Security-Enhanced Linux Moving into Mainstream
Much publicity exists around NSA's open-source Security Enhanced Linux. People have discussed it in articles, at various conferences, in presentations and user group meetings. I made a few attempts in the early days to have it work on a server or two myself. After many frustrations, the closest I ever got to a working version was Mark Westerman's laptop at the Boston University Linux Desktop Conference in November 2003.
Security Enhanced Linux enforces a mandatory access control model of security. This differs from the discretionary model used in UNIX and Linux operating system. SE Linux policies confine user programs and system services to the least privilege they require to do their jobs.
SE Linux confines users, programs, and system services in the event the system becomes compromised. In the event someone exploits a system, he or she can only go so far before hitting a barrier. This reduces and/or eliminates the damage an intruder can create.
In theory, the idea of sectioning off users, services and programs makes perfect sense. In practice, making SE Linux work has been difficult.
Today, you can chose from Fedora, Red Hat RHEL 4, Debian and Gentoo. You can also compile your own kernel from the sources. Last time I looked, none of these distributions had any support --official or not -- for SE Linux except Fedora Core II and it had problems.
The NSA security model has existed for a few decades. Fortunately, NSA decided to implement that model in Linux. It makes Linux a candidate for the most secure DoD Trusted Computer Security Evaluation Criteria (TCSEC). And it's available in a free and open-source operating system.
If you want to see what the future of secure computing will be like, you can see it today. For the highly technical Linux administrators, I recommend Gentoo's implementation. For those wanting an easier install, go with Fedora.
You Need a Manual
Regardless of which distribution you choose, you'll still need an administrator's guide. Generally, I get mine off the Internet. I'll hunt and gather material and use a binder to put things together. I'll even index and create my own table of contents. I've spent way too much money on Linux books over the years and have been disappointed. So, to get me to buy a Linux book is tough.
One book I have acquired is Bill McCarty SELinux NSA's Open Source Security Enhanced Linux from O'Reilly. Other than this book, most of what you will need to gain knowledge of SELinux comes form the projects themselves:
Getting Started with SE Linux HOWTO: the new SE Linux a sourceforge project written by Faye Coker 18 March 2004.
Gentoo's SELinux Howto
NSA SELinux main website
NSA SELinux FAQ
SELinux community page
Writing SE Linux policy HOWTO
|Subject||Topic Starter||Replies||Views||Last Post|
|Long way to go yet||R_U_TRUSTIFIED||0||1,650||Dec 19, 2005 4:25 AM|
You cannot post until you login.