Just a thought recommended to me by RedHat last year.
Run SELinux :
Cdlt, DaveSELinux can enforce the access rights of every user, application, process, and file
within a Red Hat system to a degree previously unavailable in enterprise operating
systems. It ensures that any application behaves as intended with very low
performance overhead. (For more Information, see Red Hat Enterprise Linux Security
Series: SELinux)
Link: http://www.redhat.com/f/pdf/RHEL_Security_WP_web.pdf
--------
YBA wrote:Hello,
I was running apache for a number of years using fully blown chroot environment, mostly on RHEL (using "chroot" binary as a base). Recently, I have faced a requirement to wrap it up into rpm, which is not an easy task, considering all up to date libs, dependencies, etc.
As chrootdir directive seems to appeared only in 2.2.9 (?), part of mod_unixd, my question is how one could compare it to fully blown chroot environment, looking at it from security point of view. Would that be the same or are there any drawbacks on "chrootdir" side?
Also, I used to see information about mod_chroot, module, but this seem to disappeared at some point. I believe this module is not maintained any more for this purpose (at least google does not seem to know about it any more)?
All comments on this would be most appreciated.
Cheers.
S.
|