The first Linux Security Protection System stable release
[Posted October 16, 2002 by corbet]
The Linux Security Protection System (LinSec) is another project dedicated
to the creation of secure Linux systems through the use of mandatory access
controls. LinSec is not packaged as a full distribution, however; instead,
it comes as a kernel patch and a set of useful utilities. The project has
just announced its first stable release.

When you finish the (lengthy) process of installing LinSec on your system,
you'll have the following:
- A strong capability-based system. The all-powerful root account is
no more; instead, individual users and programs are empowered with
just the privileges they need to carry out their tasks. Capabilities
are part of the standard Linux kernel, but they are not heavily used
on most Linux systems.
- Filesystem access domains, so that particular users can be limited
to certain parts of the filesystem.
- "IP labeling lists," which restrict who can connect to what port.
- Socket access control, allowing detailed control over which users
and programs can connect to any particular socket.

LinSec has a lot of tools which can help in the creation of highly secure
Linux systems. What it lacks, still, is any real solution to the
administrative problem. Experience has shown that administrators have
trouble keeping track of even the basic permission bits on the many files
in their systems. Capabilities add another 28 bits to deal with. The LinSec
installation guide describes setting up capabilities as "the most daunting
task" in the whole installation process for a reason. Capabilities and
fine-grained privilege control are great ideas, but they are unlikely to
see widespread adoption until the management issues have been dealt with.