RH's Linux Achieves CAPP/EAL3+ Certification on All IBM eServer Systems

Thursday, August 19 2004 @ 12:55 PM EDT

Things have been so busy with motion practice, I missed this press release from IBM and Red Hat from the first day at LinuxWorld, and it's important to have as part of our collection, so we're prepared for the FUD about open source and security. It's also important for people to know, in government and in business, that this level of security certification is now achievable on GNU/Linux systems. This quotation from the Department of Defense says it all: "'The Department of Defense commends IBM and Red Hat for their recent Common Criteria evaluation of Red Hat Enterprise Linux 3,' said Gary Zelanko, Chief, Enterprise Integration Advanced Analysis Laboratory, Department of Defense. 'Meeting the EAL3 security standard gives the U.S. Department of Defense a greater assurance level when using commercial technology to build secure information systems for the federal government. We appreciate the significant effort that IBM and Red Hat have undertaken to comply with this international standard and their ongoing commitment to achieving even higher assurance levels.'" Here is the press release.
*************************
IBM and Red Hat Achieve Common Criteria Security Certification Across All IBM eServer Systems
SAN FRANCISCO, CA -- Aug 3, 2004 -- In a move expected to further enable the adoption of Linux by businesses and governments around the world, Red Hat and IBM today announced they have achieved a new level of security certification for Red Hat across IBM servers.
The announcement was made at the opening of LinuxWorld in San Francisco.
Red Hat Enterprise Linux 3, Update 2 on IBM eServers has achieved Controlled Access Protection Profile compliance under the Common Criteria for Information Technology Security Evaluation (CC), commonly referred to as CAPP/EAL3+. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line, with Red Hat Enterprise Linux WS on xSeries, and Red Hat Enterprise Linux AS on xSeries, iSeries, pSeries, zSeries as well as Opteron-based systems.
"The Department of Defense commends IBM and Red Hat for their recent Common Criteria evaluation of Red Hat Enterprise Linux 3," said Gary Zelanko, Chief, Enterprise Integration Advanced Analysis Laboratory, Department of Defense. "Meeting the EAL3 security standard gives the U.S. Department of Defense a greater assurance level when using commercial technology to build secure information systems for the federal government. We appreciate the significant effort that IBM and Red Hat have undertaken to comply with this international standard and their ongoing commitment to achieving even higher assurance levels."
The Common Criteria (CC) is an internationally recognized ISO standard (ISO/IEC 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.
Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security related documentation and product testing.
"Red Hat Enterprise Linux has become a standard platform in governments around the world," said Brian Stevens, vice president of Operating Systems Development at Red Hat. "Achieving this latest certification underscores the position of Linux in environments that demand high levels of security. We look forward to working with IBM to expand government deployments of Red Hat Enterprise Linux."
"Today's announcement that Red Hat has achieved a new level of Common Criteria certification is another validation of the high level of security Linux is delivering to businesses and governments alike," said Jim Stallings, general manager, Strategic Growth Initiatives, IBM. "This certification will further drive Linux into the heart of the enterprise and ensure that it is increasingly used in mission critical environments."
CAPP/EAL3+ certification of Linux requires exhaustive testing and review and expands both the functional capabilities and confidence in Linux security. This is achieved through the addition of an auditing subsystem in Red Hat Enterprise Linux 3 that provides auditing of security critical events and through security functions that protect network transmitted data.
The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, and accredited in Germany by the Federal Office for Information Security (BSI).
In addition to CAPP/EAL3+ certification, Red Hat and IBM are committed to working in partnership to obtain CAPP/EAL4+ certification for Red Hat across IBM's entire eServer product family.
IBM and Red Hat are committed to supporting the development and certification of Linux and will make available to the open source development community key components of the Common Criteria evaluation.
IBM plans to continue to invest in ongoing certifications for new and existing IBM products. z/VM V5.1, IBM's premier virtualization technology with the RACF for z/VM optional feature, is in evaluation for Common Criteria certification to conform to the requirements of the Labeled Security Protection Profile (LSPP) and the Controlled Access Protection Profile (CAPP), both at EAL3+. z/VM helps enable mainframe customers to run tens to even hundreds of instances of the Linux operating system on a single IBM zSeries server.
z/OS 1.6 with the RACF optional feature, is also in evaluation for Common Criteria certification to conform to the requirements of the LSPP and the CAPP, both at EAL3+. z/OS, IBM's flagship mainframe operating system, provides Labeled Security Protection with multilevel security support. Designed together with DB2 Version 8, this support can provide row-level security labeling in DB2 and protection in z/OS, designed to meet the stringent security requirements for multi-agency access to data.
IBM's suite of middleware products is also in line for Common Criteria certification on Linux. Common Criteria certifications have been awarded to IBM Directory Server, Tivoli Access Manager, and WebSphere MQ. Many other IBM Software products are now in evaluation for Common Criteria certification. Additional IBM Software products are being prepared to enter the evaluation process.
For more information about our current certifications, visit http://www-3.ibm.com/security/standards/st_evaluations.shtml
About Red Hat, Inc.
Red Hat, the world's leading open source and Linux provider, is headquartered in Raleigh, NC with satellite offices spanning the globe. Red Hat is leading Linux and open source solutions into the mainstream by making high quality, low cost technology accessible. Red Hat provides operating system software along with middleware, applications and management solutions. Red Hat also offers support, training and consulting services to its customers worldwide and through top-tier partnerships. Red Hat's Open Source strategy offers customers a long term plan for building infrastructures that are based on and leverage open source technologies with focus on security and ease of management. Learn more: http://www.redhat.com
About IBM
IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. Drawing on resources from across IBM and key IBM Business Partners, IBM offers a wide range of services, solutions and technologies that enable customers, large and small, to take full advantage of the new era of e-business. For more information about IBM and Linux, visit www.ibm.com/linux.

