
Re: NSA's Secure Linux Distribution



At 04:38 PM 12-22-2000 -0500, Jacob Kuntz wrote:
from the secret journal of Brent Fulgham (brent.fulgham@xpsystems.com):
> No doubt most of you have seen the NSA's secure linux posting
> on Slashdot this morning.
>
> Looking at:
> http://www.nsa.gov/selinux/docs.html
>
> there appears to be several utilities that have been updated
> to provide enhanced security.
>
> Should we be merging these patches into Debian, assuming they
> appear to be compatible with our policy, etc.?
>

Unless we have a policy against security, it should be fine. :) It's all GPL.

I'd take a close look at what they did before deciding to integrate their patches in.

The goals of the NSA in doing this may not be suitable for Debian. I'm not talking about paranoia concerning the NSA putting back-doors into everything; I'm taking as given that they are being honest and upfront about what they are doing and why. But...


Here is a quote from their "overview" page (http://www.nsa.gov/selinux/index.html):

Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.

In addition, while they provide 15 new or modified system utilities, they also provide 36 new system calls, and require a custom kernel to handle the system.

On their to-do list are the following items:

Port the kernel patches to the latest 2.2 kernel
Port the kernel patches to the 2.4.0 kernel
Port the utility patches to the latest versions of the base utilities

so I'm not even sure we -could- apply their patches, even if we wanted to.


--
jacob kuntz
jpk@cape.com
underworld.net/~jake

