SELinux (Security Enhanced Linux) is produced by, of all things, the United States National Security Agency: http://www.nsa.gov/selinux. Their home-page says it all.
If you stop and think about it, "regular Linux" has one important Achilles heel: too many things are "root or nothing." A web-server might have to run as root, in whole or in part, just to be able to open TCP/IP port #80. In doing so, however, you create the risk that any rogue who can get the web-server program to do something nasty has just done that nasty thing as root, to your whole machine! All because your web-server needed to open port #80.
One of the solutions to this problem, as implemented in these so-called "hardened Linuxes," is to introduce the concept of a capability. Now you can run your web-server as an ordinary, unprivileged user with no special powers at all, except that it has been granted an "OPEN_PORT_80" (say) capability: the one narrow power it actually needs, and nothing more.
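The "OPEN_PORT_80" capability above is a stand-in; the real Linux name is CAP_NET_BIND_SERVICE (capability bit 10). The following is an added example, not code from the original post: it parses the CapEff line of a /proc/<pid>/status file and checks that a port-80 listener holds only that capability and not a root-equivalent one. The sample status excerpts are constructed, and the capability bit numbers are the kernel's own from linux/capability.h.

```python
# Added example: check a process's effective Linux capabilities the way a
# defender reviewing a web-server deployment would. The server should hold
# CAP_NET_BIND_SERVICE (what the text calls "OPEN_PORT_80") and nothing
# root-equivalent. Bit numbers come from the kernel's linux/capability.h.
import re

# Capability bit numbers relevant to a web-server review.
CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_ADMIN": 21,
}

def parse_cap_mask(status_text, field="CapEff"):
    """Return the set of named capabilities in one Cap* field of /proc/<pid>/status."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)$" % field, status_text, re.M)
    if not m:
        raise ValueError("no %s line in status text" % field)
    mask = int(m.group(1), 16)
    return {name for name, bit in CAPS.items() if mask & (1 << bit)}

def least_privilege_ok(status_text):
    """True if the process can bind port 80 but holds no root-equivalent capability."""
    eff = parse_cap_mask(status_text, "CapEff")
    needed = {"CAP_NET_BIND_SERVICE"}
    dangerous = {"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETGID"}
    return needed <= eff and not (eff & dangerous)

def current_process_caps():
    """Read the live effective set of this process (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_cap_mask(f.read(), "CapEff")

# Constructed /proc/<pid>/status excerpts (not captured from a real host):
ROOT_STATUS = "Name:\thttpd\nCapEff:\t000001ffffffffff\n"    # full root set
SCOPED_STATUS = "Name:\thttpd\nCapEff:\t0000000000000400\n"  # bit 10 only
NONE_STATUS = "Name:\thttpd\nCapEff:\t0000000000000000\n"    # plain user

if __name__ == "__main__":
    for label, text in (("root", ROOT_STATUS), ("scoped", SCOPED_STATUS), ("none", NONE_STATUS)):
        print(label, sorted(parse_cap_mask(text)), least_privilege_ok(text))
```

On a real host, run it against the status file of the actual server pid; only the "scoped" shape should pass.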
Another weak-link in "regular" Linux is the somewhat primitive "user/group/anyone" "read/write/execute" permission-structure, a legacy of the earliest days of Unix on a PDP-8. Access Control Lists (ACLs) enable you to assign more-specific file access rules.
These are a couple of examples of what is referred to as "hardening." Also, "hardening" involves increasing awareness on the part of the system administrator (that means you...) as to what kinds of threats exist and how these various tools can be intelligently used to counter them. Pragmatically speaking, a lot of nasty things happen to people by pure chance: scripts are out there, trolling for IP-addresses of machines that "aren't paying attention" and exploiting them "just because they left the front door unlocked."