Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Red Hat Software Businesses Linux Business Security

Red Hat Pushes For CC Certification By Year's End 183

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."
This discussion has been archived. No new comments can be posted.

Red Hat Pushes For CC Certification By Year's End

Comments Filter:
  • by Punchinello ( 303093 ) * on Sunday November 30, 2003 @09:09PM (#7595609)

    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX

    Red Hat will also sit along side Windows 2000 which also has the Common Criteria certification. See the press release:

    http://www.microsoft.com/presspass/press/2002/oct0 2/10-29CommonCriteriaPR.asp [microsoft.com]

    • by EmbeddedJanitor ( 597831 ) on Sunday November 30, 2003 @09:10PM (#7595619)
      Damn, just when I thought the certification had some value!
      • by calebtucker ( 691882 ) on Sunday November 30, 2003 @09:14PM (#7595650) Journal
        Yeah, I kinda scratched my head when I saw a microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, outlook, IIS *cough*).
        • by tonyr60 ( 32153 ) * on Sunday November 30, 2003 @09:22PM (#7595696)
          Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do. Just because a bunch of products have Common Criteria Certifications does not mean that they are equally secure. HP-UX, Solaris, Win2K and soon Redhat will have achieved Common Criteria certification but it does NOT mean that they are equally secure.
          • Exactly. Try putting an unpatched Solaris or HP-UX box on the public internet!
          • The CC functional requirements are very specific. If two products claim to satisfy an identification requirement (for example) and both pass evaluation, then you have some assurance that they've both correctly implemented it. That assurance is based on the evaluation assurance level. That doesn't mean they're equal, but it sets the lower bound.

            Incidentally, any security product can be evaluated under the CC; there are many functional requirements that wouldn't immediately come to mind (e.g., anonymity r
          • So it's a bit like ISO9000.... you can put ISO9000 labels on concrete lifejackets - so long as you build them according to your inhouse procedures.
            • by Iorek ( 68393 ) on Sunday November 30, 2003 @10:21PM (#7595953) Homepage Journal
              There's a difference, though. The security target evaluation (at the beginning of the evaluation - it really scopes the evaluation) is a sanity check. The evaluator would certainly fail the ASE components of a concrete lifejacket evaluation. The evaluator is making sure the functional requirements are mutually supportive, that the security problem they're solving is well defined, that the requirements themselves can solve that problem... It's far more than a "This is what I do... See, I'm doing what I say I do."
          • by Guppy06 ( 410832 ) on Sunday November 30, 2003 @10:24PM (#7595963)
            "Common Criteria is about validating that the OS/Firewall/etc. etc. does what the VENDOR says it will do."

            Microsoft: "This operating system has numerous vulnerability exploits and poor compatability with old drivers and applications."

            CC board: "Well, whaddaya know, so it does!"
          • The Common Criteria seems to be at least as much about money as security.

            If I were concerned about security, I'd start looking at OpenBSD first, FreeBSD next.

            But those OS's don't seem to be on the CCEVS list.

            It's ridiculous that a monetary hurdle will arbitrarily exclude excellent secure OS's from consideration while including less secure OS's that do little more than buy certification.

            IMHO an impartial standards body like NIST ought to periodically evaluate OS's for security, performance and reliabili

        • by Jeremiah Cornelius ( 137 ) on Sunday November 30, 2003 @09:23PM (#7595700) Homepage Journal
          Yeah. Most CC implementations are on private segments - no WAN or Internet links.

          Easy enough to fly your OS in those restrictions...

          Remember the Orange Book C2 security for Windows NT? That was only for a standalone box - no net, no modem.

          The Rainbow Books were a forerunner to the CC - which represented a harmonizing of the Red/Orange Books with Canadian Govt InfoSec standards.

        • I thought that EAL4 wasn't very secure [slashdot.org] at all anyway.
          • Remember, this is slashdot. So EAL 4 could be not secure at all when Microsoft certifies Windows for it. But EAL 2 (lower level) could be very secure once Red Had is in the game.

            In reality, EALs does not certifies the security, it certifies functionality of security-related applications. So EAL certification does not say "this product does not have security vulnerabilities" (no certification can), it sais "this product implements such methods of access control, such authentication procedures, etc".

        • Who the hell worries about putting IE or even OUTLOOK of all things on a server? Who puts IIS on anything but a web server?

          You dont really work on servers, do you?

          • I don't put IE or Outlook on a server - because I have eliminated MS server class machines!!!!!

            Anyway if you wern't totally ignornt, you would know that it is very painful to install any edition of Windows that currently ships without bug infested IE. You obviously failed even your Minesweeper Consultant and Solitaire Expert exam.

