Red Hat Linux Gets Top Govt. Security Rating
zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies.
Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."
So does CentOS get some sort of auto cert then?
The law is not an ass. No really.
This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).
The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.
--dave
davecb@spamcop.net
It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.
That was a cut and paste troll.
They're never on topic, they just show up in random Linux articles.
Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!
Are you naturally this off topic, or did it take effort?
Ignoring for the moment that I agree with *some* of your points, Linux on the desktop has nothing to do with this post; it is entirely about Linux as an enterprise grade server OS.
Connection too slow for X forwarding? Try "ssh -CX user@host"
Microsoft is only certified CAPP/eal4+. That is not LSPP/RBAC which is much harder and more secure.
Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.
I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.
Any idiot can build a Linux system which runs absolutely no services whatsoever and uses SELinux to delegate authority appropriately with modern RedHat versions.
What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?
Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.
It's not the same certification. Windows' is for CAPP only. Redhat's is for CAPP, LSPP and RBACPP.
Igor Presnyakov stole my hat
I'm going to venture that you don't know much about serious professional level computer systems. I'm going to discuss, point by point, why you are just flat out wrong and not thinking clearly about many things.
A)Many different versions of Linux have various binary packaging systems so you don't have to compile things, Debian and Redhat being the two most popular (yum and synaptic/.deb and .rpm). The constant upgrade cycle where you discover that your most recent upgrade broke something has nothing to do with the process of compiling software per se, but interoperability between different software. The Microsoft WSUS updates are constantly breaking applications, and this is even more exaggerated in the server market.
B)The vast majority of mission critical infrastructure systems that the internet and all high level computing systems run from the command line. Switches, routers, cores, these are the bread and butter of what makes the internet work, and nobody says that a developer has failed when they produce one of these that works. Frankly, you are just being hyperbolic; failure as a developer means that your application does not work. These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some harebrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.
C)Linux documentation is far superior to that of Windows, because the APIs and source code are all available. Learn how to program; don't blame the difficulty of programming on inferior documentation and instructions. There are people who do what they want in Linux; just because you can't doesn't mean that there is something wrong with Linux. Rather, it probably means you are not that smart. The entire notion that Linux is an alien environment presupposes a fetish for Windows.
Your conclusion is complete bunk, because your arguments don't hold any water. Basically, what you've just done is ranted. Linux does not suck in the regards you listed. Nothing is perfect, and everything can be improved, but you simply don't make a nuanced point like this.
Besides which, this thread was about Security!
I read that link, but is the following just coincidence? "Certificate Date: 01 April 2007" Hmm....
I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own CD rips from Grip, I can install most Windows versions without a problem, and I'm damned proficient at packages like Paint Shop Pro and the GIMP. In addition, I'm a gamer from back in the DOS/Win95 days, so concepts like editing undocumented system-critical settings (Registry hives) don't necessarily scare me.
That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.
A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.
B) Any time I'm forced to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.
C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.
I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
No, EAL-4 is not "TOP". Shame on the press release writers for spreading untruths.
Nor is EAL-4 the highest rating an OS product has achieved.
EAL-5 has been achieved by only one complex product in the world last I looked (BAE's STOP OS, a Linux look-alike in API/ABI running on an Intel CPUed platform) and it doesn't lose its security rating when connected to a network.
The value of the rating system is that it lets everyone see the criteria under which you were judged and the degree of excellence against those criteria determined by independent judges. But the person selecting the product has to know a lot about security to be able to understand the value provided. For example, it is easy to configure most EAL-4 rated OSs in such a way that they void their rating.
Having been the Product Manager during the STOP evaluation, let me congratulate Red Hat as achieving EAL 4 is a great achievement for their team (and was required of us before we could even submit for an EAL-5). May they now go on and undergo additional time, expense and pain in striving for a higher rating.