Red Hat Linux Gets Top Govt. Security Rating

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."

CentOS too?

[frankenheinz]

So does CentOS get some sort of auto cert then?

Re:CentOS too?

[Anonymous Coward]

> So does CentOS get some sort of auto cert then?

No. CentOS (i.e., the actual binaries built by the CentOS team on the particular set of hardware used by the CentOS team) needs to go through the exact same evaluation process, with documentation and all.

Re:CentOS too?

[crush]

The certification is specific to the combination of RHEL on IBM eServers. So specific hardware and specific version of the OS. That said, practically there'd probably be no functional difference with CentOS on the same hardware ... but you couldn't run it if the certification were mandated.

Re:

[crush]

And it should soon (Jun 21) also be certified to the same level on HP hardware. See entry 10165 here: http://www.niap-ccevs.org/cc-scheme/in_evaluation. cfm [niap-ccevs.org]

Why is it hardware-specific?

[Dadoo]

Any idea why the certification is hardware specific? What do IBM eServers have that commodity hardware doesn't?

Re:

[Bishop]

This certifications at the EAL4 and up levels are all functional tests. That is the actual system is run. Software by itself cannot run. It needs the hardware. These types of certifications are designed to eliminate as many unknowns as possible. Any RHEL system should behave the same but can you guarantee that? Consider the simple case as a bug in a hardware driver in one system but not in the tested system. That said, it is reasonable to expect that all x86 type hardware similar to the eServers would achie

Re:

[flyingfsck]

Sort-of. It depends on your contractual requirements. I always try to sneak in a provision to the effect that 'The system will use the CAPP/EAL4 reference design as a guideline'. Schtuff delivered to the military needs to be certified by their own security people anyway, but it helps a lot if you can show that you followed the CAPP/EAL4 configuration and point out where you had to deviate.

For people who don't grok EAL4 and ALC_FLR.3

[davecb]

This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).

The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

--dave

Re:For people who don't grok EAL4 and ALC_FLR.3

[crush]

It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC [wikipedia.org] and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.

Re:

[davecb]

Actually AppArmour would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

--dave

Re:

[morgan_greywolf]

Hmmm...I'm getting conflicting information. According to this Microsoft White Paper [microsoft.com] (sorry, Word .DOC format), the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.

Re:

[dylan_-]

the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received.

Here [niap-ccevs.org] is the Windows cert. Here [niap-ccevs.org] is the Redhat one. Notice that under PP identifiers Windows has CAPP, while Redhat has CAPP, LSPP and RBACPP.

Re:

[morgan_greywolf]

Not only that, but those Windows is only certified on specific hardware, while the same is not true of the RHEL5 cert. Thanks for pointing that out. It shows once again that a solid stable system like RHEL5 is indeed more secure than Windows, even if only it is because the military believes it to be so. But I'm guessing that military IT might know a thing or two about good systems security. ;)

Re:

[Anonymous Coward]

Actually Military IT isn't the greatest. Too many young kids with not enough experience. However, the NSA does the accreditation and they, unlike the above poster states, are very good at what they do. The testing does'nt prove that the OS is more secure; it demonstrates that it is designed securely, and more importantly, that it has adequately tamper-resistant auditing and adequately rigorous permissions. That's why POSIX compliant OS'es aren't very convenient to certify; the permission systems are very di

Re:

[bill_mcgonigle]

But I'm guessing that military IT might know a thing or two about good systems security. ;)

Their stakes may be slightly higher too.

Re:

[HuguesT]

Actually, Here [niap-ccevs.org] is the RHEL5 cert (both your links are the same).

Re:

[spevack]

This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives).

It's more accurate to describe RHEL and CentOS as derivatives of Fedora. Fedora is the upstream for all other distributions that are in the Red Hat family. Red Hat Enterprise Linux is derived from Fedora, and CentOS is in turn derived from Red Hat Enterprise Linux.

SELinux, for example, appeared in Fedora long before it ever appeared in RHEL or CentOS.

Re:

[asliarun]

Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis a vis other OSes, especially Linux, and especially in terms of security.

Re:For people who don't grok EAL4 and ALC_FLR.3

[crush]

I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.

