
Red Hat Linux Gets Top Govt. Security Rating

CmdrTaco posted more than 7 years ago | from the take-that-to-yer-boss-and-shove-it dept.

Red Hat Software 128

zakeria writes "Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies. Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM."


Hrmm. Not good enough for the average user (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19549595)

I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own XVID rips from Vdub, I can install most Linux distros without a problem, and I'm damned proficient at packages like Photoshop and Illustrator. In addition, I'm a gamer from back in the DOS days, so concepts like editing text files (config.sys, autoexec.bat, etc) don't necessarily scare me.

That said, as much as I like the concept of Linux, I simply will not try it any longer until I hear that a number of problems have been solved.

A) Having to recompile kernels/worrying that apps will be broken by upgrading that kernel. For that matter, I don't want to have to compile anything, ever. Just to make this clear, never. Come up with either something akin to Windows where I click on a standard installer, or make it like Mac where I just drag and drop the folder.

B) Any time I'm forced to drop to a command line, you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may change a text file in Windows, in Linux it's a constant occurrence. Again, you have failed.

C) MAN pages do not cut it. Neither does a message board where half the time I'll be called a clueless n00b, 25% of the time I'll be told to use a different distro, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Linux sucks in this regard.

I'm an advanced user who's in favor of open source, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac or Windows make Linux a deal breaker. You will never, ever, become successful on the desktop until idiocy like this is exorcised from the OS.

Re:Hrmm. Not good enough for the average user (1, Insightful)

WrongSizeGlass (838941) | more than 7 years ago | (#19549669)

> You will never, ever, become successful on the desktop until idiocy like this is exorcised from the OS.

... or the pool of computer users who label themselves advanced just because they can do things that are "comparatively simple in Mac or Windows". If a command line isn't for you, that's fine. Be sure to stay away from 'Terminal' on the Mac and the 'cmd.exe' on Windows.

Re:Hrmm. Not good enough for the average user (2, Interesting)

vfrex (866606) | more than 7 years ago | (#19549679)

What does that have to do with RHEL? It is designed to be a stable server platform. Your post has so little to do with the article, I'm going to need to ask you to RTFM.

Re:Hrmm. Not good enough for the average user (4, Funny)

Helen Keller (842669) | more than 7 years ago | (#19549797)

EvNGGG I cannnmmmmssee it's mngaTROLL, numbbehebehbehnuts!

Re:Hrmm. Not good enough for the average user (1)

$RANDOMLUSER (804576) | more than 7 years ago | (#19549835)

You really are the most underrated poster on /.
Always good for a laugh.

Re:Hrmm. Not good enough for the average user (4, Informative)

sayfawa (1099071) | more than 7 years ago | (#19549801)

That was a cut and paste troll. [slashdot.org]

They're never on topic, they just show up in random Linux articles.

Re:Hrmm. Not good enough for the average user (1)

init100 (915886) | more than 7 years ago | (#19551801)

What does that have to do with RHEL? It is designed to be a stable server platform.

It can be used as a desktop system. If it weren't meant to, they would hardly include Compiz in the distro.

Re:Hrmm. Not good enough for the average user (1)

otacon (445694) | more than 7 years ago | (#19549707)

Weird, most of the things you named are the reason I, and most people, prefer linux. Compiling is what makes the system run so smooth. The command line gives you a lot of control, and it is far more simple than trying to find your way through counter-intuitive Windows GUIs. The MAN pages are not the best source of information...an advanced user should know that.

Re:Hrmm. Not good enough for the average user (0)

Anonymous Coward | more than 7 years ago | (#19550709)

The MAN pages are not the best source of information...an advanced user should know that.

Well, the various Linux distros' man pages aren't, but OpenBSD's man pages are quite informative.

Re:Hrmm. Not good enough for the average user (1)

init100 (915886) | more than 7 years ago | (#19551849)

Compiling is what makes the system run so smooth.

Ehrm, what? Every operating system and application needs to be compiled to run. I guess that you mean compiling yourself, but that would still be wrong, as applications do not automatically become smoother just because you compile them yourself.

Re:Hrmm. Not good enough for the average user (0)

Anonymous Coward | more than 7 years ago | (#19549713)

"For that matter, I don't want to have to compile anything, ever."

Then use a binary-based distribution, and deal with not being able to access 100% of the software available for Linux. This is akin to complaining about Windows because you can't run some program some guy developed for Win 3.11 on Windows XP.

"Any time I'm forced to drop to a command line, you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may change a text file in Windows, in Linux it's a constant occurrence. Again, you have failed."

Absolutely correct. For all the, "LOL LEENUCKS ON TEH DESKTOP!!!!111111111111" bullshit, the monkeys behind the drive don't seem to get this. Why, pray tell, would any 'average' user wish to dick around with vi and text-editing config files? Hint: They wouldn't.

"MAN pages do not cut it. Neither does a message board where half the time I'll be called a clueless n00b, 25% of the time I'll be told to use a different distro, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Linux sucks in this regard."

I'll take man pages over Windows Helpless files any day of the week. Christ, have you *read* Windows help documents? They're completely useless rubbish.

However, I'd like to see one thing put in all man files: More basic-use examples. There's a reason people don't RTFM, it's because the manual, if it's a good one, tends to be an inch thick and contains a few hundred pages. :P Noobs don't care about what options are POSIX-compliant, deprecated, or do things only one person sitting out in the middle of Wisconsin needs to do.

They've installed WhizBangProgram, they want to know how to make WhizBangProgram do what they want. Doesn't need to cover every single use case, but a basic:

"To make WhizBangProgram Bang Whizzes, use:

WhizBangProgram --input=~/whiz --bangage=10 --etc"

As for forums, welcome to the Internet; go check some MS or Mac forums, you'll find assholes there, too. Those're the breaks.

