Solved mount_nullfs security implication

[fred974]

Hello,

I have setup ossec server on my FreeBSD Host and the ossec webui in my FreeBSD jail. As the ossec webui reads data from server's /usr/local/ossec-hids directory, I had to mount -t nullfs it into my jail.

mount_nullfs -o rw /usr/local/ossec-hids /local/jails/webjail/usr/local/ossec-hids/web

Could anyone tell me if making the above command permanent will create serious security concern?

Will it be possible to hack the FreeBSD host via this mount point?

Is there anything I could do to prevent it?

Thank you in advance for the feedback.

Fred

 

[SirDice]

Does it need to have read-write access or would read-only suffice? If possible try mounting it read-only, that should limit any security issues.

 

[fred974]

Hi SirDice, My understanding is that it does write to the /usr/local/ossec-hids/tmp directory. So I guess it needs read-write access.
Is there anything I can use within PF to minimize the risk?

At the moment the access to the ossec web interface is restricted via IP address + username and password.

 

[SirDice]

Is there anything I can use withing PF to minimize the risk?

There's no network involved with mount_nullfs(8).