Re:

[Nutria]

it's just a rubber-stamp for administrators that don't want to understand security.

No, it's not.

"EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be very secure by people who care and know what they are doing.

Re:

[jae471]

I believe you are correct. From what I've read, OpenBSD is tops when it comes to security. I haven't tested this in practice, though.

Re:

[cowbutt]

Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product). If there's no other way of performing a function, it might be justifiable, but it'll be a brave sysadmin that pursue

Re:

[asliarun]

Yes, I realize that my question was off-topic. My question was a more generic one, namely Linux v/s OpenBSD in terms of security.
I was also interested in knowing how popular BSD and Linux are for these kind of requirements.

Re:

[raddan]

The OpenBSD people have specifically stated that they will not pursue these kinds of certifications, because they take developer time away from actually making the operating system secure. IIRC, their opinion was that most of these certifications were based on a number of arbitrary tests that did not actually measure (nor accurately repsent) real-world security exposure. I don't know enough myself to comment on the subject, though. The subject may also be complicated by the fact that the OpenBSD's relati

Certifications aren't always required

[DragonHawk]

No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product).

It's worth pointing out that these kinds of generic certifications aren't always required. They're generally required when you're doing multi-level security -- people with varying levels of trust using the same system. For example, if you need the system to prevent SECRET information from becoming available to a user who is only cleared to CONFIDENTIAL. Th

Re:

[Bender0x7D1]

For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.

I attended a presentation regarding these certifications from a manager at IBM, (I forget his name), that had taken several products through the certification process and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure a

Re:

[evilviper]

Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well.

The confusion here is that this certification has nothing to do with exploits or kernel bugs (the form of security most people talk about on a regular basis). We're talking about CIA/NSA levels security. It's based largely on how finely-grained the system permissions are, so that an exploited application can't access any other files, open any other ports, etc., etc., as

Re:

[Nevyn]

The difference, though, is that RedHat is a company, which wants to pay for certification so they can use it to market their product.

Actually that's just wrong. Red Hat doesn't really pay for them, the HW vendors like HP and IBM do ... so Trusted*BSD should easily be able to get that certification, if people wanted to buy systems with it.

But in my opinion the real major difference is that Fedora is a usable general purpose OS with MAC capabilities, this is like if FreeBSD shipped all of the code for

Re:

[evilviper]

this is like if FreeBSD shipped all of the code for MAC and TrustedBSD just shipped a policy file to enable it.

In fact much (most? all?) of the TrustedBSD code has been integrated back into FreeBSD 6.

Re:

[budgenator]

These levels of security require levels over and above what available in BSD as far as I know. The usual unix model of world/group/user isn't fine-grained enough for this. Linux has it only because the NSA has been working on it for years; I don't even pretend to understand SELinux.

Re:

[deskin]

Good question. I haven't spent much time with any BSD system, but I've spent enough with SELinux (personal pet peeve: it's not `SE Linux', though `SElinux' or 'selinux' are acceptable) to know a bit about the difference. Pardon me if I wax loquacious...

In the computing world, the vast majority of security flaws come from bugs: improper handling of untrusted data leads to buffer overflows time and time again. Fix the bugs, and those security flaws go away. However, what about the ones you didn't catch?

Re:

[drsmithy]

I'd just like to say, that is an excellent "in a nutshell" explanation of SELinux.

Re:

[systemeng]

I just got done with an NSA accreditation exercise for a SUSE 10.0 box. SUSE's support for proper logging and auditing was severely lacking and we had to jump through hoops. Why would a sane person invent something like AppArmour when the NSA created SElinux and it does what's required to pass certifications? SuSE has gotten better in 10.1 and 10.2 but I still don't think they've managed to get logging and auditing to work right. Go Redhat. SuSE has a nice desktop and 10.0 had better hardware support f

Re:

[jd]

That is not entirely true. EAL5 is within reach of commodity Operating Systems and, indeed, two hold such status. EAL6 is pushing it, but I can see nothing that would technically be impossible. EAL7 is the only one I can see that is definitely beyond commodity OS level.

Why Wikipedia?? WHY??

[sczimme]

What is it with you people and Wikipedia?? Are you really too lazy to find the *real* Orange Book?

