Red Hat goes for Common Criteria approval

Red Hat has joined with IBM and software maker Trusted Computer Solutions (TCS) to enter Red Hat Enterprise Linux (RHEL) for evaluation under the Common Criteria security scheme. Red Hat expects its upcoming RHEL 5 to achieve Evaluation Assurance Level 4 (EAL 4), the highest level generally achieved by commercial software.

The Common Criteria is an ISO standard recognized by more than a dozen national governments as well as large businesses with stringent security requirements. The increasing levels of certification achieved by Linux distributions are an important milestone for the platform’s maturity, because many organizations can’t run software that doesn’t have the right certification.

Red Hat said it is building a number of extra security features into RHEL 5 that will make it more secure than any other open-source operating system. “Red Hat Enterprise Linux will join an exclusive community of trusted operating systems that have achieved this level of security,” said TCS chief operating officer Ed Hammersla.

The companies didn’t give specifics on the new security features of RHEL 5, but said it will include kernel improvements and Security Enhanced Linux (SELinux) policy improvements, developed by IBM, Red Hat, TCS and the Linux developer community. TCS’ technology until now has only run on proprietary Unix systems. RHEL 5 won’t appear until late 2006, but the features are already available in TCS’ commercial products, the companies said.

Red Hat is being evaluated on IBM hardware for three protection profiles, Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).

Common Criteria doesn’t itself guarantee that an operating system is secure, but rather is a documentation program making it possible for organizations to verify that software reaches a certain level of security.

Microsoft achieved EAL 4 certification for Windows 2000 in 2003. No open source software was able to compete at that level until Novell’s Suse Linux achieved an EAL 4+ rating in February of this year, after a process also sponsored by IBM. A year earlier Suse had beat Red Hat to EAL 3+ certification.

“Novell is pleased to see that Red Hat, IBM and TCS are following our lead with regard to the importance of EAL certification for Linux,” a Novell spokesman said in a company blog. “Suse Linux Enterprise Server 9 is still the only operating system to be certified at this level, and will remain the only operating system certified at this level for at least the next year.”

Novell has taken a different tack from Red Hat over security features, choosing to de-emphasize SELinux as being relatively difficult and costly to implement. Instead, Novell promotes a hardening layer called AppArmor, which it acquired with vendor Immunix in May.

Achieving certification is time-consuming and costly, with each certification effort costing about US$1 million. IBM, Oracle and others have stepped in to sponsor the process for both Suse and Red Hat.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now