Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

Windows 2000 is certified as well

[Punchinello]

This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

Damn, just when I thought the certification had some value!

Re:Windows 2000 is certified as well

[calebtucker]

Yeah, I kinda scratched my head when I saw a microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, outlook, IIS *cough*).

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

CC is restricted to VERY specific implementations.

No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of may hundreds of thousands USD.

I suppose that it makes a decent benchmark of sorts. Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

Re:Windows 2000 is certified as well

[houseofmore]

Ya, 'cept they wont go near XP with a dirty stick.

Re:Windows 2000 is certified as well

[r00zky]

w2000...
Why waste money in a certificate of security that is sooo useless?
Money better spent elsewere for sure.

Re:Windows 2000 is certified as well

[tonyr60]

Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

Yeah. Most CC implementations are on private segments - no WAN or Internet links.

Easy enough to fly your OS in those restrictions...

Remember the Orange Book C2 security for Windows NT? That was only for a standalone box - no net, no modem.

The Rainbow Books were a forerunner to the CC - which represented a harmonizing of the Red/Orange Books with Canadian Govt InfoSec standards.

Re:Windows 2000 is certified as well

[calebtucker]

Basically, the CC is a standard for evaluating a product's security. I think the US government requires a certain level of certification for any computer that handle sensitive data (EAL2 maybe? can't remember).

Soooo, I see the CC simply as a way to get government contracts for your product/software if you have enough money to front on the certification ($200k to $millions). So basically, a product evaluated at some EAL doesn't mean a whole lot IMHO.

Re:Windows 2000 is certified as well

[duffbeer703]

Exactly. Try putting an unpatched Solaris or HP-UX box on the public internet!

Re:Windows 2000 is certified as well

[john82]

"Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS."

Sure, doesn't have a thing to do with the actual security of an OS. Next time, why not take the time to read about the spec for Common Criteria certification before making such an idiotic suggestion.

Re:Windows 2000 is certified as well

[Storm]

Its pretty well common knowledge in the security community that Microsoft paid for that certification.

While I can't remember if it was specifically Windows 2000 with the Common Criteria or Windows NT with the Orange Book Cert, I do remember that the system configuration which won them the cert was with no network connection, no floppy drives, and no CDROM drives on the box that was tested. In essence, no non-keyboard input methods. (They couldn't guarantee the OS would stay clean long enough to get the cert.)

Basically, the certification was useless as soon as you configured the box to do any useful processing on the machine. Then again, many would say that is the same of Windows itself.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

Johnboy,

I'm pretty familiar with the NIST publications on the subject. I use the NIST standrds as testing guidelines on a near daily basis. I readily attest to the value of these.

CC testing of implementations are not portable to diferent environments, and unless you duplicate the testing platform and environment as spec'ed, you are not running a certified platform.

No one is likely to ever run the spec'ed platform/environment.

It is a benchmark - like any other. Good for selling to the Government markets that have established CC.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

You are talking about Orange Book C2. This is the standard config for this certification.

It is a step above C1 - no attempt made to secure the platform!

C2 does have fairly strigent requirements regarding the separation of roles and audit history by role/principal.

All of which are guaranteed in a standalone config.

Re:Windows 2000 is certified as well

[Iorek]

The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

Red Hat's Enterprise Linux will have their own ST.

Re:Windows 2000 is certified as well

[c1ay]

How does a system where new security holes are discovered daily get this certification? Can it be revoked? Me thinks Windows Security is the world's second most rated oxymoron behind Microsoft Works!!!

Re:Windows 2000 is certified as well

[Iorek]

The CC functional requirements are very specific. If two products claim to satisfy an identification requirement (for example) and both pass evaluation, then you have some assurance that they've both correctly implemented it. That assurance is based on the evaluation assurance level. That doesn't mean they're equal, but it sets the lower bound.

Incidentally, any security product can be evaluated under the CC; there are many functional requirements that wouldn't immediately come to mind (e.g., anonymity requirements in the privacy family FPR). Not only that, the CC allows for extensions, so if you can think up the requirements, products can be evaluated against them (although the ST evaluation may fail if your requirements are poorly written).

