Askng aabout Jail Tunning and not needed services in jailed system

[Ulaş Saygın]

Hi,

I would like to ask people about jail configuration.

in jail some services dont need to be working.

which services you generally close because of performance and not need of it in jailed system. would like to share your experience?

in the past , i saw gist and tweet about this but i couldnt find it now.

if someone knows it, can you share it? it will be very helpful.

any advice about the jails for hardening or tunning are welcome.

thank you.

[Shawn Webb]

Hey Ulas,

On Thu, Feb 17, 2022 at 07:27:47AM -0800, Ulaş Saygın wrote:
> Hi,
> I would like to ask people about jail configuration.
> in jail some services dont need to be working.
> which services you generally close because of performance and not need of
> it in jailed system. would like to share your experience?

Can you list which services aren't working for you? I use jails quite
heavily and haven't had any issues. But I might not be running what
you're running. ;-)

>
> in the past , i saw gist and tweet about this but i couldnt find it now.
> if someone knows it, can you share it? it will be very helpful.
>
> any advice about the jails for hardening or tunning are welcome.

Jails shouldn't be relied upon for security. They're great for logical
separation of services (separating a database server from a web
server, for example.)

Jail (in)security comes from two main factors:

1. Jails share the same leaky, vulnerable kernel.
2. Jails don't prevent or mitigate exploitation.

HardenedBSD has done some work in addressing point number 1, but that
work is largely incomplete. Completing that work would take *A LOT* of
work, including completely rewriting certain base system utilities
(sockstat, fstat, etc.)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

[Ulaş Saygın]

Thank you for your answer and details. it is good to know things about jail and other security issues.

17 Şubat 2022 Perşembe tarihinde saat 18:45:39 UTC+3 itibarıyla Shawn Webb şunları yazdı:

Hey Ulas,

On Thu, Feb 17, 2022 at 07:27:47AM -0800, Ulaş Saygın wrote:
> Hi,
> I would like to ask people about jail configuration.
> in jail some services dont need to be working.
> which services you generally close because of performance and not need of
> it in jailed system. would like to share your experience?

Can you list which services aren't working for you? I use jails quite
heavily and haven't had any issues. But I might not be running what
you're running. ;-)

yes maybe :-) you may give advise about it :-), i am planing to use databases postgresql , mysql, web servers like nginx, h20 web server, mail servers postfix,dovecot,

as proxy for jails interactions to outside world , i wanted to use envoy as proxy server but it seems it is not possible to use on freebsd and hardenedbsd too.

envoy needs to be updated on port tree and envoy developers thinks that their build system is important and if without bazel build , envoy may be will not work properly.

now i am thinking to use haproxy :) these are my services i would like to use in jails but i am little bit tired of problems about compiling ports and lack of updates about ports tree.

is there any good way to use latest versions of ports doing by myself. but it seems very hard because every port needs more attention than one person can have.

but i am open to possible jail solutions :)

 

>
> in the past , i saw gist and tweet about this but i couldnt find it now.
> if someone knows it, can you share it? it will be very helpful.
>
> any advice about the jails for hardening or tunning are welcome.

Jails shouldn't be relied upon for security. They're great for logical
separation of services (separating a database server from a web
server, for example.)

Jail (in)security comes from two main factors:

1. Jails share the same leaky, vulnerable kernel.
2. Jails don't prevent or mitigate exploitation.

HardenedBSD has done some work in addressing point number 1, but that
work is largely incomplete. Completing that work would take *A LOT* of
work, including completely rewriting certain base system utilities
(sockstat, fstat, etc.)

Thanks,

what exactly do jails? i mean it only seems seperating services from main system but not prevent or mitigate exploitation.

only benefit is, not causing problems to main system when you have problem with services?

[Ulaş Saygın]

sorry to say, jails i think it is not complete system. it still needs work to do something better.

for example, i am not able to set ip address on rc.conf because it is working.

jail is not acting like seperated system. rc.conf does not seems like it.

is there any specific reason for it.

or just incomplete work of jail system?

23 Şubat 2022 Çarşamba tarihinde saat 02:05:35 UTC+3 itibarıyla Ulaş Saygın şunları yazdı:

[Ulaş Saygın]

Finally i found what i am looking for :) from my old notes. happy day.

https://twitter.com/allanjude/status/1314293390419390465

https://gist.github.com/dlangille/ce60ac76b69f267a3f1de33495a338fc

anyone would like to share experience about these settings or other useful ideas. i would like see and it will be noted in here for other peoples' benefit also.

Ulaş Saygın <ulassa...@gmail.com>, 23 Şub 2022 Çar, 02:07 tarihinde şunu yazdı: