[ISN] Linux Gets Security Boost from NSA

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 02:10:59 PST

  • Next message: InfoSec News: "[ISN] CIA to issue cyberterror intelligence estimate"

    http://www.internetnews.com/dev-news/article.php/3317331
    
    By Sean Michael Kerner 
    February 24, 2004 
    
    Most stories about government deployments of Linux involve a
    distributor helping various federal and municipal agencies install the
    open source operating system. But in this case, a federal agency is
    helping Linux.
    
    The U.S. National Security Agency (NSA), also known as the codemakers
    and codebreakers cryptologic division within the Department of
    Defense, has helped to harden Linux with newly-released Security
    Enhanced Linux (SELinux) kernel modifications.
    
    The latest release, which updates the base kernel to 2.6.3 and 2.4.24,
    contains numerous significant improvements to security in the open
    source operating system. The SELinux improvements mark a major
    breakthrough for Linux. Because of the NSA's contributions to the
    kernel, the new security features will now show up in mainstream
    distributions of Linux.
    
    "Conditional policies are significant and also networking hooks were
    added, which makes SElinux all that much more powerful," Joshua
    Brindle, hardened Gentoo Linux Project Leader and the NSA's SELinux
    contributor, told internetnews.com.
    
    "They also exported AVC (define) controls to userland to facilitate
    strong X-based access control and privilege separation," he added.
    
    SELinux was released by the NSA under the GNU GPL open source license.  
    SELinux is essentially a Linux Kernel with a number of utilities that
    provide enhanced security functionality. But the critical component of
    SELinux is how it implements and handles mandatory access controls.
    
    "SELinux is important because mandatory access controls are essential
    to limiting access to daemons and users to only what they need. It
    also solves the age-old almighty powerful superuser problem in Linux,"  
    Gentoo's Brindle told internetnews.com.
    
    "We stress however that it isn't an end-all solution, that it must be
    combined with additional layers of protection."
    
    Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core
    2 all currently make some use of SELinux. Red Hat also plans to
    incorporate SELinux into its next Red Hat Enterprise Linux release
    
    This "marks an important milestone in what enterprises globally feel
    is an important issue," Red Hat spokesperson Leigh Day said of the
    SELinux update. "One of the first issues we hear from our customers
    when talking with them about solution requirements is security," she
    told internetnews.com. "Were pleased to be working with the NSA to
    bring SELinux to our distribution. We will incorporate SELinux fully
    in our next release of RHEL 4."
    
    The Security-enhanced Linux kernel enforces mandatory access control
    policies that confine user programs and system servers to the minimum
    amount of privilege they require to do their jobs.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Feb 25 2004 - 05:21:01 PST