Linked by Thom Holwerda on Tue 21st Aug 2007 22:03 UTC, submitted by Rahul
Linux "Who's afraid of SELinux? Well, if you are, you shouldn't be! Thanks to the introduction of new GUI tools, customizing your system's protection by creating new policy modules is easier than ever. In this article, Dan Walsh gently walks you through the policy module creation process."
Thread beginning with comment 264940
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Hmm
by linumax on Wed 22nd Aug 2007 03:25 UTC in reply to "RE[3]: Hmm"
linumax
Member since:
2007-02-07

Linux is more secure than windows cuz blah blah blah lies blah blah lies blah...

Ok, maybe you are just misinformed!

http://www.commoncriteriaportal.org/public/consumer/index.php

Red Hat Enterprise Linux Version 5 running on IBM Hardware
EAL4+ (Certified: 7 June 2007)

http://www.commoncriteriaportal.org/public/files/epfiles/st_vid1012...

Microsoft Windows 2003/XP with x64 Hardware
EAL4+ (Certified: 18 September 2006)

http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID1015...

(Edit: RHEL4 has the same EAL4+ certification.
+ More on levels and what they need here:
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level)

Edited 2007-08-22 03:31

Reply Parent Score: 4

RE[5]: Hmm
by bob8 on Wed 22nd Aug 2007 03:51 in reply to "RE[4]: Hmm"
bob8 Member since:
2006-07-13

Except that RHEL 5 has EAL4+ for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC). The documents you linked to show that Windows only has EAL4+ with CAPP. It does not have any of the other protection mechanisms which is what is really important. The only other consumer OS to meet that higher lever of certification is Trusted Solaris.

As far as Windows getting certified in September and RHEL 5 being certified in June, RHEL 5 wasn't released until March. XP Was released in 2001 and 2003 was released in 2002. 3 months vs 5 and 3 years is a big difference.

Reply Parent Score: 3

RE[6]: Hmm
by linumax on Wed 22nd Aug 2007 04:32 in reply to "RE[5]: Hmm"
linumax Member since:
2007-02-07

...Well, how about the fact that Linux has achieved the highest security certification level available to commercial OS's...


The parent claimed that only Linux and Solaris had that certification level, which was false and I cleared that up. They both have the certification level of EAL4+, details may vary though.

As far as Windows getting certified in September and RHEL 5 being certified in June, RHEL 5 wasn't released until March. XP Was released in 2001 and 2003 was released in 2002. 3 months vs 5 and 3 years is a big difference.

I never compared the dates, I just noted them as it was in the charts.
Obviously Linux got certified faster.

Reply Parent Score: 2

RE[5]: Hmm
by makfu on Wed 22nd Aug 2007 04:23 in reply to "RE[4]: Hmm"
makfu Member since:
2005-12-18

"Linux is more secure than windows cuz blah blah blah lies blah blah lies blah... "

Well, technically EAL4+ is the certification for the level of assurance that the technical features are implemented correctly.

The protection profile is the actual set of security features evaluated, and as of right now the protection profiles that RHEL 5 is EAL4+ certified for are:

Controlled Access Protection Profile, Version 1.d

Labeled Security Protection Profile, Version 1.b

Role Based Access Control Protection Profile Version 1.0 (Archived)

This is roughly TCSEC B1 level security and the primary facilitator for Labeled and Role Protection is SELinux's MAC model.

Windows, while also EAL 4+, is only certified for the CAP Profile which is essentially TCSEC C2.

While NT 6 (Vista and Windows Server 2008) introduce Mandatory Integrity Control, this is not the same thing as a full MAC model (as MIC only enforces mandatory restrictions on modification of objects, not access to them). With the extension of the SACL on objects in NT 6, I wouldn't be surprised to see a full MAC model in the next release.

It's also interesting to take note of the configuration of the systems submitted for eval as those are the only components covered by the EAL. So, for example, Windows is EAL4+ certified for the CAP profile, including all its components, whereas RHEL isn't certified EAL for any profile if the configuration includes X (e.g. a graphical/workstation workload). This is where comparing the two becomes increasingly difficult, because one may be evaluated to support more workloads with certain features, while the other has more features but is limited in what workloads are covered.

These certifications and features may be great (and yes SELinux is pretty neat stuff), but it all comes down to systems/applications implementation and workloads, and in that respect, it is possible to build very secure solutions on either platform. However, for the moment, a proper SELinux implementation (e.g. RHEL) is certified for more stringent access protection profiles, though the configuration of Windows systems submitted potentially covers more workloads (but only up to the CAP profile).

Reply Parent Score: 3

RE[5]: Hmm
by TemporalBeing on Wed 22nd Aug 2007 05:01 in reply to "RE[4]: Hmm"
TemporalBeing Member since:
2007-08-22

maybe you are just misinformed!

No, not misinformed - just misquoted the version. I did try to track down the specific article that I read about it - but couldn't find it. However, the info has been correctly stated by the others responding to you.

Regardless, Linux has been certified at a higher level than Windows as a result.

Reply Parent Score: 1