Security: Difference between revisions

Line 85:

* [https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf 2020 IBM Presentation on Address Space Isolation in the Linux Kernel] - Containers within VMs are a norm for security in the cloud. Addressing ongoing work to improve isolation of containers and VMs.

* [https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html An EPYC escape: Case-study of a KVM breakout] - Detailing first known non-userspace vulnerability enabling guest-to-host breakout.

==== Systemd Hardening ====

It is possible to increase the isolation of Systemd services by using hardening options. For example, adding <code>PrivateNetwork=yes</code> option in a Systemd unit removes access to the host network.

For more information, please see [[Systemd_Hardening]].

=== Networking ===

@@ Line 85: / Line 85: @@
 * [https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf 2020 IBM Presentation on Address Space Isolation in the Linux Kernel] - Containers within VMs are a norm for security in the cloud. Addressing ongoing work to improve isolation of containers and VMs.
 * [https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html An EPYC escape: Case-study of a KVM breakout] - Detailing first known non-userspace vulnerability enabling guest-to-host breakout.
+==== Systemd Hardening ====
+It is possible to increase the isolation of Systemd services by using hardening options. For example, adding <code>PrivateNetwork=yes</code> option in a Systemd unit removes access to the host network.
+For more information, please see [[Systemd_Hardening]].
 === Networking ===