Re:Hrmm. Not good enough for the average user (2, Funny)

WrongSizeGlass (838941) | more than 7 years ago | (#19549775)

> As for forums, welcome to the Internet; go check some MS or Mac forums, you'll find assholes there, too. Those're the breaks.

We don't need to check those forums - we have our own crop right here, don't we AC?

Did I miss something? Is it "Asshat Monday" and I didn't mark it on my calendar?

Re:Hrmm. Not good enough for the average user (1)

Sczi (1030288) | more than 7 years ago | (#19551465)

> However, I'd like to see one thing put in all man files: More basic-use examples. [snip] They've installed WhizBangProgram, they want to know how to make WhizBangProgram do what they want. Doesn't need to cover every single use case, but a basic:
> "To make WhizBangProgram Bang Whizzes, use:
> WhizBangProgram --input=~/whiz --bangage=10 --etc"


Amen to that.. I hate Linux man pages for that reason. Put a sample in there! I've gotten frustrated and given up on a number of occasions when I couldn't piece together the command line syntax from man pages.

Re:Hrmm. Not good enough for the average user (1)

init100 (915886) | more than 7 years ago | (#19551997)

I hate Linux man pages for that reason. Put a sample in there!

I suggest the Perl man pages then, they have a good number of examples. I'd say most Perl functions I have looked up in the man pages have at least one but often several examples of its use.

Re:Hrmm. Not good enough for the average user (2, Insightful)

init100 (915886) | more than 7 years ago | (#19551965)

Why, pray tell, would any 'average' user wish to dick around with vi and text-editing config files? Hint: They wouldn't.

True, but I also think that most average users would take a text-based configuration file, especially one with instructive comments, over the Windows Registry any day of the week.

I'm not saying that registry editing is a usual occurrence, but sometimes it needs to be done, and I would prefer clear text files every time. Especially those parts of the registry indexed on class GUID are really opaque.

Re:Hrmm. Not good enough for the average user (0)

Anonymous Coward | more than 7 years ago | (#19549765)

Congratulations. You have a photographic memory [slashdot.org].

Re:Hrmm. Not good enough for the average user (1)

Dr. Smoove (1099425) | more than 7 years ago | (#19549807)

Hi Mr. Advanced Computer User! Did you know that TFA is about servers, not desktops? Don't call yourself advanced if you're afraid of bash. You're either flamebaiting or extremely out of touch with the purpose of Linux.

Re:Hrmm. Not good enough for the average user (3, Interesting)

jimstapleton (999106) | more than 7 years ago | (#19549823)

Are you naturally this off topic, or did it take effort?

Ignoring for the moment that I agree with *some* of your points, Linux on the desktop has nothing to do with this post, it is entirely about Linux as an enterprise grade server OS.

Don't feed the M$-paid astroturfing troll.... (0)

Anonymous Coward | more than 7 years ago | (#19549917)

He's just spreading FUD.

Re:Hrmm. Not good enough for the average user (1)

daffmeister (602502) | more than 7 years ago | (#19549957)

I think we've seen this exact same post about a dozen times before.

MAN pages? You ARE using the wrong OS (0)

Anonymous Coward | more than 7 years ago | (#19550405)

MAN pages do not cut it.

Try OpenBSD's man pages [openbsd.org]; they are actually informative and up-to-date.

None of your points are valid (5, Informative)

lib3rtarian (1050840) | more than 7 years ago | (#19550867)

I'm going to venture that you don't know much about serious professional level computer systems. I'm going to discuss, point by point, why you are just flat out wrong and not thinking clearly about many things.

A) Many different versions of Linux have various binary packaging systems so you don't have to compile things, Debian and Redhat being the two most popular (yum and synaptic/ .deb and .rpm). The constant upgrade cycle where you discover that your most recent upgrade broke something has nothing to do with the process of compiling software per se, but interoperability between different software. The Microsoft WSUS updates are constantly breaking applications, and this is even more exaggerated in the server market.

B) The vast majority of mission critical infrastructure systems that the internet and all high level computing systems run from the command line. Switches, routers, cores, these are the bread and butter of what makes the internet work, and nobody says that a developer has failed when they produce one of these that works. Frankly, you are just being hyperbolic; failure as a developer means that your application does not work. These devices and applications do work, and as anyone familiar with a command line interface knows, it is usually far simpler to troubleshoot a problem in an environment that you have complete control over (like the command line) than it is in some harebrained GUI that is made to pander to people like yourself who consider themselves technical users but think that command line interfaces are bad.

C) Linux documentation is far superior to that of Windows, because the APIs and source code are all available. Learn how to program, don't blame the difficulty of programming on inferior documentation and instructions. There are people who do what they want in linux, just because you can't, doesn't mean that there is something wrong with linux. Rather, it probably means you are not that smart. The entire notion that linux is an alien environment presupposes a fetish for windows.

Your conclusion is complete bunk, because your arguments don't hold any water. Basically, what you've just done is ranted. Linux does not suck in the regards you listed. Nothing is perfect, and everything can be improved, but you simply don't make a nuanced point like this.

Besides which, this thread was about Security!

Re:Hrmm. Not good enough for the average user (0)

Anonymous Coward | more than 7 years ago | (#19551257)

Is this the point where you're told if you're a dumb I-traded-brains-for-looks user [sorry, no picture, but you can use the bathroom mirror if you don't remember your face] get the f**k out? or, better yet, if you can't take the heat stay out of the kitchen.

But then, if you had the two brain-cells required to understand the above advice, you'd not have been trolling off-topic here.

Re:Hrmm. Not good enough for the average user (2, Informative)

IdleTime (561841) | more than 7 years ago | (#19551363)

When you use Linux for your commercial needs (which this is clearly intended for), you don't recompile the kernel every week. The box stays the way it is unless some major security related updates are needed. You schedule downtime to make any changes and you are lucky if you get 1 hour of downtime a year.