NIST is hosting it; I'll even make a link [nist.gov] so no one gets hurt copying+pasting. Yes, it's a PDF.

Re:

[crush]

Commodity meaning that there are multiple sources of supply instead of a single monopolist producer which results in competition either driving down price or resulting in the incentive to add value in some other way. This would exclude mainframes or specialist realtime OSes in the embedded market.

Re:

[Anonymous Coward]

The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

Just wait until the "No OS Left Behind" program gets passed.

Re:

[davecb]

Stock Unixes with the networking in place passed Orange Book "C" easily, specifically including Solaris 1, which **was** BSD.

The process was and is expensive, so only ritch folks certify their OS security, which explains why we haven't seen it for Linux before...

--dave (assuming, of course, that I'm not replying to a troll) c-b

XP SP2 and Windows Server 2003 has the same rating

[Anonymous Coward]

http://www.microsoft.com/presspass/press/2005/dec0 5/12-14CommonCriteriaPR.mspx [microsoft.com]

The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:

• Microsoft Windows Server(TM) 2003, Standard Edition (32-bit version) with Service Pack 1
• Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1
• Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1
• Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
• Microsoft Windows XP Professional with Service Pack 2
• Microsoft Windows XP Embedded with Service Pack 2

Re:XP SP2 and Windows Server 2003 has the same rat

[CloneRanger]

Microsoft is only certified CAPP/eal4+ [niap-ccevs.org]. That is not LSPP/RBAC which is much harder and more secure.

Re:

[bgarcia]

Microsoft is only certified CAPP/eal4+. That is not LSPP/RBAC which is much harder and more secure.

Here are some relevant definitions:

• CAPP: Controlled Access Protection Profile [commoncriteriaportal.org]
• RBAC: Role-Based Access Control [wikipedia.org]
• LBAC: Lattice-Based Access Control [wikipedia.org]

Re:

[mrwolf007]

I read that link, but is the following just concidence? "Certificate Date: 01 April 2007" Hmm....

Someone want to explain the Common Criteria to me?

[Kadin2048]

I tried to get some understanding of how the "Common Criteria" work, and read the wiki article on the subject, but I'm still not clear. Can anyone elucidate on how the whole process works, and what the various grades are? I understand that the 'Common Criteria' in their purest form aren't a set list of features that products need to have -- it's more of a framework for specifying and testing criteria -- but obviously the US Government has to have its own standards, tested using the Common Criteria, that it

Re:Someone want to explain the Common Criteria to

[pantherace]

Basically, they tested a specific version. That specific version (not including any patches!) and type of setup qualifies for the rating.

If there is a vulnerability that would affect that setup/version in it's configured state, then the rating is supposed to be withdrawn, the problem fixed, and the system resubmitted.

Someone has figured out that perhaps, it might be a good idea to not have the vault door sealed, and a hole drilled in the side of the wall, so they tell you to apply security patches.

For the w

What does "more secure" mean?

[Anonymous Coward]

This is actually a complex issue that cannot be summarized as "much harder and more secure".

EAL4+ refers to the assurance level applied to the software in question. It measures how well the software is implemented - in some sense what the probability of undiscovered holes is.

EAL4+ is actually a rather low level of assurance. After all, Windows can pass EAL4+.

CAPP. LSPP, and RBAC are protection profiles that refer to the protection policy enforced by the software. CAPP coveres things like access control l

A good start.

[Lord_Pain]

NIAP certification is a good first step if they want to get into the DoD world.
It's a BIG first step. But there are others... FIPS for one. I wonder who will be working the ST&E on this OS. DoD? IntCom?
Also the amoeba like reach of DISA will have to be dealt with. They like their Windows(BOO!) and Solaris(Yay!). They are not too receptive to "new" things.
Perhaps it's biggest hurdle is not certifications... it's the in fighting among gov't organizations.

Re:

[CloneRanger]

>NIAP certification is a good first step if they want to get into the DoD world.

Linux is already in the DoD world. For Red Hat in particular, this is the fifth NIAP cert in the last 2 years.

>It's a BIG first step. But there are others... FIPS for one.

Which nss meets at level 2.

>Also the amoeba like reach of DISA will have to be dealt with.

Linux is already in the STIGs.