Authored by: Anonymous on Thursday, August 19 2004 @ 01:03 PM EDT
Awesome. Congratulations!!! Linux is rock-solid SECURE.

Authored by: trs on Thursday, August 19 2004 @ 01:03 PM EDT
First post!!

- Doh!! (eom) - Authored by: trs on Thursday, August 19 2004 @ 01:04 PM EDT
- More IBM Linux news - Authored by: Anonymous on Thursday, August 19 2004 @ 01:16 PM EDT
- Upcoming Legal Events - Authored by: Anonymous on Thursday, August 19 2004 @ 01:45 PM EDT
- OT and links here, please - Authored by: Anonymous on Thursday, August 19 2004 @ 01:57 PM EDT
- Somewhat OT: Cnet has story on Linux/Windows security - Authored by: ray08 on Thursday, August 19 2004 @ 02:27 PM EDT
- OT and links here, please - Authored by: Toon Moene on Thursday, August 19 2004 @ 04:24 PM EDT
- OT 9th circuit rules on P2P - Authored by: Baldy on Thursday, August 19 2004 @ 04:38 PM EDT
- Grokster decision - Authored by: jwoolley on Thursday, August 19 2004 @ 05:24 PM EDT
- Cartoon Strip - Authored by: mobrien_12 on Thursday, August 19 2004 @ 06:27 PM EDT
- OT isn't Fedora Core 2 under GLP? - Authored by: Fractalman on Thursday, August 19 2004 @ 06:59 PM EDT
- OT and links here, please - Authored by: Anonymous on Thursday, August 19 2004 @ 08:18 PM EDT
- List of exhibits IBM 231+232 - Authored by: Anonymous on Thursday, August 19 2004 @ 11:45 PM EDT
- I am getting edicated! - Authored by: Anonymous on Friday, August 20 2004 @ 12:20 AM EDT
- Attack Pierces Fully Patched XP Machines - Authored by: Anonymous on Friday, August 20 2004 @ 12:30 AM EDT
- OT and links here, please - Authored by: sef on Friday, August 20 2004 @ 12:46 AM EDT
- ZDNet and software patents - Authored by: Anonymous on Friday, August 20 2004 @ 03:49 AM EDT
- Corel thinking about putting toes back into Linux pool? - Authored by: Anonymous on Friday, August 20 2004 @ 09:29 AM EDT

Authored by: PolR on Thursday, August 19 2004 @ 01:15 PM EDT
If any are needed

Authored by: leguirerj on Thursday, August 19 2004 @ 01:20 PM EDT
I think Sun's Jonathan Schwartz was wrong about the business relationship between Red Hat and IBM.

Authored by: Rasyr on Thursday, August 19 2004 @ 01:52 PM EDT
Okay, so who was that guy a few months back that rambled on and on about how Linux did not meet EAL specs?
Somebody want to forward that press release to him?

