Red Hat Seeks to Deliver Most Secure Linux

Jack writes "ITO is running a story on Red Hat's plan to become the most secure Linux platform. From the article: "Red Hat officially joined The National Information Assurance Partnership to bring an improved level of security and assurance to Linux. This means that the next version of Red Hat Enterprise Linux will contain kernel and Security Enhanced Linux policy enhancements, developed by IBM, Red Hat, TCS, NSA and the community.""

Secure operating systems...

First off, I should let it be known that I am a BSD fan, and not a Linux one. However, despite my many issues with Red Hat and Fedora Core, they have been integrating some really cool stuff of late, things I had wanted to have easy access to in a open source operating system for some time, such as the SELinux functionality.

It's absolutely fantastic work they are doing; making SELinux a default in their systems in meaningful ways, while at the same time, doing their damndest to make it as transparent as possible to the everyday user. No one else is doing that. OpenBSD are the kings of UNIX quality control, but they offer nothing in the way of mandatory access controls. FreeBSD has comparable technology in the form of the TrustedBSD MAC Framework (which is excelant), but they are not yet offering security policies that are transparent to ordinary users of the system, and like SELinux in most distributions that support it, it's a pain to set up correctly.

Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image instead of requiring 2-4 CDs, my major gripes with their software would go away completely. This kind of hardcore but transparent security is most definately needed by everybody today, and right now, only Red Hat and the Fedora Project are providing it. As much as I prefer the saner development methodologies and more well thought out kernel architectures provided by the various BSDs, in an online world as inherrently dangerous as our own, employing an operating system that supports these security technologies is the only real way to go.

Come on FreeBSD! What are you waiting for? Keep up the (mostly) good work Fedora people!

Re:But SELinux SUCKS for enterprise

[sabat]

Sure you can do it. Samba and Apache just have to be part of the same security domain. Study up, boy.

Re:Missed a link :)

[Cally]

Interesting. I've been playing with OpenBSD at home for a few years, long enough to encounter the well-known 'challenging' areas (upgrades. And coping with two separate toolchains is fun :) Meanwhile I've been given some Fedora Core 4 machines to admin at work. I knew RH had the SELinux extensions but never used them. Where to start? I ended up with the FC3 SELinux FAQ at redhat.com, which makes it clear that it needs a fair amount of care and attention, especially during the time I call "the coming of the great admin learning curve" - well, this admin anyway :) A thought has struck me: has anyone got past the initial setup, false-positive squishing and crossing off log entries as you fix or reconfig stuff, to a stable machine, then either (a) first discovered attacks (successful or not) via SELinux alerting mechanisms, or (b) got useful, or even just interesting, evidence of naughty activity via SEL logs, etc?

Knowing my machines are bulletproof is great, and all, but if one of my users is deliberately doing something s/he shouldn't, I want to know about it!