Re:

[Lord_Pain]

You should know that ANY change to an OS constitutes a requirement for a new certification. Especially if a new "security module" is the core feature.

Just saying linux has been certified is just as silly. Which flavor?
There are STIG's for Debian, RH and few other flavors. But this is a new product. Also any changes to an existing product will require another STIG.

The kind of generalization from you sounds like something I'd hear from DISA.

Mod Parent Informative

[mpapet]

As someone that has dealt at the periphery of projects where EAL certs are required, he's right on.

easy

[SolitaryMan]

putting it on a par with Sun Microsystems Inc.'s Trusted Solaris

Is this the same system that had famous telnet froot [slashdot.org] vulnerability recently?

Re:

[986151]

Is this the same system that had famous telnet froot vulnerability recently?

No

Re:

[cpuh0g]

No, Trusted Solaris and Solaris 10 with Trusted Extensions would not have been vulnerable to that vuln. And, did you know that MIT Kerberos distributions (which include a telnet daemon) also had a very similar hole ? So, basically ANY site that was running MIT kerberos with telnet enabled - Linux, BSD, etc) were also vulnerable to the same attack. MIT Kerberos is included in RH Linux and many other Linux distros as well. http://www.kb.cert.org/vuls/id/220816 [cert.org]

Slashdot responses

[Frankie70]

Check the slashdot story [slashdot.org] when Microsoft OS'es got a similiar certification.
Let's compare the comments at the end of the day.

Re:Slashdot responses

[dylan_-]

It's not the same certification. Windows' is for CAPP only. Redhat's is for CAPP, LSPP and RBACPP.

Resource and protection guarantees?

[Glock27]

In the embedded space, Green Hills Integrity has gained a lot of traction for reliable systems since it allows the developer to partition the system into spaces with guaranteed amounts of memory, cpu cycles and so on. It also offers strong guarantees that one partition can't affect another partition. See the Integrity features page [ghs.com].

So, my question is: Is there similar functionality in the works for Linux?

Re:

[Mr. Hankey]

Integrity is an RTOS platform, not a general purpose OS. I've worked with their ARINC 673 product a bit, much standard UNIX functionality would break the guarantees made by an ARINC-compliant OS so it's just not present. Xen is a close enough approximation if you just want to partition the system off without using ARINC 673, but in order to get the same sort of certifications as Integrity (or VxWorks' ARINC 673 product for that matter) all the code involved with Linux - kernel, userspace etc. - would need a

Re:

[Glock27]

Integrity is an RTOS platform, not a general purpose OS.

Linux is also a widely used RTOS platform. Integrity is optimized for realtime embedded use, but provides all the facilities of a "general purpose" OS. It's also possible to run Linux inside an Integrity partition.

One aspect of security is that no user should be able to affect the availability of the system through various forms of DOS attack, like the venerable forkbomb.

I'll look into Xen a bit more, does it allow the partitioning of CPU, memory

Re:

[Mr. Hankey]

Linux can certainly be used as an RTOS, in fact I've configured it for several embedded systems, but it's also relatively easy to use as a general purpose OS. If you stick to ARINC 653 (you're right on that of course, it's been a while since I was involved in spec'ing the CPCI boards) a full TCP/IP stack is basically out, amongst other niceties. You can do a cut down one, in our case with a special network card, but not everything works within the 653 spec according to the Green Hills staff with whom I've s

Only as secure as its least secure member...

[TheGreatHegemon]

Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.

Yeah yeah. But what does it /mean/?

[jimicus]

Any idiot can build a Linux system which runs absolutely no services whatsoever and SELinux to delegate authority appropriately with modern RedHat versions.

What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.

Re:

[flyingfsck]

In practise you can never deliver a system that is exactly the same as the reference design. However, all equipment delivered to the military has to be certified by their own security people. This is a long process which takes months to years. It helps a lot if you can tell them that you followed the reference design up to a point and show exactly where you deviated. Therefore the certification of the reference design is very useful.

Re:

[drinkypoo]

What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

Right! It was possible to get a C2 security rating with NT4, but you had to remove the floppy drive entirely (not just disable it) and both disable networking and disconnect the networking cable. Great, now you've got a standalone box that does nothing useful, but it's secure! Why not just turn it off?

