Red Hat Linux Gets Top Govt. Security Rating

Posted by CmdrTaco on Mon Jun 18, 2007 08:03 AM
from the take-that-to-yer-boss-and-shove-it dept.
zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."
  • CentOS too? (Score:3, Interesting)

    by frankenheinz (976104) on Monday June 18 2007, @08:10AM (#19549647)
    So does CentOS get some sort of auto cert then?
    • Re:CentOS too? (Score:5, Informative)

      by Anonymous Coward on Monday June 18 2007, @08:14AM (#19549687)
      > So does CentOS get some sort of auto cert then?

      No. CentOS (i.e., the actual binaries built by the CentOS team on the particular set of hardware used by the CentOS team) needs to go through the exact same evaluation process, with documentation and all.
      • Re:CentOS too? (Score:4, Informative)

        by crush (19364) on Monday June 18 2007, @08:19AM (#19549733)
        The certification is specific to the combination of RHEL on IBM eServers. So specific hardware and specific version of the OS. That said, practically there'd probably be no functional difference with CentOS on the same hardware ... but you couldn't run it if the certification were mandated.
        • Re: (Score:3, Informative)

          And it should soon (Jun 21) also be certified to the same level on HP hardware. See entry 10165 here: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm [niap-ccevs.org]
          • Re: (Score:3, Informative)

            These certifications at the EAL4 and up levels are all functional tests. That is, the actual system is run. Software by itself cannot run. It needs the hardware. These types of certifications are designed to eliminate as many unknowns as possible. Any RHEL system should behave the same but can you guarantee that? Consider the simple case as a bug in a hardware driver in one system but not in the tested system. That said, it is reasonable to expect that all x86 type hardware similar to the eServers would achie
    • Re: (Score:3, Insightful)

      Sort-of. It depends on your contractual requirements. I always try to sneak in a provision to the effect that 'The system will use the CAPP/EAL4 reference design as a guideline'. Schtuff delivered to the military needs to be certified by their own security people anyway, but it helps a lot if you can show that you followed the CAPP/EAL4 configuration and point out where you had to deviate.
  • by davecb (6526) * on Monday June 18 2007, @08:11AM (#19549657) Homepage Journal

    This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).

    The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

    --dave

    • by crush (19364) on Monday June 18 2007, @08:16AM (#19549705)
      It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC [wikipedia.org] and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.
      • Re: (Score:3, Interesting)

        Actually AppArmor would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

        --dave

      • Hmmm...I'm getting conflicting information. According to this Microsoft White Paper [microsoft.com] (sorry, Word .DOC format), the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.
        • Re: (Score:3, Informative)

          > the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received.

          Here [niap-ccevs.org] is the Windows cert. Here [niap-ccevs.org] is the Redhat one. Notice that under PP identifiers Windows has CAPP, while Redhat has CAPP, LSPP and RBACPP.

      • > This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives).

        It's more accurate to describe RHEL and CentOS as derivatives of Fedora. Fedora is the upstream for all other distributions that are in the Red Hat family. Red Hat Enterprise Linux is derived from Fedora, and CentOS is in turn derived from Red Hat Enterprise Linux.

        SELinux, for example, appeared in Fedora long before it ever appeared in RHEL or CentOS.
      • Re: (Score:3, Interesting)

        Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

        Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis a vis other OSes, especially Linux, and especially in terms of security.
        • by crush (19364) on Monday June 18 2007, @09:01AM (#19550183)
          I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.
          • Re: (Score:3, Insightful)

            > it's just a rubber-stamp for administrators that don't want to understand security.

            No, it's not.

            "EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be very secure by people who care and know what they are doing.

        • Re: (Score:3, Informative)

          > Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

          No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product). If there's no other way of performing a function, it might be justifiable, but it'll be a brave sysadmin that pursue

        • Re: (Score:3, Insightful)

          For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.

          I attended a presentation regarding these certifications from a manager at IBM, (I forget his name), that had taken several products through the certification process and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure a

        • Re: (Score:3, Informative)

          > Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well.

