Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

Windows 2000 is certified as well

[Punchinello]

This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

Damn, just when I thought the certification had some value!

Re:Windows 2000 is certified as well

[calebtucker]

Yeah, I kinda scratched my head when I saw a microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, outlook, IIS *cough*).

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

CC is restricted to VERY specific implementations.

No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of may hundreds of thousands USD.

I suppose that it makes a decent benchmark of sorts. Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

Re:Windows 2000 is certified as well

[tonyr60]

Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

Yeah. Most CC implementations are on private segments - no WAN or Internet links.

Easy enough to fly your OS in those restrictions...

Remember the Orange Book C2 security for Windows NT? That was only for a standalone box - no net, no modem.

The Rainbow Books were a forerunner to the CC - which represented a harmonizing of the Red/Orange Books with Canadian Govt InfoSec standards.

Re:Windows 2000 is certified as well

[Storm]

Its pretty well common knowledge in the security community that Microsoft paid for that certification.

While I can't remember if it was specifically Windows 2000 with the Common Criteria or Windows NT with the Orange Book Cert, I do remember that the system configuration which won them the cert was with no network connection, no floppy drives, and no CDROM drives on the box that was tested. In essence, no non-keyboard input methods. (They couldn't guarantee the OS would stay clean long enough to get the cert.)

Basically, the certification was useless as soon as you configured the box to do any useful processing on the machine. Then again, many would say that is the same of Windows itself.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

Johnboy,

I'm pretty familiar with the NIST publications on the subject. I use the NIST standrds as testing guidelines on a near daily basis. I readily attest to the value of these.

CC testing of implementations are not portable to diferent environments, and unless you duplicate the testing platform and environment as spec'ed, you are not running a certified platform.

No one is likely to ever run the spec'ed platform/environment.

It is a benchmark - like any other. Good for selling to the Government markets that have established CC.

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

You are talking about Orange Book C2. This is the standard config for this certification.

It is a step above C1 - no attempt made to secure the platform!

C2 does have fairly strigent requirements regarding the separation of roles and audit history by role/principal.

All of which are guaranteed in a standalone config.

Re:Windows 2000 is certified as well

[Iorek]

The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

Red Hat's Enterprise Linux will have their own ST.

Re:Windows 2000 is certified as well

[c1ay]

How does a system where new security holes are discovered daily get this certification? Can it be revoked? Me thinks Windows Security is the world's second most rated oxymoron behind Microsoft Works!!!

Re:Windows 2000 is certified as well

[Mr.+Slippery]

It is a step above C1 - no attempt made to secure the platform!

That's D. (Actually, D is reserved for systems that fail evaluation.)

C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

Re:Windows 2000 is certified as well

[fireman+sam]

The only secure Windows box is the one that I planted my flowers in. No, wait, that fell off and fell two stories onto the footpath (sidewalk for the en_US folks)

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

It didn't need to. From what some people say it would seem that it only needs to achieve the vendor specified level. Scenario:

Microsoft: This is WinME, we claim it is shit.

CC Official:sniff, sniff. Yep, sure is. Stamp!

Re:Windows 2000 is certified as well

[Iorek]

There's a difference, though. The security target evaluation (at the beginning of the evaluation - it really scopes the evaluation) is a sanity check. The evaluator would certainly fail the ASE components of a concrete lifejacket evaluation. The evaluator is making sure the functional requirements are mutually supportive, that the security problem they're solving is well defined, that the requirements themselves can solve that problem... It's far more than a "This is what I do... See, I'm doing what I say I do."

Re:Windows 2000 is certified as well

[Guppy06]

"Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do."

Microsoft: "This operating system has numerous vulnerability exploits and poor compatability with old drivers and applications."

CC board: "Well, whaddaya know, so it does!"

SuSE?

[santiag0]

Does anyone know if SuSE/Novell is pursuing this same certification?

Re:A pity

[calebtucker]

Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil

At last...

[Zenophran]

We're looking to use it in some places, but wasn't able to think of it until we found out it was going through certification.

It mightn't mean much to some places, but for government organisations, it's a big step to getting it in more places than just using it for "development toys".

One small step

This is another way of legitimizing Linux in the corporate world. Despite Red Hats recent business decisions over all this is a very strong/smart move for all Linux users.

Since the article didn't mention it...

[sczimme]

you can read about the Common Criteria here.

Unfortunately, the other site has been shut down.

SuSE Linux

This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX.

... and SuSE Linux.

Yeah right...

[DeepEyes78]

Red Hat couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

drip...drip...

Excuse me, I've got sarcasm dripping from my chin...

Re:Yeah right...

[Lord+Kano]

Excuse me, I've got sarcasm dripping from my chin...

Maybe you should ask Darl to warn you further in advance next time.

Playing the corporate game

[Ricin]

One more useless qualification-paid-for-sign-dotted-line.

People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).

One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....