Re:

[jimicus]

I prefer the "bucket of concrete" description. It's rather more final than "disable network and floppy drive", and has the advantage that it's substantially easier to understand by people who are just blindly demanding such certifications.

Anyone demands a secure system, I would be inclined to point out "I can give you a 100% guaranteed secure system. But I will have to bury it in reinforced concrete."

On a side note, has anyone attempted to get a system buried in concrete certified as secure?

Re:

[man_of_mr_e]

I keep seeing this comment, but it's a bit disingenuous. Yes, it's true that the first evaluation for NT4 required those things, but a secondary review in 1999 allowed NT4 to retain those items. In other words, NT4 did in fact achieve full C2 with networking and floppy.

Re:

[drinkypoo]

After hunting around I found a reference that says you are true. It also says that Microsoft formerly claimed that E2 was the highest possible security rating for a general-purpose OS, but once they finally got C2, they claimed that C2 was the highest possible security rating for such a system. So even when I find out I am wrong about MS (I simply never found out about the later review, which is pretty irrelevant coming so close to the end of NT4's useful life but still true) I find more reasons to hate the

Not the highest rating available

[KiltedKnight]

Perhaps someone needs to inform Mr. Frye that there are things out there that are higher-rated...

XTS-400 (Wikipedia entry) [wikipedia.org]

XTS-400 [baesystems.com]

That particular system is rated at EAL 5. IBM's only achieved EAL 4.

XTS-400 is good except...

[ushering05401]

then the creators went and filed this patent: http://www.patentstorm.us/patents/7103914.html [patentstorm.us].

Am I wrong in thinking this is another overly broad patent good only to intimidate others who want to innovate in the realm of secure computing with Linux interop?

Regards.

it isn't the OS that is EAL4 certified ..

[rs232]

RedHat is EAL4 certified on a particular hardware configuration, no one has physical access and you don't connect it to an insecure network like the Interent. I'm not sure how much use these certs are in the real world. But it does mean something to the PHBs. Now excuse me while my manager explains what ISO 9000 is, again ..

Re:

[Bert64]

This is actually perfectly reasonable and useful, unlike the NT4 cert that required the network be disconnected...
Most important government systems are on their own networks, and sit inside datacenters where only a small subset of authorized staff have physical access.

Re:

[man_of_mr_e]

Which NT4 cert was that?

http://www.microsoft.com/technet/archive/security/ news/c2summ.mspx?mfr=true [microsoft.com]

"Windows NT 4.0 evaluation included servers and workstations in six different roles, operating in both TCP/IP networked and stand-alone modes."

"Get the Facts"

[dasunst3r]

I think Red Hat should send something to Steve Ballmer to rub this in his face... something along the lines of "Looks like you need to Get the Facts about Windows and Linux. Where are your lobbyists now?" along with a copy of the certification.

EAL-6 is the highest possible security rating

[mikefocke]

Not EAL-4 is not "TOP". Shame on the press release writers for spreading untruths.

Nor is EAL-4 the highest rating an OS product has achieved.

EAL-5 has been achieved by only one complex product in the world last I looked (BAE's STOP OS, a Linux look-alike in API/ABI running on an Intel CPUed platform) and it doesn't lose its security rating when connected to a network.

The value of the rating system is that it lets everyone see the criteria under which you were judged and the degree of excellence against those criteria determined by independent judges. But the person selecting the product has to know a lot about security to be able to understand the value provided. For example, it is easy to configure most EAL-4 rated OSs in such a way that they void their rating.

Having been the Product Manager during the STOP evaluation, let me congratulate Red Hat as achieving EAL 4 is a great achievement for their team (and was required of us before we could even submit for an EAL-5). May they now go on and undergo additional time, expense and pain in striving for a higher rating.

Re:

[WrongSizeGlass]

You will never, ever, become successful on the desktop until idiocy like this is exorcised from the OS.

... or the pool of computer users who label themselves advanced just because they can do things that are "comparatively simple in Mac or Windows". If a command line isn't for you, that's fine. Be sure to stay away from 'Terminal' on the Mac and the 'cmd.exe' on Windows.