Authored by: Anonymous on Thursday, August 19 2004 @ 01:53 PM EDT
~PHROSTIE is too lazy to relogin again.
This is very cool, but it is important which version of Red Hat they are discussing. How current of a version?
If it was MS saying Windows has met a certain security level, we would be asking, what version?
RH9?
RH8?
RH7?
?
?

Authored by: Anonymous on Thursday, August 19 2004 @ 02:23 PM EDT
OK. What is Update 2 for RHEL3? I have almost 20 RHEL machines across the US that I admin and I have never heard of Update 2. Is that the cumulative patches of all of the up2date'd rpms or what?

It takes two cdroms now of updates for the RHEL3 to get them current. Is there one "iso" or something from them or what?

Authored by: overshoot on Thursday, August 19 2004 @ 02:29 PM EDT
Well, back when Microsoft trumpeted their EAL4 certification, Jonathan S. Shapiro of Johns Hopkins University Information Security Institute explained what it all means.
To paraphrase: In the case of CAPP, an EAL3 evaluation tells you everything you need to know. It tells you that IBM and Red Hat spent millions of dollars producing documentation that shows that RHEL 3.0 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

Authored by: Nick_UK on Thursday, August 19 2004 @ 02:30 PM EDT
I run two Red Hat EL 3 servers at work for DNS/DHCP (Oracle DB and Lucent's QIP/QMS), and they are faultless. When I used to run it on Windows, I had nothing but problems (the usual one was the service just used to stop, but Task Manager et al showed it running!), so I got in a habit of stopping/restarting the service[s] every few days.
Anyway, the point. I work for a Company owned by a very large Company which is owned by a very big Company - my UK sub-net is a small cog in the Global LAN (I have > 10000 people in my mail address book, and that is only the parent Company of my firm, not the whole Company!).
I was told to get Red Hat EL 3 for this project several months back :) To say I was a happy bunny is an understatement.
Nick

Authored by: rsmith on Thursday, August 19 2004 @ 02:35 PM EDT
I've been browsing through the Common Criteria, and this is what it says about EAL3:

"EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, and evidence of a developer search for obvious vulnerabilities (e.g. those in the public domain).

EAL3 also provides assurance through the use of development environment controls, TOE configuration management, and evidence of secure delivery procedures.

This EAL represents a meaningful increase in assurance from EAL2 by requiring more complete testing coverage of the security functions and mechanisms and/or procedures that provide some confidence that the TOE will not be tampered with during development."

So it's not just a theoretical exercise, you also have to do tests, and you can even download the tests from SourceForge.
I suspect that standards like these are valued by PHBs, but what does it mean in the real world? Can someone familiar with this matter give some pointers?
This reminds me of the well-known story of Windows NT (3.51, IIRC) getting a C2 rating. MS and the trade press made a lot of noise about it, but when people started reading the test report, it turned out that the C2 rating was for a machine not plugged in to a network. :-) See this link, or google for "NT C2".
--- Never ascribe to malice that which is adequately explained by incompetence.

Authored by: Anonymous on Thursday, August 19 2004 @ 03:12 PM EDT
... that Microsoft zealots will finally admit that Linux is more secure than Windows and it has absolutely nothing (not even a shred, schnibble, crumb, or speck) to do with marketshare?
I'm glad I had the opportunity to learn how to use Linux all those years ago when I got my first IT job. Now I'm glad that Red Hat and SuSE have shown how hardened Linux can be. Way to go!

Authored by: hsjones on Thursday, August 19 2004 @ 03:49 PM EDT
I know it's been mentioned in some replies above, but I had to post it as a parent -- Novell announced EAL3+ for SuSE Linux Enterprise Server 8 several months ago. Also, they are on the cusp of announcing EAL4+ for SLES 9. In fact, Novell-SuSE is ahead of Red Hat in most regards when it comes to Linux security.
Regardless, I do think that it's interesting/cool that IBM is subsidizing certification for both distros. Really drives home the point that the hardware companies don't want to recreate with Linux the monopoly scenario that they created with Windows and MS.
And it further invalidates the perpetual rumors about either IBM or HP acquiring either Novell or Red Hat...

