[PLUG] Linux "Lockdown" feature?

OR Linux Jobs oregonlinuxjobs at gmail.com
Wed Oct 2 17:20:46 UTC 2019


I'm not sure if my comment is relevant, but I'm taking a chance in case
you are referring to Linux servers for web hosting.

Most web hosting services use containers that don't offer any access to the
kernel. They use a shared kernel managed by the host; for example, OpenVZ
and Virtuozzo containers. There is a very real threat of root-level hacks
and compromises, but they don't have anything to do with the OS. When I
worked with web hosting, we found rooted containers all the time, mostly
having to do with PHP vulnerabilities and relaxed shell access through SSH.

Neil


On Wed, Oct 2, 2019 at 8:44 AM <alan at clueserver.org> wrote:

>
>
> > "Back then, even if Linux systems were employing secure boot mechanisms,
> > there were still ways that malware could abuse drivers, root accounts, and
> > user accounts with special elevated privileges to tamper with the kernel's
> > code, and by doing so, gain boot persistence and a permanent foothold on
> > infected systems."
> >
> >  https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/
> >
> > This seems like the long-time-coming of a generally agreed-upon good thing.
> > I generally understand what this does, but I'm not a kernel or sw dev and
> > so I don't know the full implications of this.
> >
> > Anyone doing security or dev work who has some concerns or sees more
> > goodness with this?
>
> It will be interesting to see what it breaks. I expect we will find a few
> apps that read /dev/kmem for "reasons" that will not be happy.
>
> I will be building a test spin when, and if, I can get my Skylake board
> working.
>
>
> Q: Why do programmers confuse Halloween and Christmas?
> A: Because OCT 31 == DEC 25.
>
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

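A small check for the "what will it break" question raised in the quoted reply, added here as an example and not code from the thread or from the kernel project: it reads the lockdown state the kernel exposes at /sys/kernel/security/lockdown (one line listing the modes with the active one in brackets, e.g. `none [integrity] confidentiality`) and then tries to open the raw-memory devices that the integrity level blocks, reporting the errno each one returns. Assumptions: the sysfs path and line format are those of the upstream lockdown LSM; a kernel built without CONFIG_SECURITY_LOCKDOWN_LSM has no such file and the program reports "unknown"; /dev/kmem only exists if the kernel was built with CONFIG_DEVKMEM (it was dropped in 5.13), so ENOENT for it is normal. Under lockdown at integrity or above, open() on these devices fails with EPERM even for root; as an unprivileged user you will see EACCES from the file mode instead, which is not lockdown at work.

```c
/*
 * Added example (not from the PLUG thread): report the kernel lockdown mode
 * and probe the raw-memory devices that the "integrity" level blocks.
 * Safe to run as root: it only open()s each device and closes it again.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lockdown_mode {
    LOCKDOWN_UNKNOWN = -1,
    LOCKDOWN_NONE,
    LOCKDOWN_INTEGRITY,
    LOCKDOWN_CONFIDENTIALITY
};

/* Parse the contents of /sys/kernel/security/lockdown. The file lists the
 * modes with the active one in square brackets, e.g.
 *   none [integrity] confidentiality
 * Returns the active mode, or LOCKDOWN_UNKNOWN if no known bracketed mode
 * is present. */
enum lockdown_mode parse_lockdown_mode(const char *contents)
{
    const char *lb = strchr(contents, '[');
    if (!lb)
        return LOCKDOWN_UNKNOWN;
    const char *rb = strchr(lb, ']');
    if (!rb)
        return LOCKDOWN_UNKNOWN;
    size_t len = (size_t)(rb - lb - 1);
    if (len == 4 && strncmp(lb + 1, "none", 4) == 0)
        return LOCKDOWN_NONE;
    if (len == 9 && strncmp(lb + 1, "integrity", 9) == 0)
        return LOCKDOWN_INTEGRITY;
    if (len == 15 && strncmp(lb + 1, "confidentiality", 15) == 0)
        return LOCKDOWN_CONFIDENTIALITY;
    return LOCKDOWN_UNKNOWN;
}

/* Read the live state. LOCKDOWN_UNKNOWN if the file is absent (no lockdown
 * LSM in this kernel, or securityfs not mounted). */
enum lockdown_mode read_lockdown_mode(void)
{
    char buf[128];
    FILE *f = fopen("/sys/kernel/security/lockdown", "r");
    if (!f)
        return LOCKDOWN_UNKNOWN;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return LOCKDOWN_UNKNOWN;
    }
    fclose(f);
    return parse_lockdown_mode(buf);
}

/* Try to open a device read-only. Returns 0 on success, otherwise the errno
 * from open(). With lockdown >= integrity, /dev/mem, /dev/kmem and /dev/port
 * yield EPERM even with CAP_SYS_RAWIO. */
int probe_device(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Whether a lockdown mode blocks the raw physical/kernel memory devices. */
int mode_blocks_dev_mem(enum lockdown_mode m)
{
    return m == LOCKDOWN_INTEGRITY || m == LOCKDOWN_CONFIDENTIALITY;
}

int main(void)
{
    static const char *mode_names[] = { "none", "integrity", "confidentiality" };
    static const char *devices[] = { "/dev/mem", "/dev/kmem", "/dev/port" };
    enum lockdown_mode m = read_lockdown_mode();

    printf("lockdown: %s\n",
           m == LOCKDOWN_UNKNOWN ? "unknown (no lockdown LSM?)" : mode_names[m]);
    printf("raw memory devices %s by this mode\n",
           mode_blocks_dev_mem(m) ? "blocked" : "not blocked");
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++) {
        int err = probe_device(devices[i]);
        printf("%-10s %s\n", devices[i], err == 0 ? "opened" : strerror(err));
    }
    return 0;
}
```

Build with `cc -o lockdown-probe lockdown-probe.c` and run it as root on a box with and without `lockdown=integrity` on the kernel command line; an application that needs /dev/mem or /dev/kmem will see exactly the EPERM this prints, which is the breakage the reply anticipates.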