    • You have to be a little sceptical as to its value in that case. Does anyone have any links as what the Criteria actually are?
      • Basically, the CC is a standard for evaluating a product's security. I think the US government requires a certain level of certification for any computer that handle sensitive data (EAL2 maybe? can't remember).

        Soooo, I see the CC simply as a way to get government contracts for your product/software if you have enough money to front on the certification ($200k to $millions). So basically, a product evaluated at some EAL doesn't mean a whole lot IMHO.
      • by Iorek ( 68393 ) on Sunday November 30, 2003 @09:45PM (#7595809) Homepage Journal
        The Common Criteria are composed of two types of requirements: security functional and security assurance. The requirements are different for each evaluation, so you need to read what's called a security target to find out which ones are relevant to the specific evaluation.

        For example, Windows 2000 was evaluated against all the security assurance requirements in the EAL4 package (plus a few). There were also a ton of security functional requirements based on what Windows 2000 provides (e.g., identification, authentication, audit, etc.). For details, read the Target of Evaluation Description section of the ST at http://niap.nist.gov/cc-scheme/CCEVS_VID402-ST.pdf

        Red Hat's Enterprise Linux will have their own ST.
    • by Jeremiah Cornelius ( 137 ) on Sunday November 30, 2003 @09:16PM (#7595663) Homepage Journal
      CC is restricted to VERY specific implementations.

      No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of may hundreds of thousands USD.

      I suppose that it makes a decent benchmark of sorts. Still, its mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

    • Ya, 'cept they wont go near XP with a dirty stick.
    • w2000...
      Why waste money in a certificate of security that is sooo useless?
      Money better spent elsewere for sure.
    • by Storm ( 2856 ) on Sunday November 30, 2003 @09:31PM (#7595739) Homepage
      Its pretty well common knowledge in the security community that Microsoft paid for that certification.

      While I can't remember if it was specifically Windows 2000 with the Common Criteria or Windows NT with the Orange Book Cert, I do remember that the system configuration which won them the cert was with no network connection, no floppy drives, and no CDROM drives on the box that was tested. In essence, no non-keyboard input methods. (They couldn't guarantee the OS would stay clean long enough to get the cert.)

      Basically, the certification was useless as soon as you configured the box to do any useful processing on the machine. Then again, many would say that is the same of Windows itself.
      • by Jeremiah Cornelius ( 137 ) on Sunday November 30, 2003 @09:44PM (#7595807) Homepage Journal
        You are talking about Orange Book C2. This is the standard config for this certification.

        It is a step above C1 - no attempt made to secure the platform!

        C2 does have fairly strigent requirements regarding the separation of roles and audit history by role/principal.

        All of which are guaranteed in a standalone config.

        • by Mr. Slippery ( 47854 ) <tms&infamous,net> on Sunday November 30, 2003 @10:05PM (#7595887) Homepage
          It is a step above C1 - no attempt made to secure the platform!
          That's D. (Actually, D is reserved for systems that fail evaluation.)

          C1 (about equivalent to CC's EAL 2) does describe some very minimal security requirements, but the system doesn't need to distinguish individual users. C2 (~= EAL 3) adds a little more, including the requirement to identify individual users. The C levels require Discressionary Access Controls (basically, ACLs).

          The B levels (B1, B2, and B3, roughly corresponding to EALs 4, 5, 6) add Mandatory Access Control - basically, the ability to label something at a sensitivity level and to have users have clearances to only read things at at or below a certain level, and write things at or ablove a certain level (can't have a Top Secret user writing unclassified files). A level (EAL 7) requires a formal mathematical validation of the system.

    • by c1ay ( 703047 ) on Sunday November 30, 2003 @09:54PM (#7595842) Homepage
      How does a system where new security holes are discovered daily get this certification? Can it be revoked? Me thinks Windows Security is the world's second most rated oxymoron behind Microsoft Works!!!
  • A pity (Score:2, Insightful)

    by meridian ( 16189 )
    we will never see Debian get this
    • Re:A pity (Score:5, Informative)

      by calebtucker ( 691882 ) on Sunday November 30, 2003 @09:12PM (#7595628) Journal
      Probably not.. if I understand correctly, EAL 2 costs about $200-300k, and EAL 4 can cost around $1mil
    • Not really. I'm not bashing Debian here, but it's not likely any government agency or fortune 500 company is going to be adopting a community-supported distribution for widespread use any time soon. Government agencies and fortune 500 companies typically (read usually, not always) don't like software that doesn't come with a support agreement, even if it is arguably a better product. In any case though, this shouldn't change anyone's opinion of Debian. A certification should not be confused with quality
  • SuSE? (Score:5, Interesting)

    by santiag0 ( 213647 ) on Sunday November 30, 2003 @09:10PM (#7595618)
    Does anyone know if SuSE/Novell is pursuing this same certification?
  • At last... (Score:4, Interesting)

    by Zenophran ( 139656 ) on Sunday November 30, 2003 @09:13PM (#7595639)
    We're looking to use it in some places, but wasn't able to think of it until we found out it was going through certification.

