
Red Hat Linux Gets Top Govt. Security Rating

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."
  • by WrongSizeGlass ( 838941 ) on Monday June 18, 2007 @09:12AM (#19549669)

    You will never, ever, become successful on the desktop until idiocy like this is exorcised from the OS.
    ... or the pool of computer users who label themselves advanced just because they can do things that are "comparatively simple in Mac or Windows". If a command line isn't for you, that's fine. Be sure to stay away from 'Terminal' on the Mac and the 'cmd.exe' on Windows.
  • by Anonymous Coward on Monday June 18, 2007 @11:36AM (#19551355)
    The key line is:

    "the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft."

    This is the code base that actually has the certification.

    As soon as ANY change - and that includes adding patches - is made, the code base is no longer certified.

    Any advertisement that the "product has ZZZ certification" for any following product is false. It no longer has certification. But it CAN be advertised as "based on bbbbb with ZZZZ certification".
  • by pantherace ( 165052 ) on Monday June 18, 2007 @11:41AM (#19551443)
    Basically, they tested a specific version. That specific version (not including any patches!) and type of setup qualifies for the rating.

    If there is a vulnerability that would affect that setup/version in its configured state, then the rating is supposed to be withdrawn, the problem fixed, and the system resubmitted.

    Someone has figured out that perhaps, it might be a good idea to not have the vault door sealed, and a hole drilled in the side of the wall, so they tell you to apply security patches.

    For the Windows 2k thing: Its evaluated configuration wasn't vulnerable to any of the security patches, therefore it remains. ... which makes me wonder how stripped down it was. Probably no networking, among other things, because I can't think of much in 2k that hasn't had a security hole!
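The two comments above make the same practical point: the certification attaches to one specific set of package versions and settings (the evaluated configuration), and any change, including a security patch, takes the running system outside it. The following script is an added illustration of how an administrator can check that, and is not code from Red Hat, IBM, any commenter, or any Common Criteria evaluation. The baseline and host inventories are constructed sample data in `rpm -qa --qf '%{NAME} %{EVR}\n'` style; the package names and version strings are placeholders, not the contents of any real evaluated configuration.

```python
"""Compare an installed package inventory against an evaluated-configuration
baseline and report every deviation (changed version, added or missing package).

Added example for this discussion; not code from Red Hat, IBM or any evaluator.
"""
from dataclasses import dataclass, field

# Constructed baseline: package -> version recorded for the evaluated configuration.
# These values are placeholders, not a real certified configuration.
BASELINE_TEXT = """\
kernel 2.6.18-8.el5
openssh-server 4.3p2-16.el5
audit 1.3.1-1.el5
pam 0.99.6.2-3.14.el5
"""

# Constructed inventory of a host that has since had a kernel errata applied
# and an extra package installed.
HOST_TEXT = """\
kernel 2.6.18-8.1.4.el5
openssh-server 4.3p2-16.el5
audit 1.3.1-1.el5
pam 0.99.6.2-3.14.el5
telnet-server 0.17-38.el5
"""


def parse_inventory(text):
    """Parse 'NAME EVR' lines into a dict. Blank lines and '#' comments are skipped;
    a line that is not exactly two fields is treated as corrupt input."""
    inv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed inventory line: {line!r}")
        name, evr = parts
        inv[name] = evr
    return inv


@dataclass
class Drift:
    """Every way the host differs from the evaluated configuration."""
    changed: dict = field(default_factory=dict)  # name -> (baseline EVR, host EVR)
    added: dict = field(default_factory=dict)    # name -> host EVR (not in baseline)
    missing: dict = field(default_factory=dict)  # name -> baseline EVR (not on host)

    def in_evaluated_configuration(self):
        """True only when the package set matches the baseline exactly."""
        return not (self.changed or self.added or self.missing)


def compare(baseline, host):
    """Compute the drift of `host` relative to `baseline`; both are name -> EVR dicts."""
    drift = Drift()
    for name, evr in baseline.items():
        if name not in host:
            drift.missing[name] = evr
        elif host[name] != evr:
            drift.changed[name] = (evr, host[name])
    for name, evr in host.items():
        if name not in baseline:
            drift.added[name] = evr
    return drift


def report(drift):
    """Render the drift as one line per deviation, sorted for stable output."""
    lines = []
    for name, (base, cur) in sorted(drift.changed.items()):
        lines.append(f"CHANGED {name}: evaluated {base}, installed {cur}")
    for name, cur in sorted(drift.added.items()):
        lines.append(f"ADDED   {name}: {cur} (not part of the evaluated configuration)")
    for name, base in sorted(drift.missing.items()):
        lines.append(f"MISSING {name}: evaluated {base}, not installed")
    if not lines:
        lines.append("OK: package set matches the evaluated configuration")
    return lines


if __name__ == "__main__":
    drift = compare(parse_inventory(BASELINE_TEXT), parse_inventory(HOST_TEXT))
    print("\n".join(report(drift)))
```

Run against the constructed data, the kernel errata shows up as CHANGED and telnet-server as ADDED, so the host is outside the evaluated configuration even though the kernel change is a security fix. That is exactly the tension the comments describe: the script cannot tell you whether a deviation is an improvement, only that you now have to justify it to whoever relies on the certification. On a real system the host side would come from `rpm -qa --qf '%{NAME} %{EVR}\n'` and the baseline from the evaluator's configuration guide, and a complete check would also cover the non-package settings (enabled services, audit rules) that the evaluated configuration fixes.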
  • Re:CentOS too? (Score:3, Insightful)

    by flyingfsck ( 986395 ) on Monday June 18, 2007 @12:12PM (#19551963)
    Sort-of. It depends on your contractual requirements. I always try to sneak in a provision to the effect that 'The system will use the CAPP/EAL4 reference design as a guideline'. Schtuff delivered to the military needs to be certified by their own security people anyway, but it helps a lot if you can show that you followed the CAPP/EAL4 configuration and point out where you had to deviate.
  • by init100 ( 915886 ) on Monday June 18, 2007 @12:12PM (#19551965)

    Why, pray tell, would any 'average' user wish to dick around with vi and text-editing config files? Hint: They wouldn't.

    True, but I also think that most average users would take a text-based configuration file, especially one with instructive comments, over the Windows Registry any day of the week.

    I'm not saying that registry editing is a usual occurrence, but sometimes it needs to be done, and I would prefer clear text files every time. Especially those parts of the registry indexed on class GUID are really opaque.

  • by Bender0x7D1 ( 536254 ) on Monday June 18, 2007 @12:30PM (#19552303)

    For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.

    I attended a presentation regarding these certifications from a manager at IBM, (I forget his name), that had taken several products through the certification process and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure and a lot of people may have reviewed it and declared it secure, (even the auditors), but without the corresponding documentation it can't pass certification. Why not? Well, without a design document, I can't verify the implementation actually does what it is supposed to. Also, without the user documentation, how do I know that I have to have certain services running for the behavior to be valid? The auditors are allowed to do anything they want to the system that isn't forbidden in the documentation. So, if it isn't documented that you can't turn off some security service, it is fair game. That's why the product, in a certain configuration, is certified and not any system that happens to run the OS.

    I think this is why we will only see high levels of certification going to corporate sponsored OSes. Let's face it, most open source developers don't want to spend most of their time documenting their work - they want to actually do it. It is only when you have management that focuses on the certification process, and holds everyone accountable for proper documentation, that the requirements can be met.

  • by Jesus_666 ( 702802 ) on Monday June 18, 2007 @01:35PM (#19553365)
    I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own CD rips from Grip, I can install most Windows versions without a problem, and I'm damned proficient at packages like Paint Shop Pro and the GIMP. In addition, I'm a gamer from back in the DOS/Win95 days, so concepts like editing undocumented system-critical settings (Registry hives) don't necessarily scare me.

    That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.

    A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.

    B) Any time I'm forced to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.

    C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.

    I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.
  • by Nutria ( 679911 ) on Monday June 18, 2007 @01:44PM (#19553531)
    it's just a rubber-stamp for administrators that don't want to understand security.

    No, it's not.

    "EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be very secure by people who care and know what they are doing.