This is not desktops, but huge servers. I have many many times tried to get such organizations to even apply one of our patchsets to their servers due to them hitting known bugs and it may take a couple of months for them to schedule it, and then only after testing it on their test servers and getting approval from management. For all of them, this is perfect and does not constitute any problems at all.

Re:Hrmm. Not good enough for the average user (2, Informative)

mattpalmer1086 (707360) | more than 7 years ago | (#19551411)

Good news! It's ready!

A) You don't have to compile anything. But you can if you want to. And you can forget about all those dependency DLL-hell issues too that you get in Windows, if you use a modern distro with good package management. Then you just fire up the GUI, put a "tick" in the box for the software you want, and it gets it for you and installs it. It's easier than having to trawl through someone's web site for the right installer, manually download it, manually run the setup. And then find the installer won't remove the software properly when you want to get rid of it or find it needs some obscure runtime DLL you never heard of and don't know where to get.

B) I do take exception to the "force me to drop to the command line" bit. Why would you need to drop to the command line to edit a text file, assuming you needed to do such a thing? I do drop down to the command line quite frequently though - it's good for batch operations and scripting things together, but I use a graphical text editor if I need to edit text - I'm not a masochist! Having said that, I haven't had to edit a text file on linux for system administration reasons for nearly a year. It's not a constant occurrence, not anymore. Hardware - all auto detected on installation. All devices I've plugged in have just worked (no need to trawl manufacturer sites for the latest driver). GUIs for all common system administration tasks. As far as windows goes, anytime I have to directly edit the registry, you as a developer... oh, never mind ;)

C) Help is better these days, but I agree it is still patchy in places. And arrogant people do still exist on some of the forums (hopefully getting fewer all the time). But then, Windows help files were never that good either, and I don't recall getting any help from Microsoft unless I paid for it. Can't really think of a system where the help and service has been uniformly excellent.

The truth is, linux is not the system you are describing anymore. Maybe 5 years ago - it's come on a long way. Why not download a bootable Ubuntu Live CD and give it a go, just so you know what it's like these days.

Re:Hrmm. Not good enough for the average user (1)

flyingfsck (986395) | more than 7 years ago | (#19552161)

So what kind of bizarre Linux are you using? Maybe you should dump your 10 year old copy of Slackware and get a modern Mandriva, Ubuntu, RedHat or Suse version. You could also buy a machine that has Linux pre-installed from Dell and use that. If you don't change anything, it should keep working for years on end.

This is a recurring troll (1)

someone1234 (830754) | more than 7 years ago | (#19552799)

Re:This is a recurring troll (1)

Jesus_666 (702802) | more than 7 years ago | (#19553647)

I really gotta save my answer to that guy so I can have a recurring counter-troll...

Re:Hrmm. Not good enough for the average user (5, Insightful)

Jesus_666 (702802) | more than 7 years ago | (#19553365)

I'm a fairly technical user, not a tech god by any stretch of the imagination, but I know my way around. I know how to forward ports on my router, I do all my own CD rips from Grip, I can install most Windows versions without a problem, and I'm damned proficient at packages like Paint Shop Pro and the GIMP. In addition, I'm a gamer from back in the DOS/Win95 days, so concepts like editing undocumented system-critical settings (Registry hives) don't necessarily scare me.

That said, as much as I like the concept of Windows NT, I simply will not try it any longer until I hear that a number of problems have been solved.

A) Having to manually download software/worrying that nonstandard installation routines might scatter junk all over the file system and not remove it upon deinstallation. For that matter, I don't want to have to manually download and install anything, ever. Just to make this clear, never. Come up with either something akin to Ubuntu where I run Synaptic to install everything I need, or (if you absolutely have to) make it like Mac OS X where I just drag and drop the folder.

B) Any time I'm forced to edit the Registry by hand (without documentation, to boot), you as a developer have failed. Back 10 years ago, this may have been acceptable. In this day and age, it isn't. Furthermore, while once in a blue moon I may have to change a system-breaking internal file in Linux, in Windows it's a constant occurrence. Again, you have failed.

C) A troubleshooting guide instead of proper OS documentation does not cut it. Neither does a message board where half the time I'll be told to reinstall, 25% of the time I'll be told to run random diagnosis apps, and the other 25% of the time I'll get genuinely helpful people giving me contradictory answers. If I'm expected to jump to an alien computing environment you'd best make sure your documentation is up to snuff. Most Windows apps suck in this regard.

I'm an advanced user who's in favor of feature-rich OSes, but the bizarre, arcane, and technical details I have to jump through to achieve the same things that are comparatively simple in Mac OS X or Linux make Windows a deal breaker. You will never, ever, become successful on the server until idiocy like this is exorcised from the OS.

yay for ibm / redhat (0)

Anonymous Coward | more than 7 years ago | (#19549643)

when should I be there and who's buying the beer?

CentOS too? (4, Interesting)

frankenheinz (976104) | more than 7 years ago | (#19549647)

So does CentOS get some sort of auto cert then?

Re:CentOS too? (5, Informative)

Anonymous Coward | more than 7 years ago | (#19549687)

> So does CentOS get some sort of auto cert then?

No. CentOS (i.e., the actual binaries built by the CentOS team on the particular set of hardware used by the CentOS team) needs to go through the exact same evaluation process, with documentation and all.

Re:CentOS too? (3, Informative)

crush (19364) | more than 7 years ago | (#19549733)

The certification is specific to the combination of RHEL on IBM eServers. So specific hardware and specific version of the OS. That said, practically there'd probably be no functional difference with CentOS on the same hardware ... but you couldn't run it if the certification were mandated.

