The magazine of the Melbourne PC User Group

Security Enhanced Linux
Major Keary
 

Security Enhanced Linux, generally known as SELinux, is a product of the American National Security Agency (NSA) and is open source. As one would expect, O'Reilly is the first publisher to release a book on the subject, SELINUX: NSA's Open Source Security Enhanced Linux. The first part provides an excellent introduction to the subject for general readers interested in understanding SELinux — what it does and how it does it. The rest of the book deals with installation, configuration, testing, and so on; it is an in-depth technical discussion of many issues and requires more than a passing familiarity with Linux.

Red Hat and SUSE have announced an intention to support SELinux in their respective commercial distributions and it is already a component of Fedora Core 2. Gentoo Linux specifically supports SELinux, but a tarball has to be downloaded, unpacked, and compiled. Packages are available for distros that use RPM, such as Red Hat and SUSE, but — at the time of the book's writing — Red Hat Enterprise Server does not yet officially support SELinux. Debian and GNU/Linux (and their variants) can also be SELinux-enabled.

SELinux has built into it "mechanisms that protect against attacks exploiting software vulnerabilities, including 0-day vulnerabilities. In particular, SELinux implements role-based access control and sandboxing". The sandbox technique has been around for a long time and is used in a number of applications to protect the system from malicious code.

The '0' in 0-day is numeric zero, but the term is pronounced 'oh-day'. Virus attacks do not present a significant threat to Linux systems, but general readers are more likely to appreciate the virus-attack model in a description of 0-day. A window of vulnerability exists between the time a virus is released into the wild and the application of a prophylactic patch to users' anti-virus software. Once released, a virus has to be detected, reported, and a countermeasure devised, disseminated, and applied. The anti-virus industry has developed a rapid response to virus incidents that reduces, but does not eliminate, the window of vulnerability.

The response cycle is different when a software vendor discovers a product is vulnerable to non-virus attack. It is not as simple as adding a new signature to a .dat file. A patch has to be developed, end users have to be notified, the patch has to be distributed, and each end user has to apply it. However, such patches don't always work, and they may result in unexpected consequences (such as creating new vulnerabilities). When an end-user receives a patch it has to be authenticated, tested, and installed. All that takes time during which the window is wide open. Some vendors save up the known vulnerabilities and incorporate the patches in a big bang service pack.

Known vulnerabilities for which no patch is available (still in development, testing, or not yet released) are called 0-day vulnerabilities — 'oh days' for short. Some vendors issue a vulnerability warning before distributing, or even developing, a patch. That effectively informs would-be attackers that an opportunity exists.

SELinux is designed to cope with all forms of attack, including 0-day vulnerabilities. The book discusses in considerable technical depth how SELinux works and how it is implemented and configured. It is not something that is installed, like a firewall, and forgotten until an update is notified.

Following the discussions of what SELinux is and how it works the book explains installation procedures for various distros, administration, monitoring, and development of security policies.

The intended audience for this title is someone who is "responsible for the management of one or more sensitive hosts"; for those in that category this is an essential resource. It should also satisfy the needs of anyone who is well versed in Linux and who wants to develop an in-depth understanding of SELinux.

Bill McCarty: SELinux
ISBN 0-596-00716-7
Published by O'Reilly,
238 pp.,
RRP $74.95 incl. GST

For those interested there are online SELinux demonstration systems. Try any of these sites for information: http://selinus.dev.gentoo.org, http://www.coker.com.au/selinux/play.html and http://selinux.simplyacquatics.com.

Reprinted from the November 2005 issue of PC Update, the magazine of Melbourne PC User Group, Australia