Authored by: icebarron on Thursday, August 19 2004 @ 04:16 PM EDT
QUICK somebody warn Dan Dowd, this is gonna make him whine...
Peace to one and all
Dan

Authored by: maco on Thursday, August 19 2004 @ 05:54 PM EDT
This means a lot. MS apparently passed EAL4 before SP2.
Questions:
- Does MS applying SP2 make it EAL5?
- If RH ELS adds enough security holes, can they become EAL4 like MS?
- If SP2 has enough security holes, does it make it EAL6?
- At this rate, I don't see how Linux can ever catch up.
Please help me with this - I'm very confused.

- No - Authored by: Anonymous on Thursday, August 19 2004 @ 06:08 PM EDT
- MS - EAL4 Before SP2 - Authored by: Anonymous on Thursday, August 19 2004 @ 10:54 PM EDT
- No. - Authored by: dwheeler on Friday, August 20 2004 @ 12:11 AM EDT
- No. - Authored by: Anonymous on Friday, August 20 2004 @ 05:30 PM EDT

Authored by: Anonymous on Thursday, August 19 2004 @ 08:27 PM EDT
Does anybody happen to know? I doubt Windows is CAPP/EAL3+ certified. How about Solaris? I think IRIX might be. How about UnixWare?
All kidding aside, I really would like to know which OSes have this certification.

Authored by: Anonymous on Thursday, August 19 2004 @ 09:31 PM EDT
But they don't tell you how much that Red Hat configuration is. And I bet it's not free..

Authored by: Anonymous on Thursday, August 19 2004 @ 11:36 PM EDT
I think the title used by PJ is very good!
"RH's Linux Achieves CAPP/EAL3+ Certification on All IBM eServer Systems"
And that is very different from:
"RH's Linux IS CAPP/EAL3+ certified ..."
For those who cannot distinguish the difference, they will believe MS Windows IS secure.
Actually, those certification processes only say one thing:
The product being evaluated CAN be MADE secure (meeting the requirements of a specific level of specification) under specific sets of conditions.
It is misleading to say something IS secure without saying HOW it can be done.
The mass media is only saying IS but never saying HOW.
If we go and read the CC level details (what the IS means) and under what conditions (what the HOW means), there is little relation with what we are doing with desktop computers at home or at the office.

Authored by: Anonymous on Thursday, August 19 2004 @ 11:43 PM EDT
I'd like to request an article (if PJ feels like it), or any informed or thoughtful comments on the Doctrine of Judicial Estoppel, and if they apply to the SCO case.
First, relevant background links:
(1) Doctrine of Judicial Estoppel
(2) Judicial estoppel may arise from administrative filings [in this example from FTC filing, but what about SEC filings]
Second, questions I am interested in:
(A) In IBM's counterclaims and summary judgement motions, they make quite a few references to SCO's SEC filings. Question: Are SCO estopped from offering contradictory evidence/claims, in accordance with reference (2)???
(B) If SCO were to assert that they did not repudiate the GPL with reference to IBM counterclaim 8 (copyright infringement). Question: Would they be estopped from claiming otherwise, in a future response to IBM counterclaim 6 (breach of the GPL)???
(C) If SCO were to assert that they did repudiate the GPL with reference to IBM counterclaim 8 (copyright infringement) or IBM counterclaim 6 (breach of the GPL), would they be estopped from claiming the GPL is a valid license, that they accepted, for other, non-IBM GPLed products??? (Previous post on this subject - please read this before responding that the GPL is only a model license, and each product is licensed separately)
Thank you in advance for informed comments or thoughts.
Quatermass
IANAL IMHO etc.