Re:Windows 2000 is certified as well

[b17bmbr]

then how bad does something have t be to not make it?

i hear WindowsME just missed CC by a whisker.

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

So it's a bit like ISO9000.... you can put ISO9000 labels on concrete lifejackets - so long as you build them according to your inhouse procedures.

Re:Windows 2000 is certified as well

[Mr.+Slippery]

It is a step above C1 - no attempt made to secure the platform!

That's D. (Actually, D is reserved for systems that fail evaluation.)

C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

Re:Windows 2000 is certified as well

[fireman+sam]

The only secure Windows box is the one that I planted my flowers in. No, wait, that fell off and fell two stories onto the footpath (sidewalk for the en_US folks)

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

It didn't need to. From what some people say it would seem that it only needs to achieve the vendor specified level. Scenario:

Microsoft: This is WinME, we claim it is shit.

CC Official:sniff, sniff. Yep, sure is. Stamp!

Re:Windows 2000 is certified as well

[Iorek]

There's a difference, though. The security target evaluation (at the beginning of the evaluation - it really scopes the evaluation) is a sanity check. The evaluator would certainly fail the ASE components of a concrete lifejacket evaluation. The evaluator is making sure the functional requirements are mutually supportive, that the security problem they're solving is well defined, that the requirements themselves can solve that problem... It's far more than a "This is what I do... See, I'm doing what I say I do."

Re:Windows 2000 is certified as well

[Guppy06]

"Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do."

Microsoft: "This operating system has numerous vulnerability exploits and poor compatability with old drivers and applications."

CC board: "Well, whaddaya know, so it does!"

A pity

[meridian]

we will never see Debian get this

Re:A pity

[calebtucker]

Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil

SuSE?

[santiag0]

Does anyone know if SuSE/Novell is pursuing this same certification?

At last...

[Zenophran]

We're looking to use it in some places, but wasn't able to think of it until we found out it was going through certification.

It mightn't mean much to some places, but for government organisations, it's a big step to getting it in more places than just using it for "development toys".

One small step

This is another way of legitimizing Linux in the corporate world. Despite Red Hats recent business decisions over all this is a very strong/smart move for all Linux users.

Since the article didn't mention it...

[sczimme]

you can read about the Common Criteria here.

Unfortunately, the other site has been shut down.

SuSE Linux

This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX.

... and SuSE Linux.

anything changed?

at least linux-inclined sysadmins working for companies (who require too much of a product) will be able to select a linux variant without too-much-persuading their bosses. that is a biggie, i think, for a considerable number.

Yeah right...

[DeepEyes78]

Red Hat couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

drip...drip...

Excuse me, I've got sarcasm dripping from my chin...

Re:Yeah right...

[Lord+Kano]

Excuse me, I've got sarcasm dripping from my chin...

Maybe you should ask Darl to warn you further in advance next time.

Playing the corporate game

[Ricin]

One more useless qualification-paid-for-sign-dotted-line.

People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).

One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....

When something happens, formalizing it usually means restricting it from "just" happening further. Mkay ;-)

Validating the Kernel Development Model

[oo_waratah]

From the original February discussion. This has even more relevance now. ...

"The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?

The level matters; most CC certs are useless

[Wesley+Felter]

RHEL is getting certified at EAL2, which is really weak.

Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here. For more info, read Jonathan Shapiro's article.

Re:The level matters; most CC certs are useless

Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here.

EAL4 is the highest Windows, or any other commercial off-the-shelf application will ever get. Anything higher requires design verification from the planning stages and is intended for custom built applications for specific purposes.

KungFUnix certification

[segment]

KungFUnix proudly introduces CUP, Certified Unix Pimp certification. Now you too can study and memorize 50 common criteria books we select and get kickbacks from in order to achieve your goal of adding the word CUP to your signature.

NO EXPERIENCE NEEDED!
That's right act now and send us 2,000.00 (US), and we'll gladly present you with information on obtaining this new and exciting certification. So what can you do with a CUP certification:

• Impress your clueless CTO
• Impress friends
• Add the word CUP to CCNA, MCSE, or CISSP
• Use the cert for a dustrag
• Smoke a doob with the cert

shrugs Certs who needs em.

