Just thought it might be intersting for some:
NSA (National Security Agency) distributes a modified version of RedHat Linux with a lot of security enhancements. It is called SELinux and it can be found at http://www.nsa.gov/selinux
Just thought it might be intersting for some:
NSA (National Security Agency) distributes a modified version of RedHat Linux with a lot of security enhancements. It is called SELinux and it can be found at http://www.nsa.gov/selinux
1 rule of the Samurai Code: if you have nothing to say, don't say anything at all!
Actually, this is just a kernel and other components. They have only tested it on RedHat systems, but it should work with any major distribution.
Just a kernel?
yeah, and from what I can tell, they haven't made a lot of changes either. Pretty boring actually for the NSA. They just improved the file protection to be a lot stricter. I would have thought they would have done some real "OpenBSD style" buffer overflow/vulnerability checking, etc. It's probably worth downloading if you intend to upgrade your kernel. I've heard ppl say they didn't have compatibility problems with it.
They have added some accessc controls to SElinux, RBAC, and MAC, as you may know this is pretty good, i'm no linux guru or security expert but if say for example apache was exploited, they would be stuck on apaches access level not being able to elevate their priledges etc.
i think its a good idea.
I use SELinux kernel & i think it's quite good from what i understand about it .
Yes it does help stop buffer overflows, it runs applications with minimal priveledges needed, They've implemented access controls such as RBAC(role based access contros) & MAC(mandatory access controls), and have gotten rid of DAC(the files are at the users descretion e.g. they can change who owns,reads the file etc)yeah, and from what I can tell, they haven't made a lot of changes either. Pretty boring actually for the NSA. They just improved the file protection to be a lot stricter. I would have thought they would have done some real "OpenBSD style" buffer overflow/vulnerability checking, etc. It's probably worth downloading if you intend to upgrade your kernel. I've heard ppl say they didn't have compatibility problems with it.
The root account can be totally locked down, meaning even if root was gained no priledges will be added. The Mailing list's are very good, i'm sure somebody would be willing to answer some of your questions.quote from selinux faq
It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
That quote speaks for itself.quote from selinux faq
While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.
Though it's only tested on redhat 7.2 systems, people have managed to run it on mandrake & slackware, but i bet those were the real hardcore linux guruz, who hack away at the keyboard all night I use SELinux kernel & i think it's quite good from what i understand about it .
Yes it does help stop buffer overflows, it runs applications with minimal priveledges needed, They've implemented access controls such as RBAC(role based access contros) & MAC(mandatory access controls), and have gotten rid of DAC(the files are at the users descretion e.g. they can change who owns,reads the file etc)yeah, and from what I can tell, they haven't made a lot of changes either. Pretty boring actually for the NSA. They just improved the file protection to be a lot stricter. I would have thought they would have done some real "OpenBSD style" buffer overflow/vulnerability checking, etc. It's probably worth downloading if you intend to upgrade your kernel. I've heard ppl say they didn't have compatibility problems with it.
The root account can be totally locked down, meaning even if root was gained no priveledges will be added. The Mailing list's are very good, i'm sure somebody would be willing to answer some of your questions.quote from selinux faq
It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
That quote speaks for itself.quote from selinux faq
While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.
Though it's only tested on redhat 7.2 systems, people have managed to run it on mandrake & slackware, but i bet those were the real hardcore linux guruz who hack away at the keyboard all night .
Don't trust it!!! Ok, its been created by the NSA - THAT IS THE GIVE AWAY! I bet that they made this modified version of Red Hat to either collect data from your computer regarding issues regarding "national security", or something more sinister...