Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

Windows 2000 is certified as well

[Punchinello]

This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

Damn, just when I thought the certification had some value!

Re:Windows 2000 is certified as well

[calebtucker]

Yeah, I kinda scratched my head when I saw a microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, outlook, IIS *cough*).

Re:Windows 2000 is certified as well

[Jeremiah+Cornelius]

CC is restricted to VERY specific implementations.

No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of may hundreds of thousands USD.

I suppose that it makes a decent benchmark of sorts. Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

Re:Windows 2000 is certified as well

[tonyr60]

Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.

Re:Windows 2000 is certified as well

[Storm]

Its pretty well common knowledge in the security community that Microsoft paid for that certification.

While I can't remember if it was specifically Windows 2000 with the Common Criteria or Windows NT with the Orange Book Cert, I do remember that the system configuration which won them the cert was with no network connection, no floppy drives, and no CDROM drives on the box that was tested. In essence, no non-keyboard input methods. (They couldn't guarantee the OS would stay clean long enough to get the cert.)

Basically, the certification was useless as soon as you configured the box to do any useful processing on the machine. Then again, many would say that is the same of Windows itself.

Re:Windows 2000 is certified as well

[Iorek]

The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

Red Hat's Enterprise Linux will have their own ST.

Re:Windows 2000 is certified as well

[Mr.+Slippery]

It is a step above C1 - no attempt made to secure the platform!

That's D. (Actually, D is reserved for systems that fail evaluation.)

C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

Re:Windows 2000 is certified as well

[EmbeddedJanitor]

It didn't need to. From what some people say it would seem that it only needs to achieve the vendor specified level. Scenario:

Microsoft: This is WinME, we claim it is shit.

CC Official:sniff, sniff. Yep, sure is. Stamp!

Re:Windows 2000 is certified as well

[Iorek]

There's a difference, though. The security target evaluation (at the beginning of the evaluation - it really scopes the evaluation) is a sanity check. The evaluator would certainly fail the ASE components of a concrete lifejacket evaluation. The evaluator is making sure the functional requirements are mutually supportive, that the security problem they're solving is well defined, that the requirements themselves can solve that problem... It's far more than a "This is what I do... See, I'm doing what I say I do."

Re:Windows 2000 is certified as well

[Guppy06]

"Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do."

Microsoft: "This operating system has numerous vulnerability exploits and poor compatability with old drivers and applications."

CC board: "Well, whaddaya know, so it does!"

SuSE?

[santiag0]

Does anyone know if SuSE/Novell is pursuing this same certification?

Re:A pity

[calebtucker]

Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil

Since the article didn't mention it...

[sczimme]

you can read about the Common Criteria here.

Unfortunately, the other site has been shut down.

Yeah right...

[DeepEyes78]

Red Hat couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

drip...drip...

Excuse me, I've got sarcasm dripping from my chin...

Validating the Kernel Development Model

[oo_waratah]

From the original February discussion. This has even more relevance now. ...

"The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?

EAL4...so what

[solli]

The CC evaluation comes in two parts:
A profile for the evaluation, and the assurance level to which you achieve that profile.

So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).