Bill McCarty

Selinux

NSA's Open Source Security Enhanced Linux

• Broschiertes Buch

Produktbeschreibung

The intensive search for a more secure operating system has often left everyday, production computers far behind their experimental, research cousins. Now SELinux (Security Enhanced Linux) dramatically changes this. This best-known and most respected security-related extension to Linux embodies the key advances of the security field. Better yet, SELinux is available in widespread and popular distributions of the Linux operating system--including for Debian, Fedora, Gentoo, Red Hat Enterprise Linux, and SUSE--all of it free and open source.SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a Web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system.The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable. Author Bill McCarty, a security consultant who has briefed numerous government agencies, incorporates his intensive research into SELinux into this small but information-packed book. Topics include: A readable and concrete explanation of SELinux concepts and the SELinux security model Installation instructions for numerous distributions Basic system and user administration A detailed dissection of the SELinux policy language Examples and guidelines for altering and adding policiesWith SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.

Produktdetails

• Verlag: O'Reilly Media
• Seitenzahl: 238
• Erscheinungstermin: 16. November 2004
• Englisch
• Abmessung: 237mm x 180mm x 19mm
• Gewicht: 430g
• ISBN-13: 9780596007164
• ISBN-10: 0596007167
• Artikelnr.: 13150936

Autorenporträt

Bill McCarty is a Professor of Information Technology at Azusa Pacific University, Azusa, California. Bill is also the author of over fifteen technical books and numerous papers and presentations. He serves as editor of the Honeynet Files department of the journal IEEE Security and Privacy, and directs the Azusa Pacific University Honeynet Research Project, which is affiliated with the Honeynet Project's Honeynet Research Alliance. Bill has briefed members of US organizations such as the CIA, DISA, FBI, NASA, and NSA, and non-US organizations such as the UK's CESG and GHQ, on his honeynet research. He has worked with the FBI to prevent and detect computer crimes.

Inhaltsangabe

Preface
Organization of This Book
Conventions Used in This Book
Using Code Examples
How to Contact Us
Acknowledgments
Chapter 1: Introducing SELinux
1.1 Software Threats and the Internet
1.2 SELinux Features
1.3 Applications of SELinux
1.4 SELinux History
1.5 Web and FTP Sites
Chapter 2: Overview of the SELinux Security Model
2.1 Subjects and Objects
2.2 Security Contexts
2.3 Transient and Persistent Objects
2.4 Access Decisions
2.5 Transition Decisions
2.6 SELinux Architecture
Chapter 3: Installing and Initially Configuring SELinux
3.1 SELinux Versions
3.2 Installing SELinux
3.3 Linux Distributions Supporting SELinux
3.4 Installation Overview
3.5 Installing SELinux from Binary or Source Packages
3.6 Installing from Source
Chapter 4: Using and Administering SELinux
4.1 System Modes and SELinux Tuning
4.2 Controlling SELinux
4.3 Routine SELinux System Use and Administration
4.4 Monitoring SELinux
4.5 Troubleshooting SELinux
Chapter 5: SELinux Policy and Policy Language Overview
5.1 The SELinux Policy
5.2 Two Forms of an SELinux Policy
5.3 Anatomy of a Simple SELinux Policy Domain
5.4 SELinux Policy Structure
Chapter 6: Role-Based Access Control
6.1 The SELinux Role-Based Access Control Model
6.2 Railroad Diagrams
6.3 SELinux Policy Syntax
6.4 User Declarations
6.5 Role-Based Access Control Declarations
Chapter 7: Type Enforcement
7.1 The SELinux Type-Enforcement Model
7.2 Review of SELinux Policy Syntax
7.3 Type-Enforcement Declarations
7.4 Examining a Sample Policy
Chapter 8: Ancillary Policy Statements
8.1 Constraint Declarations
8.2 Other Context-Related Declarations
8.3 Flask-Related Declarations
Chapter 9: Customizing SELinux Policies
9.1 The SELinux Policy Source Tree
9.2 On the Topics of Difficulty and Discretion
9.3 Using the SELinux Makefile
9.4 Creating an SELinux User
9.5 Customizing Roles
9.6 Adding Permissions
9.7 Allowing a User Access to an Existing Domain
9.8 Creating a New Domain
9.9 Using Audit2allow
9.10 Policy Management Tools
9.11 The Road Ahead
Security Object Classes
SELinux Operations
SELinux Macros Defined in src/policy/macros
SELinux General Types
SELinux Type Attributes
Colophon

Rezensionen

"Sicherheit und kein Ende! Fakt ist, dass es "da draußen" in der Tat reale Bedrohungen gibt und dass sich die Lage eher verschlechtern als Verbessern wird. Der O'Reilly-Verlag hat einmal mehr auf diese Situation reagiert und einen neuen sicherheitsrelevanten Titel veröffentlicht. [...]

Mit SELinux steht eine gute durchdachte und ausgereifte Sicherheitslösung zur Verfügung. Vor diesem Hintergrund dürfte es kaum verwunderlich sein, dass die Lektüre besonders für Administratoren spannend ist. Wenn Ihnen umgehend Schlagworte wie Buffer Overflows, Denial of Service, Exploits und dergleichen mehr in den Sinn kommen, liegen Sie genau richtig. Dennoch versucht Bill McCarty in verständlicher Art und Weise auch den normalen Leser anzusprechen. SELinux ist mittlerweile Bestandteil wichtiger Distributionen wie Fedora Core, Gentoo und SuSE Linux. Red Hat Enterprise Linux 4 wird SELinux ebenfalls enthalten." - Thomas Kaufmann, Entwickler Magazin, 06/2005

"Das Buch kann als die derzeitige Referenz zum Thema SELinux angesehen werden. (...) Bei der Entwicklung von SELinux als Forschungsprojekt hatte die Funktionalität eindeutig Vorrang vor der Benutzbarkeit, so daß man ohne tiefergehendes Verständnis der Materie, wie es in diesem Buch vermittelt wird, ein SELinux-System praktisch nicht betreiben kann. Vor allem die Kapitel über die Policy-Sprache, sowie die Anhänge sind als Nachschlagewerk unverzichtbar.

Das Buch ist verständlich geschrieben, die komplexen Zusammenhänge werden gut erklärt." - Linux Usergroup der Studentensiedlung Freiburg, 03/05

"Fazit: Mit SELinux kann man die Sicherheit eines Servers deutlich erhöhen. Allerdings ist die Servererweiterung ales andere als Plug and Play. Wer SELinux einsetzen will, muss die Konzepte dahinter verstehen. Die Informationen dazu kann man sich im Internet zusammensuchen. Weit einfacher, schneller und besser beschrieben erledigt das SELinux von Bill McCarty." - www.it-administrator.de, 01/2005, Elmar Tötök