Slashdot Mirror


Red Hat Linux Gets Top Govt. Security Rating

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."

10 of 128 comments

  1. For people who don't grok EAL4 and ALC_FLR.3 by davecb · Score: 5, Informative

    This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).

    The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

    --dave

    --
    davecb@spamcop.net

  2. Re:CentOS too? by Anonymous Coward · Score: 5, Informative

    > So does CentOS get some sort of auto cert then?

    No. CentOS (i.e., the actual binaries built by the CentOS team on the particular set of hardware used by the CentOS team) needs to go through the exact same evaluation process, with documentation and all.

  3. Re:CentOS too? by crush · Score: 3, Informative

    The certification is specific to the combination of RHEL on IBM eServers. So specific hardware and specific version of the OS. That said, practically there'd probably be no functional difference with CentOS on the same hardware ... but you couldn't run it if the certification were mandated.

  4. XP SP2 and Windows Server 2003 have the same rating by Anonymous Coward · Score: 3, Informative

    http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx

    The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:
    • Microsoft Windows Server(TM) 2003, Standard Edition (32-bit version) with Service Pack 1
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
    • Microsoft Windows XP Professional with Service Pack 2
    • Microsoft Windows XP Embedded with Service Pack 2

  5. Re:Hrmm. Not good enough for the average user by sayfawa · Score: 4, Informative

    That was a cut and paste troll.

    They're never on topic, they just show up in random Linux articles.

    --
    Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!

  6. Re:XP SP2 and Windows Server 2003 have the same rating by CloneRanger · Score: 5, Informative

    Microsoft is only certified CAPP/EAL4+. That is not LSPP/RBAC, which is much harder and more secure.

  7. Re:For people who don't grok EAL4 and ALC_FLR.3 by crush · Score: 4, Informative

    I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.

  8. Re:Slashdot responses by dylan_- · Score: 4, Informative

    It's not the same certification. Windows' is for CAPP only. Red Hat's is for CAPP, LSPP and RBACPP.

    --
    Igor Presnyakov stole my hat

  9. None of your points are valid by lib3rtarian · Score: 5, Informative

    I'm going to venture that you don't know much about serious professional level computer systems. I'm going to discuss, point by point, why you are just flat out wrong and not thinking clearly about many things.

    A) Many different versions of Linux have various binary packaging systems so you don't have to compile things, Debian and Red Hat being the two most popular (yum and synaptic; .deb and .rpm). The constant upgrade cycle where you discover that your most recent upgrade broke something has nothing to do with the process of compiling software per se, but with interoperability between different software. The Microsoft WSUS updates are constantly breaking applications, and this is even more exaggerated in the server market.

    B) The vast majority of mission-critical infrastructure systems that the internet and all high-level computing systems depend on run from the command line. Switches, routers, cores: these are the bread and butter of what makes the internet work, and nobody says that a developer has failed when they produce one of these that works. Frankly, you are just being hyperbolic; failure as a developer means that your application does not work. These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some harebrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.

    C) Linux documentation is far superior to that of Windows, because the APIs and source code are all available. Learn how to program; don't blame the difficulty of programming on inferior documentation and instructions. There are people who do what they want in Linux; just because you can't doesn't mean that there is something wrong with Linux. Rather, it probably means you are not that smart. The entire notion that Linux is an alien environment presupposes a fetish for Windows.

    Your conclusion is complete bunk, because your arguments don't hold any water. Basically, what you've just done is rant. Linux does not suck in the regards you listed. Nothing is perfect, and everything can be improved, but you simply haven't made a nuanced point like this.

    Besides which, this thread was about Security!

  10. EAL-6 is the highest possible security rating by mikefocke · Score: 3, Informative

    No, EAL-4 is not "TOP". Shame on the press release writers for spreading untruths.

    Nor is EAL-4 the highest rating an OS product has achieved.

    EAL-5 has been achieved by only one complex product in the world last I looked (BAE's STOP OS, a Linux look-alike in API/ABI running on an Intel-CPU platform), and it doesn't lose its security rating when connected to a network.

    The value of the rating system is that it lets everyone see the criteria under which you were judged and the degree of excellence against those criteria determined by independent judges. But the person selecting the product has to know a lot about security to be able to understand the value provided. For example, it is easy to configure most EAL-4 rated OSs in such a way that they void their rating.

    Having been the Product Manager during the STOP evaluation, let me congratulate Red Hat, as achieving EAL 4 is a great achievement for their team (and was required of us before we could even submit for an EAL-5). May they now go on and undergo additional time, expense and pain in striving for a higher rating.