Re:

[vfrex]

What does that have to do with RHEL? It is designed to be a stable server platform. Your post has so little to do with the article, I'm going to need to ask you to RTFM.

Re:

[Helen Keller]

EvNGGG I cannnmmmmssee it's mngaTROLL, numbbehebehbehnuts!

Re:

[$RANDOMLUSER]

You really are the most underrated poster on /.
Always good for a laugh.

Re:Hrmm. Not good enough for the average user

[sayfawa]

That was a cut and paste troll. [slashdot.org]

They're never on topic, they just show up in random Linux articles.

Re:

[init100]

What does that have to do with RHEL? It is designed to be a stable server platform.

It can be used as a desktop system. If it weren't meant to, they would hardly include Compiz in the distro.

Re:

[otacon]

Weird, most of the things you named are the reason I, and most people prefer linux. Compiling is what makes the system run so smooth. The command line gives you a lot of control, and it far more simple than trying to find your way through counter-intuitive Windows GUI's. The MAN pages are not the best source of information...an advanced user should know that.

Re:

[init100]

Compiling is what makes the system run so smooth.

Ehrm, what? Every operating system and application need to be compiled to run. I guess that you mean compiling yourself, but that would still be wrong, as applications does not automatically become smoother just because you compile them yourself.

Re:

[Dr. Smoove]

Hi Mr. Advanced Computer User! Did you know that TFA is about servers, not desktops? Don't call yourself advanced if you're afraid of bash. You're either flamebaiting or extremely out of touch with the purpose of Linux.

Re:Hrmm. Not good enough for the average user

[jimstapleton]

Are you naturally this off topic, or did it take effort.

Ignoring for the the moment I agree with *some* of your points, Linux on the desktop has nothing to do with this post, it is entirely about Linux as an enterprise grade server OS.

Re:

[daffmeister]

I think we've seen this exact same post about a dozen times before.

None of your points are valid

[lib3rtarian]

I'm going to venture that you don't know much about serious professional level computer systems. I'm going to discuss, point by point, why you are just flat out wrong and not thinking clearly about many things.

A)Many different versions of Linux have various binary packaging systems so you don't have to compile things, Debian and Redhat being the two most popular (yum and synaptic/ .deb and .rpm). The constant upgrade cycle where you discover that your most recent upgrade broke something has nothing to do with the process of compiling software per se, but interoperability between different software. The Microsoft WSUS updates are constantly breaking applications, and this is even more exaggerated in the server market.

B)The vast majority of mission critical infrastructure systems that the internet and all high level computing systems run from the command line. Switches, routers, cores, these are the bread and butter of what makes the internet work, and nobody says that a developer has failed when they produce one of these that works. Frankly, you are just being hyperbolic, failure as a developer means that your application does not work. These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some hairbrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.

C)Linux documentation is far superior to that of Windows, because the API's and sourcecode are all available. Learn how to program, don't blame the difficulty of programming on inferior documentation and instructions. There are people who do what they want in linux, just because you can't, doesn't mean that there is something wrong with linux. Rather, it probably means you are not that smart. The entire notion that linux is an alien environment presupposes a fetish for windows.

Your conclusion is complete bunk, because your arguments don't hold any water. Basically, what you've just done is ranted. Linux does not suck in the regards you listed. Nothing is perfect, and everything can be improved, but you simply don't make a nuanced point like this.

Besides which, this thread was about Security!

Re:

[Millenniumman]

Linux documentation is far superior to that of Windows, because the API's and sourcecode are all available. Learn how to program

Oh, that's wonderful. So if I want to, say, mount a network drive, which is generally almost impossible on linux (except for SUSE with yast2), I have to look through tons and tons of code. And of course there is no feasible way to figure out how to do it like that.

Compare that to the Windows/Mac way, where you either use the "help" feature, or are easily able to figure it out.

There are people who do what they want in linux, just because you can't, doesn't mean that there is something wrong with linux. Rather, it probably means you are not that smart.

Uh....

These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some hairbrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.

Nonsense. I can use a unix CLI easily, but that does not mean it is always easier than doing things from a GUI. Some things

Re:

[IdleTime]

When you use Linux for your commercial needs (which this is clearly intended for), you don't recompile kernel every week. The box stays the way it is unless some major security related updates are needed. You schedule downtime to make any changes and you are lucky if you get 1 hours of downtime a year.

