[Discuss] virtual servers and security problems

Edward Ned Harvey blu at nedharvey.com
Fri Nov 11 11:25:00 EST 2011 

Everyone knows software is imperfect.  Even when you're fully patched and
following good practices, somebody can hack your apache (or whatever) and
that's why we layer on additional security such as selinux (or whatever.)  I
was recently called to examine a publicly facing production web server on
fully patched centos 5, and I found somebody had successfully attacked it
just by requesting a mangled URL, which launches arbitrary commands outside
of apache's normal behavior.  This is the sort of thing selinux is supposed
to catch and prevent...  But selinux is disabled.

 

When you install rhel/centos/whatever using an iso (or whatever) it prompts
you to enable/disable selinux and so forth, but a lot of the
paravirtualization install processes don't run the "normal" system
installer, and neglect this vital security setup, and you end up with a
system lacking selinux.

 

I am asking, all you folks out there running lots of different
virtualization providers - Which providers, under which conditions, DON'T
mess up selinux?

 

Here are my current data points:

 

You can check the status of selinux with the command:  sestatus

If it's disabled, I definitely don't recommend simply turning it on.  Do it
on a test system, because it's sure to mess things up dramatically.

 

On ESX, since it's fully virtualized and the guest OS is installed from the
ISO, the normal guest OS install process applies, and selinux works
perfectly.

 

On Amazon, since it's paravirtualized, and most image building guides tell
you to "create a filesystem, copy in these files..." and stuff like that,
selinux is almost always neglected.  Maybe always.  I have not tried
enabling selinux after creating a machine on amazon - maybe it works maybe
not.

 

On rackspace, the default images they make available for you don't have
selinux, and if you try to enable it, it fails.  They have some special
process you can follow, 

with the assistance of a support rep, to create some other sort of image
which supports selinux.  I have not tried it yet, so I can't testify to
whether it's good or not.

 

I formerly used prgmr - And based on memory - I am almost totally certain
they do it right.  Can anybody confirm?

 

What other virtualization hosts are people using?

More information about the Discuss mailing list