Slashdot Mirror


SELinux Panel at FOSE in Washington

Tony Stanco writes: "Newsforge has an article on what happened at the Security Enhanced Linux panel in Washington about certification under the Common Criteria for Information Technology Security Evaluation standard."

8 of 73 comments

  1. Good choice by Slash Veteran · Score: 3, Insightful

    I like the term "Security Enhanced" instead of "Secure." The former is attainable, the latter is quite laughable to anyone in the know.

  2. Windows is secure??? by NOT-2-QUICK · Score: 4, Interesting

    From the article:

    "Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating."

    While I can certainly understand the value derived through attaining a prestigious security rating such as this and truly advocate this undertaking as I believe it will benefit OSS as a whole, I have a hard time believing that is a necessity in terms of staying competitive with M$ Windows.

    With the rather suspect security record (to say the least...) of the Windows operating system, I could never fathom a security conscious sect of the government ever selecting Windows in lieu of a POSIX compliant OS such as Unix (or Linux, FreeBSD, etc...) that is designed specifically with security in mind. Even more, I would be quite suspect of any organization that would actually certify the operating system as being secure!!!

    Though Windows 2000 may win in a consumer-based market or even that of a commercial world due to its many bug-ridden features, these same traits open it up for failure in any truly security conscious environment...

    At least, that would be my view on the matter...

    --
    Beer is proof that God loves us and wants us to be happy. -- Benjamin Franklin

    1. Re:Windows is secure??? by wannabe · Score: 4, Informative

      According to the NSA Commercial Product Evaluations for Trusted Systems CD (September 2001), Windows NT service pack 6 with the C2 security patch is the spec on the M$ Product.

      According to the documentation, not only does the product have to pass muster, but the company must have the financial viability to support the testing. The financial health of the company must be good enough so that there are no serious doubts about its long term existence. Apparently the NSA doesn't want to certify a product, bring it into deployment and then have the company fold. That I can see being the biggest hold back to a Linux Distro being certified.

      All this information is free on the web. Do a search for rainbow series on google and you will find a link to the nsa site. There's also a number you can call and get a copy of the specs sent to you on cd on Uncle Sam's dime.

      --
      "Draw them in with the prospect of gain, take them by confusion." Sun Tzu

  3. Linux Security Modules (LSM) by Crispin Cowan · Score: 4, Interesting

    Note that the issue of getting SELinux from being a patch to Red Hat to being a truly generic solution is part of what the Linux Security Modules (LSM) project is all about: provide a module interface for the standard Linux kernel that can load a variety of modules, including SELinux. We are close to ready to propose the LSM patch for inclusion into the Linux 2.5 source tree. We maintain up-to-date LSM patches for both Linux 2.4 and 2.5.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Immunix: Security Hardened Linux Distribution
    Available for purchase

  4. Re:SELinux vs. LIDS by Crispin Cowan · Score: 3, Informative

    See my post on LSM: the Linux Security Modules project. This is precisely what LSM is about: give Linux a kernel loadable module interface that lets you load SELinux, SubDomain, LIDS (which got its security model from SubDomain), etc. into the kernel.

    Stacking modules (loading more than one module at once) is problematic, because security policies are known to not be composable in general. However, if the modules have been designed to be stacked, then LSM will let you stack them.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Immunix: Security Hardened Linux Distribution
    Available for purchase

  5. NSA pushing open source for government! Thanks! by i_want_you_to_throw_ · Score: 4, Interesting

    Being a government contractor (Army) I totally welcome this.

    I am in a NT shop and have a lonely Linux box that I managed to get in because I was able to show a couple of apps that the front office greensuiters thought were really neat and they said I could put one up (hooray!).

    I was depending on providing more and more functionality as my sole method of bringing in more Linux, but now I can just go to the green suiters (who know NOTHING of technology) and say "Look, NSA did this".

    Being good military men, I can hear them now "If it's good enough for NSA, no problem".

    Like the poster on Newsforge said "I never thought I'd say this but 'Thanks NSA!'".

    If you're in government and trying to push more open source, this may be just the 800 pound gorilla you need in your court.

    NSA quite possibly may do more for open source in government than anyone. Sure is going to help my case out!

  6. Secure vs. secure by snopes · Score: 4, Informative

    As hinted at in another post here, there's a difference between what's certified and what individual practitioners would see as accurate. The reason is the individual practitioner sees systems applied in real world scenarios and these don't necessarily have anything to do with certification standards. For instance, Cold Fusion and IIS problems are simply not a factor in evaluating the OS even though in the case of IIS it's arguable as to whether this should be.

    Additionally, you need to understand just what is being evaluated at the different levels. As mentioned, WinNT was given C2 certification. Understand that this has everything to do with a particular feature set (fine grained ACLs primarily) and little to do with the penetrability of the system. Actual pen testing doesn't become a requirement until B1, IIRC.

    The type of security that many are trying to achieve now (secure design, design verification, secure distribution, etc. i.e. security from the start) really doesn't come into play until A1 and that's the highest level of security deemed practical in the TCSEC.

    If you read the Orange book all the way through, what you'll see is that the majority of the security is intended to be achieved via mandatory access controls, subject and object labeling, and the careful application of these concepts. Each level has a new set of requirements for how much of the system is submitted to mandatory access control, whether the TCB (trusted computing base) is a subsystem of a greater insecure system, modularity and separation of duties, etc. Much higher level system design issues and features, really. Until B2, B3, and really A1 IMHO there's only basic and passing concern with what we're coming to realize as the one true requirement of security engineering: security from the start. Secure design, verification, implementation, and review.

    I haven't closely studied the Common Criteria and the handful of protection profiles yet, but I suspect you'd find the same or a similar issue. These are evaluation criteria and they tend to be focused on evaluating a stated set of features and capabilities. In high security environments product certification is not a replacement for careful product evaluation by the end user/customer any more than skills certification (e.g. Cisco, MS certs) is a replacement for careful interviewing and skills assessment by a hiring manager.
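Two of the posts above describe mechanisms rather than just opinions: Crispin's note that a hook-based module interface can stack policies only when the modules are designed for it, and snopes' summary of the Orange Book's reliance on mandatory access control with subject and object labels. The following user-space model, added here as an illustration and not taken from the page, the LSM project, or SELinux, puts both together. It registers two hypothetical policy modules behind one `file_permission` hook (a Bell-LaPadula style label check and a path-confinement check in the spirit of SubDomain) and composes them restrictively, so a deny from either module wins. All struct, function and label names, and the sample subjects, objects and labels, are constructed for the example; the real LSM hook table and SELinux policy language look nothing like this.

```c
/* Added example: a user-space model of stacked security-module hooks and
 * of a mandatory-access-control label check.  Names are hypothetical and
 * do not correspond to the Linux LSM API or to SELinux. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAY_READ  1
#define MAY_WRITE 2

/* A sensitivity label: a linear level plus a bitmask of compartments. */
struct label { int level; unsigned categories; };

struct subject { const char *name; struct label lab; const char *domain; };
struct object  { const char *path; struct label lab; };

/* a dominates b iff a's level is at least b's and a's categories include b's. */
bool dominates(struct label a, struct label b) {
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/* Module 1: mandatory labeling in the Bell-LaPadula style:
 * "no read up" (subject must dominate object to read) and
 * "no write down" (object must dominate subject to write). */
static bool mac_file_permission(const struct subject *s, const struct object *o, int mask) {
    if ((mask & MAY_READ)  && !dominates(s->lab, o->lab)) return false;
    if ((mask & MAY_WRITE) && !dominates(o->lab, s->lab)) return false;
    return true;
}

/* Module 2: path confinement.  A subject in the constructed "webserver"
 * domain may only touch paths under /srv/www/; unconfined subjects pass. */
static bool confine_file_permission(const struct subject *s, const struct object *o, int mask) {
    (void)mask;
    if (s->domain == NULL) return true;
    const char *prefix = strcmp(s->domain, "webserver") == 0 ? "/srv/www/" : "/nonexistent/";
    return strncmp(o->path, prefix, strlen(prefix)) == 0;
}

typedef bool (*file_permission_hook)(const struct subject *, const struct object *, int);

struct sec_module { const char *name; file_permission_hook file_permission; };

/* Restrictive stacking: every registered module must permit the access.
 * This is the composition rule both modules here were written to tolerate. */
static bool stacked_file_permission(const struct sec_module *mods, size_t n,
                                    const struct subject *s, const struct object *o, int mask) {
    for (size_t i = 0; i < n; i++)
        if (mods[i].file_permission && !mods[i].file_permission(s, o, mask))
            return false;
    return true;
}

/* Constructed sample policy state for the demonstration. */
static const struct sec_module MODS[] = {
    { "mac",     mac_file_permission },
    { "confine", confine_file_permission },
};

const struct subject WEB    = { "httpd", { 1, 0x1 }, "webserver" };  /* confined, low label */
const struct subject ADMIN  = { "admin", { 3, 0x3 }, NULL };         /* unconfined, high label */
const struct object  PAGE   = { "/srv/www/index.html",  { 1, 0x1 } };
const struct object  SECRET = { "/srv/www/secret.html", { 3, 0x1 } };  /* in-prefix but high label */
const struct object  SHADOW = { "/etc/shadow",          { 3, 0x2 } };

/* Single entry point a kernel would call from the file-access path. */
bool check(const struct subject *s, const struct object *o, int mask) {
    return stacked_file_permission(MODS, sizeof MODS / sizeof MODS[0], s, o, mask);
}

int main(void) {
    printf("httpd  read  %-22s %s\n", PAGE.path,   check(&WEB,   &PAGE,   MAY_READ)  ? "allow" : "deny");
    printf("httpd  read  %-22s %s\n", SECRET.path, check(&WEB,   &SECRET, MAY_READ)  ? "allow" : "deny");
    printf("httpd  read  %-22s %s\n", SHADOW.path, check(&WEB,   &SHADOW, MAY_READ)  ? "allow" : "deny");
    printf("admin  read  %-22s %s\n", SHADOW.path, check(&ADMIN, &SHADOW, MAY_READ)  ? "allow" : "deny");
    printf("admin  write %-22s %s\n", PAGE.path,   check(&ADMIN, &PAGE,   MAY_WRITE) ? "allow" : "deny");
    return 0;
}
```

The `SECRET` case is the one worth reading closely: the confinement module allows it (the path is under the permitted prefix) but the label module denies it, and the stacked decision is deny. The `admin` write to `PAGE` shows the other half of the lattice rule: a high-label subject may read low-label data but may not write into it, which is what keeps labeled information from leaking downward regardless of discretionary permissions.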

  7. EAL4 by karlm · Score: 3, Informative

    I briefly worked for a startup that ran a brief stint at getting their new programming language certified as EAL7... until they realized that it would probably take at least a minimum of $500,000 for each try at certification. This stuff is expensive (and with good reason). On top of that, each attempt at certification comes back with either "yes" or "no, and here's why...". If you try and get your system certified as EAL7 and it meets the criteria for EAL4 but not EAL7, you don't get an EAL4 certification, you get a failed EAL7 certification attempt.

    A lot of this stuff is based on design documentation (and an analysis of the design), demonstration that the design was followed, and solid clear end-user documentation. I can't imagine a design that requires IE to be integrated with the OS will pass EAL4 certification, so they may end up perjuring themselves during the certification process. Too bad the certification documents don't need to be made public. I would strongly hope that nobody will EAL4 certify anything with I.E. integrated. Its track record seems to indicate that the design was not well reflected in the implementation. Keep an eye out, if the certified version of Win2K doesn't have I.E. integrated, maybe the DOJ can slap MS on the wrist one more time.

    Solaris 8 has a special EAL4 version, but you (rightly) pay quite a premium for that version, as I understand it. In order to get something certified, you submit an exact copy of the system to be certified. If one bit (other than passwords, usernames, and groups) is different from what is certified (besides allowable changes specified in the certified end-user documentation), it's no longer EAL4 certified.

    This is pretty hard-core stuff. The previous security record of Win2K doesn't really come into account, because the EAL version would be best described as a specific configuration of an OS based on Win2K, not actually Win2K.

    Debian is pretty hard core with quality standards. Bastille and Debian probably stand the best chance of being able to put together an EAL4 distro, but neither of them is that well off financially. RedHat has some quality issues, but should be able to put something together as good as the certified version of NT. I don't think the costs would be justified for RedHat right now, though. The chances are slim to none that you'll ever be able to serve web pages from an all-microsoft EAL4 system within a decade. I highly doubt that EAL4 version of Solaris 8 has a webserver, at least one capable of dynamic content.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.