Security Software Linux

IBM Clinches Security Certification for Linux 373

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.
  • Alright...? (Score:1, Interesting)

    by mschoolbus ( 627182 ) <{travisriley} {at} {gmail.com}> on Tuesday August 05, 2003 @09:36AM (#6614470)
    What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.

    So what the hell was going on before?
  • Just wondering.. (Score:5, Interesting)

    by CausticWindow ( 632215 ) on Tuesday August 05, 2003 @09:37AM (#6614484)

    What are the ratings, and how do other common OSes score? Anybody know?

  • by Creepy Crawler ( 680178 ) on Tuesday August 05, 2003 @09:39AM (#6614505)
    Hey, you really can't go wrong with an open source, GPL'ed operating system where drivers are written by guys from NASA (thanks, Mr. Becker), and your security ACLs are written by the Spooks (heh, thanks NoSuchAgency ;-).

    It REALLY beats closed source OSes (for govts) as even our own MS of America won't let us see the code because it's "dangerous". However, showing the Chinese is A-OK.

    Gotta make you think: what would our gov't choose if they didn't have their hand in MS's pocket?
  • Red Hat / Oracle (Score:5, Interesting)

    by jmkaza ( 173878 ) on Tuesday August 05, 2003 @09:41AM (#6614515)
    According to this [com.com] article, Red Hat and Oracle are working on gaining the same level of certification by the end of the year.
  • What about BSD? (Score:2, Interesting)

    by dodell ( 83471 ) <dodell@nOspaM.sitetronics.com> on Tuesday August 05, 2003 @09:42AM (#6614527) Homepage
    Please spare me all the "BSD SUCKS" and "BSD IS DEAD" flames. Kthx.

    Ignoring the fact that IBM markets Linux and not BSD, why haven't corporations made genuine efforts to get it accepted in environments such as the government? The article doesn't make it clear whether or not they're talking about serving or usability.

    It seems to me that if they're talking about security and such, there's still a bit to be desired. Additionally, SuSE is by no means the most standard (IMO, it's the most backward) distribution of Linux.

    I'd be interested in learning why more companies don't take a look into BSD environments. The security is there. The license is TOTALLY unrestrictive. It's stable, secure, well documented and well accepted (except on /.) -- why doesn't it get more corporate love?
  • by Dot.Com.CEO ( 624226 ) * on Tuesday August 05, 2003 @09:42AM (#6614530)
    I mean, look at all the other level 4 assurance level OSs here [commoncriteria.org]. Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance with the common criteria guides for the Windows sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction on the part of the /. editors?
  • Linux in Government (Score:5, Interesting)

    by Sogol ( 43574 ) on Tuesday August 05, 2003 @09:42AM (#6614532) Journal
    I'm a sysadmin for a large government data center. We've been using Linux in production for years, and we always purchase boxed distributions, even some preconfigured(!) machines from Dell. Government regulations do, however, prevent me from ordering Windex and Duster. These are considered janitorial supplies, and there is no justification in Information Systems procuring these items. So frankly, I'm not sure what all the fuss is about. Things look a lot different on the ground.
  • by Anonymous Coward on Tuesday August 05, 2003 @09:42AM (#6614535)
    Does this mean that it is safe/legal to use Linux on a machine used to store medical information, in compliance with HIPAA and other mandated privacy policies?
  • Re:Thank you IBM (Score:4, Interesting)

    by DarkSarin ( 651985 ) on Tuesday August 05, 2003 @09:43AM (#6614542) Homepage Journal
    Glad to see they aren't letting SCO scare them away from giving Linux their support time after time

    Did you seriously think that they would? If so you need to share some of the dope you've been smoking. As has been said numerous times on this board: to IBM, SCO is nothing more than an annoying mosquito. They might be carrying West Nile, but they are still just a mosquito, and can be crushed or captured almost any time.

    The cool part about this whole article is that with the security cert, the government could begin switching some of their offices over. It also means that organizations like hospitals (who need to be concerned with privacy due to HIPAA) can be sold on the fact that it is secure and they don't have to worry as much about some hacker stealing confidential information.

    Think about it.
  • by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Tuesday August 05, 2003 @09:52AM (#6614614) Homepage
    I'm not sure that the government adopting OSS is such a good idea. I mean when something doesn't work who is held accountable? Linus? Alan? ...?

    At least with proprietary technology there is the promise of accountability [*] in the product.

    [*] Yes I know this would mean Microsoft. DA damnit!

    Tom
  • Re:Can vs. Will (Score:5, Interesting)

    by sporty ( 27564 ) on Tuesday August 05, 2003 @09:54AM (#6614632) Homepage
    Well, look at it this way. If you couldn't, trying would be futile. Sorta like trying to get water/blood from a stone. But, with linux certified, saying that you will not even have one supporter of linux in gov't just got a little unreasonable.

    You have big corps like IBM, HP and Dell saying, "it's ok."
    You have many countries saying "It's ok, see?"
    You have the US (via certification) saying "it's ok."

