Gentoo Forums
Question: would running qemu in chroot increase security?
bedtime
n00b


Joined: 19 Dec 2012
Posts: 71

Posted: Thu Jun 08, 2017 12:16 pm    Post subject: Question: would running qemu in chroot increase security?

My situation:

I am running a Gentoo hardened kernel with grsecurity as my base system. I have a Gentoo VM that runs in qemu with the '-sandbox on' parameter added. It is an .img file and can be run in persistent or temporary snapshot mode ('throw away' mode, as I like to call it). It's working perfectly as of now. It uses hugepages for its memory.

Inside that Gentoo VM there are (or will be; I am compiling as I speak) separate chroot environments for large basic programs, such as Firefox, Thunderbird, and LibreOffice.

Would having that Gentoo VM run in a chroot environment help to keep that VM more separate and secure from the base Gentoo system?

I want a VM system that is as separate and secure from the base system as possible.


Ideas or thoughts? I am new to this.
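Added here as an example (not code from the thread): a small POSIX sh script that checks whether a running qemu really has the seccomp filter that '-sandbox on' is meant to install, by parsing the Seccomp field of /proc/<pid>/status. The sample status text is constructed, and Linux 3.8 or newer is assumed for that field to exist.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a qemu started with
# '-sandbox on' really runs under a seccomp filter by reading the Seccomp
# field of /proc/<pid>/status (0 = none, 1 = strict, 2 = filter).
# Assumes Linux >= 3.8, where that field exists, and a POSIX sh with awk.

# seccomp_mode_from_status "<contents of /proc/<pid>/status>"
# Prints the Seccomp value, or "unknown" when the field is absent.
seccomp_mode_from_status() {
    printf '%s\n' "$1" | awk '
        $1 == "Seccomp:" { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# describe_seccomp_mode <mode>: turn the numeric mode into a short verdict.
describe_seccomp_mode() {
    case "$1" in
        0) echo "disabled: no syscall filter; -sandbox on did not take effect" ;;
        1) echo "strict: legacy mode (read/write/exit/sigreturn only)" ;;
        2) echo "filter: a BPF seccomp policy is enforced, as -sandbox on should give" ;;
        *) echo "unknown: kernel does not expose a Seccomp field" ;;
    esac
}

# check_pid <pid>: report the seccomp state of one running process.
check_pid() {
    status=$(cat "/proc/$1/status" 2>/dev/null) || {
        echo "pid $1: not found" >&2
        return 1
    }
    mode=$(seccomp_mode_from_status "$status")
    echo "pid $1: Seccomp=$mode ($(describe_seccomp_mode "$mode"))"
}

# Constructed sample status texts (not captured from a real qemu) so the
# parser can be exercised without a VM running.
SAMPLE_FILTERED=$(printf 'Name:\tqemu-system-x86\nState:\tS (sleeping)\nSeccomp:\t2\nNoNewPrivs:\t1\n')
SAMPLE_NO_FIELD=$(printf 'Name:\tqemu-system-x86\nState:\tS (sleeping)\n')

if [ "$#" -gt 0 ]; then
    # Usage: sh check_sandbox.sh $(pgrep -x qemu-system-x86_64)
    for pid in "$@"; do check_pid "$pid"; done
else
    echo "sample: Seccomp=$(seccomp_mode_from_status "$SAMPLE_FILTERED")"  # prints Seccomp=2
fi
```

A value of 2 on the live qemu process is what the '-sandbox on' setting should produce; 0 means the option was silently ignored (for example a qemu built without seccomp support).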
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5592

Posted: Thu Jun 08, 2017 6:47 pm

Security is a process, not a trash fire. You can't just pile up every buzzword you skim off page 50 of a Google search and declare it "most secure". Understand what you're doing, what your threat model is, and start building from there.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 42587
Location: 56N 3W

Posted: Thu Jun 08, 2017 7:10 pm

bedtime,

First you determine the threats you want to secure against.
Then you deploy layers of the security onion to defend against those threats.

Security is not absolute: the more layers you deploy, the harder it is for an attacker, but to think that it's impossible is deluding yourself.
The idea is to make attackers that want to add another host to their botnet, for example, give up and move on.
Also, there is a trade-off between security and usability. You need to pick your trade-off point there.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
bedtime
n00b


Joined: 19 Dec 2012
Posts: 71

Posted: Thu Jun 08, 2017 11:15 pm

Ant P. wrote:
Security is a process, not a trash fire. You can't just pile up every buzzword you skim off page 50 of a Google search and declare it "most secure". Understand what you're doing, what your threat model is, and start building from there.

Security in Linux is new to me, so it looks like I have some learning to do.

Quote:
First you determine the threats you want to secure against.
Then you deploy layers of the security onion to defend against those threats.

Security is not absolute: the more layers you deploy, the harder it is for an attacker, but to think that it's impossible is deluding yourself.
The idea is to make attackers that want to add another host to their botnet, for example, give up and move on.
Also, there is a trade-off between security and usability. You need to pick your trade-off point there.

I think I gave a misleading impression... As it is, with the system automated, it is still convenient, but I could imagine how bogging it down too much can be more cumbersome than beneficial.
All times are GMT