Slashdot Mirror


Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

13 of 183 comments

  1. SuSE? by santiag0 · · Score: 5, Interesting

    Does anyone know if SuSE/Novell is pursuing this same certification?

  2. At last... by Zenophran · · Score: 4, Interesting

    We're looking to use it in some places, but weren't able to consider it until we found out it was going through certification.

    It mightn't mean much to some places, but for government organisations, it's a big step to getting it in more places than just using it for "development toys".

  3. One small step by Anonymous Coward · · Score: 4, Interesting

    This is another way of legitimizing Linux in the corporate world. Despite Red Hat's recent business decisions, overall this is a very strong/smart move for all Linux users.

  4. Validating the Kernel Development Model by oo_waratah · · Score: 5, Interesting

    From the original February discussion. This has even more relevance now. ...

    "The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
    Does that mean that the US Gov. will be officially saying that the Kernel development model is OK?

  5. The level matters; most CC certs are useless by Wesley+Felter · · Score: 4, Interesting

    RHEL is getting certified at EAL2, which is really weak.

    Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here. For more info, read Jonathan Shapiro's article.

  6. Other Distributions? by Storm · · Score: 4, Interesting

    I was just wondering whether or not other distributions can use the work that RH is doing to get a "common Common Criteria" effect. After all, they are all using the same Ring 0 piece, being the Linux kernel. After that, it should just become a matter of configuration verification...

    And with the support that Linux has gotten from the NSA, through SE-Linux, I would think a lot of the in-depth work on Linux has been covered.

    --
    --Storm

  7. Ok I'll throw one in: RedHat is dying :-) by Ricin · · Score: 2, Interesting

    Since the discussion so far was so boring, let's instead wonder why RH is so eager to walk the "established commerce" path.

    I'll tell you what their problem is: they're the first. The first always loses. They get to fight the hardest their own community, they get all the surprises boomeranged back to them, they just get everything first. Even if they don't really innovate. And _that_ is going to kill them. They don't know how to react any more (heck no one does) and so they jump back into corporate logic... which they were seen as being a counter to.

    I don't know; I don't have much love for them, but neither do I have any hate towards them. But I feel that the 5th or so is going to be the one that matters 5 years from now. Heck, it may be a BeOS clone or a BSD even so. IMHO, we're now at a point where armies die, believe it or not.

    Footnotes are recorded right now.

  8. Re:Windows 2000 is certified as well by Jeremiah+Cornelius · · Score: 4, Interesting

    You are talking about Orange Book C2. This is the standard config for this certification.

    It is a step above C1 - no attempt made to secure the platform!

    C2 does have fairly stringent requirements regarding the separation of roles and audit history by role/principal.

    All of which are guaranteed in a standalone config.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  9. SuSE already have it, next Debian? by ciaran_o_riordan · · Score: 4, Interesting

    SuSE already have it.

    Next question, will someone fund a community owned distro to get this certification?
    (i.e. Debian etc.)

  10. RH Linux EAL: 2 MS Windows 2000 EAL: 4 by Drestin · · Score: 4, Interesting

    And this is almost 4 years after Windows 2000 did it with ease. Of course, Windows XP/2003 are even more secure so...

    What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification? Unless it was unachievable... Vendors know ahead of time if they'll pass or not; all the criteria are there for the public to review. You don't submit until you are already sure you'll pass. Obviously Linux is not EAL 4 ready. Windows 2000 is not only EAL 4 but also augmented with ALC_FLR.3.

    Who is going to notice an effortless to achieve EAL 2?

  11. Re:Meh by Iorek · · Score: 3, Interesting

    "Speaking as someone who works for the government"

    Well, speaking as someone who works for a government's CC certification scheme, EAL2 actually does give you some assurance, and I've personally seen companies stumble in getting it. At that level, you're taking a closer look at the developer's design, configuration management and testing; you're making sure they conduct a proper vulnerability analysis, and devising your own penetration tests. It's a significant jump from EAL1.

  12. Re:Windows 2000 is certified as well by Iorek · · Score: 5, Interesting

    There's a difference, though. The security target evaluation (at the beginning of the evaluation - it really scopes the evaluation) is a sanity check. The evaluator would certainly fail the ASE components of a concrete lifejacket evaluation. The evaluator is making sure the functional requirements are mutually supportive, that the security problem they're solving is well defined, that the requirements themselves can solve that problem... It's far more than a "This is what I do... See, I'm doing what I say I do."

  13. Its form testing is useless for security by Skapare · · Score: 4, Interesting

    Security cannot be determined from simply doing a suite of tests and determining that it must be secure if the tester was unable to break in. The biggest variable that affects security is the administration of the machines ... and this applies to all systems, BSD, Linux, Solaris ... and yes, even MS Windows. Even OpenBSD clearly states their history of security (note, they never claim that it is secure, only that it has been to a certain degree) is based on the default install. Change it in any way, and all bets are off.

    Security is not a thing you can just buy. Likewise it cannot be an attribute or property of a thing you can buy (or download). Security is in how you go about every aspect of the way you work, and not just in computers and networks. Social engineering is still a very workable way to access what you are not authorized to access. Poor passwords are incredibly common, for example (spammers are now using password guessing successfully to log into SMTP AUTH and MSA mail ports to submit their garbage ... they already have your userid). People are the weak link.

    So ... IMHO ... the Common Criteria Scheme is nothing more than a bunch of feel-good paperwork for PHBs. Unfortunately, it's what PHBs want to see, so vendors like Red Hat do need to play into this BS just to get some sales. But it doesn't tell you squat about real security.

    --
    now we need to go OSS in diesel cars