Press Release: November 12, 2004
"SELinux": Stave Off the Zero-Day Vulnerability Threat (Straight from the NSA)
Sebastopol, CA--There are few things as critical to a system administrator's work as security. According to Bill McCarty, author of SELinux: NSA's Open Source Security Enhanced Linux (O'Reilly $39.95), as the number and variety of software vulnerabilities and attacks continue to accelerate, security is probably the most important topic in computing today. But the ongoing search for a more secure operating system has often left everyday production computers far behind their experimental research cousins. SELinux (Security Enhanced Linux) dramatically changes this situation.
McCarty, who has been tracking SELinux on his technology radar for several years, previously had not considered it a workable solution for the typical sys admin. "It didn't seem easy enough, or robust enough, for dependable use by Linux system administers," he recalls.
But recently SELinux has come of age. "I now believe that SELinux is the most important computing technology for Linux users that I've seen in the last several years," states McCarty. "Obviously, others agree that SELinux is important and useful: SELinux has been incorporated into Fedora Core, Gentoo, and SUSE Linux." In addition, the new Red Hat Enterprise Linux 4, expected to release in first quarter 2005, will be a fully supported Linux distribution featuring SELinux.
SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.
The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable.
"Readers learn how to install, initially configure, and maintain Linux systems using SELinux. Properly configured SELinux systems are expected to be highly resistant to compromise," says McCarty. His goal in writing the book was to demystify SELinux for everyday users: "It's not written for experienced SELinux policy developers and other geniuses, as much as I respect them and appreciate their contributions to SELinux. Instead, the book is written for the typical system administrator who's trying to figure out how to keep bad guys out of the systems for which he or she is responsible.
Topics in the book include:
With SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.
- Chapter 4, "Using and Administering SELinux"
- More information about the book, including table of contents, index, author bio, and samples
- A cover graphic in JPEG format
For almost 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through the company’s Safari training and learning platform and at O’Reilly conferences. As a SaaS learning platform, Safari delivers highly topical and comprehensive technology and business learning solutions to millions of users across enterprise, consumer, and university channels. For more information visit oreilly.com.
Return to: O'Reilly Press Room