 hour-per-month basis (normally we work substantially more than the contractually agreed 90 hours ;-)) and since the handover to our successors shouldn't get too difficult (for us and for them ;)), the security system should be too complicated in the handling.
Perhaps some of you can give us hints for our questions from your experience.
Thank you very much for your help
With best regards,
Patrique Wolfrum