
Red Hat Linux Gets Top Govt. Security Rating

Posted by CmdrTaco
from the take-that-to-yer-boss-and-shove-it dept.
zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."
  • CentOS too? (Score:3, Interesting)

    by frankenheinz (976104) on Monday June 18, 2007 @09:10AM (#19549647)
    So does CentOS get some sort of auto cert then?
    • Re:CentOS too? (Score:5, Informative)

      by Anonymous Coward on Monday June 18, 2007 @09:14AM (#19549687)
      > So does CentOS get some sort of auto cert then?

      No. CentOS (i.e., the actual binaries built by the CentOS team on the particular set of hardware used by the CentOS team) needs to go through the exact same evaluation process, with documentation and all.
      • Re:CentOS too? (Score:4, Informative)

        by crush (19364) on Monday June 18, 2007 @09:19AM (#19549733)
        The certification is specific to the combination of RHEL on IBM eServers. So specific hardware and specific version of the OS. That said, practically there'd probably be no functional difference with CentOS on the same hardware ... but you couldn't run it if the certification were mandated.
        • Re: (Score:3, Informative)

          by crush (19364)
          And it should soon (Jun 21) also be certified to the same level on HP hardware. See entry 10165 here: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm [niap-ccevs.org]
        • Any idea why the certification is hardware specific? What do IBM eServers have that commodity hardware doesn't?
          • Re: (Score:3, Informative)

            by Bishop (4500)
            These certifications at the EAL4 and up levels are all functional tests. That is, the actual system is run. Software by itself cannot run; it needs the hardware. These types of certifications are designed to eliminate as many unknowns as possible. Any RHEL system should behave the same, but can you guarantee that? Consider the simple case of a bug in a hardware driver in one system but not in the tested system. That said, it is reasonable to expect that all x86 type hardware similar to the eServers would achie
    • Re: (Score:3, Insightful)

      by flyingfsck (986395)
      Sort-of. It depends on your contractual requirements. I always try to sneak in a provision to the effect that 'The system will use the CAPP/EAL4 reference design as a guideline'. Schtuff delivered to the military needs to be certified by their own security people anyway, but it helps a lot if you can show that you followed the CAPP/EAL4 configuration and point out where you had to deviate.
  • by davecb (6526) * <davec-b@rogers.com> on Monday June 18, 2007 @09:11AM (#19549657) Homepage Journal

    This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).

    The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

    --dave

    • by crush (19364) on Monday June 18, 2007 @09:16AM (#19549705)
      It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC [wikipedia.org] and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.
      • Re: (Score:3, Interesting)

        by davecb (6526) *
        Actually AppArmour would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

        --dave

      • Re: (Score:2, Interesting)

        Hmmm...I'm getting conflicting information. According to this Microsoft White Paper [microsoft.com] (sorry, Word .DOC format), the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.
        • Re: (Score:3, Informative)

          by dylan_- (1661)

          > the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received.

          Here [niap-ccevs.org] is the Windows cert. Here [niap-ccevs.org] is the Redhat one. Notice that under PP identifiers Windows has CAPP, while Redhat has CAPP, LSPP and RBACPP.

          • Re: (Score:2, Informative)

            Not only that, but Windows is only certified on specific hardware, while the same is not true of the RHEL5 cert. Thanks for pointing that out. It shows once again that a solid stable system like RHEL5 is indeed more secure than Windows, even if it is only because the military believes it to be so. But I'm guessing that military IT might know a thing or two about good systems security. ;)

            • Re: (Score:2, Informative)

              by Anonymous Coward
              Actually Military IT isn't the greatest. Too many young kids with not enough experience. However, the NSA does the accreditation and they, unlike the above poster states, are very good at what they do. The testing doesn't prove that the OS is more secure; it demonstrates that it is designed securely, and more importantly, that it has adequately tamper-resistant auditing and adequately rigorous permissions. That's why POSIX compliant OS'es aren't very convenient to certify; the permission systems are very di
            • > But I'm guessing that military IT might know a thing or two about good systems security. ;)

              Their stakes may be slightly higher too.
          • by HuguesT (84078)
            Actually, Here [niap-ccevs.org] is the RHEL5 cert (both your links are the same).
      • by spevack (210449) *
        > This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives).

