I was talking with a UNIX admin today about security, and he recommended a strategy involving what are temed jails on FreeBSD. He did say, he has limited experience on Suse and Ubuntu. Hence, my question for this community. What do security experts working on Suse (or Ubuntu if you have experience with that - I have one box running Suse and one running Ubuntu so info related to either would be useful to me). He said the core idea is to put applications and/or users in a kind of jail, or a seriously constrained environment, so that they can do no harm to the system on which the applicatin is running, or which the user is using. This sounds like a great idea, reminiscient of the original security model Sun developed for the first Java Applets. I asked him about virtual machines, and he said they are a viable option, but carry significant computational burden as well as well disciplined administration that routinely takes frequent snapshots of the virtual machines (either Oracle's virtual box, or VMware). He did say, though, that you can readily create a template VM and clone it. But he preferred the FreeBSD idea of a jail. I am especially sensitive about computational load, as, as a developer, I insist that any site I work on has a response time of less than 5 seconds (from the time the user has requested a page to the time it has finished loading. I asked him about the utility of apparmour, but he said that in his experience it causes a lot more trouble than it is worth, causing more major issues than it has a hope of fixing (but he wasn't specific). Indeed, every tiime I find what looks like a viable option, the reviews I see pan it, describing it as a waste of time, recommending instead purchase of expensive software or subscription services. And then there are a numbeer of sites that contain blurbs about the best 5 or 10 security products, but their write-up is so shallow that there is no evidence provided that the proucts recommended actually do anything useful. How, then, is a non-specialist supposed to find out what will actually provide the safety sought? He had nothing to say about the utility of mod-security2 in securing web applications. This became an issue today as one of the websites a colleague maintains was hacked today (he has a fix in place, but wants to know what more can be done to prevent problems in the future - and neither of us is really an administer, he programs largely in PHP and I in Perl, and C++). We both know how to write our code so as to reduce risk of attack, but we want to know what we can do in terms of configuring Apache, and the OS we're running on, to reduce the risk further. In an ideal world, hackers would be able to hack into our site, but when they do so, they get locked in a virtual jail or sandbox, so they are given the illusion thay their attack is succeeding, but the sandbox prevents them from doing any harm, and ideally logs all their activities for forensic analysis (and possibly going so far as to identify the machine they're using and it's location). In practical terms, though, especially since I have no budget, what open source products are available, and what are the best recommended practices, that will ensure this. Or am I stuck with relying on my own abilities, and that of my colleagues, for developing secure code? Are their any security experts out there who can advise on this matter? Thanks Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org