RHEL certified at EAL4+

RHEL certified at EAL4+

Posted Jun 17, 2007 9:01 UTC (Sun) by henning (subscriber, #13406)
Parent article: RHEL certified at EAL4+

Nice to see that now two major enterprise distributions exist that support this security level. SLES was certified for this level more than two years ago, though: announcement.


RHEL certified at EAL4+

Posted Jun 17, 2007 9:54 UTC (Sun) by xose (guest, #535) [Link]

not at the same level:

SLES-9 ( http://www.bsi.de/zertifiz/zert/reporte.htm#mittlere_Systeme ):
Controlled Access Protection Profile, Issue 1.d

RHEL-5 ( http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 ):
Controlled Access Protection Profile, Version 1.d
Labeled Security Protection Profile, Version 1.b
Role Based Access Control Protection Profile Version 1.0

RHEL certified at EAL4+

Posted Jun 17, 2007 10:29 UTC (Sun) by henning (subscriber, #13406) [Link]

Thank you for pointing this out, I was not aware of it. So the RBAC and
LSPP profiles are not tested in SLES.

RHEL certified at EAL4+ (versus SLES at EAL4+)

Posted Jun 18, 2007 0:08 UTC (Mon) by smoogen (subscriber, #97) [Link]

In most cases the subprofiles are more important for areas of 'assurance'. CAPP is the 'lowest' level profile and is somewhat equivalent to C2 from the old Orange Book. LSPP is supposed to be equivalent to B1 and the RBAC+LSPP is supposed to move towards B2 (though I have heard differing opinions on this).

http://www.dynamoo.com/orange/orangechart.htm

In any case getting a CAPP/LSPP/RBAC is usually tied to a specific hardware+software combination. I could put the same software on a Dell server and not be 'certified' due to the fact that it requires some hardware dongle thingee that was needed for the protected path on the IBM or HP box.

Getting SuSE to be certified to EAL4+ on LSPP/RBAC is probably underway, but may be much harder to do... SELinux was written pretty much to help meet various EAL high level specifications with all the extra Math ready to be documented when asked for. AppArmor was not and you have to go through a lot of extra hoops to show that it meets the mathematical criteria.

I am not saying it is not impossible.. but that it's a lot of extra hoops that in the end SuSE may decide are not a large enough incentive for sales. In the end, EAL certification is not a security standard. One can have a CAPP/LSPP/etc system that any script-kiddie can break into and mutilate.. EAL is meant to be a validation that if you have a LSPP/RBAC system AND the sysadmin knows what they are doing.. the system should be robust in some sort of environment (which is usually described as being a non-threatening/trusted one.. eg NOT the internet.) Thus in the end having various EAL certs mean that you can be bought/sold to customers who have this requirement listed on their ISO9000 or some other audit list.

RHEL certified at EAL4+ (versus SLES at EAL4+)

Posted Jun 18, 2007 21:08 UTC (Mon) by Wol (guest, #4433) [Link]

If I may quote Einstein:

"As far as the laws of mathematics refer to reality they are not certain; and as far as they are certain they do not refer to reality"

So the maths is no guarantee that things will actually work in the real world...

Cheers,
Wol

RHEL certified at EAL4+ (versus SLES at EAL4+)

Posted Jul 11, 2007 18:34 UTC (Wed) by kreutzm (subscriber, #4700) [Link]

Hello,
as there are some factually incorrect statements, I'll have to correct them.

a) When certifying products you always have to specify the environment. So it depends on the sponsor. Maybe special hardware is required, but I wouldn't expect IBM to sponsor Linux on Dell hardware. Though technically it might behave the same. (Maybe a hardware dongle is required, but I really doubt it)
b) There is no extra math in EAL 4+. You'll need some semi-formal formulation for EAL 5, but formal (mathematical) proofs are only for EAL 6 and EAL 7. But you simply cannot afford it typically.
c) I would consider the PPs the security standard. EAL is only a metric, how much effort went into testing. It is called "evaluation assurance level". The same product may be evaluated to EAL 1, where mainly some documentation is reviewed and up to EAL 7 with mathematical proofs. Just in the first case you are not very sure, that the product does in fact fulfill its promise, while in the latter case you have the mathematical proof.
d) Yes, you always have to read the assumptions. You know, the first certificate for a previous mainstream operating system had networking and graphics turned off ...

But testing is very thorough, so EAL 4+ is usually not easily breakable. Of course, if the admin uses "123" as root password and ignores all documentation, well ....

RHEL certified at EAL4+

Posted Jun 17, 2007 11:54 UTC (Sun) by pjm (subscriber, #2080) [Link]

To be more explicit: EAL4+ by itself does not indicate a security level, it indicates a degree of assurance that the specified protection profiles are met. As I understand it, getting EAL7 in protection profiles LSPP, RBACPP and CAPP doesn't tell you much about how safe it is to connect your computer to the Internet beyond any other system that supports the notion of user-ids. See also the comments http://web.archive.org/web/20060527063317/http://eros.cs.... on Windows 2000 SP3+ getting an EAL4 for CAPP, where it is claimed that EAL4 doesn't require examining or testing the software, just examining the paperwork surrounding the creation of the software.

RHEL certified at EAL4+

Posted Jun 17, 2007 13:55 UTC (Sun) by jamesm (guest, #2273) [Link]

Indeed, EAL4+ is an "evaluation assurance level". What is being evaluated is critical, and probably the important thing to note with this is that LSPP (Labeled Security) is included. You can read the spec here: www.commoncriteriaportal.org/public/files/ppfiles/lspp.pdf . Essentially, what this means is that Mandatory Access Control has been implemented at the highest assurance level possible with an off the shelf operating system. The requirements here go way beyond userids. I suspect what you are referring to is CAPP-specific, which is a different protection profile that Linux has already been certified against.
