Best place to install libraries: jails or host?

Hi all,

I am working on the development of a SaaS based on FreeBSD with its jailing capabilities. I will have a few jails, some needing the same libraries. I wonder, from a security point of view, where I should preferably install these libraries:
  • Once in the host before setting up the jail template. Pros: the library cannot be modified from the jail. Cons:?
  • In each jail. Pros: I can detect an attacker from a host based IDS if he manages to modify the library, and move the jail to a honeypot state - that means disconnecting the attacked jail from the real service, letting the attacker play with it and recording facts, and replacing the jail with a clean clone. The attacker's IP is recorded in a, say, firewall honeypot list. Cons:?
 
I think the disadvantages in both cases are fairly small: installing on the host and sharing between jails is a bit more difficult to set up, whereas installing in each jail requires that you update each jail individually and takes a bit more disk space.

If you like the honeypot setup and you build the libraries from source, you could also create a build jail for that and let it build packages. That might make updating the jails a bit easier.
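As an added illustration (not code from either poster), the host-based detection the question describes for the "library in each jail" option can be sketched as a small POSIX shell script run from the host: it records a per-jail hash manifest of a library directory and reports any modified, added or removed file on later runs. It assumes jail roots live under a directory such as `/usr/jails/<name>` and that the library path of interest is `usr/local/lib`; both are assumptions passed as parameters, and the hash helper tries FreeBSD's `sha256(1)` before falling back to `sha256sum(1)`.

```shell
#!/bin/sh
# Added example, not from the forum thread: per-jail library integrity check
# run from the host. Layout assumption: $JAIL_ROOT/<jailname>/<libpath>.
set -u

# Portable SHA-256 of one file: FreeBSD ships sha256(1), Linux coreutils sha256sum(1).
file_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Write a manifest of "hash path" lines for every regular file under a directory.
make_manifest() {
    dir="$1"; out="$2"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(file_hash "$f")" "$f"
    done > "$out"
}

# Compare a directory against its baseline manifest. Prints one line per
# changed entry ('<' = in baseline only, '>' = in current state only);
# returns 0 when the directory matches the baseline, 1 when anything differs.
check_manifest() {
    dir="$1"; baseline="$2"
    tmp=$(mktemp)
    make_manifest "$dir" "$tmp"
    changes=$(diff "$baseline" "$tmp" | grep '^[<>]' || true)
    rm -f "$tmp"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Walk every jail root: record a baseline on first sight, check afterwards.
# Baselines are kept on the host, outside the jails, so a compromised jail
# cannot rewrite its own reference manifest. Returns 1 if any jail changed.
check_all_jails() {
    jail_root="$1"; baseline_dir="$2"; libpath="$3"
    rc=0
    for j in "$jail_root"/*/; do
        name=$(basename "$j")
        b="$baseline_dir/$name.manifest"
        if [ ! -f "$b" ]; then
            make_manifest "$j$libpath" "$b"
            echo "baseline recorded for jail $name"
        elif ! check_manifest "$j$libpath" "$b"; then
            echo "ALERT: library change in jail $name"
            rc=1
        fi
    done
    return $rc
}

# Usage from cron on the host, e.g.:
#   check_all_jails /usr/jails /var/db/jail-baselines usr/local/lib
```

A run that reports a change is the trigger point for the honeypot handling described in the question (detaching the jail from the service and replacing it with a clean clone). Note that this check only makes sense for the "library in each jail" layout; with the libraries kept on the host and mounted read-only into the jails, the jail cannot alter them in the first place, which is the trade-off the question's first option names.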
 