Stave Off the Zero-Day Vulnerability Threat (Straight from the NSA): O’Reilly Releases “SELinux”
Sebastopol, CA–There are few things as critical to a system administrator’s work as security. According to Bill McCarty, author of “SELinux: NSA’s Open Source Security Enhanced Linux” (O’Reilly $39.95), as the number and variety of software vulnerabilities and attacks continue to accelerate, security is probably the most important topic in computing today. But the ongoing search for a more secure operating system has often left everyday production computers far behind their experimental research cousins. SELinux (Security Enhanced Linux) dramatically changes this situation.
McCarty, who has been tracking SELinux on his technology radar for several years, previously had not considered it a workable solution for the typical sys admin. “It didn’t seem easy enough, or robust enough, for dependable use by Linux system administrators,” he recalls.
But recently SELinux has come of age. “I now believe that SELinux is the most important computing technology for Linux users that I’ve seen in the last several years,” states McCarty. “Obviously, others agree that SELinux is important and useful: SELinux has been incorporated into Fedora Core, Gentoo, and SUSE Linux.” In addition, the new Red Hat Enterprise Linux 4, expected to release in first quarter 2005, will be a fully supported Linux distribution featuring SELinux.
SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days–when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a web server, and parlays that toe-hold into pervasive control over the computer system–are prevented on a properly administered SELinux system.
The key, of course, lies in the words “properly administered.” A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where “SELinux” is invaluable.
“Readers learn how to install, initially configure, and maintain Linux systems using SELinux. Properly configured SELinux systems are expected to be highly resistant to compromise,” says McCarty. His goal in writing the book was to demystify SELinux for everyday users: “It’s not written for experienced SELinux policy developers and other geniuses, as much as I respect them and appreciate their contributions to SELinux. Instead, the book is written for the typical system administrator who’s trying to figure out how to keep bad guys out of the systems for which he or she is responsible.”
Topics in the book include:
- A readable and concrete explanation of SELinux concepts and the SELinux security model
- Installation instructions for numerous distributions
- Guidelines for basic system and user administration
- A detailed dissection of the SELinux policy language
- Examples and guidelines for altering and adding policies
With “SELinux,” a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system–and who doesn’t?–this book provides the means.
Chapter 4, “Using and Administering SELinux,” is available online at:
For more information about the book, including table of contents, index, author bio, and samples, see:
For a cover graphic in JPEG format, go to:
ISBN 0-596-00716-7, 238 pages, $39.95 US, $57.95 CA
O’Reilly Media, Inc. is the premier information source for leading-edge computer technologies. The company’s books, conferences, and web sites bring to light the knowledge of technology innovators. O’Reilly books, known for the animals on their covers, occupy a treasured place on the shelves of the developers building the next generation of software. O’Reilly conferences and summits bring alpha geeks and forward-thinking business leaders together to shape the revolutionary ideas that spark new industries. From the Internet to XML, open source, .NET, Java, and web services, O’Reilly puts technologies on the map. For more information: http://www.oreilly.com