Linked by Thom Holwerda on Fri 29th Jun 2007 13:06 UTC, submitted by irbis
Red Hat "Red Hat and IBM recently announced that Red Hat Enterprise Linux 5 has earned the highest level of security certification achievable by commercial off-the-shelf operating systems. The certification is applicable when RHEL5 is running on IBM hardware, but all of the software is freely available, which may reduce the worries of customers regardless of which hardware they are considering running Linux on. The Fedora and CentOS distributions will immediately benefit, because they use the same software and SELinux policies, but other distributions can use the information as well."
Thread beginning with comment 251690
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: The article is wrong...
by tsedlmeyer on Fri 29th Jun 2007 17:48 UTC in reply to "RE[2]: The article is wrong..."
tsedlmeyer
Member since:
2005-07-07

this is a serious shortcoming and could possibly hamper implementation in some environments.


I think the circumstances where it could hamper deployment are going to be extremely rare. This would mostly have an impact in situations where RHEL5 was going to be deployed as a workstation. RHEL 5 is almost exclusively going to be considered for deployment as a server in these environments which means the GUI is pointless.

Let's also face the reality that for the most part certification is just a check mark during the purchasing phase. The product has to be certified to be purchased for the particular project. After that there is usually no effort to deploy the software in a manner consistent with the posture used during certification. Hopefully compliance with the relevant STIGs will occur. I'm not saying this is right or this is how it is everywhere, but it is certainly what I have generally seen.

Reply Parent Score: 1

Robert Escue Member since:
2005-07-08

I don't have that much experience working with Labeled Security, but I somehow don't think that I would want to be creating or modifying complex security relationships from the command line exclusively. Considering the deployment of systems using LSPP are usually air-gapped classified networks, the security concerns around using X are limited.

If your statement "Let's also face the reality that for the most part certification is just a check mark during the purchasing phase." is true, then vendors would not spend $500,000.00 or more on getting their products certified under Common Criteria. It is as I said previously, if the OS is not on the NIAP Approved List, it cannot be used, period. For more information I would start with DoD Instruction 8500.2 which can be found here:

http://www.niap-ccevs.org/cc-scheme/

I have worked in multiple environments where IA personnel have stated "If it is not on the NIAP Approved List, forget it" or words to that effect. These are the people who sign off on the security for the command or installation. It is in their best interest that evaluated products be used. Why do you think RedHat and Novell go through this process, because if they don't Linux would not be in use within DoD at all.

And if you are refering to the DISA UNIX STIG, I wouldn't bother, since the UNIX STIG (which covers Linux) is essentially a joke. As I am preparing for a DISA inspection and have run the SRR scripts on both Solaris and Linux machines, it seems DISA's focus is on things like password length, complexity, user account lockout and virus protection. On every UNIX/Linux machine we have run the SRR scripts on we get a CAT I finding for not having an anti-virus scanner on the machine. In other words applying Microsoft "security" solutions to non-Microsoft operating systems.

This is not security, this is "checking the box" in order to make senior management feel better while not doing anything to actually improve security of a DoD *nix asset, what Bruce Schneier calls "security theater".

Reply Parent Score: 3

Robert Escue Member since:
2005-07-08

Jim Laurent of Sun has a nice blog entry comparing Solaris 10 with Trusted Extensions against RHEL 5:

http://blogs.sun.com/jimlaurent/entry/solaris_trusted_extensions_vs...

Even he brings up the point of no trusted X. For RedHat to seriously see some traction in the space normally occupied by Trusted Solaris it would have to have the same feature set minimally, the RedHat offering simply doesn't compare.

While achieving the EAL4+ CC certification is good, one has to look past the press releases and dig into the Security Target report to see what was tested and what was not, then make your own judgement as to whether the product meets your needs.

Reply Parent Score: 3

RE[5]: The article is wrong...
by SEJeff on Sat 30th Jun 2007 05:04 in reply to "RE[4]: The article is wrong..."
SEJeff Member since:
2005-11-05

The article you linked to has (in some ways) outright lies. Here is a very nice rebuttal:
http://mentalrootkit.org/?p=16


From the sun comparison:
“RHEL5 LSPP requires customized versions of Linux file systems to associate security contexts with files and requires that the security context be specified for mounted file systems. The file systems are customized by extending the inode to include label information. Because of this strict requirement, new file systems and existing backup software must be specifically modified to support labels in order to work with RHEL5 LSPP.”

He is talking about extended attributes which do *NOT* require "customized version of Linux filesystems". It just requires filesystems that support EA such as ext3. Many of the claims in that Sun article are outright FUD where many (like trusted X) are very valid. Never trust a comparison that includes sun products from a sun employee. It doesn't make sense.

Reply Parent Score: 3