How to Enhance Linux Security
Operating system security is (or at least should be) of critical importance to us all. However, the level of security required differs for each systems administrator.
For those who seek enhanced, tightened security control over their Linux systems, SELinux may be the answer. Standing for Security-Enhanced Linux, it is a result of research projects from the NSA (National Security Agency) in the US and focuses on mandatory access controls, which offer powerful controls over users and devices as well as applications and services.
SELinux is released as a set of kernel patches which wraps into an existing Linux installation. The NSA states they have tested it successfully only on Red Hat.
In that same vein, the Red Hat community has just announced integration of SELinux into its latest test release of Fedora (core 2), the replacement for Red Hat’s Professional series of distributions which ended with version 9. Red Hat facilitates the Fedora project but does not officially support it. However, it is obvious the goal is to test out and find the best improvements that can then make their way into Red Hat’s official Enterprise Linux products.
The NSA defines the difference between SELinux security and standard Linux security:
“The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a “root” super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).”
More Information on: Security-Enhanced Linux
Red Hat Fedora and SELinux
Translated from: https://www.sitepoint.com/security-enhanced-linux/