Other Distributions?

[Storm]

I was just wondering whether or not other distributions can use the work that RH is doing to get a "common Common Criteria" effect. After all, they are all using the same Ring 0 piece, being the Linux kernel. After that, it should just become a matter of configuration verification...

And with the support that Linux has gotten from the NSA, through SE-Linux, I would think a lot of the in-depth work on Linux has been covered.

Ok I'll throw one in: RedHat is dying :-)

[Ricin]

Since the discussion so far was so boring let's instead wonder why RH is so eager to wlk the "established commerce" path.

I'll tell you what their problem is: they're the first. The first always loses. They get to fight the hardest their own community, they get all the surprises boomeranged back to them, they just get everything first. Even if they don't really innovate. And _that_ is going to kill them. They don't know how to react any more (heck no one does) and so they jump back into corporate logic... which they were seen as being a counter to.

I don't know I don't have much love for them but neither do I have any hate towards them. But I feel that the 5th or so is going to be the one that matters 5 years from now. Heck it may be a BeOS clone or a BSD even so. IMHO, we're now at a point where armies die, believe it or not.

Footnotes are recorded right now.

Re:Ok I'll throw one in: RedHat is dying :-)

[Ricin]

Actually Slack was the first distro

Re:Ok I'll throw one in: RedHat is dying :-)

[JK+Master-Slave]

SLS was the first distro.

Yggdrasil was the first Linux vendor to have a commercial CD-ROM distribution. Fall of '93.

There's an InfoMagic 'UNIX' CD that had a kernal 0.99.10 on it from July of '93.

Some of us were there.

Re:Ok I'll throw one in: RedHat is dying :-)

[egregious]

Actually Slack was the first distro

No it wasn't. SLS was the first linux distro.

Re:Ok I'll throw one in: RedHat is dying :-)

[Rex+Code]

No it wasn't. SLS was the first linux distro.

Not even close. The first Linux distribution was H.J. Lu's boot/root floppy combo, and I think even MCC+ came before SLS.

EAL4...so what

[solli]

The CC evaluation comes in two parts:
A profile for the evaluation, and the assurance level to which you achieve that profile.

So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).

SuSE already have it, next Debian?

[ciaran_o_riordan]

SuSE already have it.

Next question, will someone fund a community owned distro to get this certification?
(i.e. Debian etc.)

Meh

[avageek]

Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.

Re:Meh

[Iorek]

"Speaking as someone who works for the government"

Well, speaking as someone who works for a government's CC certification scheme, EAL2 actually does give you some assurance, and I've personally seen companies stumble in getting it. At that level, you're taking a closer look at the developer's design, configuration management and testing; you're making sure they conduct a proper vulnerability analysis, and devising your own penetration tests. It's a significant jump from EAL1.

Solaris, HP-UX and AIX...

[RLiegh]

Now that's distinquished company.

the main distinguishing charactaristic being that almost no-one uses them any more...

NOT "alongside", but "a long way behind"

[menscher]

RHEL is to be tested for EAL2, which is rather different from EAL3 OSes (IRIX and Trusted IRIX/CMW) and EAL4 OSes (AIX5, HP-UX 11, Solaris8 and Trusted Solaris8, and Win2k Pro). In fact, the *only* OS RHEL will be "alongside" is SuSE. See this site for details.

Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache (www.commoncriteria.org is no longer alive).

RH Linux EAL: 2 MS Windows 2000 EAL: 4

[Drestin]

And this is almost 4 years after Windows 2000 did it with ease. Of course, Windows XP/2003 are even more secure so...

What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification? Unless it was unachievable... Vendors know ahead of time if they'll pass or not, all the criteria is there for the public to review. You don't submit until you are already sure you'll pass. Obviously Linux is not EAL 4 ready. Windows 2000 is not only EAL 4 but also augmented with ALC FLR 3.

Who is going to notice an effortless to achieve EAL 2?

Re: Actually wasn't Yggdrasil the first distro?