        It's more accurate to describe RHEL and CentOS as derivatives of Fedora. Fedora is the upstream for all other distributions that are in the Red Hat family. Red Hat Enterprise Linux is derived from Fedora, and CentOS is in turn derived from Red Hat Enterprise Linux.

        SELinux, for example, appeared in Fedora long before it ever appeared in RHEL or CentOS.
      • Re: (Score:3, Interesting)

        by asliarun (636603)
        Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

        Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis a vis other OSes, especially Linux, and especially in terms of security.
        • by crush (19364) on Monday June 18, 2007 @10:01AM (#19550183)
          I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.
          • Re: (Score:3, Insightful)

            by Nutria (679911)
            > it's just a rubber-stamp for administrators that don't want to understand security.

            No, it's not.

            "EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be very secure by people who care and know what they are doing.

        • by jae471 (1102461)
          I believe you are correct. From what I've read, OpenBSD is tops when it comes to security. I haven't tested this in practice, though.
        • Re: (Score:3, Informative)

          by cowbutt (21077)
          > Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

          No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product). If there's no other way of performing a function, it might be justifiable, but it'll be a brave sysadmin that pursue

          • by asliarun (636603)
            Yes, I realize that my question was off-topic. My question was a more generic one, namely Linux v/s OpenBSD in terms of security.
            I was also interested in knowing how popular BSD and Linux are for these kind of requirements.
            • by raddan (519638)
              The OpenBSD people have specifically stated that they will not pursue these kinds of certifications, because they take developer time away from actually making the operating system secure. IIRC, their opinion was that most of these certifications were based on a number of arbitrary tests that did not actually measure (nor accurately represent) real-world security exposure. I don't know enough myself to comment on the subject, though. The subject may also be complicated by the fact that the OpenBSD's relati
          • > No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product).

            It's worth pointing out that these kinds of generic certifications aren't always required. They're generally required when you're doing multi-level security -- people with varying levels of trust using the same system. For example, if you need the system to prevent SECRET information from becoming available to a user who is only cleared to CONFIDENTIAL. Th

        • Re: (Score:3, Insightful)

          by Bender0x7D1 (536254)

          For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.

          I attended a presentation regarding these certifications from a manager at IBM (I forget his name) who had taken several products through the certification process, and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure a

        • Re: (Score:3, Informative)

          by evilviper (135110)

          > Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well.

          The confusion here is that this certification has nothing to do with exploits or kernel bugs (the form of security most people talk about on a regular basis). We're talking about CIA/NSA-level security. It's based largely on how finely-grained the system permissions are, so that an exploited application can't access any other files, open any other ports, etc., etc., as

          • by Nevyn (5505) *

            > The difference, though, is that RedHat is a company, which wants to pay for certification so they can use it to market their product.

            Actually that's just wrong. Red Hat doesn't really pay for them, the HW vendors like HP and IBM do ... so Trusted*BSD should easily be able to get that certification, if people wanted to buy systems with it.

            But in my opinion the real major difference is that Fedora is a usable general purpose OS with MAC capabilities, this is like if FreeBSD shipped all of the code for

            • by evilviper (135110)

              > this is like if FreeBSD shipped all of the code for MAC and TrustedBSD just shipped a policy file to enable it.

              In fact much (most? all?) of the TrustedBSD code has been integrated back into FreeBSD 6.
        • These levels of security require levels over and above what is available in BSD as far as I know. The usual unix model of world/group/user isn't fine-grained enough for this. Linux has it only because the NSA has been working on it for years; I don't even pretend to understand SELinux.
        • Re: (Score:2, Informative)

          by deskin (1113821)

          Good question. I haven't spent much time with any BSD system, but I've spent enough with SELinux (personal pet peeve: it's not `SE Linux', though `SElinux' or 'selinux' are acceptable) to know a bit about the difference. Pardon me if I wax loquacious...

