Slashdot Mirror


Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

14 of 183 comments

  1. A pity by meridian · · Score: 2, Insightful

    we will never see Debian get this

    --
    meridian at tha.net
  2. Re:Windows 2000 is certified as well by calebtucker · · Score: 5, Insightful

    Yeah, I kinda scratched my head when I saw a Microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, Outlook, IIS *cough*).

    --
    My sig can beat up your sig.
  3. Re:Windows 2000 is certified as well by Jeremiah Cornelius · · Score: 5, Insightful

    CC is restricted to VERY specific implementations.

    No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of many hundreds of thousands USD.

    I suppose that it makes a decent benchmark of sorts. Still, it's mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. Re:Windows 2000 is certified as well by houseofmore · · Score: 2, Insightful

    Ya, 'cept they won't go near XP with a dirty stick.

  5. anything changed? by Anonymous Coward · · Score: 2, Insightful

    at least linux-inclined sysadmins working for companies (who require too much of a product) will be able to select a linux variant without too-much-persuading their bosses. that is a biggie, i think, for a considerable number.

  6. Re:Windows 2000 is certified as well by calebtucker · · Score: 2, Insightful

    Basically, the CC is a standard for evaluating a product's security. I think the US government requires a certain level of certification for any computer that handles sensitive data (EAL2 maybe? can't remember).

    Soooo, I see the CC simply as a way to get government contracts for your product/software if you have enough money to front on the certification ($200k to $millions). So basically, a product evaluated at some EAL doesn't mean a whole lot IMHO.

    --
    My sig can beat up your sig.
  7. Re:Windows 2000 is certified as well by duffbeer703 · · Score: 2, Insightful

    Exactly. Try putting an unpatched Solaris or HP-UX box on the public internet!

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  8. Playing the corporate game by Ricin · · Score: 4, Insightful

    One more useless qualification-paid-for-sign-dotted-line.

    People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).

    One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....

    When something happens, formalizing it usually means restricting it from "just" happening further. Mkay ;-)

  9. Re:Windows 2000 is certified as well by Jeremiah Cornelius · · Score: 4, Insightful

    Johnboy,

    I'm pretty familiar with the NIST publications on the subject. I use the NIST standards as testing guidelines on a near daily basis. I readily attest to the value of these.

    CC testing of implementations is not portable to different environments, and unless you duplicate the testing platform and environment as spec'ed, you are not running a certified platform.

    No one is likely to ever run the spec'ed platform/environment.

    It is a benchmark - like any other. Good for selling to the Government markets that have established CC.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  10. Re:Ok I'll throw one in: RedHat is dying :-) by Ricin · · Score: 2, Insightful

    Actually Slack was the first distro

  11. Re:Windows 2000 is certified as well by EmbeddedJanitor · · Score: 2, Insightful

    So it's a bit like ISO9000.... you can put ISO9000 labels on concrete lifejackets - so long as you build them according to your inhouse procedures.

    --
    Engineering is the art of compromise.
  12. RH grows up by inode_buddha · · Score: 2, Insightful

    ... and it has *very little* to do with their stock price. It has a lot to do with credibility when making a sale.

    Think of it this way: lots of tech people get certifications such as CCNA, MCSE, etc. in order to get through the hiring process. The actual certifications may be meaningless in any number of ways, but the hiring people insist on them.

    Now, think of this: RH, as a fictitious person (a corporation) needs to get this cert so it can get that cool job. They want to get hired for that big enterprise thing, since they've been saying, "Enterprise" a lot lately. The hiring manager(s) want to see that cert on their CV.

    My conclusion? This is a very smart move for RH, and they should pursue similar avenues as the market dictates.

    --
    C|N>K
  13. What do you mean? by pr0ntab · · Score: 3, Insightful

    The CC label is REQUIRED for some government computer work for which Linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSe, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.

    It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that give a shit about the Common Criteria cert on XYZ software.

    I'm glad RedHat finally scrounged up some money from under the couch to remove this roadblock.

    --
    Fuck Beta. Fuck Dice
  14. How relevant is a Cert of this nature to Linux ? by kbsingh · · Score: 2, Insightful

    For an OS like Linux, that's always changing and evolving, how relevant is a Cert of this nature? In an OS like Windoze where there are very little (or far and few) feature updates, between fairly long drawn out release cycles, one can understand that each version being certified can mean something.