          The confusion here is that this certification has nothing to do with exploits or kernel bugs (the form of security most people talk about on a regular basis). We're talking about CIA/NSA levels security. It's based largely on how finely-grained the system permissions are, so that an exploited application can't access any other files, open any other ports, etc., etc., as

    • Re: (Score:2, Funny)

      by Anonymous Coward
      > The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

      Just wait until the "No OS Left Behind" program gets passed.
  • by Anonymous Coward on Monday June 18 2007, @08:20AM (#19549751)
    http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx [microsoft.com]

    The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:
    • Microsoft Windows Server(TM) 2003, Standard Edition (32-bit version) with Service Pack 1
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
    • Microsoft Windows XP Professional with Service Pack 2
    • Microsoft Windows XP Embedded with Service Pack 2

  • > putting it on a par with Sun Microsystems Inc.'s Trusted Solaris

    Is this the same system that had famous telnet froot [slashdot.org] vulnerability recently?

  • by Frankie70 (803801) on Monday June 18 2007, @08:43AM (#19550013)
    Check the slashdot story [slashdot.org] when Microsoft OS'es got a similar certification.
    Let's compare the comments at the end of the day.
  • In the embedded space, Green Hills Integrity has gained a lot of traction for reliable systems since it allows the developer to partition the system into spaces with guaranteed amounts of memory, cpu cycles and so on. It also offers strong guarantees that one partition can't affect another partition. See the Integrity features page [ghs.com].

    So, my question is: Is there similar functionality in the works for Linux?

    • Re: (Score:3, Informative)

      Integrity is an RTOS platform, not a general purpose OS. I've worked with their ARINC 673 product a bit, much standard UNIX functionality would break the guarantees made by an ARINC-compliant OS so it's just not present. Xen is a close enough approximation if you just want to partition the system off without using ARINC 673, but in order to get the same sort of certifications as Integrity (or VxWorks' ARINC 673 product for that matter) all the code involved with Linux - kernel, userspace etc. - would need a
  • by TheGreatHegemon (956058) on Monday June 18 2007, @08:57AM (#19550143)
    Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.
  • by jimicus (737525) on Monday June 18 2007, @09:36AM (#19550545) Homepage
    Any idiot can build a Linux system which runs absolutely no services whatsoever and SELinux to delegate authority appropriately with modern RedHat versions.

    What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

    Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.
  • by KiltedKnight (171132) * on Monday June 18 2007, @10:50AM (#19551585) Homepage Journal
    Perhaps someone needs to inform Mr. Frye that there are things out there that are higher-rated...

    XTS-400 (Wikipedia entry) [wikipedia.org]

    XTS-400 [baesystems.com]

    That particular system is rated at EAL 5. IBM's only achieved EAL 4.

  • No, EAL-4 is not "TOP". Shame on the press release writers for spreading untruths.

    Nor is EAL-4 the highest rating an OS product has achieved.

    EAL-5 has been achieved by only one complex product in the world last I looked (BAE's STOP OS, a Linux look-alike in API/ABI running on an Intel CPUed platform) and it doesn't lose its security rating when connected to a network.

    The value of the rating system is that it lets everyone see the criteria under which you were judged and the degree of excellence against those criteria determined by independent judges. But the person selecting the product has to know a lot about security to be able to understand the value provided. For example, it is easy to configure most EAL-4 rated OSs in such a way that they void their rating.

    Having been the Product Manager during the STOP evaluation, let me congratulate Red Hat as achieving EAL 4 is a great achievement for their team (and was required of us before we could even submit for an EAL-5). May they now go on and undergo additional time, expense and pain in striving for a higher rating.
    • Re: (Score:2, Interesting)

      What does that have to do with RHEL? It is designed to be a stable server platform. Your post has so little to do with the article, I'm going to need to ask you to RTFM.
    • Weird, most of the things you named are the reason I, and most people, prefer Linux. Compiling is what makes the system run so smooth. The command line gives you a lot of control, and it is far more simple than trying to find your way through counter-intuitive Windows GUIs. The MAN pages are not the best source of information...an advanced user should know that.
    • Are you naturally this off topic, or did it take effort?

      Ignoring for the moment I agree with *some* of your points, Linux on the desktop has nothing to do with this post, it is entirely about Linux as an enterprise grade server OS.
    • I think we've seen this exact same post about a dozen times before.
    • by lib3rtarian (1050840) on Monday June 18 2007, @10:01AM (#19550867)
      I'm going to venture that you don't know much about serious professional level computer systems. I'm going to discuss, point by point, why you are just flat out wrong and not thinking clearly about many things.

