RHEL certified at EAL4+

Posted Jun 17, 2007 11:54 UTC (Sun) by pjm (subscriber, #2080)
In reply to: RHEL certified at EAL4+ by xose
Parent article: RHEL certified at EAL4+

To be more explicit: EAL4+ by itself does not indicate a security level; it indicates a degree of assurance that the specified protection profiles are met. As I understand it, getting EAL7 in protection profiles LSPP, RBACPP and CAPP doesn't tell you much about how safe it is to connect your computer to the Internet beyond any other system that supports the notion of user-ids. See also the comments http://web.archive.org/web/20060527063317/http://eros.cs.... on Windows 2000 SP3+ getting an EAL4 for CAPP, where it is claimed that EAL4 doesn't require examining or testing the software, just examining the paperwork surrounding the creation of the software.


RHEL certified at EAL4+

Posted Jun 17, 2007 13:55 UTC (Sun) by jamesm (guest, #2273)

Indeed, EAL4+ is an "evaluation assurance level". What is being evaluated is critical, and probably the important thing to note with this is that LSPP (Labeled Security) is included. You can read the spec here: www.commoncriteriaportal.org/public/files/ppfiles/lspp.pdf. Essentially, what this means is that Mandatory Access Control has been implemented at the highest assurance level possible with an off-the-shelf operating system. The requirements here go way beyond userids. I suspect what you are referring to is CAPP-specific, which is a different protection profile that Linux has already been certified against.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds