by goodpoint 1582 days ago
> You can log and send metrics from your app over a network

That's far from enough. It's conceptually and practically wrong to rely on the application to monitor itself.

> IDS makes no sense when you don't have logins and such

On the contrary, there is plenty that IDS can do for webapps.

1 comments

I'm not sure anyone would advocate the application to monitor itself. Many companies have entire teams of people that have to deal with keeping machines up and they get paid big bucks to do so.

As for the IDS question/statement - can you explain in more detail? Are you talking about file integrity checks or? Unikernels don't have the concept of users or shells or remote login or many of the things that an IDS would actually be looking at.

If it was something such as an attacker overwriting a shared library and you want to monitor or ensure that can't happen both of those operations are feasible in unikernels.

File integrity checks are from the 1990s. There are various domain-specific HIDS, most of them closed source, that observe the runtime behavior of applications.

Also a lot of hardware and VM management software that perform remote administration functions, e.g. asset tracking, reacting to low batteries on UPSes, monitoring network health...

It's absurd to think that a whole OS worth of code should be jammed into the application or the unikernel. That's what traditional kernels are for.