Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat Pushes For CC Certification By Year's End

Posted by timothy on from the stampede-of-approval dept.

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

20 of 183 comments (clear)

  1. Windows 2000 is certified as well by Punchinello · · Score: 5, Informative

    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

    Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

    http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp

    --

    Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=

    1. Re:Windows 2000 is certified as well by tonyr60 · · Score: 5, Informative

      Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.

    2. Re:Windows 2000 is certified as well by Jeremiah+Cornelius · · Score: 4, Informative
      Yeah. Most CC implementations are on private segments - no WAN or Internet links.

      Easy enough to fly your OS in those restrictions...

      Remember the Orange Book C2 security for Windows NT? That was only for a standalone box - no net, no modem.

      The Rainbow Books were a forerunner to the CC - which represented a harmonizing of the Red/Orange Books with Canadian Govt InfoSec standards.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Windows 2000 is certified as well by john82 · · Score: 2, Informative

      "Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS."

      Sure, doesn't have a thing to do with the actual security of an OS. Next time, why not take the time to read about the spec for Common Criteria certification before making such an idiotic suggestion.

    4. Re:Windows 2000 is certified as well by Iorek · · Score: 5, Informative

      The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

      For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

      Red Hat's Enterprise Linux will have their own ST.

    5. Re:Windows 2000 is certified as well by Iorek · · Score: 2, Informative

      The CC functional requirements are very specific. If two products claim to satisfy an identification requirement (for example) and both pass evaluation, then you have some assurance that they've both correctly implemented it. That assurance is based on the evaluation assurance level. That doesn't mean they're equal, but it sets the lower bound.

      Incidentally, any security product can be evaluated under the CC; there are many functional requirements that wouldn't immediately come to mind (e.g., anonymity requirements in the privacy family FPR). Not only that, the CC allows for extensions, so if you can think up the requirements, products can be evaluated against them (although the ST evaluation may fail if your requirements are poorly written).

    6. Re:Windows 2000 is certified as well by Mr.+Slippery · · Score: 5, Informative
      It is a step above C1 - no attempt made to secure the platform!
      That's D. (Actually, D is reserved for systems that fail evaluation.)

      C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

      The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  2. Re:A pity by calebtucker · · Score: 5, Informative

    Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil

    --
    My sig can beat up your sig.
  3. Since the article didn't mention it... by sczimme · · Score: 5, Informative


    you can read about the Common Criteria here.

    Unfortunately, the other site has been shut down.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  4. SuSE Linux by Anonymous Coward · · Score: 4, Informative
    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX.

    ... and SuSE Linux.

  5. EAL4...so what by solli · · Score: 5, Informative
    The CC evaluation comes in two parts:
    A profile for the evaluation, and the assurance level to which you achieve that profile.

    So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

    In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

    In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).

  6. Meh by avageek · · Score: 4, Informative

    Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.

  7. NOT "alongside", but "a long way behind" by menscher · · Score: 4, Informative
    RHEL is to be tested for EAL2, which is rather different from EAL3 OSes (IRIX and Trusted IRIX/CMW) and EAL4 OSes (AIX5, HP-UX 11, Solaris8 and Trusted Solaris8, and Win2k Pro). In fact, the *only* OS RHEL will be "alongside" is SuSE. See this site for details.

    Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache (www.commoncriteria.org is no longer alive).

  8. Re:The level matters; most CC certs are useless by Anonymous Coward · · Score: 3, Informative
    Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here.

    EAL4 is the highest Windows, or any other commercial off-the-shelf application will ever get. Anything higher requires design verification from the planning stages and is intended for custom built applications for specific purposes.

  9. Get the specs... by inode_buddha · · Score: 4, Informative

    ...here, look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)

    --
    C|N>K
  10. Re:Ok I'll throw one in: RedHat is dying :-) by JK+Master-Slave · · Score: 2, Informative

    SLS was the first distro.

    Yggdrasil was the first Linux vendor to have a commercial CD-ROM distribution. Fall of '93.

    There's an InfoMagic 'UNIX' CD that had a kernal 0.99.10 on it from July of '93.

    Some of us were there.

  11. Re:Ok I'll throw one in: RedHat is dying :-) by egregious · · Score: 2, Informative

    Actually Slack was the first distro

    No it wasn't. SLS was the first linux distro.

  12. Re:Ok I'll throw one in: RedHat is dying :-) by Rex+Code · · Score: 2, Informative

    No it wasn't. SLS was the first linux distro.

    Not even close. The first Linux distribution was H.J. Lu's boot/root floppy combo, and I think even MCC+ came before SLS.

  13. Drawback by Anonymous Coward · · Score: 1, Informative

    The biggest drawback is that they're getting certified in the UK! Even if they were to change and go for an EAL3 or better it would be illegal to use in the US for classified processing until it is tested by a US sponsored evaluator. Talk about your Catch-22's.

  14. Very good point often missed! by Oestergaard · · Score: 2, Informative

    You hit the nail on the head there - unfortunately it seems no media has even attempted to understand the basics of CC, when reporting on this...

    A CC certification consists of two parts:
    An "assurance level", and either a "security target" or a "protection profile".

    A protection profile is a sort of a "standardized security target". A description of a number of requirements that you evaluate your system against. Whereas, a "security target" is something you yourself write, if you do not want to certify your system against an existing protection profile.

    NSA has submitted protection profiles that are roughly equivalent to TCSEC C2 and TCSEC B2; the CAPP and LSPP protection profiles, respectively.

    SuSE got an EAL-2 certification against some security target that they themselves wrote. This means, they are "fairly" sure that their system does roughly what's in the security target (that they wrote). Had they gotten an EAL-7, it would only mean that they were "very confident" that their system did what was in their security target. It would say nothing about the completeness or even relevance of their security target.

    Some newer versions of windows got an EAL-4 against the CAPP. This can be seen roughly as equivalent of the old C2 certification.

    Trusted Solaris also has an EAL-4. However, they have an EAL-4 against the LSPP, which means something roughly equivalent to the TCSEC B2 certification.

    People, there is a world of difference between those two EAL-4 certifications!

    One should note though, that NSA writes in the LSPP that it is not intended for systems that should be used in 'hostile' environments or even with malicious users. The internet, for example, can hardly be classified as a 'friendly' environment.

    This is interesting, as virtually no systems that are connected to the internet today have anything even remotely resembling the functionalities mandated by the LSPP, not to speak about assurance levels...