LWN: Comments on "RHEL 5 going for Common Criteria EAL 4 rating" https://lwn.net/Articles/153287/

This is a special feed containing comments posted to the individual LWN article titled "RHEL 5 going for Common Criteria EAL 4 rating".

Mon, 06 Oct 2025 23:24:41 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/155382/ etbe

The administrator has to perform tasks such as fixing file system corruption, backing up data, and installing new applications (including custom applications). These tasks are not compatible with preventing the administrator from accessing secret data.

We have a secadm_r role for security administration which can be separate from the sysadm_r for general system administration. This is currently an experimental feature and is designed to be discretionary in nature. We can't entirely prevent the sysadm from doing the wrong thing in regard to security administration, but if they do so then they can't claim it to be an accident, mistake, or an issue where their duties were unclear.

Wed, 12 Oct 2005 05:07:38 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/155231/ Vladimir

Just wanted to comment on this:
"LSPP has some very specific security requirements....
So, the direct value of this to non-govt types is unknown and historically limited."

I don't need to be a government type to be able to use LSPP or Type Enforcement or RBAC for everyday business.
How on Earth would you let sysadmins use root and at the same time not have access to classified data stored on the servers they run?

Regards,

VG

Tue, 11 Oct 2005 06:31:47 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/154424/ kweidner

> [...]it is up to the users to trust that the same care will be taken for further revisions.

It's not just a matter of trust. In this case the security target adds the claim to meet the highest CC level of flaw remediation procedures beyond what the protection profiles would require ("augmented with ALC_FLR.3"), this means that the evaluators are examining and confirming that the software developers have effective procedures in place to systematically address security flaws in the product and inform their users about them.

Check out page 124 in the standard (http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part3.pdf) [PDF link] if you want more details about how this works.

Tue, 04 Oct 2005 20:08:12 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/154181/ rmfought

From my understanding, the instant you patch or change the configuration of the evaluated software in any way, the certification is invalid. Thus the Win2k cert was only good for a short while (if at all) until patches were applied (IIRC, the version actually shipped was many revisions past the one certified).

Another important thing to understand (as many others have pointed out) is that EAL level has no relation to how secure an IT product is, only *assurance* of how well it was implemented (i.e.
bug and malware-free) based on the security requirements set forth (a la different protection profiles). The protection profile/security target is really where the rubber meets the road as to what actual security features the product provides. The Red Hat PP is stronger security-wise than the one MS used. This is a good overview of the MS cert:

http://eros.cs.jhu.edu/~shap/NT-EAL4.html

Something as complex as an OS is a tough thing to keep certified because changes are so frequent. I guess the real value is in showing that it can be done, and then it is up to the users to trust that the same care will be taken for further revisions.

Mon, 03 Oct 2005 14:22:18 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153759/ kweidner

This is different, the SUSE evaluation used the CAPP (http://niap.nist.gov/cc-scheme/pp/PP_CAPP_V1.d.html) profile (same as the MS Windows evaluation mentioned here), and the new RH evaluation will be adding LSPP (http://niap.nist.gov/cc-scheme/pp/PP_LSPP_V1.b.html) and RBAC (http://csrc.nist.gov/rbac/) for mandatory access control and role based security, making it comparable to Trusted Solaris and similar systems.

FYI, you can get the official lists of evaluated products (http://niap.nist.gov/cc-scheme/vpl/vpl_type.html) and products in evaluation (http://niap.nist.gov/cc-scheme/in_evaluation.html) directly, no need to dig for old press releases ;)

Mandatory Access Control (MAC) means that the OS enforces restrictions and users can't override them. For example, you can't copy a file marked "secret" to an insecure device even if you own the file. By contrast, users can change the standard filesystem permissions (aka Discretionary Access Control or DAC) and give read or write access to others for files they own.

MAC is potentially interesting even outside government environments since it can protect against malicious software - for example it could ensure that your web browser cannot read your financial data even if an attacker has full control over it due to a security flaw.

Thu, 29 Sep 2005 19:57:46 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153571/ bojan

Of course, but consider this. If you are building an OS and want it EAL 4 certified, does the fact that Windows is certified help you? Not much. If you are building an open source operating system, maybe even based on RHEL5 source, does the fact that it is certified help you? A lot more - you have the same source!

For instance, if CentOS wanted to certify their version 5, it would be much easier for them to do so (in terms of work required) once RHEL5 gets certified. No proprietary OS can claim the same. In other words, even in the certification space, the barrier to entry is reduced through open source.

Thu, 29 Sep 2005 05:30:19 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153565/ lutchann

The whole product is certified, not just chunks of code. Having RHEL certified will make it easier for other vendors to get certified (although there's a lot to the certification package which won't be available under an open source license, particularly documentation) but any individual components you extract and put in another similar-but-slightly-different environment will have no special status whatsoever.

Thu, 29 Sep 2005 04:03:17 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153387/ drag

Well I bet you'd be happy to know that Suse has had an EAL4 certification for some time now.
:)

see:
http://www.heise.de/english/newsticker/news/56451

Tue, 27 Sep 2005 22:37:36 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153386/ veillard

Hi ncm :-)

I think the certification is only for a specific software on a specific hardware platform, so in a sense this is limited. But this is still a very important step to see *one* Linux distro get there.

DV

Tue, 27 Sep 2005 22:28:05 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153380/ drag

Ya, I've been following SELinux developments since it was just patches from NSA. It's pretty neat stuff and I've always been appreciative of Redhat/Fedora's work to make it more useful for the average person.

