We use it solely on hundreds of our customers' Unix computers. My suggestion (that not everyone agrees with) is to run it under inetd. Unix does not function without inetd (or relatives like xinetd). You don't have to start or manage a server. It is dead reliable, and when processes die it cleans them up and so forth. You connect to localhost on some port, have a configuration that directs it to the right place, and off to the races.
I am not sure what you mean by container hardening. When connecting to localhost it never touches the network – the TCP/IP traffic goes directly to the TCP/IP stack on the local machine.
I am really sure I don’t know what check out is :)
If you give me more info I can probably be of more use.
Eric
From: stunnel-users (stunnel-users-bounces@stunnel.org) On Behalf Of Brent Kimberley
Sent: Wednesday, May 29, 2019 11:53 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] RE stunnel process owner
Hi Dan.
Wondering what user people are running the stunnel process under on a Unix server?
Any suggestions re container hardening & check-out (a la SCAP)?
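Eric's inetd recipe spelled out, as an added example that is not code from the thread or from the stunnel project: xinetd owns the localhost listener and chooses the account (which is what answers the "which user" question in this mode), and a section-less stunnel config runs per connection as an inetd-mode TLS client to the remote. The service name, port, remote host, account name and paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the stunnel project: stunnel in
# inetd mode the way Eric describes. xinetd holds the localhost listener and
# picks the account; stunnel runs per connection as a TLS client to the remote.
# Service name, port, remote host, account and paths are assumptions.
set -eu

# Install root. Defaults to a scratch directory so a dry run touches nothing;
# pass / to install for real (then reload xinetd).
ROOT="${1:-$(mktemp -d)}"

LOCAL_PORT=8443                  # where local plaintext clients connect
REMOTE="api.example.com:443"     # TLS peer the tunnel is opened to (assumed)
REMOTE_HOST="${REMOTE%:*}"
RUN_AS="stunnel4"                # unprivileged account (assumed to exist)

write_stunnel_conf() {
    # No [service] section: with global options only, stunnel runs in inetd
    # mode and treats the socket it inherits on stdin/stdout as the local
    # (plaintext) side, opening the TLS connection to 'connect' itself.
    mkdir -p "$ROOT/etc/stunnel"
    cat > "$ROOT/etc/stunnel/remote-api.conf" <<EOF
; stunnel inetd-mode client (written by the example script)
client = yes
connect = $REMOTE
; verify the peer chain and name, otherwise the tunnel would trust anyone
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = $REMOTE_HOST
sni = $REMOTE_HOST
; there is no daemon to own a log file, so log through syslog
syslog = yes
debug = notice
EOF
}

write_xinetd_service() {
    # xinetd holds the listening socket, so it decides the bind address, the
    # rate limits and the account stunnel runs under.
    mkdir -p "$ROOT/etc/xinetd.d"
    cat > "$ROOT/etc/xinetd.d/remote-api" <<EOF
service remote-api
{
    type        = UNLISTED
    port        = $LOCAL_PORT
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = $RUN_AS
    bind        = 127.0.0.1
    only_from   = 127.0.0.1
    server      = /usr/bin/stunnel
    server_args = /etc/stunnel/remote-api.conf
    per_source  = 20
    cps         = 50 10
    disable     = no
}
EOF
    # Classic inetd equivalent (the service name must exist in /etc/services,
    # and it listens on every address unless your inetd accepts a host: prefix):
    #   remote-api stream tcp nowait stunnel4 /usr/bin/stunnel stunnel /etc/stunnel/remote-api.conf
}

# A [service] section would switch stunnel to daemon mode, where it ignores the
# inherited socket and tries to listen itself. Return 1 if $1 has one.
assert_inetd_mode() {
    if grep -q '^[[:space:]]*\[' "$1"; then
        echo "$1: has a [service] section, stunnel would not run in inetd mode" >&2
        return 1
    fi
}

write_stunnel_conf
write_xinetd_service
assert_inetd_mode "$ROOT/etc/stunnel/remote-api.conf"
echo "inetd-mode stunnel config written under $ROOT"
```

Run it with no argument for a dry run into a scratch directory, or with `/` to write the real files. The `user` line in the xinetd service is what decides which account the stunnel process runs under; `bind` and `only_from` keep the plaintext side on loopback, which is the property Eric relies on when he says the local hop never touches the network.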
Hi Eric.
container hardening? What are your resource controls and are they appropriate? (e.g. chroot, docker, hypervisor.)
check out? Checkout, posture and drift are characteristics of an operational system.
Using the operator's manual, a driver should be able to examine (checkout) each major element of a vehicle so they can communicate their concerns/findings/issues from an absolute (posture) or relative (drift) perspective.
On Wednesday, May 29, 2019, 4:41:59 p.m. EDT, Eric Eberhard flash@vicsmba.com wrote:
It's just an analogy - don't take it too far or it breaks down.
On Wednesday, May 29, 2019, 7:14:06 p.m. EDT, Brent Kimberley brent_kimberley@rogers.com wrote:
If checkout is the verb, then checklist would be the noun. Google "<airplane of choice> checklist".
On Wednesday, May 29, 2019, 9:17:35 p.m. EDT, Brent Kimberley brent_kimberley@rogers.com wrote:
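Brent's vocabulary (checkout, posture, drift, checklist) turned into something runnable, as an added example that is not part of the thread or of the stunnel project: posture_check is the absolute view (does a daemon-mode stunnel.conf meet a checklist, including which user and group it drops to and whether it chroots), drift_check the relative one (what changed since the recorded known-good snapshot). The checklist items, the sample configs and the paths are this example's assumptions, not a published benchmark.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project: a "checkout" for a
# daemon-mode stunnel.conf in the thread's own terms. posture_check is the
# absolute view (checklist), drift_check the relative one (delta from snapshot).
# Checklist values, sample configs and paths are this example's assumptions.
set -eu

# Checklist: "directive|ERE the value must match|forbidden value". The directives
# are real stunnel options; the required values are this example's baseline.
CHECKLIST='setuid|^[a-z_][a-z0-9_-]*$|root
setgid|^[a-z_][a-z0-9_-]*$|root
chroot|^/
verifyChain|^yes$
CAfile|^/
sslVersion|^TLSv1\.[23]$'

# Print the value of the first "key = value" line of $1 whose key matches $2
# (case-insensitive), skipping ';' and '#' comments; prints nothing if absent.
conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Posture (absolute): every checklist directive present with an acceptable
# value. Prints one line per item; returns 1 if anything is missing or bad.
posture_check() {
    conf="$1"; fails=0
    while IFS='|' read -r key pat bad; do
        val="$(conf_get "$conf" "$key")"
        if [ -z "$val" ]; then
            echo "MISSING  $key"; fails=$((fails + 1))
        elif [ -n "$bad" ] && [ "$val" = "$bad" ]; then
            echo "BAD      $key = $val (forbidden)"; fails=$((fails + 1))
        elif ! printf '%s\n' "$val" | grep -Eq "$pat"; then
            echo "BAD      $key = $val"; fails=$((fails + 1))
        else
            echo "ok       $key = $val"
        fi
    done <<EOF
$CHECKLIST
EOF
    [ "$fails" -eq 0 ]
}

# Canonical form for comparison: comments, blank lines and spacing around '='
# dropped, so a comment edit is not drift but a value change is.
normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[;#]/d' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Drift (relative): compare the normalized config with the stored snapshot $2.
# The first run records the snapshot; later runs return 1 and show the delta.
drift_check() {
    conf="$1"; snap="$2"
    if [ ! -f "$snap" ]; then
        normalize "$conf" > "$snap"
        echo "baseline recorded: $snap"
        return 0
    fi
    if [ "$(normalize "$conf")" = "$(cat "$snap")" ]; then
        echo "no drift: $conf"
        return 0
    fi
    echo "DRIFT: $conf differs from $snap"
    normalize "$conf" | diff "$snap" - || true
    return 1
}

# Constructed sample configs (not from any real deployment) to exercise the checks.
WORK="$(mktemp -d)"
cat > "$WORK/weak.conf" <<'EOF'
; runs as root, no chroot, never verifies the peer
cert = /etc/stunnel/stunnel.pem
[https]
accept = 443
connect = 127.0.0.1:8080
EOF
cat > "$WORK/good.conf" <<'EOF'
setuid = stunnel4
setgid = stunnel4
chroot = /var/lib/stunnel
sslVersion = TLSv1.2
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
cert = /etc/stunnel/stunnel.pem
[https]
accept = 443
connect = 127.0.0.1:8080
EOF
grep -v '^chroot' "$WORK/good.conf" > "$WORK/edited.conf"   # someone dropped the chroot

echo "== posture: weak.conf"; posture_check "$WORK/weak.conf" || echo "FAIL"
echo "== posture: good.conf"; posture_check "$WORK/good.conf" && echo "PASS"
echo "== drift"
drift_check "$WORK/good.conf" "$WORK/good.snap"
drift_check "$WORK/edited.conf" "$WORK/good.snap" || echo "DRIFT detected"
```

The checklist is the noun, the two functions are the verb: run posture_check on a fresh host to get the absolute picture, keep the snapshot under version control or on the auditing host, and run drift_check on a schedule so a dropped chroot or a relaxed verifyChain shows up as a diff rather than as a surprise.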