Red Hat and IBM recently announced
that Red Hat Enterprise Linux 5 (RHEL5) has earned the highest level of
security certification achievable by commercial off-the-shelf operating
systems. The certification is applicable when RHEL5 is running on IBM
hardware, but all of the software is freely available, which may reduce
the worries of customers regardless of which hardware they are considering running Linux on. The Fedora and
CentOS distributions will immediately benefit, because they use the
same software and SELinux policies, but other distributions can use the
information as well.
The certification that RHEL5 achieved comes from one of the most acronym-dense
regions of the internet, which is, perhaps, unsurprising for a partnership
between industry and the US government. Here is how the press release puts it:
[RHEL5] has been approved by the National Information Assurance Partnership for
Common Criteria Evaluation & Validation Scheme [NIAP-CCEVS] at Evaluation Assurance Level 4 (EAL4+) for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).
The NIAP is overseen by the US National Security Agency (NSA) and exists to
create and administer certification programs like CCEVS.
The various protection profiles list the security requirements that need to
be met to be certified. CAPP is concerned mostly with standard UNIX-style
users and permissions,
with some audit requirements thrown in. LSPP and RBAC are concerned with
the security capabilities provided by SELinux along with auditing
requirements. The profiles document the behavior that is
expected while the testing verifies that the system does indeed behave that
way.
These kinds of certifications are nice, in a checkbox kind of way. There
are many organizations that cannot or will not buy products that are not
certified for a particular level and protection profile. Windows Server has been certified at
EAL4, so filling in this checkbox for Linux may well remove a barrier to
Linux adoption in some places. Obtaining certification at this level is a
great deal of work; Red Hat and IBM are to be commended for spending the
time and money to get to this point.
That being said, what does an EAL4+ mean for the security of servers that
run RHEL5? As we said in late
2003, when (pre-Novell) SuSE teamed up with IBM to get an EAL2+
certification, the answer is, unfortunately, not much. It would seem that
EAL4+ is a big step up from EAL2+, which it is, but not in the kinds of
protections it provides. The
EAL level is completely driven by how much testing and documentation go
into the certification; how much "assurance" there is that the profile is
met. The same profile (CAPP) was used in both.
In addition, the protection profiles are limited to:
a level of protection, which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers to breach system security.
This puts most, if not all, interesting security threats outside of the
scope of the testing. Adding two additional protection
profiles, as was done this time, is certainly significant, but they
still operate under the "no hostiles" caveat.
Kernel hacker James Morris put it this way:
A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we've done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. "Military-strength" security is now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS.
Evidently, "military strength" security is only able to resist its own
users making mistakes rather than a concerted effort by an enemy, but this is
still a marvelous accomplishment.
The most unfortunate part of this certification process is that it is likely to
vastly underestimate the abilities of an SELinux equipped system.
It would be very interesting to see what kind of protection profile could
actually be accommodated by RHEL5; it is likely to be much stronger than any
we have seen from CCEVS. But, given that customers are typically interested
in the checkbox much more than security, we will probably never know.