[Ricin]

No that was only released on punchcards and not updated after. It doesn't count anymore.

RH grows up

[inode_buddha]

... and it has *very little* to do with their stock price. It has a lot to do with credibility when making a sale.

Think of it this way: lots of tech people get certifications such as CCNA, MCSE, etc. in order to get through the hiring process. The actual certifications may be meaningless in any number of ways, but the hiring people insist on them.

Now, think of this: RH, as a fictitious person (a corporation) needs to get this cert so it can get that cool job. They want to get hired for that big enterprise thing, since they've been saying, "Enterprise" a lot lately. The hiring manager(s) want to see that cert on their CV.

My conclusion? This is a very smart move for RH, and they should pursue similar avenues as the market dictates.

Its form testing is useless for security

[Skapare]

Security cannot be determined from simply doing a suite of tests, and determining that it must be secure if the tester was unable to break in. The biggest variable that affects security is the administration of the machines ... and this applies to all systems, BSD, Linux, Solaris ... and yes, even MS Windows. Even OpenBSD clearly states their history of security (note, they never claim that is is secure, only that it has been to a certain degree) is based on the default install. Change it in any way, and all bets are off.

Security is not a thing you can just buy. Likewise it cannot be an attribute or property of a thing you can buy (or download). Security is in how you go about every aspect of the way you work, and not just in computers and networks. Social engineering is still a very workable way to access what you are not authorized to access. Poor passwords are incredibly common, for example (spammers are now using password guessing successfully to log into SMTP AUTH and MSA mail ports to submit their garbage ... they already have your userid). People are the weak link.

So ... IMHO ... the Common Criteria Scheme is nothing more than a bunch of feel-good paperwork for PHBs. Unfortunately, it's what PHBs want to see, so vendors like Red Hat do need to play into this BS just to get some sales. But it doesn't tell you squat about real security.

Get the specs...

[inode_buddha]

...here, look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)

What do you mean?

[pr0ntab]

The CC label is REQUIRED for some government computer work for which linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSe, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.

It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that give a shit about the Common Criteria cert on XYZ software.

I'm glad RedHat finally scrounged up some money from under the couch to remove this roadblock.

KDE...

[grokster]

The KDE.org folks can leverage this to get Kommon Kriteria certification...

How relevant is a Cert of this nature to Linux ?

[kbsingh]

For an OS like Linux, thats always changing and evolving, how relevant is a Cert of this nature ? In an OS like Windoze where there are very little ( or far and few ) feature updates, between fairly long drawn out release cycles one can understand that each version being certified can mean something.

Very good point often missed!

[Oestergaard]

You hit the nail on the head there - unfortunately it seems no media has even attempted to understand the basics of CC, when reporting on this...

A CC certification consists of two parts:
An "assurance level", and either a "security target" or a "protection profile".

A protection profile is a sort of a "standardized security target". A description of a number of requirements that you evaluate your system against. Whereas, a "security target" is something you yourself write, if you do not want to certify your system against an existing protection profile.

NSA has submitted protection profiles that are roughly equivalent to TCSEC C2 and TCSEC B2; the CAPP and LSPP protection profiles, respectively.

SuSE got an EAL-2 certification against some security target that they themselves wrote. This means, they are "fairly" sure that their system does roughly what's in the security target (that they wrote). Had they gotten an EAL-7, it would only mean that they were "very confident" that their system did what was in their security target. It would say nothing about the completeness or even relevance of their security target.

Some newer versions of windows got an EAL-4 against the CAPP. This can be seen roughly as equivalent of the old C2 certification.

Trusted Solaris also has an EAL-4. However, they have an EAL-4 against the LSPP, which means something roughly equivalent to the TCSEC B2 certification.

People, there is a world of difference between those two EAL-4 certifications!

One should note though, that NSA writes in the LSPP that it is not intended for systems that should be used in 'hostile' environments or even with malicious users. The internet, for example, can hardly be classified as a 'friendly' environment.

This is interesting, as virtually no systems that are connected to the internet today have anything even remotely resembling the functionalities mandated by the LSPP, not to speak about assurance levels...