          In the computing world, the vast majority of security flaws come from bugs: improper handling of untrusted data leads to buffer overflows time and time again. Fix the bugs, and those security flaws go away. However, what about the ones you didn't catch?

          • by drsmithy (35869)
            I'd just like to say, that is an excellent "in a nutshell" explanation of SELinux.
      • by systemeng (998953)
        I just got done with an NSA accreditation exercise for a SUSE 10.0 box. SUSE's support for proper logging and auditing was severely lacking and we had to jump through hoops. Why would a sane person invent something like AppArmour when the NSA created SElinux and it does what's required to pass certifications? SuSE has gotten better in 10.1 and 10.2 but I still don't think they've managed to get logging and auditing to work right. Go Redhat. SuSE has a nice desktop and 10.0 had better hardware support f
      • by jd (1658)
        That is not entirely true. EAL5 is within reach of commodity Operating Systems and, indeed, two hold such status. EAL6 is pushing it, but I can see nothing that would technically be impossible. EAL7 is the only one I can see that is definitely beyond commodity OS level.

      • What is it with you people and Wikipedia?? Are you really too lazy to find the *real* Orange Book?

        NIST is hosting it; I'll even make a link [nist.gov] so no one gets hurt copying+pasting. Yes, it's a PDF.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      > The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

      Just wait until the "No OS Left Behind" program gets passed.
  • by Anonymous Coward on Monday June 18, 2007 @09:20AM (#19549751)
    http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx [microsoft.com]

    The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:
    • Microsoft Windows Server(TM) 2003, Standard Edition (32-bit version) with Service Pack 1
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1
    • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
    • Microsoft Windows XP Professional with Service Pack 2
    • Microsoft Windows XP Embedded with Service Pack 2

    • by CloneRanger (122623) on Monday June 18, 2007 @09:47AM (#19550045)
      Microsoft is only certified CAPP/eal4+ [niap-ccevs.org]. That is not LSPP/RBAC which is much harder and more secure.
      • by bgarcia (33222)

        > Microsoft is only certified CAPP/eal4+. That is not LSPP/RBAC which is much harder and more secure.

        Here are some relevant definitions:

      • Re: (Score:3, Funny)

        by mrwolf007 (1116997)
        I read that link, but is the following just coincidence? "Certificate Date: 01 April 2007" Hmm....
      • I tried to get some understanding of how the "Common Criteria" work, and read the wiki article on the subject, but I'm still not clear. Can anyone elucidate on how the whole process works, and what the various grades are? I understand that the 'Common Criteria' in their purest form aren't a set list of features that products need to have -- it's more of a framework for specifying and testing criteria -- but obviously the US Government has to have its own standards, tested using the Common Criteria, that it
        • Basically, they tested a specific version. That specific version (not including any patches!) and type of setup qualifies for the rating.

          If there is a vulnerability that would affect that setup/version in its configured state, then the rating is supposed to be withdrawn, the problem fixed, and the system resubmitted.

          Someone has figured out that perhaps, it might be a good idea to not have the vault door sealed, and a hole drilled in the side of the wall, so they tell you to apply security patches.

          For the w
      • by Anonymous Coward
        This is actually a complex issue that cannot be summarized as "much harder and more secure".

        EAL4+ refers to the assurance level applied to the software in question. It measures how well the software is implemented - in some sense what the probability of undiscovered holes is.

        EAL4+ is actually a rather low level of assurance. After all, Windows can pass EAL4+.

