Slashdot Mirror
SELinux Panel at FOSE in Washington
Tony Stanco writes: "Newsforge has an article on what happened at the Security Enhanced Linux panel in Washington about certification under the Common Criteria for Information Technology Security Evaluation standard."
Stacking modules (loading more than one module at once) is problematic, because security policies are known to not be composable in general. However, if the modules have been designed to be stacked, then LSM will let you stack them.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase
According to the NSA Commercial Product Evaluations for Trusted Systems CD (September 2001), Windows NT service pack 6 with the C2 security patch is the spec on the M$ Product.
According to the documentation, not only does the product have to pass muster, but the company must have the financial viability to support the testing. The financial health of the company must be good enough so that there are no serious doubts about its long term existence. Apparently the NSA doesn't want to certify a product, bring it into deployment and then have the company fold. That I can see being the biggest hold back to a Linux Distro being certified.
All this information is free on the web. Do a search for rainbow series on google and you will find a link to the nsa site. There's also a number you can call and get a copy of the specs sent to you on cd on Uncle Sam's dime.
"Draw them in with the prospect of gain, take them by confusion." Sun Tzu
As hinted at in another post here, there's a difference between what's certified and what individual practioners would see as accurate. The reason is the individual practioner sees systems applied in real world scenarios and these don't necessarily have anything to do with certification standards. For instance, Cold Fusion and IIS problems are simply not a factor in evaluating the OS even though in the case of IIS it's arguable as to whether this should be.
Additionally, you need to understand just what is being evaluated at the different levels. As mentioned, WinNT was given C2 certification. Understand that this has everything to do with a particular feature set (fine grained ACLs primarily) and little to the with the penetrability of the system. Actual pen testing doesn't become a requirement until B1, IIRC.
The type of security that many are trying to achieve now (secure design, design verification, secure distribution, etc. i.e. security from the start) really doesn't come into play until A1 and that's the highest level of security deemed practicle in the TCSEC.
If you read the Orange book all the way through, what you'll see is that the majority of the security is intended to be achieved via mandatory access controls, subject and object labeling, and the careful application of these concepts. Each level has a new set of requirements for how much of the system is submitted to manadatory access control, whether the TCB (trusted computing base) is a subsystem of a greater insecure system, modularity and seperation of duties, etc. Much higher level system design issues and features, really. Until B2, B3, and really A1 IMHO there's only basic and passing concern with what we're coming to realize as the one true requirement of security engineering: security from the start. Secure design, verification, implementation, and review.
I haven't closely studied the Common Criteria and the handful of protection profiles yet, but I suspect you'd find the same or a similar issue. These are evaluation criteria and they tend to be focused on evaluating a stated set of features and capabilities. In high security environments product certification is not a replacement for careful product evaluation by the end user/customer any more than skills certification (e.g. Cisco, MS certs) is a replacement for careful interviewing and skills assessment by a hiring manager.
A lot of this suff is based on design documentation (and an analysisof the design), demonstration that the design was followed, and solid clear end-user documentation. I can't imagine a design that requires IE to be integrated with the OS will pass EAL4 certification, so they may end up purgering themselves durring the certification process. Too bad the certification documents don't need to be made public. I would strongly hope that nobody will EAL4 certify anything with I.E. integrated. It's track record seems to indicate that the design was not well reflected in the implementation. Keep an eye out, if the certified version of Win2K doesn't have I.E. integrated, maybe the DOJ can slap MS on the wrist one more time.
Solaris 8 has a special EAL4 version, but you (rightly) pay quite a premium for that version, as I understand it. In order to get something certified, you submit an exact copy of the system to be certified. If one bit (other than passwords, usernames, and groups) is different from what is certified (besides allowable changes specified in the certified end-user documentation), it's no longer EAL4 certified.
This is pretty hard-core stuff. THe previooous security record of Win2K doesn't really come into account, becuase the EAL version would be best described as aspecificconfiguration of an OS based on Win2K, not actually Win2K.
Debian is pretty hard core with quality standards. Bastille and Debian probably stand the best chance of beilng able to put together an EAL4 distro, but niether of them is that well off financially. RedHat has some quality issues, but should be able to put something together as good as the certified version of NT. I don't think the costs would be justified for RedHat right now, though. The chances are slim to none that you'll ever be able to serve web pages from an all-microsoft EAL4 system within a decade. I highly doubt that EAL4 version of Solaris 8 has a vebserver, at least one capable of dynamic content.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.