    Seems more unreasonable to say it will never happen every other day.
  • by Anonymous Coward on Tuesday August 05, 2003 @09:58AM (#6614669)
    Being that Linux is ever evolving and in a constant state of change, wouldn't that mean constant recertification?
  • by Anonymous Coward on Tuesday August 05, 2003 @09:59AM (#6614672)
    SuSE got the lowest possible passing rating, not the highest.

    As someone else mentioned, IBM probably went for the cheapest testing first.

    But that does not change the fact that you deliberately told an untruth.
  • Re:Can vs. Will (Score:5, Interesting)

    by jellomizer ( 103300 ) on Tuesday August 05, 2003 @10:00AM (#6614683)
    Well, IBM is a force to be reckoned with as well. In some ways a little more than Microsoft. Especially in New York State, where almost all the agencies use IBM products. But it was IBM who brought Microsoft into the mainstream. And they can probably bring Linux into the mainstream. It will not be an overnight adoption but a gradual one.
  • by sirrube ( 622137 ) on Tuesday August 05, 2003 @10:01AM (#6614688) Homepage
    If Linux only got Low2Moderate and Windows2k got Moderate2High, are there any off-the-shelf OSes that rank equal or better to Win2k, or is Windows2k the only one out there? Thinking of all the security breaches in Windows2k, a Low2Moderate score does not impress me, nor does Microsoft when it comes to security.
  • Re:Can vs. Will (Score:4, Interesting)

    by 4of12 ( 97621 ) on Tuesday August 05, 2003 @10:02AM (#6614700) Homepage Journal

    Just because the government can consider buying Linux, doesn't mean it will.

    Correct. And it's true that no one ever got fired for buying Microsoft.

    But much of the Linux deployment in government up to this point has been precisely because it can be had for no official government expenditure. It's always harder to get money for projects than it is to get money to keep your existing people. Those people have been doing some testing of Linux.

    Shoestring Linux projects have proven themselves to be not only cost-effective, but generally reliable and useful.

    Given that prototype testing already in place, authorizing incremental purchases to add on to that base of Linux functionality is an easier decision than if it were made cold, without any evidence to support it.

  • by stratjakt ( 596332 ) on Tuesday August 05, 2003 @10:06AM (#6614717) Journal
    Why, just a bunch of bullshit rhetoric. [commoncriteria.org]

    What, you thought government certifications mean something?

    It's just bureaucracy. If it means anything, it means the OS exists. Keeps them from buying too much vaporware.
  • Re:Can vs. Will (Score:3, Interesting)

    by EvilTwinSkippy ( 112490 ) <{yoda} {at} {etoyoc.com}> on Tuesday August 05, 2003 @10:13AM (#6614770) Homepage Journal
    Correct. And it's true that no one ever got fired for buying Microsoft.

    No one gets fired, true. The powers that be simply move in a Unix admin and eliminate the Windows guy's position.

    I speak from experience, on the good end of the shotgun. Unix guys can do Windows, and oh so much more.

  • Re:In your face! (Score:2, Interesting)

    by Osrin ( 599427 ) on Tuesday August 05, 2003 @10:28AM (#6614884) Homepage
    Principally he is right though... Linux will never and can never get EAL4, with a decent protection profile, as it currently stands. You would have to go back and document the development process for each and every component in the OS. Accounting for the activity of all the contributing developers. On the brighter side... there is talk of changing the CC process to better suit the OSS world.
  • by sh4d0wb0x3r ( 601377 ) on Tuesday August 05, 2003 @10:30AM (#6614904)
    Linux received its evaluation at a level of EAL2; according to the CC guidelines, this is "structurally tested" and means that it should "not demand more effort on the part of the developer than is consistent with good commercial practice"; applicable where "a low to moderate level of independently assured security" is required.
    Windows 2K received an EAL4+, according to NIAP's evaluated product list [nist.gov], which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)", with testing that supports "independent search for obvious vulnerabilities."
    That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
    All of this is accessible from the CC website [commoncriteria.org].
  • Re:Just wondering.. (Score:4, Interesting)

    by molarmass192 ( 608071 ) on Tuesday August 05, 2003 @10:33AM (#6614925) Homepage Journal
    I found this link [com.com] which has more details, looks like it is EAL2 after all. I also found that Red Hat and Oracle are planning [redhat.com] on going after EAL4 for the latest RHAS so the W2K advantage might be short lived.
  • by SmallFurryCreature ( 593017 ) on Tuesday August 05, 2003 @10:42AM (#6614994) Journal
    Well, since you're being factual, why do you start with a lie? Windows does not have a security rating; Windows 2000 service pack 3 has a rating. As for it already having it for a year, that is meaningless. Linux started out as a free OS, meaning that it simply could not buy the testing. Half a million is of course peanuts to MS and for that matter IBM, but to the loose group of coders it is a lot of money that would be next to impossible to collect, and why would they want to? What you are saying is that a train leaving the station at 8 in the morning arrives earlier than a train departing at 8 in the evening. Well duh.

    This is good news all around no matter which OS you fancy. It levels the playing field. For the end consumers competition is always good; the price fighting between airlines means that the ticket prices drop and that more choice is available (super cheap vs service).