      A) Many different versions of Linux have various binary packaging systems so you don't have to compile things, Debian and Redhat being the two most popular (yum and synaptic/ .deb and .rpm). The constant upgrade cycle where you discover that your most recent upgrade broke something has nothing to do with the process of compiling software per se, but interoperability between different software. The Microsoft WSUS updates are constantly breaking applications, and this is even more exaggerated in the server market.

      B) The vast majority of mission critical infrastructure systems that the internet and all high level computing systems run from the command line. Switches, routers, cores, these are the bread and butter of what makes the internet work, and nobody says that a developer has failed when they produce one of these that works. Frankly, you are just being hyperbolic, failure as a developer means that your application does not work. These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some harebrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.

      C) Linux documentation is far superior to that of Windows, because the API's and sourcecode are all available. Learn how to program, don't blame the difficulty of programming on inferior documentation and instructions. There are people who do what they want in linux, just because you can't, doesn't mean that there is something wrong with linux. Rather, it probably means you are not that smart. The entire notion that linux is an alien environment presupposes a fetish for windows.

      Your conclusion is complete bunk, because your arguments don't hold any water. Basically, what you've just done is ranted. Linux does not suck in the regards you listed. Nothing is perfect, and everything can be improved, but you simply don't make a nuanced point like this.

      Besides which, this thread was about Security!
    • Re: (Score:3, Informative)

      When you use Linux for your commercial needs (which this is clearly intended for), you don't recompile kernel every week. The box stays the way it is unless some major security related updates are needed. You schedule downtime to make any changes and you are lucky if you get 1 hour of downtime a year.

      This is not desktops, but huge servers. I have many many times tried to get such organizations to even apply one of our patchsets to their servers due to them hitting known bugs and it may take a couple of m
    • Re: (Score:3, Informative)

      Good news! It's ready!

      A) You don't have to compile anything. But you can if you want to. And you can forget about all those dependency DLL-hell issues too that you get in Windows, if you use a modern distro with good package management. Then you just fire up the GUI, put a "tick" in the box for the software you want, and it gets it for you and installs it. It's easier than having to trawl through someone's web site for the right installer, manually download it, manually run the setup. And then find t
    • by Jesus_666 (702802) on Monday June 18 2007, @12:35PM (#19553365)
      I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own CD rips from Grip, I can install most Windows versions without a problem, and I'm damned proficient at packages like Paint Shop Pro and the GIMP. In addition, I'm a gamer from back in the DOS/Win95 days, so concepts like editing undocumented system-critical settings (Registry hives) don't necessarily scare me.

      That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.

      A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.

      B) Any time I'm forced to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.

      C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.

      I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.
      • > As for forums, welcome to the Internet; go check some MS or Mac forums, you'll find assholes there, too. Those're the breaks.
        We don't need to check those forums - we have our own crop right here, don't we AC?

        Did I miss something? Is it "Asshat Monday" and I didn't mark it on my calendar?
      • Re: (Score:3, Insightful)

        > Why, pray tell, would any 'average' user wish to dick around with vi and text-editing config files? Hint: They wouldn't.

        True, but I also think that most average users would take a text-based configuration file, especially one with instructive comments, over the Windows Registry any day of the week.

        I'm not saying that registry editing is a usual occurrence, but sometimes it needs to be done, and I would prefer clear text files every time. Especially those parts of the registry indexed on class GUID are really opaque.

    • > I'm not a security expert, but this looks like an American government security certification. Why does the submitter link to Australian Computerworld? Why not the American version, which also carried the newswire story?
      Because Australians are insensitive clods?
    • No Worries, Mate; I reckon it's some Ozzies trying to come the raw prawn with ya!
    • Re: (Score:3, Interesting)

      > I'd wonder if openbsd has received this security rating?

      Of course it hasn't. Certification costs a lot of money (tens- if not hundreds-of-thousands of dollars), and there're no organisations with that kind of money that have a major interest in OpenBSD. Could it pass? No, because it lacks RBAC/MAC and other necessary security systems. Has it even been tested? Certainly not, because nobody's put it up for certification, and also because the team that produces it haven't built in subsystems for RBAC/MAC.