[Infowarrior] - Red Hat Linux gets top government security rating

[Richard Forno]

Red Hat Linux gets top government security rating
IBM had achieved a new level of security certification with Red Hat Linux.
Robert McMillan (IDG News Service) 18/06/2007 08:27:27

http://www.computerworld.com.au/index.php/id;306842912;fp;4194304;fpid;1

Red Hat Linux has received a new level of security certification that should
make the software more appealing to some government agencies.

Earlier this month IBM was able to achieve EAL4 Augmented with ALC_FLR.3
certification for Red Hat Enterprise Linux, putting it on a par with Sun
Microsystems Inc.'s Trusted Solaris operating system, said Dan Frye, vice
president of open systems with IBM.

"This is the highest level of security function that anybody has," Frye
said. "We have delivered LSPP functionality in Red Hat Enterprise Linux 5
and we have certified that at the EAL4 level of assurance."

This rating is awarded by the government-funded National Information
Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation
Scheme for IT Security program, which evaluates the security of commercial
technology products.

Red Hat Linux has been certified EAL4 Augmented with ALC_FLR.3 on IBM's
mainframe, System x, System p5 and eServer systems.

This level of security certification is not usually required for enterprise
contracts, but it is mandatory for some programs within government agencies
such as the U.S. Department of Defense and the U.S. National Security
Agency, Frye said.

Linux had already been certified at the EAL4 level, but this is the first
time that the operating system has received the Labeled Security Protection
Profile (LSPP) certification, which relates to its access-control features.

Linux developers have been working to add these "SE Linux" access control
features into the operating system for several years now. SE Linux shipped
as part of Red Hat Enterprise Linux 5, and now it has been certified for
government use, Frye said. "You now have a level of fine-grained control for
everybody," he added. "You can set security based on groups or based on
individuals."

In addition to LSPP Red Hat Linux has also been certified with Role Based
Access Control Protection (RBAC), and that too is noteworthy, said Red Hat
Inc.

"Historically, OS vendors have required you buy a separate branched OS to
get something that is LSPP and RBAC certified," the company said in a
statement. "This is something completely unique for commercial operating
systems because the support for multilevel security is native to the OS."

According to Frye, the certification is "big news for the Linux industry"
because it shows that open-source software can be used for sensitive
computing tasks. "If anyone had any doubts that you could do this with an
open-source operating system, we've proved them wrong."