    It mightn't mean much to some places, but for government organisations, it's a big step to getting it in more places than just using it for "development toys".
  • One small step (Score:4, Interesting)

    by Anonymous Coward on Sunday November 30, 2003 @09:13PM (#7595642)
    This is another way of legitimizing Linux in the corporate world. Despite Red Hats recent business decisions over all this is a very strong/smart move for all Linux users.
  • by sczimme ( 603413 ) on Sunday November 30, 2003 @09:16PM (#7595657)

    you can read about the Common Criteria here [nist.gov].

    Unfortunately, the other site [commoncriteria.org] has been shut down.
  • SuSE Linux (Score:4, Informative)

    by Anonymous Coward on Sunday November 30, 2003 @09:23PM (#7595701)
    This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX.

    ... and SuSE Linux [suse.com].

  • anything changed? (Score:2, Insightful)

    by Anonymous Coward
    at least linux-inclined sysadmins working for companies (who require too much of a product) will be able to select a linux variant without too-much-persuading their bosses. that is a biggie, i think, for a considerable number.
  • by DeepEyes78 ( 551679 ) on Sunday November 30, 2003 @09:24PM (#7595708)
    Red Hat couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

    drip...drip...

    Excuse me, I've got sarcasm dripping from my chin...
  • by Ricin ( 236107 ) on Sunday November 30, 2003 @09:25PM (#7595717)
    One more useless qualification-paid-for-sign-dotted-line.

    People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).

    One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....

    When something happens, formalizing it usually means restricting it from "just" happening further. Mkay ;-)

    • What do you mean? (Score:3, Insightful)

      by pr0ntab ( 632466 )
      The CC label is REQUIRED for some government computer work for which linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSe, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.

      It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that
  • by oo_waratah ( 699830 ) * on Sunday November 30, 2003 @09:32PM (#7595746)
    From the original February discussion. This has even more relevance now. ...

    "The Common Criteria, ..., grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems."
    Does that mean that the US Gov. will be officially saying that the Kernel development model is OK ?
    • it isn't 'the Kernel development model' rather, the open source development model that they would be giving the ok for.
      • > it isn't 'the Kernel development model' rather, the open
        > source development model that they would be giving the ok for.

        Actually, it's the "open development model". The term "OpenSource" was created in 1998. Before this, many Free Software projects used the open development model. Linux was the first big one and it's use of this model really took off in 1992.

        (and anyway, they're not certifying a development model, they're certifying a specific box set.)
    • The implementation of Linux submitted for evaluation came from RedHat as do the support services. Therefore it is only RH's implementation of Linux plus support that has been accepted.

      OTOH, I guess it would not be a major problem for another vendor to go down this same path with Linux, as long as they can demonstrate a similar implementation process.

  • by Wesley Felter ( 138342 ) <wesley@felter.org> on Sunday November 30, 2003 @09:35PM (#7595758) Homepage
    RHEL is getting certified at EAL2, which is really weak.

    Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here. For more info, read Jonathan Shapiro's article [jhu.edu].
    • by Anonymous Coward
      Even the Windows 2000 EAL4 certification only protects against "inadvertent or casual attempts to breach the system security." No real security here.

      EAL4 is the highest Windows, or any other commercial off-the-shelf application will ever get. Anything higher requires design verification from the planning stages and is intended for custom built applications for specific purposes.

  • by segment ( 695309 ) <sil AT politrix DOT org> on Sunday November 30, 2003 @09:35PM (#7595761) Homepage Journal

    KungFUnix proudly introduces CUP, Certified Unix Pimp certification. Now you too can study and memorize 50 common criteria books we select and get kickbacks from in order to achieve your goal of adding the word CUP to your signature.

