Description
Ever since the introduction of chroot() in the late 70s, the concept of jailing, that is locking down services, has been a choice for the security minded to introduce damage prevention to their services. It's always better to write secure services rather than just locking them down, but it's not always possible, and the addition of jailing can be a good second line of defence against unknown vulnerabilities in your services.
The options for jailing have come a long way since the introduction of chroot(), and in a modern Linux kernel there are multiple different and competing ways to lock down a certain service. Some of them, like namespaces, were popularized by container technologies like Docker, but most of them are useful in more contexts than just containers.
This talk will give an overview of those technologies and how they can be added on to a service with the help of systemd, with no or almost no changes to the service itself, making it especially helpful when trying to secure legacy services and third party code.
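As an added illustration (not part of the talk or the speaker's material) of what such a systemd-applied jail looks like in practice: a drop-in for a hypothetical legacy service `legacyd.service`, using sandboxing directives that exist in current systemd; the service name, user and data path are assumptions.

```ini
# /etc/systemd/system/legacyd.service.d/hardening.conf
# Added example: a drop-in that jails an existing service without
# touching its code. "legacyd" and /var/lib/legacyd are assumed names.
[Service]
# Run unprivileged and forbid privilege escalation via setuid/setcap binaries
User=legacyd
NoNewPrivileges=yes
# Mount namespace: read-only OS, no /home, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# The only writable location the service needs
ReadWritePaths=/var/lib/legacyd
# Reduce kernel attack surface: no new namespaces, seccomp syscall allow-list
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Drop all capabilities; keep only what the service needs
# (here: binding a port below 1024)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit address families and protect kernel tunables, modules and cgroups
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
```

After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security legacyd.service` reports which of these settings are in effect and scores the remaining exposure, which is a quick check that the jail actually applied.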
| Length | 30 minutes |
|---|---|