Why is it hardware-specific? (1)

Dadoo (899435) | more than 7 years ago | (#19553079)

Any idea why the certification is hardware specific? What do IBM eServers have that commodity hardware doesn't?

Re:Why is it hardware-specific? (2, Informative)

Bishop (4500) | more than 7 years ago | (#19553579)

These certifications at the EAL4 and up levels are all functional tests. That is, the actual system is run. Software by itself cannot run. It needs the hardware. These types of certifications are designed to eliminate as many unknowns as possible. Any RHEL system should behave the same but can you guarantee that? Consider the simple case as a bug in a hardware driver in one system but not in the tested system. That said, it is reasonable to expect that all x86 type hardware similar to the eServers would achieve the same certification.

Also IBM paid a pretty penny for the certifications. They would rather their competitors pay for their own certifications.

Re:CentOS too? (2, Insightful)

flyingfsck (986395) | more than 7 years ago | (#19551963)

Sort-of. It depends on your contractual requirements. I always try to sneak in a provision to the effect that 'The system will use the CAPP/EAL4 reference design as a guideline'. Schtuff delivered to the military needs to be certified by their own security people anyway, but it helps a lot if you can show that you followed the CAPP/EAL4 configuration and point out where you had to deviate.

For people who don't grok EAL4 and ALC_FLR.3 (5, Informative)

davecb (6526) | more than 7 years ago | (#19549657)

This is roughly equivalent to "B" in the well-known U.S. "Orange Book" security standard. Previously all commercial off-the-shelf OSs were rated C or below, and had trouble even getting that (NT 4 got C only if the network was physically removed).

The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

--dave

Re:For people who don't grok EAL4 and ALC_FLR.3 (5, Interesting)

crush (19364) | more than 7 years ago | (#19549705)

It's worth pointing out that this is actually equivalent to a "B1" TCSEC rating http://en.wikipedia.org/wiki/TCSEC [wikipedia.org] and that it's impossible to get any higher rating for a commodity operating system. This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives). Supposedly SuSE/Novell are trying to achieve this rating ATM but due to the limitations of AppArmor compared to SELinux it seems unlikely that they will.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Interesting)

davecb (6526) | more than 7 years ago | (#19549923)

Actually AppArmor would be a good addition to a B1 system, as a somewhat weaker (less fine-grained) variant is part of Trusted Solaris.

--dave

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Interesting)

morgan_greywolf (835522) | more than 7 years ago | (#19550001)

Hmmm...I'm getting conflicting information. According to this Microsoft White Paper [microsoft.com] (sorry, Word .DOC format), the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received. IOW, this cert doesn't really mean that much.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Informative)

dylan_- (1661) | more than 7 years ago | (#19550529)

> the EAL4 + Augmented with ALC_FLR.3 rating, which BTW, both Windows XP SP 2 and Windows 2003 Server SP 1 also have, is only equivalent to C2, which is the same rating that NT 4 received.

Here [niap-ccevs.org] is the Windows cert. Here [niap-ccevs.org] is the Red Hat one. Notice that under PP identifiers Windows has CAPP, while Red Hat has CAPP, LSPP and RBACPP.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Informative)

morgan_greywolf (835522) | more than 7 years ago | (#19551197)

Not only that, but Windows is only certified on specific hardware, while the same is not true of the RHEL5 cert. Thanks for pointing that out. It shows once again that a solid stable system like RHEL5 is indeed more secure than Windows, even if it is only because the military believes it to be so. But I'm guessing that military IT might know a thing or two about good systems security. ;)

Re:For people who don't grok EAL4 and ALC_FLR.3 (0)

Anonymous Coward | more than 7 years ago | (#19551327)

But I'm guessing that military IT might know a thing or two about good systems security. ;)
 
can't post logged in or with specifics but your naivete is cute. your faith is just as well placed in santa or the easter bunny. the military is part of the government. it is a big bureaucracy, probably certainly no better than a corporation of the same size, quite possibly worse.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Informative)

Anonymous Coward | more than 7 years ago | (#19553033)

Actually Military IT isn't the greatest. Too many young kids with not enough experience. However, the NSA does the accreditation and they, unlike the above poster states, are very good at what they do. The testing doesn't prove that the OS is more secure; it demonstrates that it is designed securely, and more importantly, that it has adequately tamper-resistant auditing and adequately rigorous permissions. That's why POSIX compliant OSes aren't very convenient to certify; the permission systems are very different.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

bill_mcgonigle (4333) | more than 7 years ago | (#19554665)

But I'm guessing that military IT might know a thing or two about good systems security. ;)

Their stakes may be slightly higher too.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

spevack (210449) | more than 7 years ago | (#19550029)

This is all specifically due to the SELinux support in Red Hat EL (and consequently CentOS and Fedora and other derivatives).

It's more accurate to describe RHEL and CentOS as derivatives of Fedora. Fedora is the upstream for all other distributions that are in the Red Hat family. Red Hat Enterprise Linux is derived from Fedora, and CentOS is in turn derived from Red Hat Enterprise Linux.

SELinux, for example, appeared in Fedora long before it ever appeared in RHEL or CentOS.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Interesting)

asliarun (636603) | more than 7 years ago | (#19550105)

Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

Again, please don't treat this as a flame. I'm just curious to know how BSD ranks vis a vis other OSes, especially Linux, and especially in terms of security.

Re:For people who don't grok EAL4 and ALC_FLR.3 (4, Informative)

crush (19364) | more than 7 years ago | (#19550183)

I don't think it's a flame. All that this certification means is that a government department tested specific aspects of security on specific hardware. It shouldn't be thought of as anything more, it's just a rubber-stamp for administrators that don't want to understand security.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Insightful)

Nutria (679911) | more than 7 years ago | (#19553531)

it's just a rubber-stamp for administrators that don't want to understand security.

