IBM Clinches Security Certification for Linux
Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
So what the hell was going on before?
Glad to see they aren't letting SCO scare them away from giving Linux their support time after time
Just because the government can consider buying Linux doesn't mean it will. After all, Microsoft has got a pretty firm hold on the bureaucrats in charge.
I hate liberals. If you are a liberal, do not reply.
What are the ratings and how do other common OSes score? Anybody know?
How small a thought it takes to fill a whole life
CNN.com has this story too.
What this means is that government can consider Linux when making purchasing decisions.
I thought they already could and have in most cases. Now they have the extra bit of paper which says it's OK to use it though.
Linux got the highest rating possible.
Would you expect anything less?
Microsoft set out to get Win2K certified and only completed the process last October according to .
Linux now has the upper hand because MS does not yet have XP certified.
Hey, you really can't go wrong with an open source, GPL'ed operating system where drivers are written by guys from NASA (Thanks Mr. Becker), and your security ACLs are written by the Spooks (heh, thanks NoSuchAgency ;-).
It REALLY beats closed source OSes (for governments) as even our own MS of America won't let us see the code because it's "dangerous". However, showing the Chinese is A-OK.
Gotta make you think: what would our gov't choose if they didn't have their hand in MS's pocket?
According to this article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.
So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.
Please spare me of all the "BSD SUCKS" and "BSD IS DEAD" flames. Kthx.
I'd be interested in learning why more companies don't take a look into BSD environments. The security is there. The license is TOTALLY unrestrictive. It's stable, secure, well documented and well accepted (except on /.) -- why doesn't it get more corporate love?
Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government? The article doesn't make it clear whether or not they're talking about serving or usability.
It seems to me that if they're talking about security and such, there's still a bit to be left desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) distribution of Linux.
www.sitetronics.com/wordpress
I mean, look at all the other level 4 assurance level OSes here. Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance with the Common Criteria guides for the Windows sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction on the part of the /. editors?
Mother is the best bet and don't let Satan draw you too fast.
I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.
Does this mean that it is safe/legal to use Linux on a machine used to store medical information, in compliance with HIPAA and other mandated privacy policies?
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria.
...but what does it mean in the end? Nothing at all, since MS is branded onto the forearms and foreheads of most politicians? Or will Linux become the next tool for monitoring its citizens? Hopefully neither. Hopefully, instead, big businesses like Red Hat and SuSE (through IBM) will begin lobbying the government with the same strength and voracity that MS and others have been for years. Then we can begin to see some real change, even if we have to use some of the same slimy tactics.
What kind of items are covered in the Common Criteria?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Suddenly I'm just starting to love IBM more and more these days :-)
So does that mean that a specific version of Suse is certified, and nothing else? So what about Red Hat etc? Or future Suse versions? I presume they'd have to get another certification (probably easier after Suse got the 1st one, but anyway).
First off, the certification validates that they can consider this specific distro of Linux on certain IBM machines for *secret* uses. They certainly could have (and most likely have) used Linux on other types of applications and such, but they couldn't, say, set up a Linux box on a secret LAN or mission critical applications.
EAL2 != Security
CC EAL<n>
I would like to have EAL5 or better...
IBM has gotten Linux certified
Correction -- they got SuSE Linux certified. This only applies to SuSE. Incidentally, it cost them $500,000.
Linux got the highest rating possible
No it didn't. FUD. According to this story...
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software was under testing for better-security ratings.
In fact, I'd suggest people look at the story in the Inquirer linked above -- it gives a little more information as well as some light commentary.
The article seems to imply that only Linux running on IBM computers and SuSE Linux have been certified. Is the certification *any* distro running on IBM and SuSE running on *any* computer or is it just SuSE running on IBM?
Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software. Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
I would guess that IBM wanted to go for the faster, cheaper rating first and wait to get it certified higher. Common Criteria testing is expensive and time-consuming. It isn't a statement on Linux, it says more about how much got spent this time around.
If you're curious about some of the history of Microsoft and the certification of Windows for government work, click here, and look elsewhere for the story of Ed Curry. It's been linked to here on Slashdot before.
If you want to know more about the EAL4 certification that Windows 2000 SP3 currently has, click here.
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
I'm not sure that the government adopting OSS is such a good idea. I mean when something doesn't work who is held accountable? Linus? Alan? ...?
At least with proprietary technology there is the promise of accountability [*] in the product.
[*] Yes I know this would mean Microsoft. DA damnit!
Tom
Someday, I'll have a real sig.
All SuSE has is that it was certified EAL2+. While this is a measure of how deeply something was tested (and EAL2 is not the best on the list), it does not define the threat. As in: "What security target was used?". A security target will tell us (among other things) information about the skill of the attacker and the environment. "Can be hacked by the NSA in their offices in one year" as opposed to "Can be hacked by the cleaning lady in two minutes."
is it too late for the dept. of homeland surveillance to switch or are they satisfied with the security that can be broken by a midi file?
what did m$ get on this anyways?
!(^((ri)|(mp))aa$)
I know the agency I work at follows these ridiculous regulations only when they fall in line with what they were planning on purchasing anyway. For example, most of the security products we use are not FIPS 140-1 compliant anyway. Who cares?
This will carry a lot of weight to any argument with a PHB or similar.
J.
You're only jealous cos the little penguins are talking to me.
Being that Linux is ever evolving and in a constant state of change, wouldn't that mean constant recertification?
SuSE got the lowest possible passing rating, not the highest.
As someone else mentioned, IBM probrably went for the cheapest testing first.
But that does not change the fact that you deliberately told an untruth.
If Linux only got Low2Moderate, and Windows2k got Moderate2High, are there any off the shelf OSes that rank equal or better to Win2k, or is Windows2k the only one out there? Thinking of all the security breaches in Windows2k, a Low2Moderate score does not impress me, nor does Microsoft when it comes to security.
more liek BSOD am i rite??
P.S. a/s/l?
As often, article writers are a bit egocentric. Did you know there are several governments in here?
To the article author: I give you 1 troll point
Isn't it interesting how in slightly over a decade, IBM has gone from being sworn enemy of geeks all over the world, to best ally?
What will we be thinking about Microsoft in 10 or 15 years?
Their press release.
From that release...
SuSE Linux Enterprise Server 8 has achieved Common Criteria Security running on IBM eServer xSeries.
Linux got the highest rating possible
The highest rating for linux is Bill Gates using it (secretly at home)!
I want my karma, and I want it now!
More like....
In Soviet Russia... (Score: -100, Tired old joke that none likes)
SECURITY clinches YOU!!
Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?
Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.
Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.
Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?
--
This sig is inoffensive.
and basically just stands for "structurally tested", so keep your feet on the ground.
Win2K got EAL4; the levels go up to EAL7
Here are short descriptions:
http://commoncriteria.org/docs/EAL
(sorry, don't know how to turn this into a link...)
*BSD might as well be dead to the commercial and government enterprises. Until you see the likes of Dell and IBM slapping FreeBSD on their shiny metal systems, your run-of-the-mill IT buyer will still regard the OS as something whose name simply rings a bell or is the answer to an IT-related trivia question.
I work at a gov't site. We have plenty of systems in production and dev environments running Linux, in part because the project managers were able to use the Dell fed contract to get those servers with Linux. So, Linux is recognized by those buyers as a legitimate OS for business use. I can certainly slap SomeBSD on those machines, but whoops, the Oracle vendor said Linux was good, but not this SomeBSD.
When BSD is embraced by top-level vendors, companies will consider it.
So long, michael. Don't let the door hit you...
Linux got the highest rating possible.
Is this right? Because that's not how the Wall Street Journal (subscription only) reported it today:
SuSE Linux got a Level 2 certification, which he [Jonathan Eunice, principal analyst at market researcher Illuminata] said "isn't particularly detailed." Microsoft Corp. has a Level 4 certification, which involves "substantially more detailed" investigation by testing labs.
The Wall Street Journal gave this big play
... it's subscription only, but here's some details:
To get the certification, IBM enlisted SuSE, which distributes one of the leading versions of Linux. Mr. Donofrio said IBM paid less than $500,000 to get the certification at an independent testing center in Germany run by atsec information security GmbH. [IBM's senior vice president of technology and manufacturing, Nicholas] Donofrio said the security certification required few changes. It simply assured that Linux didn't have weaknesses that could be exploited by hackers, such as failing to really erase information on command. The certification included approval of the process SuSE uses to upgrade the software without introducing new security risks.
In a statement, the Defense Information Systems Agency said it was "pleased" that Linux has attained the certification.
Jonathan Eunice, principal analyst at market researcher Illuminata, Nashua, N.H., said the certification is significant, because "competitors have openly said Linux would never get to this level of security."
The initial certification is for Linux running on servers using Intel Corp. microprocessors. Mr. Eunice said SuSE Linux got a Level 2 certification, which he said "isn't particularly detailed." Microsoft Corp. has a Level 4 certification, which involves "substantially more detailed" investigation by testing labs. IBM said it would sponsor security testing for Linux software running on other servers it makes, including its mainframes.
There's a NY Times story on the subject here (and a good SCO one on the Red Hat legal case following it).
Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.
WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?
Wrong place in the article to put that bit.
According to the press release the certification covers the "SuSE Linux Enterprise Server 8 on IBM eServer xSeries", i.e. a specific SuSE product running on a specific family of servers. And nothing else. Read also this bit.
From the article:
Linux, running on IBM computers using Intel Corp.'s (Nasdaq:INTC - news) chips, received the Common Criteria certification
What would BSD get then? This rating goes to 11?
If you were blocking sigs, you wouldn't have to read this.
1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.
2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.
3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.
Don't get me wrong, this is a great start and will certainly spread a lot of marketing FUD, but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so-called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.
Tread carefully.
This http://www.sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/08/04/financial0031EDT0009.DTL article explains the issue in more detail.
Nope, we won't slashdot Yahoo. But we may slashdot their rating system :)
There's that "Rate This Message" on the bottom. Just everyone pick "5" and the news will make it to the "highest rated" and possibly to the top headlines of Yahoo news.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Very true that it got C2 certification, but if I recall correctly only when external drives were removed and the PC was not hooked up to a network.
I am the musician
with a pocket calculator in my hand
Kraftwerk
Hehe.. In your face, Scott McCollum! Put *that* in your narrow little pipe and smoke it!
(and for those of you who dunno who our dear friend Scott is, he's a 'writer' for WorldTechTribune.com who makes a habit of writing screed after screed of his anti-Linux and anti-open source opinions (and tries to pass them off as news half the time). I wouldn't hate his guts so much if his arguments made sense, but he just basically sits there spouting nothing but FUD and thinly disguised pro-MS propaganda, and when OSS advocates react with proper indignation to his bull, he has the sheer gall to act all shocked and point at their emails and go 'Look, see, they're attacking me for no reason, it just goes to prove those dirty Open Source hippies are nothing but savages!'. Also, he wrote a couple of articles about how Win2K had gotten this same certification when Linux didn't have it yet, and then he went on to proclaim that Linux would *never* get this certification because it was inherently insecure and flawed, unlike his beloved Win2K. So, from IBM with love, fuck you, Scott McCollum.)
"Two things are infinite: the universe, and human stupidity. And I'm not sure about the first one." - Albert Einstein
the Common Criteria web site and have a look?
I want to drag this out as long as possible. Bring me my protractor.
I'm not sure what it means by the "highest rating possible," but I do know that Level 2 security clearance is what you need in order to take orders and be a real DoD contractor. This is the level that I believe Raytheon's ICCC division (the ones that program the missiles) and other companies such as Boeing work on. The divisions themselves have to be certified in order to work on projects, and since about last year the gov't has started to push their contractors to do this, it makes sense that this finally happened.
This doesn't really open the way for other companies to use Linux, I don't think, but perhaps this will get other companies to do this as well. More competition can't hurt, right?
"Time is long and life is short, so begin to live while you still can." -EV
Actually, if you want to be nitpicky about HIPAA, there really doesn't exist *ANY* computer (and never has nor ever will) secure enough to store patient medical data, yet HIPAA *requires* you to do all your data communication electronically. Go figure.
I'm in the middle of setting up a supposedly-HIPAA-compliant system right now for a small city government clinic. It's a Windows 2000 server because the insurance claims processing software they bought requires MS SQL Server. It will reside on an isolated network segment with all its workstations, and do its online claims processing thru a second hardware encrypting NIC that then goes thru a Linux box that's set up with kernel 2.4.x iptables firewall rules before getting out to the Internet to transmit the insurance stuff to the claims processing center. They're demanding that I sign off on this arrangement being secure and HIPAA compliant, but I refuse to sign unless they purchase a private frame relay line connection between their office and the claims processing center instead of using their internet connection. But they're too cheap to pay for a private line, so I guess they're just gonna have to run the system without my official signoff, and communicate over the internet, which I still think is insecure as hell even with the encryption and strict firewall.
Judging from another article it's only the SuSE Linux Enterprise Server 8 in combination with an Intel-based xSeries server from IBM.
The real question is whether people will feel safe to use it. It's not yet level 4 certified like w2k or HP-UX but then again a certificate doesn't mean your product is safe.
Btw, my belief is they still have some work to be done, but they'll get there.
Linux received its evaluation at a level of EAL2; according to the CC guidelines, this is "structurally tested" and means that it should "not demand more effort on the part of the developer than is consistent with good commercial practice"; applicable where "a low to moderate level of independently assured security" is required.
Windows 2K received an EAL4+, according to NIAP's evaluated product list; which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)"; with testing that supports "independent search for obvious vulnerabilities."
That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
All of this is accessible from the CC website.
This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.
"Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
You can read lots more about this by choosing from the links in the rejected post below. Also, it's important to note that EAL2 is NOT the highest Common Criteria certification level. The Common Criteria for Information Technology Security Evaluation v2.1 describes the security assurance requirements and EALs in detail. For a look at the details read about the Evaluation Assurance Levels at NIST.
IBM, SuSE Linux Get Common Criteria Security Certification
Linux has reached a new milestone: IBM and SuSE Linux have received the Common Criteria Security Certification from the U.S. government (mirror), specifically from the Defense Information Security Agency (DISA) arm of the Pentagon. 'Right now it is the only Linux distribution available that has this. This certification is used as a standard by 14 countries including the U.S. and Canada,' says the SuSE U.S. general manager. Linux Enterprise Server 8 is certified at Evaluation Assurance Level 2+ (EAL2+), with the companies jointly pursuing a Controlled Access Protection Profile EAL3 certification by year-end, then on to EAL4. More details at CNet, AP via Detnews/CNN and Reuters/Forbes. It looks like they beat Red Hat to the punch.
The Common Criteria evaluation scale runs from EAL1 to EAL7. Linux just got an EAL2. Windows has an EAL4. Any number of UNIX flavors have EAL4 evaluations. None of them are "high security". Security only starts to get serious at EAL5, and you don't get real serious penetration resistance until EAL6 or EAL7.
on pending Linux contracts with the US government can be found here.
IBM and SuSE Linux Earn First Security Certification of Linux
ARMONK, N.Y. and Oakland, CA, August 5, 2003 -- IBM and SuSE Linux today announced that the two companies have achieved the first ever security certification of Linux, taking the critical next step in the maturation of Linux and enabling the adoption of Linux by governments and companies around the world for mission critical environments.
IBM and SuSE Linux have achieved Common Criteria Security Certification for SuSE Linux Enterprise Server 8 running on IBM eServer xSeries. The Common Criteria (CC) is an internationally recognized ISO standard (ISO 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.
"We are pleased that Linux has reached this important security milestone through the joint efforts of IBM and SuSE," said Fritz Schulz, Defense Information Systems Agency. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission critical environments."
SuSE Linux Enterprise Server 8 on IBM eServer xSeries has earned an Evaluation Assurance Level 2+ certification, commonly referred to as EAL2. IBM and SuSE also announced today that the companies have filed for a higher level of security certification for Linux, the Controlled Access Protection Profile with EAL3+ across the IBM eServer product line, which is expected later this year.
In addition to the Common Criteria certification, SLES 8 on IBM eServer platforms will meet the Common Operating Environment (COE) standard later this year. This will lead to a product that simultaneously meets Common Criteria and COE requirements. This standard, unique to the US Department of Defense (DoD), addresses functionality and interoperability requirements for commercially acquired IT products. The COE specification is used to verify the look and feel and function of software products as they are joined with government customized code. The COE is broadly recognized as a standard computing environment across the U.S. Government command and control systems.
"IBM and SuSE's landmark decision to submit the SuSE Linux Enterprise Server product to Common Criteria testing challenges the view of many skeptics that open source systems could not withstand such testing due to the difficulty of establishing processes in an open-source environment. This announcement demonstrates IBM's commitment to enterprise infrastructure that is secure, cost effective and open," said IBM Senior Vice President of Technology and Manufacturing, Nicholas Donofrio. "With this announcement, we continue to build upon our commitment to delivering Common Criteria certification across the IBM eServer platforms. Most importantly, the Common Criteria certification further validates the security and quality of open source software, not only for Global Government, but for other industries with critical security requirements."
"SuSE is the world's only open source operating system manufacturer which has technically demonstrated Common Criteria proficiency that can control and minimize security risks through a comprehensive quality assurance process," said Richard Seibt, Chief Executive Officer, SuSE Linux. "The Common Criteria evaluation marks yet another first for SuSE, and will further reassure companies of the high quality and security of the SuSE Linux Enterprise Server."
Sponsored by IBM, the evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT securi
How can you certify something that is illegal? Can you certify me stealing a car? SCO owns the certification, and soon enough I'm sure they will own my car :(
While this has implications for government acceptance of Linux, which is good, it turns out that it wasn't all that significant when W2K achieved it, and means even less that a system running Linux got EAL2. It's probably most interesting that it was an IBM system running a SuSE system, not Red Hat.
Even the greediest government agency has to operate within budget
True, yes, but they can cut corners in other places and then profit personally by choosing Evil Corporation A (tm) as a supplier. After all, it's usually cheaper in the end to offer a minor discount to a high-volume sale, and then a larger "incentive" to those in charge. It's not like gov't have to use half the crap they come up with, that's for the grunts like you and me.
They need more granularity in their rating system if Linux got the same rating as OpenBSD or OpenVMS or Multics.
When someone might yell at me, it has to be OpenBSD.
I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.
Better still the Defense Information Systems Agency is recommending that any Linux purchase support the LSB and that apps be written to the LSB.
So, not only is it now easier for government agencies to support Linux deployments, but they are going to force any Linux distributor doing business with the government into interoperability.
do the tests themselves work. Unfortunately, a lot of stuff in the computing world revolves around Windows, so it could be a matter of adding criteria to the test based on what Windows does or "is supposed to do."
It's one thing to say "Operating System A has this security feature while Operating System B does not", but it's a moot point when the way in which System B operates makes such a feature unnecessary anyway, or if there's a better/different way of doing it that isn't written on a sheet of paper.
Linux is a Process, Not a Product. :)
I'm sure this upsets him to see people treating Linux as if it weren't an ever-changing dynamic process.
Seriously though that's great. Even though I don't use Suse or own an IBM server. Hopefully Dell will get in on this so I can afford a cheap server too.
It is great that Linux has been evaluated using Common Criteria; unfortunately there will not be a whole lot of Government agencies lining up to buy it. The standard for classified material is C2/EAL4 regardless of classification. Since Linux does not have the extended auditing that commercial Unix and Windows NT/2000/XP has, it will never get above EAL3. What I would like to see is the Hardened Gentoo box evaluated under CC (www.gentoo.org/proj/en/hardened). I logged into this box and could basically do nothing (as root)! It uses NSA's Security Enhanced Linux and a variation of Role Based Access Control. This machine will pass muster! I can't wait for the day Linux gets EAL4, but I don't think that is coming too soon.
All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.
Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.
As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
First of all in case you missed it: SuSE Linux running on specific IBM hardware is certified at EAL2. Win2000 was certified at the much higher EAL4, but only under some fairly restrictive circumstances.
Now realistically, EAL4 IS a restrictive certification! Trusted Solaris 8 is EAL4 certified. Most default Unix installs might barely pass EAL2. What good is it then?
Read the C|Net article and you'll find that IBM is pursuing EAL3 and EAL4 for SuSE Linux next. That's a Good Thing, for any number of reasons, not the least of which is being able to sell to defense contractors for secure (but not secret or top-secret) level requirements.
Practically speaking though, the different levels, while increasingly restrictive, aren't a scale of security goodness. They serve different effective purposes. Do you WANT an EAL4 system on your desktop? Probably not. Do you want it in your server room? There's a good chance, yeah. Do you want an EAL7 system for anything at all? Unless you're the NSA, probably not. This is an OS designed from the ground up with peer review at every stage (architecture, design, implementation) and independent verification on top of that. It is utterly restrictive--you wouldn't be able to put a web browser on an EAL7 system (or more to the point, you wouldn't be allowed to write and install one for the system without breaking the certification). This is the software that runs the shuttle and nuclear bases.
So basically, let's quit this damned pissing match. EAL2 is good for some things, EAL4 for others, and so forth.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Jonathan Shapiro wrote a great article analyzing the Windows Common Criteria certification; much of it applies to Linux as well. Among other things, it explains why Windows can get certified even with its remote root exploits: "An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected."
You assume, my dear Alex, that Microsoft will exist then. Silly boy. Go back to your X-Box.
Anybody know what profile IBM used? (see files/ index.html)
http://www.commoncriteria.org/protection_pr
--eludom
the nytimes has an article on it as well...
Just as info-security is a "process", so, too is the HIPAA Security Rule process-oriented. But there is so much misinformation out there about what HIPAA is and what it does. HIPAA certainly does NOT preclude emergency service personnel from keeping a record of their calls - what hooey.
If you want some really good descriptions of what HIPAA requires, including access to the free Privacy Rule training modules which New York State government is using for its HIPAA-impacted employees, try New York State's HIPAA web site at www.oft.state.ny.us/hipaa.
The HIPAA standards come in many flavors. The standards are applicable only to "covered entities", which are three types of entities: health care clearinghouses, health plans, and some health care providers (doctors, nurses, pharmacists, hospitals - but only those medical providers who engage in electronic medical billing).
There is an Electronic Data Interchange standard (regulation), setting the standards for the fields and the data sets required to be used when doing medical billing electronically.
There is a Privacy standard, which applies to ALL of the Individually Identifiable Health Information held by a covered entity.
There are "Identifier" standards, which give health plans, providers, and employers ID numbers for medical e-billing.
And, there is a Security standard, which applies only to ELECTRONIC health information held by a covered entity.
The Security standard is process-oriented. Only a few particular types of e-healthinfo security solutions are "required" - the rest are "addressable". What this means is that just about any type of solution can be used from an infosec perspective so long as the covered entity can justify its use and document that justification.
So, yes, this Common Criteria security certification which was secured by IBM might very well be pointed to in support of a decision to use Linux.
Thanks for taking the time to accurately link to everything. I appreciate taking the time to have details in a response, even if it doesn't get modded as high.
Wow, so did they certify just the kernel? After all, Linux was certified, not GNU/Linux. :)
This announcement should help sell more licenses for SCO. They deserve it after all that hard work they've put into the OS.
This really isn't that great news if you read Paul Thurrott's comments: Linux Rated Less Secure than Windows
Haha, what I submitted was still in my paste buffer 12 hours later (yeah, nerds do sleep). This story according to CNN contradicts what the main story says. Linux only got a rating for low to moderate security, not the highest security.
In an article on CNN it is reported that the Common Criteria organization, an international technology standards body, certified Linux for the first time on "mission critical" computers, including those in America's top-secret spy agencies and those used to deliver ammunition, food and fuel to soldiers.
While only certified for Low to Moderate security, Linux is still under testing for higher security ratings. IBM says this is good since it gives them a footing in an area that has been dominated by Windows sales. Of note is the fact that IBM paid over $500,000 for testing and was also supported jointly by SuSE.
I mean when something doesn't work who is held accountable? Linus? Alan? ...?
A vendor of a commercial distribution of an emancipated operating system will usually sell support contracts. Red Hat makes a sizable chunk of change from that line of work.
Will I retire or break 10K?
It seems a lot of you are completely missing the point here. EAL 4 is 'higher' than EAL2, that's entirely true. However:
EAL3+ all require the OS to be tested from *design*, and since there's never been an official design criterion, or design specification, for any Linux distro or kernel, it's quite simply impossible to even get EAL3 or more for a Linux distro/kernel/whatever.
The reason Win2K could get EAL4, is because they were already working on that certification before it was even released. That's the whole point.
Mad.
Coz eternity my friend, is a long *ing time.
WinInformant was referenced as one of the top articles on this by Google:
"Linux was certified as providing 'low to moderate' security, while Windows 2000 received a 'moderate to high' security rating last year. According to people close to the certification, Linux was being tested for better security ratings, but only achieved the 'low to moderate' rating."
Somebody wanna explain to me how this works? Near as I can figure, all that happened was that Linux is still only EAL3 where Windows2K is EAL4 (versus scoring differently on the same test, as WinInformant seems to imply); IBM's older press releases seem to say that EAL4 testing is expected down the road, but this article seems to imply that they've now tried and flunked EAL4.
I'm not familiar with the differences in the testing, and some basic Googling just turns up lots of press releases so far.
Slashdot's token middle-aged housewife
Yes, it should have read "...got the lowest rating possible to still be considered for DoD work."
Coincidence?
to err is human, to forgive is divine, to forget is... umm...
The government is finally authorized to buy a free product.
I've found that my posts don't format quite right w/o a sig.
My compliments.
EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. If one looks at the chart on page 54 of the Common Criteria Part 3 Security Assurance Requirements document, one sees that an EAL7 system would be analyzed in 25 areas where an EAL2 one would be analyzed in only 13. And even in the 13 areas that are common, there are requirements at the EAL7 level to do each thing much better that don't appear at EAL2. What may seem like a minor wording difference between 2 requirements may take millions to achieve.
EAL2 does not require an exhaustive vulnerability analysis or penetration testing or a covert channel analysis as do those levels above EAL4.
I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.
Acquiring that EAL5+ rating, even for an operating system that previously received NSA's highest rating ever for a general purpose operating system, takes several years and multiple million $, not the $500K quoted in another post.
The Govt procuring agency is responsible for assuring that the protection profile or security target that the OS was evaluated against is appropriate for the value of the data they are trying to protect and that the assurance level is also appropriate.
All an EAL2 does is allow the government to buy and to use Linux in the most insensitive areas. Surely three letter agencies would require much more than an EAL2.
For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.
...this one put me on the floor. Mod 6/hilarious should be put into use in honor of parent post!
"That damned fine mouse maker in Redmond."
Windows 2000 was certified at Level 4 vs. Level 2 for Linux. While it is a start, Linux has still(!) not achieved CC evaluation at the same standard as Windows.
OpenBSD is used for firewalls pretty often in the academic world, although I couldn't speak for the commercial one...
I hereby place the above post in the public domain.
For these security certifications the configuration of the system is very important. You won't get a cert if you install a distro where you have webmin running by default with no password, or something.
How did IBM configure the box? What patches were applied to the kernel? Was proprietary software involved at all?
These are the questions I want answered.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
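The point above, that a certificate covers one exact configuration, is worth checking mechanically: the moment an extra daemon is listening, the box is no longer "the evaluated configuration". The following is an added example, not code from IBM, SuSE or the evaluation. It parses constructed `ss -lntp` output (not captured from a real system) and compares every listener against a hypothetical baseline of what the evaluated configuration is assumed to permit; the baseline contents, the loopback-only rule and the sample rows are all assumptions for illustration.

```python
"""Check a host's listening services against an evaluated-configuration baseline.

Added example (not from IBM, SuSE or the certification itself). A Common
Criteria certificate applies only to the configuration in the Security Target,
so anything listening that the baseline does not permit is a deviation.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -lntp` output (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=901,fd=13))
LISTEN  0       128     0.0.0.0:10000        0.0.0.0:*          users:(("miniserv.pl",pid=1337,fd=5))
LISTEN  0       4096    [::]:111             [::]:*             users:(("rpcbind",pid=455,fd=4))
"""

# Hypothetical baseline (an assumption, not the real Security Target):
# (port, process) pairs the evaluated configuration is taken to allow.
BASELINE_ALLOWED = {
    (22, "sshd"),
    (25, "master"),  # local MTA, loopback only
}

# Ports the assumed baseline permits on loopback addresses only.
LOOPBACK_ONLY_PORTS = {25}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


# Matches one LISTEN row: state, queues, local addr:port, peer, optional users:(("proc",...
_LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Parse LISTEN rows of `ss -lntp` output; header and other rows are skipped."""
    listeners = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        # A row with no owning process (insufficient privilege) is recorded as "?".
        listeners.append(Listener(m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for IPv4 127/8 and the IPv6 loopback as printed by ss."""
    return addr.startswith("127.") or addr in {"[::1]", "::1"}


def find_deviations(listeners, allowed=BASELINE_ALLOWED, loopback_only=LOOPBACK_ONLY_PORTS):
    """Return (listener, reason) for every listener the baseline does not permit."""
    deviations = []
    for lst in listeners:
        if (lst.port, lst.process) not in allowed:
            deviations.append((lst, "listener not in evaluated configuration"))
        elif lst.port in loopback_only and not is_loopback(lst.addr):
            deviations.append((lst, "baseline allows this service on loopback only"))
    return deviations


def report(output: str = SAMPLE_SS_OUTPUT) -> int:
    """Print each deviation; return 0 if the host matches the baseline, else 1."""
    devs = find_deviations(parse_ss(output))
    for lst, why in devs:
        print(f"DEVIATION {lst.addr}:{lst.port} ({lst.process}): {why}")
    if not devs:
        print("host matches evaluated configuration baseline")
    return 1 if devs else 0


if __name__ == "__main__":
    raise SystemExit(report())
```

On the constructed sample this flags the webmin listener on 10000 and rpcbind on 111; to run it against a live host, feed `report()` the real `ss -lntp` output and replace the hypothetical baseline with the listeners actually named in the Security Target.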
Ok folks,
As someone who just spent the last 2 years of his IT career doing something called "Certification and Accreditation" I can tell you that this IS a big deal.
The DoD has a process called DITSCAP. In a nutshell it is a process that allows you to gauge the level of "risk" that your system presents, and that risk must be assumed by someone in a position of power.
There are many (boring) different kinds of regulations and rules that must be followed based on your confidentiality level, physical location, etc, etc ad nauseam.
Previous to this, if there was a system connected to a gov. network running Linux, it would have to be classified as a high risk simply because it did not meet one of the most simple DITSCAP requirements which says something to the effect of "Are the Commercial Off - The Shelf (COTS) and Government Off - The Shelf (GOTS) products certified?" Previous to this, ANY linux system would fail this requirement and would therefore HAVE to be assigned a higher risk than a win2K desktop. Fair? Hell no, but those are the rules.
The gov. agency running linux would have to go through all kinds of hoops to keep Linux and assume a "higher" risk level OR switch to Solaris and pay big $$$.
So, in doing this IBM was simply testing the waters with a cheaper EAL2 certification in order to see if they even had a chance. Seeing that they do, they will now go forward, and I wouldn't be surprised to see a bunch of other Linux Vendors going forward with their own testing.
So, this is HUGE.. Not just for Suse, not just for IBM, but for the future of Linux in Gov. institutions.
Sorry for the AC post, this is Maleficarum.
The Common Criteria is about a standardized approach to security. The CC itself is not about the system security, just the general approach to the security. CC is also more about information security and information assurance; it is not focused on system vulnerabilities.
What does this mean?
It is basically just a bunch of paperwork to cover the a** of the civil servant who approves the computer system purchases.
You need to read the actual NIST docs about exactly what hardware the system had. The old NT4 C2 was a specific Compaq with no networking and no floppy drive, IIRC.
Then you need to look at what they claim to protect against. You can use a standard form-letter-like protection plan which says it won't get viruses or hacked as long as the system has no networking and no removable media, or you can use a protection plan which is useful.
This doesn't mean much in general, other than the usual misunderstanding and misquoting by sales people to management. It doesn't make any difference to Linux itself.
Gads... an informed post on security and the CC. My compliments.
;-)
Thanks.
EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. [....] For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.
I'm glad you pointed that out. Taco's "highest" comment was just plain silly.
I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.
I didn't know you guys were doing that. It looks like you guys have built a ground up proprietary security OS with XTS-400. Am I reading that correctly? If so, that's much more ambitious than the Solaris/Linux proprietary modules Argus is using in pitbull.
PS - if you know anyone who needs the services of a CISSP, let me know...
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
A useful, informed post is made with an incredibly helpful link, and the moderators say: "Anonymous Coward? Knee-jerk zero"?
"Will the Real Slashdot Moderators please stand up, please stand up?"
Good for Windows and good for Linux, but what is the rating for OpenBSD or other BSD?
My memory is a little foggy here, but I seem to remember the slashdot story about Windows getting the Common Criteria cert -- the rating was so crappy, it basically meant "MS reps showed up, but no actual testing happened". Now Linux gets CC certified, and it gets the highest possible rating.
I guess I don't really have a point, I just thought that was funny.
The biggest thing to remember about the CC is that the level rating is relatively meaningless without considering the protection profile. The problem is vendors don't readily tell you the protection profile they use.
Have you patched your Win2000-2003 server today? If not you are putting the country at risk! Funny they knew about the hole 1 year ago and now it takes a Government security warning to get servers to listen. So as far as Windows security being a huge issue for MS? I just wonder how many Win servers are going to go into zombie mode in the next few weeks.
If this latest security risk of MS is any indication, it seems that security certification is something which MS just buys, not something they really work at. Remember that North Korean cracker school story? Do not be surprised if MS servers get whacked in the near future; never underestimate people who are really mad at you, something the US and MS are famous for. It is really foolish to think that the North Koreans with Chinese help cannot do some serious infrastructure damage. Think of it from the enemy's perspective: what a cheap way to cause damage! One hell of a lot cheaper than nukes.
OH THE SHAME I fell off the wagon and use sigs again!
When I tried to follow the IBM press release on this, I ran into a brick wall (long delay before a server error). It looks like a capitalization error, and this is where I was able to find the page.
Free Software: Like love, it grows best when given away.
IBM and SuSE Linux Earn First Security Certification of Linux
Meets Federal Standards Critical to Homeland Security
ARMONK, N.Y. and OAKLAND, Calif. -- Aug. 5, 2003 -- IBM and SuSE Linux today announced that SuSE achieved the first ever security certification of Linux, taking the critical next step in the maturation of Linux and enabling the adoption of Linux by governments and companies around the world for mission critical environments.
SuSE Linux Enterprise Server 8 has achieved Common Criteria security certification running on IBM eServer xSeries. The Common Criteria (CC) is an internationally recognized ISO standard (ISO 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The Common Criteria provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.
"We are pleased that Linux has reached this important security milestone through the joint efforts of IBM and SuSE," said Fritz Schulz, Defense Information Systems Agency. "The Common Criteria certification of Linux will be a critical factor as Linux is applied to mission critical environments."
SuSE Linux Enterprise Server 8 on IBM eServer xSeries has earned an Evaluation Assurance Level 2+ certification, commonly referred to as EAL2. IBM and SuSE also announced today that the companies have filed for a higher level of security certification for SuSE Linux, the Controlled Access Protection Profile with EAL3+ across the IBM eServer product line, which is expected later this year.
In addition to the Common Criteria certification, SLES 8 on IBM eServer platforms is expected to meet the Common Operating Environment (COE) standard later this year. This will lead to a product that simultaneously meets Common Criteria and COE requirements. This standard, unique to the US Department of Defense (DoD), addresses functionality and interoperability requirements for commercially acquired IT products. The COE specification is used to verify the look and feel and function of software products as they are joined with government customized code. The COE is broadly recognized as a standard computing environment across the U.S. Government command and control systems.
"The landmark decision to submit the SuSE Linux Enterprise Server product to Common Criteria testing challenges the view of many skeptics that open source systems could not withstand such testing due to the difficulty of establishing processes in an open-source environment. This announcement demonstrates IBM's commitment to enterprise infrastructure that is secure, cost effective and open," said IBM Senior Vice President of Technology and Manufacturing, Nicholas Donofrio. "With this announcement, we continue to build upon our commitment to delivering Common Criteria certification across the IBM eServer platforms. Most importantly, the Common Criteria certification further validates the security and quality of open source software, not only for Global Government, but for other industries with critical security requirements."
"SuSE is the world's only open source operating system manufacturer which has technically demonstrated Common Criteria proficiency that can control and minimize security risks through a comprehensive quality assurance process," said Richard Seibt, Chief Executive Officer, SuSE Linux. "The Common Criteria evaluation marks yet another first for
Free Software: Like love, it grows best when given away.
I didn't know you guys were doing that. It looks like you guys have built a ground up proprietary security OS with XTS-400
Actually, they've been doing it much longer. XTS-400 is the grandchild of the B3-rated XTS-200, the first B3 rated system (XTS-300 was also B3 rated). The XTS-200 evaluation was in the early 1990s (at least that's when I was on the team). And XTS, of course, is the "Son of SCOMP", the first A1 semi-commercial operating system.
Daniel