        CAPP, LSPP, and RBAC are protection profiles that refer to the protection policy enforced by the software. CAPP covers things like access control l
  • NIAP certification is a good first step if they want to get into the DoD world.
    It's a BIG first step. But there are others... FIPS for one. I wonder who will be working the ST&E on this OS. DoD? IntCom?
    Also the amoeba-like reach of DISA will have to be dealt with. They like their Windows(BOO!) and Solaris(Yay!). They are not too receptive to "new" things.
    Perhaps its biggest hurdle is not certifications... it's the infighting among gov't organizations.
    • >NIAP certification is a good first step if they want to get into the DoD world.

      Linux is already in the DoD world. For Red Hat in particular, this is the fifth NIAP cert in the last 2 years.

      >It's a BIG first step. But there are others... FIPS for one.

      Which nss meets at level 2.

      >Also the amoeba like reach of DISA will have to be dealt with.

      Linux is already in the STIGs.
      • by Lord_Pain (165272)
        You should know that ANY change to an OS constitutes a requirement for a new certification. Especially if a new "security module" is the core feature.

        Just saying linux has been certified is just as silly. Which flavor?
        There are STIGs for Debian, RH and a few other flavors. But this is a new product. Also any changes to an existing product will require another STIG.

        The kind of generalization from you sounds like something I'd hear from DISA.
    • As someone that has dealt at the periphery of projects where EAL certs are required, he's right on.
  • > putting it on a par with Sun Microsystems Inc.'s Trusted Solaris

    Is this the same system that had the famous telnet froot [slashdot.org] vulnerability recently?

    • by 986151 (986151)

      > Is this the same system that had famous telnet froot vulnerability recently?

      No

    • by cpuh0g (839926)
      No, Trusted Solaris and Solaris 10 with Trusted Extensions would not have been vulnerable to that vuln. And, did you know that MIT Kerberos distributions (which include a telnet daemon) also had a very similar hole? So, basically ANY site that was running MIT Kerberos with telnet enabled (Linux, BSD, etc.) was also vulnerable to the same attack. MIT Kerberos is included in RH Linux and many other Linux distros as well. http://www.kb.cert.org/vuls/id/220816 [cert.org]
  • by Frankie70 (803801) on Monday June 18, 2007 @09:43AM (#19550013)
    Check the slashdot story [slashdot.org] when Microsoft OS'es got a similar certification.
    Let's compare the comments at the end of the day.
  • In the embedded space, Green Hills Integrity has gained a lot of traction for reliable systems since it allows the developer to partition the system into spaces with guaranteed amounts of memory, cpu cycles and so on. It also offers strong guarantees that one partition can't affect another partition. See the Integrity features page [ghs.com].

    So, my question is: Is there similar functionality in the works for Linux?

    • Re: (Score:3, Informative)

      by Mr. Hankey (95668)
      Integrity is an RTOS platform, not a general purpose OS. I've worked with their ARINC 673 product a bit, much standard UNIX functionality would break the guarantees made by an ARINC-compliant OS so it's just not present. Xen is a close enough approximation if you just want to partition the system off without using ARINC 673, but in order to get the same sort of certifications as Integrity (or VxWorks' ARINC 673 product for that matter) all the code involved with Linux - kernel, userspace etc. - would need a
      • by Glock27 (446276)
        > Integrity is an RTOS platform, not a general purpose OS.

        Linux is also a widely used RTOS platform. Integrity is optimized for realtime embedded use, but provides all the facilities of a "general purpose" OS. It's also possible to run Linux inside an Integrity partition.

        One aspect of security is that no user should be able to affect the availability of the system through various forms of DOS attack, like the venerable forkbomb.

        I'll look into Xen a bit more, does it allow the partitioning of CPU, memory

        • by Mr. Hankey (95668)
          Linux can certainly be used as an RTOS, in fact I've configured it for several embedded systems, but it's also relatively easy to use as a general purpose OS. If you stick to ARINC 653 (you're right on that of course, it's been a while since I was involved in spec'ing the CPCI boards) a full TCP/IP stack is basically out, amongst other niceties. You can do a cut down one, in our case with a special network card, but not everything works within the 653 spec according to the Green Hills staff with whom I've s
  • by TheGreatHegemon (956058) on Monday June 18, 2007 @09:57AM (#19550143)
    Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.
  • by jimicus (737525) on Monday June 18, 2007 @10:36AM (#19550545)
    Any idiot can build a Linux system which runs absolutely no services whatsoever and uses SELinux to delegate authority appropriately with modern RedHat versions.

