O'Reilly's "SELINUX" by Bill McCarty Shows the Future of Linux Security

Posted by tadelste on Dec 15, 2004
O'Reilly & Company; By Tom Adelstein
O'Reilly sub-titles this excellent book, "Beating the 0-Day Vulnerability Threat". But, author Bill McCarty gives readers the best summary of the Linux security model you may ever find.

Much publicity exists around NSA's open-source Security Enhanced Linux. People have discussed it in articles, at various conferences, in presentations and user group meetings. I made a few attempts in the early days to have it work on a server or two myself. After many frustrations, the closest I ever got to a working version was Mark Westerman's laptop at the Boston University Linux Desktop Conference in November 2003.

Today, Security Enhanced Linux does not seem so esoteric thanks to the work of many open-source developers and Bill McCarty, a Professor of Information Technology at Azusa Pacific University. Bill explains the Linux security model in well-organized and understandable language. I zipped through his book before I read his credentials. Otherwise, I might have just bypassed it.

The author has some hefty credentials, which you can see at his O'Reilly author's Web site. But don't let that keep you away from his book. He's a master when it comes to making things simple and understandable. His directions are clear and follow a step-by-step methodology.

Security Enhanced Linux enforces a mandatory access control model of security. This differs from the discretionary model used in UNIX and Linux operating systems. SE Linux policies confine user programs and system services to the least privilege they require to do their jobs.

SE Linux confines users, programs, and system services in the event the system becomes compromised. In the event someone exploits a system, he or she can only go so far before hitting a barrier. This reduces and/or eliminates the damage an intruder can create.

In theory, the idea of sectioning off users, services and programs makes perfect sense. In practice, making SE Linux work has been difficult. Fortunately, Bill McCarty's book helps you understand the SE Linux model, install the necessary components and troubleshoot any problems that might arise. Add a nice section on administering SE Linux and you have a complete manual to make you an SE Linux specialist.

The Future of Linux Now

O'Reilly's "SELINUX" arrived on the bookshelves in late October 2004, so it's a brand new offering. Typically, when I buy a new technical book, it has been out-of-date by the time I start reading it. Fortunately, that was not the case with McCarty's book.

Once I began reading "SELINUX", I wanted to get a server up and running quickly. According to Bill, I had several distributions from which to choose. As I visited the links suggested in the book, I was surprised to see how they existed exactly as he described them.

You can choose from Fedora, Red Hat RHEL 4 (beta), SuSE 8.2, Debian and Gentoo. You can also compile your own kernel from the sources. Last time I looked, none of these distributions had any support -- official or not -- for SE Linux except Fedora Core II and it had problems.

The NSA security model has existed for a few decades. Fortunately, NSA decided to implement that model in Linux. It makes Linux a candidate for the most secure DoD Trusted Computer Security Evaluation Criteria (TCSEC). And it's available in a free and open-source operating system.

If you want to see what the future of secure computing will be like, you can see it today. For the highly technical Linux administrators, I recommend Gentoo's implementation. For those wanting an easier install, go with Fedora.

You Need a Manual

Regardless of which distribution you choose, you'll still need an administrator's guide. Generally, I get mine off the Internet. I'll hunt and gather material and use a binder to put things together. I'll even index and create my own table of contents. I've spent way too much money on Linux books over the years and have been disappointed. So, to get me to buy a Linux book is tough.

But that's not the case with "SELINUX". In good conscience I can strongly recommend putting Bill McCarty's book next to your computer. He knows so much about security and about Security Enhanced Linux that you'll want that knowledge with you. Additionally, he articulates the subject so well that you will enjoy reading the book cover to cover. That's a strong recommendation for any technical book.

With "SELINUX" you will find the standard body of information and knowledge you need in less than 200 readable pages. That's a breakthrough for a Linux book! But somehow, I think it's par for the course with Bill McCarty and his O'Reilly editors.

Respectfully submitted

Tom Adelstein

