# Best place to install libraries: jails or host?



## lalebarde (May 24, 2013)

Hi all,

I am working on the development of a SaaS based on FreeBSD with its jailing capabilities. I will have a few jails, some needing the same libraries. I wonder, from a security point of view, where I should preferably install these libraries:

1. Once in the host before setting up the jail template. Pros: the library cannot be modified from the jail. Cons: ?
2. In each jail. Pros: I can detect an attacker from a host-based IDS if he manages to modify the library, and move the jail to a _honey pot state_ - that means disconnecting the attacked jail from the real service, letting the attacker play with it and recording facts, and replacing the jail with a clean clone. The attacker IP is recorded in, say, a _firewall honeypot list_. Cons: ?


----------



## fonz (May 24, 2013)

I think the disadvantages in both cases are fairly small: installing on the host and sharing between jails is a bit more difficult to set up, whereas installing in each jail requires that you update each jail individually and takes a bit more disk space.

If you like the honeypot setup and you build the libraries from source, you could also create a build jail for that and let it build packages. That might make updating the jails a bit easier.


----------
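The host-side detection lalebarde describes for the per-jail option can be done by comparing each jail's library tree against a clean reference copy kept on the host. The script below is an added example, not part of the original thread; the template and jail directory layout and the function names are assumptions.

```sh
#!/bin/sh
# Added example: host-side drift check for libraries installed per jail.
# Assumption: the host keeps a clean reference copy (e.g. the jail template).
# Only file contents are compared; ownership and modes are not checked.

# list_drift TEMPLATE_DIR JAIL_DIR
# Prints "MODIFIED|MISSING|EXTRA <path>" for every difference found.
list_drift() {
    ( cd "$1" && find . -type f ) | while IFS= read -r f; do
        if [ -L "$2/$f" ]; then
            # A symlink where the template has a regular file counts as
            # tampering; the host must not read through it.
            echo "MODIFIED $f"
        elif [ ! -f "$2/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
    # Files dropped into the jail's library tree that the template lacks.
    ( cd "$2" && find . -type f ) | while IFS= read -r f; do
        [ -f "$1/$f" ] || echo "EXTRA $f"
    done
}

# check_jail_libs TEMPLATE_DIR JAIL_DIR
# Returns 0 when the jail copy matches the template, 1 (with a report) if not.
check_jail_libs() {
    drift=$(list_drift "$1" "$2")
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed sample data: a template and one jail copy with a tampered library.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/template/lib" "$demo_root/jail1/lib"
echo "libfoo v1" > "$demo_root/template/lib/libfoo.so.1"
echo "libfoo v1 patched" > "$demo_root/jail1/lib/libfoo.so.1"
check_jail_libs "$demo_root/template" "$demo_root/jail1" ||
    echo "jail1: library drift detected"
rm -rf "$demo_root"
```

A non-zero return from `check_jail_libs` is the signal on which the jail would be swapped for a clean clone; run it from the host so the jail cannot alter the checker or the reference copy.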