    Now MS can't simply rely on getting the big contracts, hopefully; as we have seen in Munich this can force MS to offer huge price cuts. For governments, the less they spend on software the less taxes you have to pay. Good news, no?

  • Re:Thank you IBM (Score:3, Interesting)

    by AndroidCat ( 229562 ) on Tuesday August 05, 2003 @10:45AM (#6615020) Homepage
    Government security certification is a long process with much paperwork. I'm not sure about these certification levels, but they used to take your hardware/software and test it. If it didn't pass, all you were told was that it failed, not why. Fun fun fun! I was rolling on the floor when Microsoft claimed that NT had passed B2. The slightest change/patches and you had to start all over again. :^)

    IBM probably started the process years ago. Note that it's only the IBM/SuSE distro that's certified (I'm guessing). Other companies should probably look into it. The article doesn't say how much it cost IBM, but I bet it wasn't cheap!

  • by isn't my name ( 514234 ) <slash.threenorth@com> on Tuesday August 05, 2003 @11:08AM (#6615168)
    I think what this means is that they can pick Linux and have a piece of paper supporting their choice. Got to cover their own backs I guess.

    Better still the Defense Information Systems Agency is recommending that any Linux purchase support the LSB [gcn.com] and that apps be written to the LSB.

    So, not only is it now easier for government agencies to support Linux deployments, but they are going to force any Linux distributor doing business with the government into interoperability.

  • by nemaispuke ( 624303 ) on Tuesday August 05, 2003 @11:12AM (#6615204)
    It is great that Linux has been evaluated using Common Criteria; unfortunately there will not be a whole lot of Government agencies lining up to buy it. The standard for classified material is C2/EAL4 regardless of classification. Since Linux does not have the extended auditing that commercial Unix and Windows NT/2000/XP have, it will never get above EAL3. What I would like to see is the Hardened Gentoo box evaluated under CC (www.gentoo.org/proj/en/hardened). I logged into this box and could basically do nothing (as root)! It uses NSA's Security Enhanced Linux and a variation of Role Based Access Control. This machine will pass muster! I can't wait for the day Linux gets EAL4, but I don't think that is coming too soon.
  • Re:Can vs. Will (Score:4, Interesting)

    by Nucleon500 ( 628631 ) <tcfelker@example.com> on Tuesday August 05, 2003 @11:37AM (#6615475) Homepage
    Correct. And it's true that no one ever got fired for buying Microsoft.

    Nope. [google.com]

  • Re:What about BSD? (Score:2, Interesting)

    by wawannem ( 591061 ) on Tuesday August 05, 2003 @11:38AM (#6615484) Homepage
    You're right... When I took a quick look at the number, I saw ten thousand, which seemed realistic enough that I just went ahead and posted it. Taking a second look, I see that it is one hundred thousand, which is ridiculously high. Sorry about that, and thanks for pointing it out without a serious flaming ;)

    Using your updated command, I see that on a testing machine, there are about 14,000 packages available. For this little test to be fair, we need a BSD person to do something similar. I still believe the notion of my original post is correct though. The amount of available software is the biggest factor in most choices these days.

    Cheers!
  • by Bruha ( 412869 ) on Tuesday August 05, 2003 @11:51AM (#6615628) Homepage Journal
    Haha, what I submitted was still in my paste buffer 12 hours later (yeah, nerds do sleep).. This story, according to CNN, contradicts what the main story says. Linux only got a rating for low to moderate security, not the highest security.

    In an article [cnn.com] on CNN it is reported that the Common Criteria organization, an international technology standards body, certified Linux for the first time on "mission critical" computers, including those in America's top-secret spy agencies and those used to deliver ammunition, food and fuel to soldiers.

    While only certified for Low to Moderate security, Linux is still under testing for higher security ratings. IBM says this is good since it gives them a footing in an area that has been dominated by Windows sales. Of note is the fact that IBM paid over $500,000 for testing and was also jointly supported by SuSE.
  • Re:Alright...? (Score:2, Interesting)

    by Anonymous Coward on Tuesday August 05, 2003 @01:02PM (#6616485)
    This isn't strictly correct.

    Windows 2000 has a "CAPP/EAL4" certification, not "EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". That means the certification becomes meaningless the moment you connect a W2K box to the Internet. It is not certified at all while connected to the net.

    By contrast, Linux is non-CAPP "EAL2+" certified, even when connected to the Internet.
  • by ibex42 ( 135204 ) on Tuesday August 05, 2003 @05:40PM (#6620250)
    These articles all are very vague and do not provide nearly enough information to allow anyone to form a reasonable opinion. First, EAL2 is nowhere near the highest level of evaluation. More importantly, even if it was evaluated to EAL7, we have no idea what that means without looking at the protection profile (PP). The PP defines the features that are looked at for the evaluation. Without knowing the PP, they could be evaluating Linux or any OS only for its ability to control access with a username and password. So in theory, that could mean that once a username and password are provided, the user has unlimited access to all files on the system. As long as that feature is documented, mathematically modeled, and tested correctly it could get a high EAL rating.

    The biggest thing to remember about the CC is that the level rating is relatively meaningless without considering the protection profile. The problem is vendors don't readily tell you the protection profile they use.