Authored by: dwheeler on Friday, August 20 2004 @ 12:02 AM EDT
This is important for a lot of people, especially the Controlled Access Protection Profile (CAPP) part. Some organizations require Common Criteria evaluations before they allow use of such operating systems, so this evaluation will open up a number of doors.
Here's some information if you're not familiar with the Common Criteria (CC). The Common Criteria is an ISO standard that's essentially a "Chinese menu" of possible security functions and possible security assurances. Security assurances are various processes that a lab can do to increase assurance that the product does what it's supposed to do (e.g., run functional tests, perform penetration testing, examine design documentation, review software configuration management procedures, that sort of thing). There are pre-canned sets of assurances; those are the "evaluation assurance levels" (EALs) that you're seeing.
If you're a customer, you should select from the Common Criteria the functions and assurances that are important to you; when you do, you create a "Protection Profile" (PP). If you're funding the evaluation of a particular product (often done by the product vendor), you should select from the Common Criteria the functions you want to have evaluated, how much assurance (evaluation) you want to do, in what environment; that selection is documented in a "Security Target". Usually Security Targets intentionally include the requirements from one or more PPs, since you'd like to show that a product meets requirements by at least one customer, though it's not required. The products are then evaluated by an independent lab against the ST.
The CAPP part is really important. In theory, you could declare one uninteresting security function, and evaluate it at a very high level... it'd get a high EAL, but probably wouldn't be useful. The CAPP is one of the few customer-created PPs for operating systems, so by meeting it, Red Hat is showing that anyone who wants a CAPP-like system can get one from Red Hat. The CAPP includes in it the EAL3 requirements. The CAPP, by the way, is essentially the same thing as the old Orange Book level C2.
Many uses of operating systems in the Department of Defense require an evaluation against a "government PP", so meeting the CAPP will open new opportunities for Red Hat. And even in many situations and organizations worldwide where it's not a strict requirement, having these certificates makes decision-makers a lot more comfortable in deploying GNU/Linux systems. Many people want security, and they don't want to just take the vendor's word for it! A CC evaluation is useful evidence that the product is less risky.
Novell is ahead of Red Hat in this area, as others have noted. But having two competing evaluated products is a good thing; choice lowers costs for everyone.
I don't see the latest evaluation results posted at either the US NIAP site or commoncriteriaportal.org; the only Red Hat eval I see is the older EAL2 evaluation. And I don't read German. So, I can't see the ST that was used for this evaluation. Still, from the press reports, it appears that the evaluation only applies to IBM mainframes, NOT to x86s. If that's true, that'd be an unfortunate limitation. It might not be hard to extend the evaluation to cover x86s later, if they wanted to do that.
I'm extremely familiar with the CC, so if you have any questions, reply here, and I (or someone else) will try to answer.

Authored by: Anonymous on Friday, August 20 2004 @ 04:37 AM EDT
www.google.com
search: bastards (please excuse the language)
use feeling lucky.
Guess where that goes? :)

Authored by: Anonymous on Friday, August 20 2004 @ 06:29 AM EDT
I hope Microsoft is reading this so they will be motivated to launch their patent attack against Linux, Open Source, and the like, IF they really have the arsenal that the FUD media is claiming they have. They will not win, of course.
Microsoft, are your patent attack plans similar to the Star Wars Defense program Ronald Reagan used against the Soviet Union? Lots of spending and building, large threats, technology didn't really work, but the FUD used against the Soviet Union helped end the Cold War.

Authored by: Anonymous on Friday, August 20 2004 @ 08:33 AM EDT
http://www.business-standard.com/bsonline/storypage.php?bKeyFlag=BO&autono=3576
While states like Madhya Pradesh, Kerala, West Bengal and Maharashtra are already exploiting the advantages of open-source software of Linux, corporates like Life Insurance Corporation have started the migration from SCO-Unix to Linux to take advantage of the cost-effective alternative.
"Our estimates suggest that annually, over 25% of servers shipped in India run on the Linux operating system. Similarly, of the total desktops shipped annually, over two lakh desktops run on the Linux operating system," Javed Tapia, director, Red Hat India, the leading Linux and open source provider firm, said today.
http://www.eweek.com/article2/0,1759,1638009,00.asp
IBM is trying to use SCO as a punching bag this week as Big Blue fires off another motion for partial summary judgment in its legal slugfest over Linux and Unix copyright issues.
system5

Authored by: jto on Friday, August 20 2004 @ 08:43 AM EDT
I won't speculate on the validity of the Common Criteria process, but IBM has published all the documentation on the certification of both SUSE SLES8 and Red Hat RHEL3. This information can be used by anyone to help make their Linux system secure to the Common Criteria requirements.
This information is all at the IBM Linux Technology Center web site at http://www-124.ibm.com/linux/pubs/?topic_id=5
--- Regards, JTO

Authored by: Anonymous on Monday, August 23 2004 @ 04:47 AM EDT
Actually CAPP 3 isn't that big of a deal; it doesn't say as much about the actual security of a product as it does about the procedures involved in and awareness of security.
Generally speaking, any reasonable OS could reach CAPP level 3 if they would pay for the certification process. Even getting higher levels doesn't automatically mean better security but rather having a better understanding of what security problems there are.
This isn't Linux bashing or anything since the same goes for any other CAPP 3 certified OS. It may be required to be considered for certain government purposes or it may be taken more seriously by business managers but really, it doesn't say much about the actual security of the product at all.