Hey Ulas,
On Thu, Feb 17, 2022 at 07:27:47AM -0800, Ulaş Saygın wrote:
> Hi,
> I would like to ask people about jail configuration.
> in jail some services dont need to be working.
> which services you generally close because of performance and not need of
> it in jailed system. would like to share your experience?
Can you list which services aren't working for you? I use jails quite
heavily and haven't had any issues. But I might not be running what
you're running. ;-)
>
> in the past , i saw gist and tweet about this but i couldnt find it now.
> if someone knows it, can you share it? it will be very helpful.
>
> any advice about the jails for hardening or tunning are welcome.
Jails shouldn't be relied upon for security. They're great for logical
separation of services (separating a database server from a web
server, for example.)
Jail (in)security comes from two main factors:
1. Jails share the same leaky, vulnerable kernel.
2. Jails don't prevent or mitigate exploitation.
HardenedBSD has done some work in addressing point number 1, but that
work is largely incomplete. Completing that work would take *A LOT* of
work, including completely rewriting certain base system utilities
(sockstat, fstat, etc.)
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc