[ISN] Red Hat Linux Gets Top Government Security Rating

From: InfoSec News (alerts@private)
Date: Sun Jun 17 2007 - 23:06:47 PDT


http://www.pcworld.com/article/id,132978-c,redhat/article.html

By Robert McMillan
IDG News Service
June 15, 2007

Red Hat Linux has received a new level of security certification that 
should make the software more appealing to some government agencies.

Last week IBM Corp. was able to achieve EAL4 Augmented with ALC_FLR.3 
certification for Red Hat Enterprise Linux, putting it on a par with Sun 
Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, 
vice president of open systems with IBM.

"This is the highest level of security function that anybody has," Frye 
said. "We have delivered LSPP functionality in Red Hat Enterprise Linux 
5 and we have certified that at the EAL4 level of assurance."

This rating is awarded by the government-funded National Information 
Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation 
Scheme for IT Security program, which evaluates the security of 
commercial technology products.

Red Hat Linux has been certified EAL4 Augmented with ALC_FLR.3 on IBM's 
mainframe, System x, System p5 and eServer systems.

This level of security certification is not usually required for 
enterprise contracts, but it is mandatory for some programs within 
government agencies such as the U.S. Department of Defense and the U.S. 
National Security Agency, Frye said.

Linux had already been certified at the EAL4 level, but this is the 
first time that the operating system has received the Labeled Security 
Protection Profile (LSPP) certification, which relates to its 
access-control features.

Linux developers have been working to add these "SE Linux" access 
control features into the operating system for several years now. SE 
Linux shipped as part of Red Hat Enterprise Linux 5, and now it has been 
certified for government use, Frye said. "You now have a level of 
fine-grained control for everybody," he added. "You can set security 
based on groups or based on individuals."

In addition to LSPP, Red Hat Linux has also been certified with Role 
Based Access Control Protection (RBAC), and that too is noteworthy, said 
Red Hat Inc.

"Historically, OS vendors have required you buy a separate branched OS 
to get something that is LSPP and RBAC certified," the company said in a 
statement. "This is something completely unique for commercial operating 
systems because the support for multilevel security is native to the 
OS."

According to Frye, the certification is "big news for the Linux 
industry" because it shows that open-source software can be used for 
sensitive computing tasks. "If anyone had any doubts that you could do 
this with an open-source operating system, we've proved them wrong."




