Red Hat has joined with IBM and software maker Trusted Computer Solutions (TCS) to enter Red Hat Enterprise Linux (RHEL) for evaluation under the Common Criteria security scheme. Red Hat expects its upcoming RHEL 5 to achieve Evaluation Assurance Level 4 (EAL 4), the highest level generally achieved by commercial software.
The Common Criteria is an ISO standard recognized by more than a dozen national governments as well as large businesses with stringent security requirements. The increasing levels of certification achieved by Linux distributions are an important milestone for the platform’s maturity, because many organizations can’t run software that doesn’t have the right certification.
Red Hat said it is building a number of extra security features into RHEL 5 that will make it more secure than any other open-source operating system. “Red Hat Enterprise Linux will join an exclusive community of trusted operating systems that have achieved this level of security,” said TCS chief operating officer Ed Hammersla.
The companies didn’t give specifics on the new security features of RHEL 5, but said it will include kernel improvements and Security Enhanced Linux (SELinux) policy improvements, developed by IBM, Red Hat, TCS and the Linux developer community. TCS’ technology until now has only run on proprietary Unix systems. RHEL 5 won’t appear until late 2006, but the features are already available in TCS’ commercial products, the companies said.
Red Hat is being evaluated on IBM hardware for three protection profiles: the Labeled Security Protection Profile (LSPP), the Controlled Access Protection Profile (CAPP), and the Role-Based Access Control Protection Profile (RBAC).
Common Criteria doesn’t itself guarantee that an operating system is secure; rather, it is a documentation and evaluation program that makes it possible for organizations to verify that software reaches a defined level of security assurance.
Microsoft achieved EAL 4 certification for Windows 2000 in 2003. No open-source software was able to compete at that level until Novell’s Suse Linux achieved an EAL 4+ rating in February of this year, after a process also sponsored by IBM. A year earlier, Suse had beaten Red Hat to EAL 3+ certification.
“Novell is pleased to see that Red Hat, IBM and TCS are following our lead with regard to the importance of EAL certification for Linux,” a Novell spokesman said in a company blog. “Suse Linux Enterprise Server 9 is still the only operating system to be certified at this level, and will remain the only operating system certified at this level for at least the next year.”
Novell has taken a different tack from Red Hat over security features, choosing to de-emphasize SELinux as being relatively difficult and costly to implement. Instead, Novell promotes a hardening layer called AppArmor, which it acquired with vendor Immunix in May.
Achieving certification is time-consuming and costly, with each certification effort costing about US$1 million. IBM, Oracle and others have stepped in to sponsor the process for both Suse and Red Hat.