No, it's not.

"EAL4 with CAPP, LSPP and RBACPP" means that RHEL5 on most all current IBM h/w can be made very secure by people who care and know what they are doing.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

jae471 (1102461) | more than 7 years ago | (#19550611)

I believe you are correct. From what I've read, OpenBSD is tops when it comes to security. I haven't tested this in practice, though.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Informative)

cowbutt (21077) | more than 7 years ago | (#19550657)

Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well. Is that not so? In that case, wouldn't a BSD version be more suitable for secure/sensitive installations?

No, because without the certification, secure/sensitive installations aren't allowed to use those flavours of BSD (or any other uncertified product). If there's no other way of performing a function, it might be justifiable, but it'll be a brave sysadmin that pursues such a course.

The above has no bearing on BSD's relative technical merits and demerits compared with OSs that have achieved CC certification.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

asliarun (636603) | more than 7 years ago | (#19551275)

Yes, I realize that my question was off-topic. My question was a more generic one, namely Linux v/s OpenBSD in terms of security.
I was also interested in knowing how popular BSD and Linux are for these kinds of requirements.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

raddan (519638) | more than 7 years ago | (#19553211)

The OpenBSD people have specifically stated that they will not pursue these kinds of certifications, because they take developer time away from actually making the operating system secure. IIRC, their opinion was that most of these certifications were based on a number of arbitrary tests that did not actually measure (nor accurately represent) real-world security exposure. I don't know enough myself to comment on the subject, though. The subject may also be complicated by the fact that OpenBSD's relationship with DARPA (which used to fund OpenSSH development) is, if I understand correctly, no longer friendly...

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Insightful)

Bender0x7D1 (536254) | more than 7 years ago | (#19552303)

For certification purposes, it really doesn't matter how secure the system is, but how secure you can show the system is.

I attended a presentation regarding these certifications from a manager at IBM, (I forget his name), that had taken several products through the certification process and he said that it is all about the documentation. For example, how many people working on BSD have the architecture, design and user documentation to prove that something has been designed securely? It might be secure and a lot of people may have reviewed it and declared it secure, (even the auditors), but without the corresponding documentation it can't pass certification. Why not? Well, without a design document, I can't verify the implementation actually does what it is supposed to. Also, without the user documentation, how do I know that I have to have certain services running for the behavior to be valid? The auditors are allowed to do anything they want to the system that isn't forbidden in the documentation. So, if it isn't documented that you can't turn off some security service, it is fair game. That's why the product, in a certain configuration, is certified and not any system that happens to run the OS.

I think this is why we will only see high levels of certification going to corporate sponsored OSes. Let's face it, most open source developers don't want to spend most of their time documenting their work - they want to actually do it. It is only when you have management that focuses on the certification process, and holds everyone accountable for proper documentation, that the requirements can be met.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

systemeng (998953) | more than 7 years ago | (#19550663)

I just got done with an NSA accreditation exercise for a SUSE 10.0 box. SUSE's support for proper logging and auditing was severely lacking and we had to jump through hoops. Why would a sane person invent something like AppArmor when the NSA created SELinux and it does what's required to pass certifications? SuSE has gotten better in 10.1 and 10.2 but I still don't think they've managed to get logging and auditing to work right. Go Redhat. SuSE has a nice desktop and 10.0 had better hardware support for our exotic tabletPC stuff than did the fedora release at the time but we paid for that with pain on the accreditation.

Re:For people who don't grok EAL4 and ALC_FLR.3 (0)

Anonymous Coward | more than 7 years ago | (#19551509)

It most certainly IS possible to get a higher evaluation of a "commodity operating system", of course depending on what your definition of commodity is.

Multics received a B2 evaluation under the old Orange Book system, and you could certainly order that straight out of the Honeywell catalog. It was a mainframe, and therefore expensive, so if "commodity" means cheap enough for home consumers, then no. (B2 is roughly EAL5 with LSPP.) AT&T's SVR4.1ES version of UNIX was under evaluation for B2, although I'm not sure it ever actually received the certificate. (To forestall any SCO-related comments, the approaches for security in SVR4.1ES and in SE/Linux are completely different.)

Several smart cards have EAL5 evaluations, and they are certainly "commodity" products.

IBM's PR/SM product for the System z mainframes has an EAL5 evaluation. Again, it is a mainframe product, but it comes with every System z mainframe that you buy.

Re:For people who don't grok EAL4 and ALC_FLR.3 (1)

crush (19364) | more than 7 years ago | (#19551883)

Commodity meaning that there are multiple sources of supply instead of a single monopolist producer which results in competition either driving down price or resulting in the incentive to add value in some other way. This would exclude mainframes or specialist realtime OSes in the embedded market.

Re:For people who don't grok EAL4 and ALC_FLR.3 (2, Funny)

Anonymous Coward | more than 7 years ago | (#19549935)

The letters correspond with school grades: A is excellent, B is ok, and C is barely adequate.

Just wait until the "No OS Left Behind" program gets passed.

Nice FUD, noob (0)

Anonymous Coward | more than 7 years ago | (#19550669)

(NT 4 got C only if the network was physically removed).


Yes, and the same statement applies to Lunix, OSX, MacOS, etc.

Nice FUD attempt: Bash NT for the same problems shared by all operating systems in a limp attempt to make your "lifestyle OS" look good.

Re:Nice FUD, noob (1)

davecb (6526) | more than 7 years ago | (#19551811)

Stock Unixes with the networking in place passed Orange Book "C" easily, specifically including Solaris 1, which **was** BSD.

The process was and is expensive, so only rich folks certify their OS security, which explains why we haven't seen it for Linux before...

