Subject: virtualisation with grsecurity
I'm currently planing to setup some "hardened" servers using virtualisation.
Since only Linux is used, there are quite a few possibilities.
Apparmor was sorted out as the security part. SELinux is unknown to me and
seems to be quite laborious in setting it up and keeping it running.
grsecurity was already used by us on "physical servers" and seems to be a
quite nice approach.
But will it work nicely with some virtualisation software? Both projects
would need kernel patches.
After looking at some alternatives, xen and openvz or its commercial
counterpart virtuozzo seemed to be the most useful projects. As far as I
understood the ML-archive/forums, there was already someone working on
getting xen and grsecurity to work but only on AMD64 and finally stopped
until xen gets into the kernel (whenever that will be ;-) ). On the other
hand I already found some people trying to patch openvz and pax/grsecurity
into one hardened kernel. Will this work in the future? The PAX-team wrote
into the forums, they are only supporting the current kernel while openvz
wants to keep some stable one and only changes it quite infrequently.
Finally to sum it up: which virtualisation software would you suggest, when
I want to set up a "more secure than default"-system (grsecurity & co
favoured of course ;-) ).
Thank you very much for your time.