This is not desktops, but huge servers. I have many many times tried to get such organizations to even apply one of our patchsets to their servers due to them hitting known bugs and it may take a couple of m

Re:

[mattpalmer1086]

Good news! It's ready!

A) You don't have to compile anything. But you can if you want to. And you can forget about all those dependency DLL-hell issues too that you get in Windows, if you use a modern distro with good package management. Then you just fire up the GUI, put a "tick" in the box for the software you want, and it gets it for you and installs it. It's easier than having to trawl through someone's web site for the right installer, manually download it, manually run the setup. And then find t

Re:

[flyingfsck]

So what kind of bizarre Linux are you using? Maybe you should dump your 10 year old copy of Slackware and get a modern Mandriva, Ubuntu, RedHat or Suse version. You could also buy a machine that has Linux pre-installed from Dell and use that. If you don't change anything, it should keep working for years on end.

This is a recurring troll

[someone1234]

http://linux.slashdot.org/comments.pl?sid=162677&c id=13595596 [slashdot.org]

Re:

[Jesus_666]

I really gotta save my answer to that guy so I can have a reccurring counter-troll...

Re:Hrmm. Not good enough for the average user

[Jesus_666]

I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own CD rips from Grip, I can install most Windows versions without a problem, and I'm damned proficient at packages like Paint Shop Pro and the GIMP. In addition, I'm a gamer from back in the DOS/Win95 days, so concepts like editing undocumented system-critical settings (Registry hives) don't necessarily scare me.

That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.

A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.

B) Any time I'm forced to to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.

C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.

I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.

Re:

[trianglman]

wow, this post shows that
A) You haven't used desktop Linux in a long time. I'm using Linux Mint right now and don't need to drop to the command line for anything other than rare extreme troubleshooting issues, or when its just plain easier (disclaimer, I find going to command line, and copying files from my desktop to a distant directory much easier than clicking through 5-10 folders).
B) You haven't done any systems administration on a Windows machine, probably ever. You don't have to recompile the Window

Re:

[WrongSizeGlass]

As for forums, welcome to the Internet; go check some MS or Mac forums, you'll find assholes there, too. Those're the breaks.

We don't need to check those forums - we have our own crop right here, don't we AC?

Did I miss something? Is it "Asshat Monday" and I didn't mark it on my calendar?

Re:

[init100]

Why, pray tell, would any 'average' user wish to dick around with vi and text-editting config files? Hint: They wouldn't.

True, but I also think that most average users would take a text-based configuration file, especially one with instructive comments, over the Windows Registry any day of the week.

I'm not saying that registry editing is a usual occurrence, but sometimes it needs to be done, and I would prefer clear text files every time. Especially those parts of the registry indexed on class GUID are really opaque.

Re:

[init100]

I hate Linux man pages for that reason. Put a sample in there!

I suggest the Perl man pages then, they have a good number of examples. I'd say most Perl functions I have looked up in the man pages have at least one but often several examples of its use.

Re:

[thommym]

Have a look at the Solaris man pages. Plenty of examples in them...

Australians...

[Savage-Rabbit]

I'm not a security expert, but this looks like an American government security certification. Why does the submitter link to Australian Computerworld? Why not the American version, which also carried the newswire story?

Because Australians are insensitive clods?

Re:

[flyingfsck]

The Common Criteria is a joint project between several governments including Australia: http://www.commoncriteriaportal.org/ [commoncriteriaportal.org]

If you need to supply computer equipment to a government agency then you better start reading. If not, then don't bother.

Re:

[WaZiX]

No Worries, Mate; I reckon its some Ozzies trying to come the raw prawn with ya!

Re:

[sn00ker]

I'd wonder if openbsd has recieved this security rating?

Of course it hasn't. Certification costs a lot of money (tens- if not hundreds-of-thousands of dollars), and there're no organisations with that kind of money that have a major interest in OpenBSD. Could it pass? No, because it lacks RBAC/MAC and other necessary security systems. Has it even been tested? Certainly not, because nobody's put it up for certification, and also because the team that produces it haven't built in subsystems for RBAC/MAC.