Slashdot Mirror


Red Hat Linux Gets Top Govt. Security Rating

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."

11 of 128 comments

  1. CentOS too? by frankenheinz · Score: 3, Interesting

    So does CentOS get some sort of auto cert then?

    --
    The law is not an ass. No really.
  2. Re:Hrmm. Not good enough for the average user by vfrex · Score: 2, Interesting

    What does that have to do with RHEL? It is designed to be a stable server platform. Your post has so little to do with the article, I'm going to need to ask you to RTFM.

  3. Re:For people who don't grok EAL4 and ALC_FLR.3 by crush · Score: 5, Interesting

    It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.

  4. Re:Hrmm. Not good enough for the average user by jimstapleton · Score: 3, Interesting

    Are you naturally this off topic, or did it take effort?

    Ignoring for the moment that I agree with *some* of your points, Linux on the desktop has nothing to do with this post; it is entirely about Linux as an enterprise-grade server OS.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  5. Re:For people who don't grok EAL4 and ALC_FLR.3 by davecb · Score: 2, Interesting

    Actually, AppArmor would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

    --dave

    --
    davecb@spamcop.net
  6. Re:For people who don't grok EAL4 and ALC_FLR.3 by morgan_greywolf · Score: 2, Interesting

    Hmmm... I'm getting conflicting information. According to this Microsoft white paper (sorry, Word .DOC format), the EAL4 Augmented with ALC_FLR.3 rating, which, BTW, both Windows XP SP2 and Windows Server 2003 SP1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.

  7. Re:For people who don't grok EAL4 and ALC_FLR.3 by asliarun · Score: 2, Interesting

    Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

    Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis-à-vis other OSes, especially Linux, and especially in terms of security.

  8. Only as secure as its least secure member... by TheGreatHegemon · Score: 3, Interesting

    Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.

  9. Yeah yeah. But what does it /mean/? by jimicus · Score: 3, Interesting

    Any idiot can build a Linux system which runs absolutely no services whatsoever and uses SELinux to delegate authority appropriately with modern Red Hat versions.

    What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

    Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.

  10. "Get the Facts" by dasunst3r · Score: 2, Interesting

    I think Red Hat should send something to Steve Ballmer to rub this in his face... something along the lines of "Looks like you need to Get the Facts about Windows and Linux. Where are your lobbyists now?" along with a copy of the certification.

  11. Re:no real surprise here by sn00ker · Score: 2, Interesting

    I'd wonder if openbsd has received this security rating?
    Of course it hasn't. Certification costs a lot of money (tens, if not hundreds, of thousands of dollars), and there are no organisations with that kind of money that have a major interest in OpenBSD. Could it pass? No, because it lacks RBAC/MAC and other necessary security systems. Has it even been tested? Certainly not, because nobody's put it up for certification, and also because the team that produces it hasn't built in subsystems for RBAC/MAC. That's not their aim, and likely never will be.

    On a side note, FreeBSD does have MAC capabilities, and could probably be configured to pass at least EAL3 (not sure about the design verification requirements for getting EAL4), but like OpenBSD it lacks a massive, financially interested organisation to sponsor it through all the testing. Note that RHEL5 was sponsored by IBM, not by Red Hat, which gives a very clear indication of just how much financial backing is necessary to seriously attempt to get a system certified under the Common Criteria. Getting an EAL certification, as the Wikipedia entry on the topic states, is not a significant indicator of the security of a system. It just shows that the system was tested against certain criteria and passed.

    --
    "God, root, what is difference?" - Pitr, userfriendly