RHEL certified at EAL4+
Posted Jun 18, 2007 23:28 UTC (Mon) by jd (guest, #26381)
Parent article: RHEL certified at EAL4+
EAL4+ is fine, but as others have noted, it's only an assurance that a set of criteria has been met. It is not actually a security audit, per se, unless the specific implementation of the Common Criteria actually includes a security audit. I believe the highest rating for a general-purpose OS is EAL5, and Windows 2003 ranks EAL4, so 4+ seems to be a little on the old side anyway. Who wants to be known as only a little better than Windows on security?
Now, certain Government uses require certain EAL levels, so this will have an impact on who uses Linux. Maybe not a huge impact, but an impact nonetheless. That, in and of itself, is a major bonus, even if the label has little real value.
There are a few things that surprise me, assuming I read the PR correctly. Please correct me if I'm wrong, but there appears to be no security labeling of memory regions or of network connections. These are fairly significant security additions and have been considered an important part of mandatory access controls for a long time.
The next thing that surprises me is that I saw nothing obvious about a kernel or glibc security audit. A thorough audit of these two would be well within the capacity of IBM and would eliminate weaknesses at the critical points within the system. Any weakness in those two components will be shared with virtually all applications, so closing them would seem critical for true assurance.
I hope the EAL4+ tests make their way into the Linux Test Project, the way the other EAL tests have, and I also hope that some of the hardened Linux distros use these tests to show what level of security they are equivalent to, whether they are certified or not. It would be healthy competition if a solid hardened distro could show itself to be comparable or superior to the certified version of RHEL5 in terms of standards and security. Not because I have anything against Red Hat, but because it will boost efforts in the security arena.