Red Hat Linux Gets Top Govt. Security Rating 128
zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies.
Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."
Re:Hrmm. Not good enough for the average user (Score:1, Insightful)
Re:Someone want to explain the Common Criteria to (Score:1, Insightful)
"the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft."
This is the code base that actually has the certification.
As soon as ANY change - and that includes adding patches - is made, the code base is no longer certified.
Any advertisement that the "product has ZZZ certification" for any following product is false. It no longer has certification. But it CAN be advertized as "based on bbbbb with ZZZZ certification".
Re:Someone want to explain the Common Criteria to (Score:3, Insightful)
If there is a vulnerability that would affect that setup/version in it's configured state, then the rating is supposed to be withdrawn, the problem fixed, and the system resubmitted.
Someone has figured out that perhaps, it might be a good idea to not have the vault door sealed, and a hole drilled in the side of the wall, so they tell you to apply security patches.
For the windows 2k thing: It's evaluated configuration wasn't vulnerable to any of the security patches, therefore it remains.
Re:CentOS too? (Score:3, Insightful)
Re:Hrmm. Not good enough for the average user (Score:3, Insightful)
True, but I also think that most average users would take a text-based configuration file, especially one with instructive comments, over the Windows Registry any day of the week.
I'm not saying that registry editing is a usual occurrence, but sometimes it needs to be done, and I would prefer clear text files every time. Especially those parts of the registry indexed on class GUID are really opaque.
Re:For people who don't grok EAL4 and ALC_FLR.3 (Score:3, Insightful)
For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.
I attended a presentation regarding these certifications from a manager at IBM, (I forget his name), that had taken several products through the certification process and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure and a lot of people may have reviewed it and declared it secure, (even the auditors), but without the corresponding documentation it can't pass certification. Why not? Well, without a design document, I can't verify the implementation actually does what it is supposed to. Also, without the user documentation, how do I know that I have to have certain services running for the behavior to be valid? The auditors are allowed to do anything they want to the system that isn't forbidden in the documentation. So, if it isn't documented that you can't turn off some security service, it is fair game. That's why the product, in a certain configuration, is certified and not any system that happens to run the OS.
I think this is why we will only see high levels of certification going to corporate sponsored OSes. Let's face it, most open source developers don't want to spend most of their time documenting their work - they want to actually do it. It is only when you have management that focuses on the certification process, and holds everyone accountable for proper documentation, that the requirements can be met.
Re:Hrmm. Not good enough for the average user (Score:5, Insightful)
That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.
A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.
B) Any time I'm forced to to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.
C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.
I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.
Re:For people who don't grok EAL4 and ALC_FLR.3 (Score:3, Insightful)
No, it's not.
"EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be very secure by people who care and know what they are doing.