Blah, you've got to hold your mouth right to be compliant...
Posted May 8, 2004 10:00 UTC (Sat) by apollock (subscriber, #14629)
Parent article:
Red Hat gains security certification (News.com)
Heh, so I download the certification report. The first page says it all:
Version 3 with security update RHSA-2003:416 running on specified Dell and Hewlett-Packard platforms.
Oooh. The hardware it's running on makes it secure or not. Sheesh. I have to fork out the bucks for the hardware as well as the distro to run an EAL2 Linux distro. (RHSA-2003:416 is CAN-2003-0985, btw.) Now on to the meat of the document...
Hmm, Oracle sponsored the evaluation. Interesting...
Ah, the TOE scope. Now we're cooking.
The TOE provides for a level of protection appropriate for an assumed non-hostile and well managed user community. It provides against threats of inadvertent or casual attempts to break system security.
Better not hook it up to the Internet then...
The TOE was evaluated in standalone mode. Most of its network facilities (e.g. DNS, NFS, NIS and X Windows) were excluded from the evaluated configuration; the Security Target did include Security Functions relating to remote login.
How convenient. What I'd like to see is netfilter get accredited as an EAL something firewall. Checkpoint might sit up and take notice then.
Now the killer:
The following features of Red Hat Enterprise Linux were specifically excluded from the evaluation:
- Apache Web Server
- Kerberos
- Crypto IP Encapsulation
- Nmap
- LILO
- NFS
- DNS
- DHCP
And there's a little footnote that I can't seem to connect with the body of the document saying that not all the functions for software development are permitted in the evaluated configuration of the TOE. Fair enough. Shouldn't be doing development in an accredited environment (i.e. Production), really. But no Apache? Can't run an EAL2 webserver on RHEL. Guess that would mean hooking it up to the nasty Internet anyway...