When something happens, formalizing it usually means restricting it from "just" happening further. Mkay ;-)

Validating the Kernel Development Model

[oo_waratah]

From the original February discussion. This has even more relevance now. ...

"The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?

The level matters; most CC certs are useless

[Wesley+Felter]

RHEL is getting certified at EAL2, which is really weak.

Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here. For more info, read Jonathan Shapiro's article.

Re:The level matters; most CC certs are useless

Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here.

EAL4 is the highest Windows, or any other commercial off-the-shelf application will ever get. Anything higher requires design verification from the planning stages and is intended for custom built applications for specific purposes.

KungFUnix certification

[segment]

KungFUnix proudly introduces CUP, Certified Unix Pimp certification. Now you too can study and memorize 50 common criteria books we select and get kickbacks from in order to achieve your goal of adding the word CUP to your signature.

NO EXPERIENCE NEEDED!
That's right act now and send us 2,000.00 (US), and we'll gladly present you with information on obtaining this new and exciting certification. So what can you do with a CUP certification:

• Impress your clueless CTO
• Impress friends
• Add the word CUP to CCNA, MCSE, or CISSP
• Use the cert for a dustrag
• Smoke a doob with the cert

shrugs Certs who needs em.

Other Distributions?

[Storm]

I was just wondering whether or not other distributions can use the work that RH is doing to get a "common Common Criteria" effect. After all, they are all using the same Ring 0 piece, being the Linux kernel. After that, it should just become a matter of configuration verification...

And with the support that Linux has gotten from the NSA, through SE-Linux, I would think a lot of the in-depth work on Linux has been covered.

EAL4...so what

[solli]

The CC evaluation comes in two parts:
A profile for the evaluation, and the assurance level to which you achieve that profile.

So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).

SuSE already have it, next Debian?

[ciaran_o_riordan]

SuSE already have it.

Next question, will someone fund a community owned distro to get this certification?
(i.e. Debian etc.)

Meh

[avageek]

Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.

Re:Meh

[Iorek]

"Speaking as someone who works for the government"

Well, speaking as someone who works for a government's CC certification scheme, EAL2 actually does give you some assurance, and I've personally seen companies stumble in getting it. At that level, you're taking a closer look at the developer's design, configuration management and testing; you're making sure they conduct a proper vulnerability analysis, and devising your own penetration tests. It's a significant jump from EAL1.

NOT "alongside", but "a long way behind"

[menscher]

RHEL is to be tested for EAL2, which is rather different from EAL3 OSes (IRIX and Trusted IRIX/CMW) and EAL4 OSes (AIX5, HP-UX 11, Solaris8 and Trusted Solaris8, and Win2k Pro). In fact, the *only* OS RHEL will be "alongside" is SuSE. See this site for details.

Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache (www.commoncriteria.org is no longer alive).

RH Linux EAL: 2 MS Windows 2000 EAL: 4

[Drestin]

And this is almost 4 years after Windows 2000 did it with ease. Of course, Windows XP/2003 are even more secure so...

What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification? Unless it was unachievable... Vendors know ahead of time if they'll pass or not, all the criteria is there for the public to review. You don't submit until you are already sure you'll pass. Obviously Linux is not EAL 4 ready. Windows 2000 is not only EAL 4 but also augmented with ALC FLR 3.

Who is going to notice an effortless to achieve EAL 2?

Its form testing is useless for security

[Skapare]

Security cannot be determined from simply doing a suite of tests, and determining that it must be secure if the tester was unable to break in. The biggest variable that affects security is the administration of the machines ... and this applies to all systems, BSD, Linux, Solaris ... and yes, even MS Windows. Even OpenBSD clearly states their history of security (note, they never claim that is is secure, only that it has been to a certain degree) is based on the default install. Change it in any way, and all bets are off.

Security is not a thing you can just buy. Likewise it cannot be an attribute or property of a thing you can buy (or download). Security is in how you go about every aspect of the way you work, and not just in computers and networks. Social engineering is still a very workable way to access what you are not authorized to access. Poor passwords are incredibly common, for example (spammers are now using password guessing successfully to log into SMTP AUTH and MSA mail ports to submit their garbage ... they already have your userid). People are the weak link.

So ... IMHO ... the Common Criteria Scheme is nothing more than a bunch of feel-good paperwork for PHBs. Unfortunately, it's what PHBs want to see, so vendors like Red Hat do need to play into this BS just to get some sales. But it doesn't tell you squat about real security.

Get the specs...

[inode_buddha]

...here, look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)

What do you mean?

[pr0ntab]

The CC label is REQUIRED for some government computer work for which linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSe, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.

It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that give a shit about the Common Criteria cert on XYZ software.

I'm glad RedHat finally scrounged up some money from under the couch to remove this roadblock.

KDE...

[grokster]

The KDE.org folks can leverage this to get Kommon Kriteria certification...