Red Hat Software Businesses Security

Red Hat Linux Gets Top Govt. Security Rating

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."

  • CentOS too? (Score:3, Interesting)

    by frankenheinz ( 976104 ) on Monday June 18, 2007 @09:10AM (#19549647)
    So does CentOS get some sort of auto cert then?
  • by vfrex ( 866606 ) on Monday June 18, 2007 @09:13AM (#19549679)
    What does that have to do with RHEL? It is designed to be a stable server platform. Your post has so little to do with the article, I'm going to need to ask you to RTFM.
  • by crush ( 19364 ) on Monday June 18, 2007 @09:16AM (#19549705)
    It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC [wikipedia.org] and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.
  • by jimstapleton ( 999106 ) on Monday June 18, 2007 @09:28AM (#19549823) Journal
    Are you naturally this off topic, or did it take effort?

    Ignoring for the moment I agree with *some* of your points, Linux on the desktop has nothing to do with this post, it is entirely about Linux as an enterprise grade server OS.
  • Actually AppArmor would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

    --dave

  • by morgan_greywolf ( 835522 ) on Monday June 18, 2007 @09:42AM (#19550001) Homepage Journal
    Hmmm...I'm getting conflicting information. According to this Microsoft White Paper [microsoft.com] (sorry, Word .DOC format), the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.
  • by asliarun ( 636603 ) on Monday June 18, 2007 @09:54AM (#19550105)
    Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

    Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis a vis other OSes, especially Linux, and especially in terms of security.
  • by TheGreatHegemon ( 956058 ) on Monday June 18, 2007 @09:57AM (#19550143)
    Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.
  • by jimicus ( 737525 ) on Monday June 18, 2007 @10:36AM (#19550545)
    Any idiot can build a Linux system which runs absolutely no services whatsoever and SELinux to delegate authority appropriately with modern RedHat versions.

    What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

    Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.
  • "Get the Facts" (Score:2, Interesting)

    by dasunst3r ( 947970 ) on Monday June 18, 2007 @02:06PM (#19553887) Homepage
    I think Red Hat should send something to Steve Ballmer to rub this in his face... something along the lines of "Looks like you need to Get the Facts about Windows and Linux. Where are your lobbyists now?" along with a copy of the certification.
  • by sn00ker ( 172521 ) on Monday June 18, 2007 @08:34PM (#19559037) Homepage

    I'd wonder if openbsd has received this security rating?
    Of course it hasn't. Certification costs a lot of money (tens- if not hundreds-of-thousands of dollars), and there're no organisations with that kind of money that have a major interest in OpenBSD. Could it pass? No, because it lacks RBAC/MAC and other necessary security systems. Has it even been tested? Certainly not, because nobody's put it up for certification, and also because the team that produces it haven't built in subsystems for RBAC/MAC. That's not their aim, and likely never will be.

    On a side note, FreeBSD does have MAC capabilities, and could probably be configured to pass at least EAL3 (not sure about the design verification requirements for getting EAL4), but like OpenBSD it lacks a massive, financially-interested organisation to sponsor it through all the testing. Note that RHEL5 was sponsored by IBM, not by RedHat, which gives a very clear indication of just how much financial backing is necessary to seriously attempt to get a system certified under the Common Criteria. Getting an EAL certification, as the Wikipedia entry [wikipedia.org] on the topic states, is not a significant indicator of the security of a system. It just shows that the system was tested against certain criteria and passed.
