Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat Pushes For CC Certification By Year's End

Posted by timothy on from the stampede-of-approval dept.

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

13 of 183 comments (clear)

  1. Windows 2000 is certified as well by Punchinello · · Score: 5, Informative

    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

    Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

    http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp

    --

    Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=

    1. Re:Windows 2000 is certified as well by tonyr60 · · Score: 5, Informative

      Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.

    2. Re:Windows 2000 is certified as well by Jeremiah+Cornelius · · Score: 4, Informative
      Yeah. Most CC implementations are on private segments - no WAN or Internet links.

      Easy enough to fly your OS in those restrictions...

      Remember the Orange Book C2 security for Windows NT? That was only for a standalone box - no net, no modem.

      The Rainbow Books were a forerunner to the CC - which represented a harmonizing of the Red/Orange Books with Canadian Govt InfoSec standards.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Windows 2000 is certified as well by Iorek · · Score: 5, Informative

      The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

      For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

      Red Hat's Enterprise Linux will have their own ST.

    4. Re:Windows 2000 is certified as well by Mr.+Slippery · · Score: 5, Informative
      It is a step above C1 - no attempt made to secure the platform!
      That's D. (Actually, D is reserved for systems that fail evaluation.)

      C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

      The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  2. Re:A pity by calebtucker · · Score: 5, Informative

    Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil

    --
    My sig can beat up your sig.
  3. Since the article didn't mention it... by sczimme · · Score: 5, Informative


    you can read about the Common Criteria here.

    Unfortunately, the other site has been shut down.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  4. SuSE Linux by Anonymous Coward · · Score: 4, Informative
    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX.

    ... and SuSE Linux.

  5. EAL4...so what by solli · · Score: 5, Informative
    The CC evaluation comes in two parts:
    A profile for the evaluation, and the assurance level to which you achieve that profile.

    So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

    In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

    In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).

  6. Meh by avageek · · Score: 4, Informative

    Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.

  7. NOT "alongside", but "a long way behind" by menscher · · Score: 4, Informative
    RHEL is to be tested for EAL2, which is rather different from EAL3 OSes (IRIX and Trusted IRIX/CMW) and EAL4 OSes (AIX5, HP-UX 11, Solaris8 and Trusted Solaris8, and Win2k Pro). In fact, the *only* OS RHEL will be "alongside" is SuSE. See this site for details.

    Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache (www.commoncriteria.org is no longer alive).

  8. Re:The level matters; most CC certs are useless by Anonymous Coward · · Score: 3, Informative
    Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here.

    EAL4 is the highest Windows, or any other commercial off-the-shelf application will ever get. Anything higher requires design verification from the planning stages and is intended for custom built applications for specific purposes.

  9. Get the specs... by inode_buddha · · Score: 4, Informative

    ...here, look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)

    --
    C|N>K