    NO EXPERIENCE NEEDED!
    That's right act now and send us 2,000.00 (US), and we'll gladly present you with information on obtaining this new and exciting certification. So what can you do with a CUP certification:

    • Impress your clueless CTO
    • Impress friends
    • Add the word CUP to CCNA, MCSE, or CISSP
    • Use the cert for a dustrag
    • Smoke a doob with the cert
    shrugs Certs who needs em.
  • Other Distributions? (Score:4, Interesting)

    by Storm ( 2856 ) on Sunday November 30, 2003 @09:37PM (#7595772) Homepage
    I was just wondering whether or not other distributions can use the work that RH is doing to get a "common Common Criteria" effect. After all, they are all using the same Ring 0 piece, being the Linux kernel. After that, it should just become a matter of configuration verification...

    And with the support that Linux has gotten from the NSA, through SE-Linux, I would think a lot of the in-depth work on Linux has been covered.
  • by Ricin ( 236107 ) on Sunday November 30, 2003 @09:42PM (#7595795)
    Since the discussion so far was so boring let's instead wonder why RH is so eager to wlk the "established commerce" path.

    I'll tell you what their problem is: they're the first. The first always loses. They get to fight the hardest their own community, they get all the surprises boomeranged back to them, they just get everything first. Even if they don't really innovate. And _that_ is going to kill them. They don't know how to react any more (heck no one does) and so they jump back into corporate logic... which they were seen as being a counter to.

    I don't know I don't have much love for them but neither do I have any hate towards them. But I feel that the 5th or so is going to be the one that matters 5 years from now. Heck it may be a BeOS clone or a BSD even so. IMHO, we're now at a point where armies die, believe it or not.

    Footnotes are recorded right now.

  • EAL4...so what (Score:5, Informative)

    by solli ( 515086 ) on Sunday November 30, 2003 @09:43PM (#7595804)
    The CC evaluation comes in two parts:
    A profile for the evaluation, and the assurance level to which you achieve that profile.

    So if your profile is essentially "can boot" you can probably achieve that with a high level of confidence. All this talk of EAL4 is pointless unless you are told what the profile is.

    In the best case, this only means that RH (and Windows, for that matter) could be used in a system carrying information classified at a single level, say, "secret".

    In no (normal) circumstance would either RH or Windows be used to handle information classified at two different levels, such as secret and unclassified. If you want to do that, you need to use Trusted Solaris or some other evaluated "Trusted" operating system. Getting a evaluation for a system that can label information and keep different types of information apart (B1 or B2 in DOD Orange Book parlance) is a whole different ball of wax than what RH and Windows received (C2).

    • with Apple trying to get serious in the Unix / server world... i wonder if they would move darwin into a position of a old-school unix... trying to go on par and beat out redhat/suse, and even go for irix/hp-ux/win2k pro. They have the money, and it is only going to give them more leverage in the business world.
    • You hit the nail on the head there - unfortunately it seems no media has even attempted to understand the basics of CC, when reporting on this...

      A CC certification consists of two parts:
      An "assurance level", and either a "security target" or a "protection profile".

      A protection profile is a sort of a "standardized security target". A description of a number of requirements that you evaluate your system against. Whereas, a "security target" is something you yourself write, if you do not want to certify your
  • Meh (Score:4, Informative)

    by avageek ( 537035 ) on Sunday November 30, 2003 @09:48PM (#7595827)
    Speaking as someone who works for the government and knows exactly what a Common Criteria Certification is worth, why the hell do the Red Hat people think they're going to be major players by getting certified to EAL-2? I mean, seriously, *anyone* can get EAL-1, so they put just a tiny bit more effort (and dough) into it to get EAL-2, when competing operating systems like Windows and Solaris are EAL-4. No one is going to take them seriously with just an EAL-2. And that explains why it'll be done by the end of the year. And by the way, the CCC is a bunch of BS that tells you absolutely nothing about how secure a system is. For the government, it just dictates what you can and can't buy.
    • Re:Meh (Score:3, Interesting)

      by Iorek ( 68393 )

      "Speaking as someone who works for the government"

      Well, speaking as someone who works for a government's CC certification scheme, EAL2 actually does give you some assurance, and I've personally seen companies stumble in getting it. At that level, you're taking a closer look at the developer's design, configuration management and testing; you're making sure they conduct a proper vulnerability analysis, and devising your own penetration tests. It's a significant jump from EAL1.

      • I didn't say it gave you no assurance. I just said it wasn't enough when competing with the likes of Microsoft and Sun. Hmm, let's do the math, EAL-4 is greater than EAL-2, and EAL-2 is just not that great, even if some companies do screw up in trying to get it. Trusted Solaris has a great reputation as far as secure operating systems go, is EAL-4, and a lot of security software is based on it. Who is going to win that battle? It ain't gonna be Red Hat or SuSE. It may let them get their foot in the do
  • Now that's distinquished company.

    the main distinguishing charactaristic being that almost no-one uses them any more...
  • RHEL is to be tested for EAL2, which is rather different from EAL3 OSes (IRIX and Trusted IRIX/CMW) and EAL4 OSes (AIX5, HP-UX 11, Solaris8 and Trusted Solaris8, and Win2k Pro). In fact, the *only* OS RHEL will be "alongside" is SuSE. See this site [nist.gov] for details.

