The NSA created the first Security-Enhanced Linux kernel in 2000 and worked with Apache on its Accumulo data storage system. Security-Enhanced Linux (SELinux), for instance, the standard for secured Linux, started as an NSA project. Security-Enhanced Linux, or SELinux, is a package developed by the NSA. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). IoT rewards to outweigh risks for NSA (Signal Magazine). National Security Agency / Central Security Service: what. Security-Enhanced Linux, Red Hat Enterprise Linux 6, Red. Kernel Korner: NSA Security-Enhanced Linux (Linux Journal).
If you're a software developer, the highly classified environment of the National Security Agency is a cool place to work, but until recently it wasn't a place where public sharing was actively encouraged, to say the least. SELinux development has transitioned to the Linux and open source software developer community. Enhanced security, an overview (ScienceDirect Topics). With those systems, you can use security policies to limit the scope of what any one user can do, even privileged users.
Can enforce strong separation based on confidentiality, integrity, or purpose. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. Now SELinux (Security-Enhanced Linux) dramatically changes this. Architecture supports a wide range of security policies. NSA steps out of the shadows with open source software. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). A reference implementation of this architecture was first integrated into a Security-Enhanced Linux prototype system in order to demonstrate the value of flexible mandatory access controls and how such controls could be added to an operating system. With SELinux, Android can better protect and confine system services, control access. Jul 20, 2017: I can only speculate of course, but I assume it's something like this. SELinux, also known as SELinux Policy Editor, is an open source software project, a module for the Linux kernel, providing various security functions and a mechanism for supporting. SELinux can enforce rules on files and processes in a Linux system, and on their actions, based on defined policies. The National Security Agency's Security-Enhanced Linux implements an architecture that separates enforcement from access policy decisions.
I am sure it won't be long before sceptics pull the "surveillance enhanced Linux" out of the bag. NSA develops and distributes configuration guidance for a wide variety of software, both open source and proprietary. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. Linux is open source and the kernel is believed to be under rather thorough scrutiny from competent programmers. Released in January 1998, it is written in the C programming language and has been a part of the Linux mainline since 2003, when. Axis Learning Management System (LMS) is a powerful and affordable training software solution for companies of all sizes. We strive to provide NSA customers and the software development community the best possible security options for the most widely used products. SELinux defines access controls for the applications, processes, and files on a. NSA Security-Enhanced Linux has its roots in the Distributed Trusted Operating System (DTOS) and Flask (Flux Advanced Security Kernel) architectures. SELinux is built upon the Linux Security Module (LSM), a framework of hook functions and security state. Its architecture strives to separate enforcement of. Many companies and organizations have contributed to Android's SELinux implementation. As part of the Android security model, Android uses Security-Enhanced Linux (SELinux) to enforce mandatory access control (MAC) over all processes, even processes running with root/superuser privileges (Linux capabilities).
Integrating flexible support for security policies into. The article provides software, network, and system monitoring recommendations for maintaining a secure Oracle Linux environment. Even if the wide coverage of the NSA's internal surveillance programs makes some people uneasy about anything attached to the agency. NSA Security-Enhanced Linux (SELinux), Semantic Scholar. Welcome to the National Security Agency's open source software site. It was originally developed by the United States National Security Agency. SELinux is right in the middle of all this inspection. Security-Enhanced Linux (SELinux) is a security module specifically made for the Linux kernel, which enables features that support security policies for access control, including mandatory access control (MAC).
Security-Enhanced Linux, Red Hat Enterprise Linux 6, Red Hat. NiFi implements concepts of flow-based programming and solves common data flow. Among free community-supported GNU/Linux distributions, Fedora was one. Putting a backdoor in Linux implies the risk of allowing bad people (from the NSA point of view) to spy on US corporations through this backdoor. The companies Secure Computing Corporation (SCC) and MITRE were directly involved in the development, along with a number of research laboratories.
The Flask architecture demonstrated in the SELinux reference implementation has been ported to several other operating systems, including Solaris, FreeBSD, and Darwin, has been ported to the Xen hypervisor, and has been applied to applications such as the X Window System, GConf, D-Bus and PostgreSQL. The NSA's ultra-secure Linux technology evolves for the. The HPC part of the NSA probably does not use any, having secure operating systems that are protected against viruses by not having web browsers and email clients, the two main a. As part of its information assurance mission (now referred to as cybersecurity), the National. The architecture is general enough that different types of policies can be implemented, including role-based access control (RBAC), type enforcement (TE), and multilevel security (MLS). SELinux is a set of kernel modifications and userspace tools that have been added to various Linux distributions. SELinux development has transitioned to the Linux and open source software. The NSA researchers worked on Linux security modules to support type enforcement, role-based access controls, and multilevel security in the v2. Linux system that lacks SELinux support, you must have the ability to compile the software and also. SELinux emerged from research by the National Security Agency and implements classic strong security measures such as role-based access. NSA's Open Source Security Enhanced Linux by Bill McCarty (SELinux).
