lists at wildgooses
Feb 1, 2010, 5:33 AM
Post #2 of 6
On 01/02/2010 12:35, Hinnerk van Bruinehsen wrote:
> s one thing which disturbs me: Since Gentoo (and hardened
> Gentoo) is source-based, I'll need a complete toolchain to keep the
> system up to date.
> I don't like the idea of giving these tools to someone who might
> compromise the server.
> Is there a way to keep the toolchain on a thumbdrive or in an encrypted
> partition, so that a possible attacker can't use it, while I still have
> access to it? Does a how-to or a guide exist which could guide me
> through the process of setting it up correctly?
You have a 90% working solution by compiling and distributing
binary packages. The constraint is that you need to sync your USE
flags and compile flags, or use multiple binary repositories.
I actually use something partially similar to keep a bunch of
linux-vservers in sync: I maintain a set of custom profiles which
inherit from the hardened profile and are customised for each
server "type", e.g. I have hardened-apache, hardened-nginx,
hardened-postfix, etc. profiles. I use linux-vservers so that I can have
very fine-grained app installations and the flexibility to swap hardware
(e.g. nearly all web applications get their own complete virtual machine...).
Largely the USE flags/compile flags are all set in my profiles, but I do
relax this a little bit as I allow the toolchain on each vserver (which you
are avoiding, so vary your setup).
There are some limitations with binary packages in that new users don't
seem to get created correctly (see various history on the -embedded
list). This can be worked around in general, but just beware of that.
One feature of linux-vservers that I like but don't exploit is that
in theory you can easily use the host tools to test/verify the guest
installation. This means double trouble if the host is compromised, but it
potentially allows interesting avenues to detect compromised guests by
examining them from the host. Probably similar things can be done with
all other virtualisation solutions also.
A quick checklist item: whatever solution you pick, it should DEFINITELY
include a virtualised guest right from the word go...
I have found Gentoo a very good fit for maintaining a long-term
installation without the pain of re-installs which you eventually
encounter with Red Hat/Debian solutions. However, I would suggest that
the base level of experience required to manage the server is higher,
but the payoff is much greater control and ease of management. Over to
you to decide if these tradeoffs are manageable, but big thumbs up from
me for our needs.
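As an added example of the layout the post describes (this is not code from the original post or from the list; I wrote it to illustrate the setup), the script below scaffolds one per-server-type profile, "hardened-nginx", in a local overlay that inherits Gentoo's hardened profile and pins USE and CFLAGS, plus make.conf fragments for a single build host that emits binary packages and for guests that may only install them. The point is that a guest running emerge with --usepkgonly never compiles anything, so no compiler has to be present on it. Assumptions that are mine rather than the post's: the overlay name "local", Portage's "repo_name:path" parent syntax (which needs profile-formats = portage-2 in layout.conf), the profile path hardened/linux/amd64 in the gentoo repository, the placeholder binhost URL, and the particular USE flags. Everything is written under a scratch directory so it runs offline.

```sh
#!/bin/sh
# Added example, not from the post above. Scaffolds a per-server-type
# profile in a local overlay that inherits the hardened profile, plus
# make.conf fragments for a build host (keeps the toolchain, produces
# binary packages) and for guests (install binaries only, no compiler).
# Assumed, not taken from the post: overlay name "local", the
# "repo_name:path" parent syntax (profile-formats = portage-2), the
# profile path hardened/linux/amd64, and the placeholder binhost URL.
ROOT="${ROOT:-$(mktemp -d)}"      # scratch dir; nothing touches /etc
OVERLAY="$ROOT/overlay"
BINHOST_URL="http://binhost.example/packages"   # placeholder, assumed

# init_overlay: minimal repository metadata so Portage accepts the overlay.
init_overlay() {
    mkdir -p "$OVERLAY/metadata" "$OVERLAY/profiles"
    echo local > "$OVERLAY/profiles/repo_name"
    printf 'masters = gentoo\nprofile-formats = portage-2\n' \
        > "$OVERLAY/metadata/layout.conf"
    : > "$OVERLAY/profiles/profiles.desc"
}

# make_profile NAME PARENT "USE flags" "CFLAGS"
# Creates profiles/NAME. USE and CFLAGS are pinned in the profile so every
# guest of this type and the build host that produces its packages resolve
# to identical binaries, which is the sync constraint the post mentions.
make_profile() {
    name=$1; parent=$2; use=$3; cflags=$4
    dir="$OVERLAY/profiles/$name"
    mkdir -p "$dir"
    printf '%s\n' "$parent" > "$dir/parent"
    printf 'USE="%s"\nCFLAGS="%s"\nCXXFLAGS="${CFLAGS}"\n' "$use" "$cflags" \
        > "$dir/make.defaults"
    # profiles.desc registers the profile: arch, path, status.
    printf 'amd64\t%s\tstable\n' "$name" >> "$OVERLAY/profiles/profiles.desc"
}

# write_buildhost_conf FILE: the one box that keeps a toolchain. It builds
# from source and saves every package it installs as a binary package.
write_buildhost_conf() {
    mkdir -p "$(dirname "$1")"
    printf 'FEATURES="buildpkg"\nPKGDIR="/var/cache/binpkgs"\n' > "$1"
}

# write_guest_conf FILE: guests fetch from the binhost and refuse to build
# from source, so no compiler ever needs to be present on them.
write_guest_conf() {
    mkdir -p "$(dirname "$1")"
    printf 'PORTAGE_BINHOST="%s"\nEMERGE_DEFAULT_OPTS="--getbinpkg --usepkgonly"\n' \
        "$BINHOST_URL" > "$1"
}

# guest_is_binpkg_only FILE: succeeds only if FILE both points at a binhost
# and forbids source builds; a quick sanity check before deploying a guest.
guest_is_binpkg_only() {
    grep -q '^PORTAGE_BINHOST=' "$1" &&
        grep -q -- '--usepkgonly' "$1" &&
        grep -q -- '--getbinpkg' "$1"
}

# profile_use NAME: print the USE string pinned in profiles/NAME/make.defaults.
profile_use() {
    sed -n 's/^USE="\(.*\)"$/\1/p' "$OVERLAY/profiles/$1/make.defaults"
}

init_overlay
make_profile hardened-nginx gentoo:hardened/linux/amd64 \
    "ssl pcre -X -gtk" "-O2 -pipe"
write_buildhost_conf "$ROOT/buildhost/make.conf"
write_guest_conf "$ROOT/guest/make.conf"
echo "scaffolded under $ROOT"
```

To use this for real you would copy the overlay to the build host and to each guest of that type, select the profile on both (the build host is the only machine with FEATURES="buildpkg" and a compiler), and point the guests' PORTAGE_BINHOST at wherever the build host publishes PKGDIR. guest_is_binpkg_only is the check to run on a guest's make.conf before it goes live: if it fails, that guest can still fall back to building from source and the toolchain question the thread started with is back.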