    Note that EAL2 is something that provides essentially no assurance of security. You can find details of this in Google's cache [216.239.39.104] (www.commoncriteria.org is no longer alive).

  • by Drestin ( 82768 ) on Sunday November 30, 2003 @10:00PM (#7595870)
    And this is almost 4 years after Windows 2000 did it with ease. Of course, Windows XP/2003 are even more secure so...

    What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification? Unless it was unachievable... Vendors know ahead of time if they'll pass or not, all the criteria is there for the public to review. You don't submit until you are already sure you'll pass. Obviously Linux is not EAL 4 ready. Windows 2000 is not only EAL 4 but also augmented with ALC FLR 3.

    Who is going to notice an effortless to achieve EAL 2?

    • What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification?

      It costs time and money to do this and what for? All the 'trusted OS' systems have to be rigorously certified on specific hardware and with a specific version of driver, etc. This limits their usefullness. They lag the technology curve by a considerable amount of time. (for example, certification occurs on a 2.4.21 kernel--but if your newest network card requires 2.4.23 too bad)

      NSA has wor
    • It is extremely time consuming. The main problem for Linux will be the requirements of documentation and development.

      For example, EAL4 requires a "Developer defined life-cycle model". That just doesn't merge well with Linus approach of "when it's done".
  • RH grows up (Score:2, Insightful)

    ... and it has *very little* to do with their stock price. It has a lot to do with credibility when making a sale.

    Think of it this way: lots of tech people get certifications such as CCNA, MCSE, etc. in order to get through the hiring process. The actual certifications may be meaningless in any number of ways, but the hiring people insist on them.

    Now, think of this: RH, as a fictitious person (a corporation) needs to get this cert so it can get that cool job. They want to get hired for that big enterpri

  • will someone please *off* the AC troll that's going on about the cert types? Yes, I *know* the diff, without even RTFA, and I *own* an original Orange Book. FWIW, the anti-troll ammo is on me for the next 12 Z
  • by Skapare ( 16644 ) on Sunday November 30, 2003 @10:59PM (#7596103) Homepage

    Security cannot be determined from simply doing a suite of tests, and determining that it must be secure if the tester was unable to break in. The biggest variable that affects security is the administration of the machines ... and this applies to all systems, BSD, Linux, Solaris ... and yes, even MS Windows. Even OpenBSD clearly states their history of security (note, they never claim that is is secure, only that it has been to a certain degree) is based on the default install. Change it in any way, and all bets are off.

    Security is not a thing you can just buy. Likewise it cannot be an attribute or property of a thing you can buy (or download). Security is in how you go about every aspect of the way you work, and not just in computers and networks. Social engineering is still a very workable way to access what you are not authorized to access. Poor passwords are incredibly common, for example (spammers are now using password guessing successfully to log into SMTP AUTH and MSA mail ports to submit their garbage ... they already have your userid). People are the weak link.

    So ... IMHO ... the Common Criteria Scheme is nothing more than a bunch of feel-good paperwork for PHBs. Unfortunately, it's what PHBs want to see, so vendors like Red Hat do need to play into this BS just to get some sales. But it doesn't tell you squat about real security.

    • Security cannot be determined...

      The CC have nothing to do with security in the sense you are talking about.
      They are all about trust and assurance, and about evaluation of security procedures. For example, documentation takes a central role, as does version management during the development process.

      It's got nothing to do with stuff like default configurations, open ports, buffer overflows or what have you. It just tackles the problem on an entirely different level.
  • Get the specs... (Score:4, Informative)

    by inode_buddha ( 576844 ) on Sunday November 30, 2003 @11:17PM (#7596181) Journal
    ...here [ncsc.mil], look at the column under "Criteria". Be careful not to slashdot it - note the .mil domain ;)
  • KDE... (Score:3, Funny)

    by grokster ( 557481 ) on Monday December 01, 2003 @04:16AM (#7597058)
    The KDE.org folks can leverage this to get Kommon Kriteria certification...
  • For an OS like Linux, thats always changing and evolving, how relevant is a Cert of this nature ? In an OS like Windoze where there are very little ( or far and few ) feature updates, between fairly long drawn out release cycles one can understand that each version being certified can mean something.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...