Still kinda skirted around the issue, but it's a good enough answer so I'm happy. Just be careful how it gets promoted, you don't want people to think: "Oh, look Redhat just reached the same level of security that Microsoft got back with Windows 2000 SP3." (which is obviously untrue)

Tue, 27 Sep 2005 21:33:46 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153365/ bojan

> What we're trying to do with SELinux, though, is make the technology available in the standard, current product, rather than an old fork of the OS like traditional "trusted" OS vendors.

Good move. Do the same with GFS and Xen in RHEL5 and you'll have many more people jumping on the virtualisation and cluster bandwagon. The current GFS/Cluster suite subscription fees are really not something your average company can afford.
And yet, getting the hardware to run it almost is.

Bring it to the masses and see the adoption rate skyrocket.

Tue, 27 Sep 2005 20:14:45 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153364/ bojan

> Unfortunately a certified RHEL wouldn't give anybody (except RH themselves) a bidding advantage

Maybe you haven't heard, but RHEL is an open source operating system. You are free to take the code (that's already been certified) and run certification for your own flavour you're building from it. I reckon that's a huge advantage for *all* Linux distros, not just Red Hat.

Tue, 27 Sep 2005 19:55:54 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153361/ ncm

"it should make it much easier to get government contracts in many situations."

That's the entire point. This isn't about security, this is about getting Free Software into the bidding pool. Unfortunately a certified RHEL wouldn't give anybody (except RH themselves) a bidding advantage, unless the bid were on a lot more than just the hardware and OS.

Tue, 27 Sep 2005 19:37:57 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153358/ jamesmrh

LSPP has some very specific security requirements, which are aimed at managing information at different classifications and users at different clearances. So, the direct value of this to non-govt types is unknown and historically limited.

What we're trying to do with SELinux, though, is make the technology available in the standard, current product, rather than an old fork of the OS like traditional "trusted" OS vendors. We're also trying to implement the technology in a more generalized way, so it can be re-used for other purposes.
An example of this is MCS, which is an adaptation of MLS which allows users to assign security categories to files that they own.

There are several security technologies being rolled out for general use (Type Enforcement, MLS, MCS, RBAC etc), and rather than take a prescriptive stance, that is, to say "this is how your security should work", there's a lot of scope for users to innovate and feed their ideas back into the community.

The short answer to your question is that you get a bunch of security technologies which have not existed in a generally available, modern OS.

The certification will be for a specific configuration and on specific hardware, I believe, and I'm not sure which security policy (there are several mailing lists including the redhat-lspp list where these issues can be discussed in more detail).

Tue, 27 Sep 2005 19:37:50 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153328/ drag

Now I am not trying to be a dick or anything.. I just want to understand more or less what this means for us non-government types.

My previous understanding of EAL4 and below certifications was that it's mostly paper work and accountability rather than actual real-life security of the operating system... Stuff like having documentation available about how an admin should configure the system, how obvious is it that the system is misconfigured. Stuff like that. There is nothing like full-blown code audits by the government or security evaluated 'code paths' and the such... Nothing really terribly useful for actual real-world security.

For instance W2k had EAL4, but obviously W2k is not a terribly secure operating system. Now OBSD on the other hand is a VERY secure system, but I wouldn't be surprised at all if they couldn't get EAL4 in its current state.
It's a more bureaucratic thing than real-world thing, at least that's my understanding.

Also as was pointed out above Windows 2000 had a CAPP/EAL4 certification, but only in a certain configuration and with huge restrictions on what software you could run... basically you couldn't really use it on a network or something like that.

Here is a critique of the Windows cert http://eros.cs.jhu.edu/~shap/NT-EAL4.html

Is this certification going to be for a specific config or only a default install? Is this with the 'restrictive' style SELINUX config or the default ruleset?

Also I noticed that the article had terms like LSPP, CAPP, and RBAC.. so is it where Win2k had CAPP/EAL4, RH5 will have LSPP/RBAC/CAPP/EAL4? Which I suppose is more difficult/stringent.

Still good luck for Redhat. Hope they get it nailed.. it should make it much easier to get government contracts in many situations. More money for Redhat means we get more things like GFS and Fedora/Redhat directory services (formerly netscape directory).

:)

Tue, 27 Sep 2005 16:58:32 +0000

RHEL 5 going for Common Criteria EAL 4 rating https://lwn.net/Articles/153304/ jamesmrh

An important aspect of this is that it will include LSPP (Labeled Security Protection Profile) certification.
LSPP is the modern equivalent of the B1 "trusted" certification, and requires an implementation of MLS and more stringent auditing facilities.

EAL4 is the assurance level of the certification, which is considered to be the highest level that can be reached for an off the shelf OS that was not designed from scratch specifically as a security technology.

Certification-wise, this will put Linux in the same arena as Trusted Solaris etc.

[not speaking for Red Hat officially, just part of the team]

Tue, 27 Sep 2005 14:58:50 +0000

Apparently Win2k has this too :-) https://lwn.net/Articles/153305/ pjdc

Windows 2003's Internet Explorer ships with a restrictive default configuration that makes it almost impossible to use the Web at all, so the certification may well include IE.

Tue, 27 Sep 2005 14:53:44 +0000

Apparently Win2k has this too :-) https://lwn.net/Articles/153303/ MathFox

Is the certification with or without Internet Explorer?

Tue, 27 Sep 2005 14:44:39 +0000

Apparently Win2k has this too :-) https://lwn.net/Articles/153299/ Felix_the_Mac

http://msdn.microsoft.com/embedded/getstart/news/news/ccevs/default.aspx

Tue, 27 Sep 2005 14:32:33 +0000