--dave (assuming, of course, that I'm not replying to a troll) c-b

XP SP2 and Windows Server 2003 has the same rating (3, Informative)

Anonymous Coward | more than 7 years ago | (#19549751)

http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx [microsoft.com]

The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:
  • Microsoft Windows Server(TM) 2003, Standard Edition (32-bit version) with Service Pack 1
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1
  • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
  • Microsoft Windows XP Professional with Service Pack 2
  • Microsoft Windows XP Embedded with Service Pack 2

Re:XP SP2 and Windows Server 2003 has the same rat (5, Informative)

CloneRanger (122623) | more than 7 years ago | (#19550045)

Microsoft is only certified CAPP/eal4+ [niap-ccevs.org] . That is not LSPP/RBAC which is much harder and more secure.

Re:XP SP2 and Windows Server 2003 has the same rat (1)

bgarcia (33222) | more than 7 years ago | (#19550789)

Microsoft is only certified CAPP/eal4+. That is not LSPP/RBAC which is much harder and more secure.
Here are some relevant definitions:

Re:XP SP2 and Windows Server 2003 has the same rat (3, Funny)

mrwolf007 (1116997) | more than 7 years ago | (#19551149)

I read that link, but is the following just coincidence? "Certificate Date: 01 April 2007" Hmm....

Someone want to explain the Common Criteria to me? (1)

Kadin2048 (468275) | more than 7 years ago | (#19551153)

I tried to get some understanding of how the "Common Criteria" work, and read the wiki article on the subject, but I'm still not clear. Can anyone elucidate on how the whole process works, and what the various grades are? I understand that the 'Common Criteria' in their purest form aren't a set list of features that products need to have -- it's more of a framework for specifying and testing criteria -- but obviously the US Government has to have its own standards, tested using the Common Criteria, that it uses for approving systems. How does it work now? (Grumbles that the Rainbow Books were a fuckload simpler to understand...)

In particular, I really don't get this paragraph from the WP article:

So, if a product is Common Criteria certified, does that mean it is very secure? Let's look at an example.

Microsoft Windows 2000 is certified product at EAL4+, but regular security patches for security vulnerabilities are still published by Microsoft for Windows 2000. This is possible because the process of getting a Common Criteria certification allows a vendor to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. Based on these assumptions, the claimed security functions of the product are evaluated. Since Microsoft Windows 2000 has been EAL4+ certified, it should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft.

Whether you run Microsoft Windows 2000 in the precise evaluated configuration or not, you should apply Microsoft's security patches for the vulnerabilities in Windows 2000 as they continue to appear. If any of these security vulnerabilities are exploitable in the product's evaluated configuration, the product's Common Criteria certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include application of the patches to fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product's certification by the certification body of the country in which the product was evaluated.

Microsoft Windows 2000 remains at EAL4+ without including the application of any Microsoft security vulnerability patches in its evaluated configuration. This shows both the limitation and strength of an evaluated configuration.

Re:Someone want to explain the Common Criteria to (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19551355)

The key line is:

"the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft."

This is the code base that actually has the certification.

As soon as ANY change - and that includes adding patches - is made, the code base is no longer certified.

Any advertisement that the "product has ZZZ certification" for any following product is false. It no longer has certification. But it CAN be advertized as "based on bbbbb with ZZZZ certification".

Re:Someone want to explain the Common Criteria to (2, Insightful)

pantherace (165052) | more than 7 years ago | (#19551443)

Basically, they tested a specific version. That specific version (not including any patches!) and type of setup qualifies for the rating.

If there is a vulnerability that would affect that setup/version in its configured state, then the rating is supposed to be withdrawn, the problem fixed, and the system resubmitted.

Someone has figured out that perhaps, it might be a good idea to not have the vault door sealed, and a hole drilled in the side of the wall, so they tell you to apply security patches.

For the windows 2k thing: Its evaluated configuration wasn't vulnerable to any of the security patches, therefore it remains. ... which makes me wonder how stripped down it was. Probably no networking, among other things, because I can't think of much in 2k that hasn't had a security hole!

What does "more secure" mean? (2, Informative)

Anonymous Coward | more than 7 years ago | (#19551323)

This is actually a complex issue that cannot be summarized as "much harder and more secure".

EAL4+ refers to the assurance level applied to the software in question. It measures how well the software is implemented - in some sense what the probability of undiscovered holes is.

EAL4+ is actually a rather low level of assurance. After all, Windows can pass EAL4+.

CAPP, LSPP, and RBAC are protection profiles that refer to the protection policy enforced by the software. CAPP covers things like access control lists and protection bits, LSPP covers mandatory security policies, like the Bell and LaPadula policy. RBAC covers role based access control. These are all security features.

You can have lots of security features and low assurance. You can have few security features and high assurance. You can have lots of security features and high assurance.

The old Orange Book scheme used a single dimension to rate the level of security. Both features and assurance went up as you went up the scale. This was done to keep the system simple.

The Common Criteria is vastly more complex and confusing, and it is much harder to compare the level of security of two different products with Common Criteria evaluations.

very very rough equivalents:

Orange Book Common Criteria
      C2 ------ EAL3 and CAPP
      B1 ------ EAL4 and LSPP
      B2 ------ EAL5 and LSPP + covert storage channel protection
      B3 ------ EAL6 and LSPP + covert storage and timing channel protection
      A1 ------ EAL7 and LSPP + covert storage and timing channel protection

These equivalents are VERY rough, because LSPP doesn't really consider the issues at the higher EAL levels.

Re:XP SP2 and Windows Server 2003 has the same rat (0)

Anonymous Coward | more than 7 years ago | (#19552003)

Assuming this is true (I don't know if it's true or not, and Microsoft has been known to stretch the truth before), there is still missing information.

