by oolongCat 3505 days ago
So I am confused, how does any of this increase attacker cost? Can't you do the same thing at the OS level already? Wouldn't making the dir read only do the same thing?

If your data gets stolen and your website defaced what's the use of immutability? I mean you can always run a diff tool against the current code on the server with the code you have on your repo right?

2 comments

> how does any of this increase attacker cost?

Because it forces the attacker to write a specific payload for your service. Standard, reused "drop shell.php and register IP" will not work anymore. And realistically if the target of the attack was a WordPress installation, it will likely be a trivial, automated script.

> Can't you do the same thing at the OS level already?

Yes, you can. Even better, split execution privileges from file privileges, then make it read only, then put a grsec/apparmor/selinux profile on the service. It's not docker specific, but docker does make read only service a little bit easier.

> Wouldn't making the dir read only do the same thing?

Yeah, but who would do that old school thing. Docker security! :-(

It's pretty hard to diff filesystems that aren't designed for it. Either you need to lock the whole filesystem somehow - e.g. by taking it offline - or you have to deal with the fact that other processes are reading/writing as you scan the filesystem, which is rather difficult to reason about.

And it's not just about diffing your code with your repo - that only works if the attacker tried to attack your code. What about other running processes? New files on the system containing malicious code, outside of the paths you usually deploy code to? What about new, unexpected cron jobs?

Overall, it could become a pretty complex job. A filesystem with some intrinsic snapshotting makes this a lot easier.
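As an added illustration of the diffing problem the reply above describes (example code, not from anyone in this thread): a minimal integrity manifest that hashes every file under a root, then reports files that were added, removed or modified between a baseline and a later scan, so that new files outside the deploy path (an unexpected cron entry, a file under uploads) show up, not just edits to the code you deployed. The scanned root is a constructed temporary tree; in practice you would point it at a consistently captured snapshot (LVM, a COW filesystem snapshot) rather than a live filesystem.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Walk root and return {relative_path: sha256_hex} for every regular file."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; every key is sorted so the report is deterministic."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    # Helper for the constructed scenario only.
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small deploy tree, then change it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/index.php", b"<?php echo 'hello'; ?>")
        _write(root, "etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
        baseline = build_manifest(root)
        # Changes outside and inside the deployed code path (constructed placeholders).
        _write(root, "app/index.php", b"<?php echo 'changed'; ?>")
        _write(root, "app/uploads/x.php", b"<?php /* constructed placeholder */ ?>")
        _write(root, "etc/cron.d/persist", b"* * * * * root /tmp/x\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```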

COW by default file systems which provide a "snapshot at time x" can help with this. NTFS can do it with shadowcopy.
You can also use lvm snapshots, which work with any filesystem.