    What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

    Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.
    • In practice you can never deliver a system that is exactly the same as the reference design. However, all equipment delivered to the military has to be certified by their own security people. This is a long process which takes months to years. It helps a lot if you can tell them that you followed the reference design up to a point and show exactly where you deviated. Therefore the certification of the reference design is very useful.
    • by drinkypoo (153816)

      > What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

      Right! It was possible to get a C2 security rating with NT4, but you had to remove the floppy drive entirely (not just disable it) and both disable networking and disconnect the networking cable. Great, now you've got a standalone box that does nothing useful, but it's secure! Why not just turn it off?

      • by jimicus (737525)
        I prefer the "bucket of concrete" description. It's rather more final than "disable network and floppy drive", and has the advantage that it's substantially easier to understand by people who are just blindly demanding such certifications.

        Anyone demands a secure system, I would be inclined to point out "I can give you a 100% guaranteed secure system. But I will have to bury it in reinforced concrete."

        On a side note, has anyone attempted to get a system buried in concrete certified as secure?
      • I keep seeing this comment, but it's a bit disingenuous. Yes, it's true that the first evaluation for NT4 required those things, but a secondary review in 1999 allowed NT4 to retain those items. In other words, NT4 did in fact achieve full C2 with networking and floppy.
        • by drinkypoo (153816)
          After hunting around I found a reference that says you are true. It also says that Microsoft formerly claimed that E2 was the highest possible security rating for a general-purpose OS, but once they finally got C2, they claimed that C2 was the highest possible security rating for such a system. So even when I find out I am wrong about MS (I simply never found out about the later review, which is pretty irrelevant coming so close to the end of NT4's useful life but still true) I find more reasons to hate the
  • by KiltedKnight (171132) * on Monday June 18, 2007 @11:50AM (#19551585) Homepage Journal
    Perhaps someone needs to inform Mr. Frye that there are things out there that are higher-rated...

    XTS-400 (Wikipedia entry) [wikipedia.org]

    XTS-400 [baesystems.com]

    That particular system is rated at EAL 5. IBM's only achieved EAL 4.

  • RedHat is EAL4 certified on a particular hardware configuration, no one has physical access and you don't connect it to an insecure network like the Internet. I'm not sure how much use these certs are in the real world. But it does mean something to the PHBs. Now excuse me while my manager explains what ISO 9000 is, again ..
  • "Get the Facts" (Score:2, Interesting)

    by dasunst3r (947970)
    I think Red Hat should send something to Steve Ballmer to rub this in his face... something along the lines of "Looks like you need to Get the Facts about Windows and Linux. Where are your lobbyists now?" along with a copy of the certification.
  • No, EAL-4 is not "TOP". Shame on the press release writers for spreading untruths.

    Nor is EAL-4 the highest rating an OS product has achieved.

    EAL-5 has been achieved by only one complex product in the world last I looked (BAE's STOP OS, a Linux look-alike in API/ABI running on an Intel CPUed platform) and it doesn't lose its security rating when connected to a network.

    The value of the rating system is that it lets everyone see the criteria under which you were judged and the degree of excellence against those criteria determined by independent judges. But the person selecting the product has to know a lot about security to be able to understand the value provided. For example, it is easy to configure most EAL-4 rated OSs in such a way that they void their rating.

    Having been the Product Manager during the STOP evaluation, let me congratulate Red Hat as achieving EAL 4 is a great achievement for their team (and was required of us before we could even submit for an EAL-5). May they now go on and undergo additional time, expense and pain in striving for a higher rating.