On what hardware was this certification made, and under what circumstances? Like, NT4 you had to disconnect it from a network, but it was still "certified". What are the specifics for this? You cannot make a blanket claim that your software is certified for all hardware, because not all hardware is equal.

The Red Hat announcement lists specific hardware. Microsoft does not appear to do this.

-M

Why does this link to an Australian tech site? (0)

Anonymous Coward | more than 7 years ago | (#19549759)

I'm not a security expert, but this looks like an American government security certification. Why does the submitter link to Australian Computerworld? Why not the American version, which also carried the newswire story?

Australians... (1)

Savage-Rabbit (308260) | more than 7 years ago | (#19549865)

I'm not a security expert, but this looks like an American government security certification. Why does the submitter link to Australian Computerworld? Why not the American version, which also carried the newswire story?
Because Australians are insensitive clods?

Re:Australians... (1)

flyingfsck (986395) | more than 7 years ago | (#19552579)

The Common Criteria is a joint project between several governments including Australia: http://www.commoncriteriaportal.org/ [commoncriteriaportal.org]

If you need to supply computer equipment to a government agency then you better start reading. If not, then don't bother.

Re:Why does this link to an Australian tech site? (1)

WaZiX (766733) | more than 7 years ago | (#19550549)

No Worries, Mate; I reckon it's some Ozzies trying to come the raw prawn with ya!

A good start. (1)

Lord_Pain (165272) | more than 7 years ago | (#19549883)

NIAP certification is a good first step if they want to get into the DoD world.
It's a BIG first step. But there are others... FIPS for one. I wonder who will be working the ST&E on this OS. DoD? IntCom?
Also the amoeba like reach of DISA will have to be dealt with. They like their Windows(BOO!) and Solaris(Yay!). They are not too receptive to "new" things.
Perhaps its biggest hurdle is not certifications... it's the infighting among gov't organizations.

Re:A good start. (1)

CloneRanger (122623) | more than 7 years ago | (#19550095)

>NIAP certification is a good first step if they want to get into the DoD world.

Linux is already in the DoD world. For Red Hat in particular, this is the fifth NIAP cert in the last 2 years.

>It's a BIG first step. But there are others... FIPS for one.

Which nss meets at level 2.

>Also the amoeba like reach of DISA will have to be dealt with.

Linux is already in the STIGs.

Re:A good start. (1)

Lord_Pain (165272) | more than 7 years ago | (#19550431)

You should know that ANY change to an OS constitutes a requirement for a new certification. Especially if a new "security module" is the core feature.

Just saying linux has been certified is just as silly. Which flavor?
There are STIG's for Debian, RH and few other flavors. But this is a new product. Also any changes to an existing product will require another STIG.

The kind of generalization from you sounds like something I'd hear from DISA.

Mod Parent Informative (1)

mpapet (761907) | more than 7 years ago | (#19550521)

As someone that has dealt at the periphery of projects where EAL certs are required, he's right on.

easy (1)

SolitaryMan (538416) | more than 7 years ago | (#19549925)

putting it on a par with Sun Microsystems Inc.'s Trusted Solaris

Is this the same system that had famous telnet froot [slashdot.org] vulnerability recently?

Re:easy (1)

986151 (986151) | more than 7 years ago | (#19550131)

Is this the same system that had famous telnet froot vulnerability recently?

No

HAHA (0)

Anonymous Coward | more than 7 years ago | (#19550165)

Anybody that still even has telnet enabled on a production server with WAN access should be shot. If anyone was surprised or pulling an omgz0r!@!@ because that came out, they shouldn't have their job. Telnet is widely known as being insecure.
For the record I administer 15 Solaris 10 servers.

Re:easy (1)

cpuh0g (839926) | more than 7 years ago | (#19550825)

No, Trusted Solaris and Solaris 10 with Trusted Extensions would not have been vulnerable to that vuln. And, did you know that MIT Kerberos distributions (which include a telnet daemon) also had a very similar hole? So, basically ANY site that was running MIT kerberos with telnet enabled (Linux, BSD, etc.) was also vulnerable to the same attack. MIT Kerberos is included in RH Linux and many other Linux distros as well. http://www.kb.cert.org/vuls/id/220816 [cert.org]

Slashdot responses (2, Funny)

Frankie70 (803801) | more than 7 years ago | (#19550013)

Check the slashdot story [slashdot.org] when Microsoft OS'es got a similar certification.
Let's compare the comments at the end of the day.

Re:Slashdot responses (4, Informative)

dylan_- (1661) | more than 7 years ago | (#19550575)

It's not the same certification. Windows' is for CAPP only. Redhat's is for CAPP, LSPP and RBACPP.

Resource and protection guarantees? (1)

Glock27 (446276) | more than 7 years ago | (#19550031)

In the embedded space, Green Hills Integrity has gained a lot of traction for reliable systems since it allows the developer to partition the system into spaces with guaranteed amounts of memory, cpu cycles and so on. It also offers strong guarantees that one partition can't affect another partition. See the Integrity features page [ghs.com] .

So, my question is: Is there similar functionality in the works for Linux?

Re:Resource and protection guarantees? (2, Informative)

Mr. Hankey (95668) | more than 7 years ago | (#19552929)

Integrity is an RTOS platform, not a general purpose OS. I've worked with their ARINC 673 product a bit, much standard UNIX functionality would break the guarantees made by an ARINC-compliant OS so it's just not present. Xen is a close enough approximation if you just want to partition the system off without using ARINC 673, but in order to get the same sort of certifications as Integrity (or VxWorks' ARINC 673 product for that matter) all the code involved with Linux - kernel, userspace etc. - would need a line-by-line code review, probable changes, and sign off.

Not surprised at all... (0)

Anonymous Coward | more than 7 years ago | (#19550087)

My last employer was a DoD contractor, and we ran RHEL for the vast majority of the datacenter.