It has been applied to the major subsystems of the Linux kernel, including the integration of mandatory access controls for. As such, updates to these SELinux web pages haven't occurred since 2008. Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls are checked. NSA has code running in the Linux kernel and Android (eTeknix). The NSA had an active role in developing SELinux, that is, Security-Enhanced Linux. The Security-Enhanced Linux project (SELinux) is an effort to add mandatory access control to the Linux kernel, providing a level of security beyond the capabilities of traditional, discretionary Unix permissions [8]. It is an implementation of the Flask operating system security architecture. If you are unsure how to answer this question, answer N. SELinux, using a security scheme known as domain type enforcement, can limit the impact of compromised applications or network services by separating applications from each other and from the. Four days ago, the 2nd public release of the NSA's Security-Enhanced version of Linux; it's not an. It is not a Linux distribution, but rather a set of kernel modifications and userspace tools that can be added to.
It is a set of kernel modifications and userspace tools that can be added to various Linux distributions. When a buggy script or other bug is exploited by a hacker, it no longer means their success with your loss of system integrity control. Recently, hardware support for virtualization has become available on commodity processors, and is poised to replace software support. Open source and the National Security Agency, together again.
Dec 04, 2019: libselinux is a free and open source library designed as part of the NSA's Security-Enhanced Linux software, also known as SELinux, for Linux kernel-based operating systems. Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. They are modules that the NSA created to improve the poor security of Linux, which was so ridiculously easy to hack that the NSA felt compelled to help out, so US users were not so extremely vulnerable. NSA Security-Enhanced Linux is a set of patches to the Linux kernel and. NSA's Open Source Security Enhanced Linux (request PDF). Active Retirement Mode (ARM) is an announcement that we are no longer. You will also need a policy configuration and a labeled filesystem. Can confine malicious or flawed applications and services.
The software was merged into the mainline Linux kernel 2. May 25, 2004: the NSA researchers worked on Linux security modules to support type enforcement, role-based access controls, and multilevel security in the v2. Other NSA open source contributions include Security-Enhanced Linux and Security-Enhanced Linux in Android, which support access-control security policies. NSA Security-Enhanced Linux is a set of patches to the Linux kernel and utilities to provide a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel.
Dec 16, 2019: Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. The intensive search for a more secure operating system has often left everyday, production computers far behind their experimental, research cousins. Security-Enhanced Linux in Android (Android Open Source Project). May 30, 2012: the project involving the development of Security-Enhanced Linux (SELinux), a system offering mandatory access control, was initiated inside the US National Security Agency (NSA). When in December 2000 the NSA publicly announced the development and release of Security-Enhanced Linux, said Weathersby, we recognized that open source had tremendous potential within. Only supports coarse-grained privileges for programs. The NSA created Security-Enhanced Linux, or SELinux for short, by integrating this enhanced architecture into the Linux operating system. SonicWall E-Class Network Security Appliance (NSA) series solutions provide enterprise performance featuring tightly integrated intrusion prevention, anti-malware protection and application intelligence, control and visualization. SELinux was originally a development project from the National Security Agency (NSA), Secure Computing Corporation (SCC) and others. Integrating flexible support for security policies into the. SELinux embodies concepts that can be traced back to United States National Security Agency projects, including research on mandatory access control (MAC) architecture based on type enforcement, which. Root access on a DAC system gives the person or program access to all programs. For those out there thinking that NSA and open source go together as well as the combination of politics and Thanksgiving dinner, this is not the first time the agency has worked with open source software.
LDO is informational only, and products in this phase are active and continue to sell support contracts. The Android security model is based in part on the concept of application sandboxes. Mar 01, 2018: other NSA open source contributions include Security-Enhanced Linux and Security-Enhanced Linux in Android, which support access-control security policies. This is the upstream repository for the Security-Enhanced Linux (SELinux) userland libraries and tools. Security-Enhanced Linux available at NSA site from. Better yet, SELinux is available in widespread and popular distributions of the Linux operating system, including Debian, Fedora, Gentoo, Red Hat Enterprise Linux, and SUSE, all of it free and open source. Nov 26, 2014: for those out there thinking that NSA and open source go together as well as the combination of politics and Thanksgiving dinner, this is not the first time the agency has worked with open source software. The Linode kernel does not support SELinux by default. It provides an enhanced mechanism to enforce the separation of information based on confidentiality. NSA (National Security Agency) developed SELinux initially.
Please visit the SELinux project GitHub site for more up-to-date information. NSA Security-Enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. The software listed below was developed within the National Security Agency and is available to the public for use. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. Open source is no more anti-government than it was communist when Bill Gates famously mangled opposition to intellectual property laws into communism. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats. Use security and management tools to scan for signs of compromise. That is precisely how SELinux works in 20 with full support built into Red Hat Linux distributions. Security configuration guidance (National Security Agency). NSA does not favor or promote any specific software product or business model. Jul 03, 20: NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. NSA releases first in series of open source software products.
The DTOS project was a collaborative effort between the US National Security Agency (NSA) and Secure Computing Corporation (SCC) in the early and mid-1990s. Last Day Order (LDO) is advance notification that we intend to start the end-of-life process. The National Security Agency enlists computer security company Network Associates to help create a version of Linux that's less vulnerable to attack. As noted above, NSA does not favor or promote any specific software product or platform. API supports security-aware applications and application.