[Beowulf] Security issues

Joe Landman landman at scalableinformatics.com
Mon Oct 27 07:52:40 PDT 2008 

Marian Marinov wrote:
> On Friday 24 October 2008 20:15:10 Leif Nixon wrote:
>> "B. Vincent Diepeveen" <diep at xs4all.nl> writes:
>>> Now you post here a big story on how your Rocks got hacked. Do i
>>> conclude it correctly the
>>> problem is that you ran a default Rocks kernel?
>> The basic problem seems to be bad account hygiene.
>>
>> That's a hard problem. Users will forever be borrowing each other's
>> accounts, making it difficult to contain security breaches.
> 
> But if you build a good infrastructure jailing the users within one directory 
> with access to files that do not affect the underlaing OS you will have 
> better chance of leaving such attacks out of your systems.

Well, there has been a discussion in the past about using chroot jails 
for security.  My current understanding after following these threads a 
year or more ago, is that chroot jails are not, in fact, designed with 
security in mind, and shouldn't be relied upon as a security feature. 
In fact, there were some chroot tunneling exploits posted a while ago 
that suggest that chroot for security may be as much security theatre as 
hard-to-guess-say-speak passwords.

> A scheme like that is when all of your users are chrooted to their home 
> folders with the OS for each user mounted from a read-only image. This way it 
> becomes harder for attackers to penetrate the OS security.

Harder, possibly.  Impossible?  no.

> Also a good security addition will be adding SELinux, RSBAC or GRSecurity to 
> the kernel and actually using any of these.

SElinux has been annoying, even overtly frustrating to use.

The things that bother me are there appear to be real things you can do 
to secure systems (layers), and there is security theatre.  Sadly, most 
people happily talk about security theatre as if it were real security.

The best statement I have heard about security is that it is a process, 
not a feature/function.  You can't add more security by adding a 
product.  You can by changing they way something is used.

We are in the process of altering how this user uses their cluster.  In 
doing so, we are disabling a number of attack vectors.  Does this make 
their machine more secure?  No.  It is important to understand, that 
closing some doors may leave other hidden ones open.  So what we try to 
do is create layers such that in the event we screw up, the damage is 
contained.

> 
> Regards
> Marian Marinov
> Head of System Operations at Siteground.com
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf


-- 
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web  : http://www.scalableinformatics.com
        http://jackrabbit.scalableinformatics.com
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615

More information about the Beowulf mailing list