The *nix STIG (Security Technical Implementation Guidelines) has included RHEL for a very long time... they only (very) recently split Linux off to its own separate one: https://www.aiptl.nit.disa.mil/Linux-STIG/wiki/static.php?page=static070124-111906 [disa.mil]

/P

Only as secure as its least secure member... (3, Interesting)

TheGreatHegemon (956058) | more than 7 years ago | (#19550143)

Make no mistake; the OS does make a good deal of difference for security in some respects. However, it seems to me that most security leaks come from HUMAN error. With respect to that, Red Hat does nothing (nor could I expect it to...). Nice to know that Linux can at least be recognized this way, at least.

STGGC (0, Redundant)

Joebert (946227) | more than 7 years ago | (#19550219)

Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies

Secret to getting government contracts, qualify for enough award acronyms to confuse the government into a game of acronym counts.

Secret to not selling out, aim for acronyms with funny altermeanings.

Everyone's A Lesbian At Lindas' Castle, Fortress, Lair, & Resort

Yeah yeah. But what does it /mean/? (3, Interesting)

jimicus (737525) | more than 7 years ago | (#19550545)

Any idiot can build a Linux system which runs absolutely no services whatsoever and SELinux to delegate authority appropriately with modern RedHat versions.

What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

Do you lose certification as soon as any extra services are running? In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.

Re:Yeah yeah. But what does it /mean/? (1, Informative)

Anonymous Coward | more than 7 years ago | (#19551649)

There seems to be a fairly significant amount of ignorance on this topic.
Some information is available [commoncriteriaportal.org] , but it is as complex as the systems which need securing. The basic idea is to give a number that indicates the quality with which security is maintained. ALC_FLR.3 is broken down to mean:


  1. ALC = class of life cycle support
  2. FLR = family of flaw remediation
  3. 3 = level of ranking

In particular, at ALC_FLR.3 it means that you have procedures for reporting flaws, you fix the flaws, and you tell users how to get the fixes. All of that must be verifiable and documented. It is the highest ranking in that category. There are many other categories, however.


Furthermore, there are additional protection profiles that may be involved. Because of the difficulty of getting certifications, they are typically provided with a specific hardware baseline and a specific configuration. So, Sun's Trusted Solaris 8 was EAL4, but also has LSPP on top of it.


Well, what does all that mean? It means that evaluated products may be configured securely, but not that they are secure innately. Effort is required. In practice, having an EAL rating is an initial requirement for an OS. In some cases there is a minimum rating for using the software. Sometimes it extends beyond the OS. All of that depends upon the contract. EAL4 is generally considered the minimum rating to be viable in a "low risk" environment.

Re:Yeah yeah. But what does it /mean/? (1)

flyingfsck (986395) | more than 7 years ago | (#19552075)

In practise you can never deliver a system that is exactly the same as the reference design. However, all equipment delivered to the military has to be certified by their own security people. This is a long process which takes months to years. It helps a lot if you can tell them that you followed the reference design up to a point and show exactly where you deviated. Therefore the certification of the reference design is very useful.

Re:Yeah yeah. But what does it /mean/? (1)

drinkypoo (153816) | more than 7 years ago | (#19552111)

What's more interesting is does the resulting system do anything useful? Web server? Mail server? DNS? File server?

Right! It was possible to get a C2 security rating with NT4, but you had to remove the floppy drive entirely (not just disable it) and both disable networking and disconnect the networking cable. Great, now you've got a standalone box that does nothing useful, but it's secure! Why not just turn it off?

Re:Yeah yeah. But what does it /mean/? (1)

jimicus (737525) | more than 7 years ago | (#19554439)

I prefer the "bucket of concrete" description. It's rather more final than "disable network and floppy drive", and has the advantage that it's substantially easier to understand by people who are just blindly demanding such certifications.

Anyone demands a secure system, I would be inclined to point out "I can give you a 100% guaranteed secure system. But I will have to bury it in reinforced concrete."

On a side note, has anyone attempted to get a system buried in concrete certified as secure?

Re:Yeah yeah. But what does it /mean/? (0)

Anonymous Coward | more than 7 years ago | (#19553165)

>>Do you lose certification as soon as any extra services are running?
>>In which case, it's fairly meaningless because the certification only applies if the system is broadly useless.

Not useless at all - many agencies no doubt have already certified their mail/dns, etc software.

This certification still applies as it covers (or attempts to cover) the various system level vectors which could be exploited.

Not the highest rating available (2, Informative)

KiltedKnight (171132) | more than 7 years ago | (#19551585)

Perhaps someone needs to inform Mr. Frye that there are things out there that are higher-rated...

XTS-400 (Wikipedia entry) [wikipedia.org]

XTS-400 [baesystems.com]

That particular system is rated at EAL 5. IBM's only achieved EAL 4.

no real surprise here (0)

Anonymous Coward | more than 7 years ago | (#19553103)

redhat takes security very seriously and they have a nice polished product. They've been putting out secure distributions for years and their product updates are very timely. I'd wonder if openbsd has received this security rating?

it isn't the OS that is EAL4 certified .. (1)

rs232 (849320) | more than 7 years ago | (#19553229)

RedHat is EAL4 certified on a particular hardware configuration, no one has physical access and you don't connect it to an insecure network like the Internet. I'm not sure how much use these certs are in the real world. But it does mean something to the PHBs. Now excuse me while my manager explains what ISO 9000 is, again ..

"Get the Facts" (2, Interesting)

dasunst3r (947970) | more than 7 years ago | (#19553887)

I think Red Hat should send something to Steve Ballmer to rub this in his face... something along the lines of "Looks like you need to Get the Facts about Windows and Linux. Where are your lobbyists now?" along with a copy of the certification.

You Fa1l it... (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#19554313)
