49 Comments
- baalzebub, on 10/11/2007, -4/+30 Cool, kudos to Redhat...
- xXKobaXx, on 10/11/2007, -5/+20 I use Ubuntu, only because I'm extremely lazy... (and I secretly suck ass at managing Linux). But this doesn't bother me in the least; in fact, because it's Linux, I'm very happy :)
But I'm really glad that Red Hat has become so secure.
- inactive, on 10/11/2007, -3/+17 Ubuntu is aiming at the servers too, but even Mark Shuttleworth realizes that, still, Ubuntu is not a rival to Red Hat; the whole world knows that.
- geminitojanus, on 10/11/2007, -3/+17 We're all in this together. Redhat is one of the biggest Open Source/Linux contributors right now, doing amazing, worthwhile work with GNOME, GCC, and the Linux kernel. Every improvement Redhat makes goes on to help the whole community.
Ubuntu users should be and are cheering Redhat on; even if they quibble about who's doing what and which is "better", both camps realize that their work is helping everyone, and that it's to their advantage. So no, don't try to stir up antagonism that simply isn't there; it'll just get you buried and branded a troll.
- baalzebub, on 10/11/2007, -2/+13 I've been a faithful Slackware user for several years, but it was when I bought Redhat-7.1 that I was introduced to Linux. I am glad to hear about Redhat making progress, as they do contribute a lot to the community...
- SniperXPX, on 10/11/2007, -8/+19 As long as Safari stays away.
- inactive, on 10/11/2007, -5/+12 I'm sure OpenBSD also has a pretty high ranking. OpenBSD used to get lots of funding from DARPA before Theo de Raadt (OBSD founder) criticized the United States government for its war in Iraq, among other things. After he made those comments, the Dept. of Defense and DARPA decided to cut funding. :-(
- mighty_mouth, on 10/11/2007, -6/+12 Does anyone know... has the National Information Assurance Partnership examined Microsoft's products yet? A comparison between the two's (MS and RH) ratings would be nice.
- lulutv, on 10/11/2007, -4/+10 @mighty
IIRC NT 4 was the last MS OS to achieve this level. MS has such a poor security history that Sun's secure Solaris was the gold standard for secure gov't use before now. FWIW, it doesn't do much to compare the OSs (aside from cost) at this level, since once you have this level of cert, you have it; there are no degrees to compare.
- kevincw01, on 10/11/2007, -0/+6 "Evaluation Assurance Level (EAL1 through EAL7) of a computer product or system is a numerical grade assigned ... The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented."
"Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are Novell NetWare, SUSE Linux Enterprise Server 9, and Windows 2000 Service Pack 3."
- oprahsTITS, on 10/11/2007, -1/+6 A Linux story on digg that doesn't involve Ubuntu..? WTF??
- IamF, on 10/11/2007, -2/+6 I always trusted Red Hat. I used to run Red Hat on the old Pentium 75. I'm currently using Gentoo, but that's just for now. I'd go back to Red Hat anytime.
- prammy, on 10/11/2007, -1/+5 Care to explain how exactly Red Hat is proprietary software? Or are you just talking out of your ass?
- prammy, on 10/11/2007, -0/+4 I started off on Slackware in '95. Since then I have used most distros. Red Hat is great for businesses now with the path they have taken with RHEL. Hell, if people do not want to pay for a RH entitlement they can always use CentOS, and yes, RH helps out the CentOS team when they need help as well.
So yeah, I am pleased to see Red Hat making progress.
- prammy, on 10/11/2007, -1/+5 Like bjweeks said, Ubuntu and Red Hat do not compete for the same market. Besides, most Ubuntu fanboys are generally fans of Linux, so I would assume that they would be pleased that any Linux distribution makes an accomplishment, because what benefits one benefits the other.
After all, Red Hat is the largest contributor to the kernel, Gnome and quite a few other projects, and every other distribution benefits from what Red Hat contributes. I know it's fashionable to call Red Hat the MS of the Linux world, but that statement is just not true.
- Heiios, on 10/11/2007, -0/+3 Certification just means wiretapping made easier....
- inactive, on 10/11/2007, -0/+3 In related news, celebrations broke out in People's Liberation Army units developing first-strike cyberwarfare capabilities.
- drag, on 10/11/2007, -0/+2 "Not to spoil anyone's fun, but Win2K3 and XP Pro did get the same ratings."
Well, you're almost right.
The difference between this and what Windows has is the RBAC and LSPP stuff. Windows has limited RBAC support, although I don't know too much of the actual details.
What sets this apart is the LSPP stuff, I suppose. SELinux, which is supported by Redhat and a few other systems, supports what is called 'Mandatory Access Control'.
Traditionally, general-purpose operating systems support what is called 'Discretionary Access Control' through things like file system permissions and whatnot.
DAC is things like 'Oh, give such-and-such users rights to read/write this file' or 'if user belongs to group B then they can read these files or access this directory'. The stuff is based on usernames and what groups people belong to. This is the original design that Unix used, and what Windows and Linux use is about the same exact thing.
MAC includes things like that, but also adds more fine-grained controls based on the context and roles that.
For example, one of the things that people did to show off SELinux when it was new was to allow people to log in as root over the internet. So they'd set up a dedicated server with an ssh server, post the root password and IP address online, and challenge people to log in as root and try to muck the system up.
In real-world commercial setups it's used as an extra layer of security for internet-facing services. So for example you could run Apache as root and set up SELinux to only give the Apache process rights to the files and other system resources that it needs to do its job. So if Apache has a flaw in it and somebody is able to exploit that to gain root access, then that person cannot access any non-Apache-related files or perform any sort of denial of service attack on the server.
In the real world the effect has been so-so. The rules that Redhat and Fedora use don't really make a whole lot of sense. It kinda pisses off administrators because MAC is so complex that it's not easy to deal with (which is why Linux is the first mainstream system to really support it strongly). However, it has stopped a handful of zero-day exploits from affecting Redhat users, which is pretty good.
For secure government agencies and ultra-secure setups, SELinux is a significant boon. When you're able to justify the effort, time, and money needed to properly set up a MAC system to completely lock down a system and set up roles for 'secret', 'top secret', or 'ultra top secret' (or whatever the hell is used in government-land), then it can lead to very, very impressive security. No root exploits or software bugs or buffer overflows will provide any sort of path for attackers to leak information.
For normal people it's still pretty much a PITA though. Redhat and friends are working on making MAC easy for mortals to use, but it still has a ways to go.
- emblemparade, on 10/11/2007, -0/+2 This is good news for *all* Linux-based operating systems.
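A toy model of the DAC-then-MAC ordering drag describes above (the "run Apache as root, but SELinux only lets the process touch its own files" case). This is an added example, not code from the thread or from Red Hat; every uid, label and allow rule is constructed to resemble SELinux type enforcement and is not copied from any real policy.

```python
# Added example (not from the thread or from Red Hat): toy model of how a Unix
# DAC check and an SELinux-style type-enforcement (MAC) check are combined.
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    uid: int        # DAC identity of the process
    domain: str     # SELinux type of the process, e.g. httpd_t

@dataclass(frozen=True)
class FileObj:
    owner_uid: int
    mode: int       # Unix permission bits, e.g. 0o644
    type_: str      # SELinux type label on the file, e.g. httpd_sys_content_t

# Type-enforcement allow rules as (process domain, file type, permission).
# Constructed: only what a confined web server would need, plus one sshd rule.
TE_ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "read"),
    ("httpd_t", "httpd_log_t", "write"),
    ("sshd_t", "shadow_t", "read"),
}

def dac_allows(subj: Subject, obj: FileObj, perm: str) -> bool:
    """Classic discretionary check: root (CAP_DAC_OVERRIDE) bypasses mode bits."""
    if subj.uid == 0:
        return True
    bit = {"read": 0o4, "write": 0o2}[perm]
    shift = 6 if subj.uid == obj.owner_uid else 0   # owner bits vs "other"; groups omitted
    return bool((obj.mode >> shift) & bit)

def mac_allows(subj: Subject, obj: FileObj, perm: str) -> bool:
    """Type enforcement: default deny; the uid plays no part, only the labels do."""
    return (subj.domain, obj.type_, perm) in TE_ALLOW

def access(subj: Subject, obj: FileObj, perm: str) -> str:
    """Linux order: DAC runs first, then the LSM (MAC) hook; both must agree."""
    if not dac_allows(subj, obj, perm):
        return "denied by DAC"
    if not mac_allows(subj, obj, perm):
        return "denied by MAC"
    return "allowed"

# Constructed sample files and processes.
WEBROOT = FileObj(owner_uid=48, mode=0o644, type_="httpd_sys_content_t")
ACCESS_LOG = FileObj(owner_uid=0, mode=0o600, type_="httpd_log_t")
SHADOW = FileObj(owner_uid=0, mode=0o000, type_="shadow_t")
APACHE_AS_ROOT = Subject(uid=0, domain="httpd_t")   # drag's "Apache as root" case
```

With these rules a root-level httpd_t process reads WEBROOT and writes ACCESS_LOG, but its read of SHADOW passes DAC and is stopped at the MAC hook, while an unconfined sshd_t root process reading SHADOW is allowed.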
- c130commnav, on 10/11/2007, -0/+2 It would be nice to see the military start using Linux (be it RH or whatever). I know for us aircraft maintenance guys 99% of our computer usage is web and email, which would mean converting would be fairly simple.
- OBKenobi, on 10/11/2007, -2/+4 [quote]Does anyone know... has the National Information Assurance Partnership examined Microsoft's products yet? A comparison between the two's (MS and RH) ratings would be nice.[/quote]
Not to spoil anyone's fun, but Win2K3 and XP Pro did get the same ratings.
http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx
What do you expect from the US government? Not to mention the fact that MSFT is one of America's biggest cash cows and political weapons.
MSFT will continue to get breaks from the US government, even if there is a giant, gaping backdoor with a welcome sign for Al Qaeda in Win2K8 Server. That will fit with Bush's agenda just fine... "The 'terrists' are attacking our services!"
- KibibyteBrain, on 10/11/2007, -1/+3 Even when they do compete for the same market, Ubuntu and Redhat are still pretty different. Redhat was the gold standard of Linux a while ago in the enterprise, and has very mature and developed administration tools. Ubuntu is reaching toward the next-gen desktop, and so in a few years will probably have a more polished set of admin tools than RH. But now, Ubuntu is so unstandardized it's kind of hard to recommend it if you really are in a production-level environment that needs basically 24/7 workstation uptime with quick fixes, like for development labs and such. Basically, if you want a C development workstation platform that you can image and deploy on 100 identical workstations that all sync up perfectly for a team of engineers, go Redhat. If it's your home workstation where you are more concerned with getting Beryl and font smoothing to perform well, and playing with some new "desktop Linux" type apps like Kino and stuff, go Ubuntu.
- estvir, on 10/11/2007, -0/+2 I think I first used early versions of Mandrake (now known as Mandriva) when I started messing around with Linux, but I quickly tried Lindows (now known as Linspire, I think :o) and Red Hat, and while Lindows was fairly horrible, Red Hat was good.
I might try out the latest Red Hat workstation (or whatever it's called now) soon, see how it's going.
- Error601, on 10/11/2007, -0/+1 Of course that only applies to a specific configuration. I assume they'll offer that as a special product for contracts that require it, just like Sun does. It won't make any difference to most people that are using the regular release.
- c0t0d0s0, on 10/11/2007, -0/+1 Email apps are part of the desktop, so until you talk IMAP directly via stunnel and telnet, no certification for that ... ;)
- c0t0d0s0, on 10/11/2007, -2/+3 Certifying Red Hat Enterprise Linux 5 Client without an installed desktop isn't an achievement, it's an embarrassment .... Look at the bottom of page 16 of the evaluation report ... So there's still some way to go to reach the same level as in real trusted environments like Trusted Solaris or Solaris 10 with Trusted Extensions (when the certification of the latter is finalized).
- xspinkickx, on 10/11/2007, -0/+1 Good job Red Hat, but is there a link to what the government considers the most secure OS??
- supaneko, on 10/11/2007, -4/+5 +1.
Thank you for the clarification. :)
- Wootery, on 10/11/2007, -0/+1 Not really - official acknowledgment that open-source software is good is always a good thing.
- Error601, on 10/11/2007, -0/+1 Nope... completely irrelevant to other distributions. It doesn't even mean anything for other Redhat distributions.
- bumbledragon, on 10/11/2007, -2/+3 Actually, those comments about Windows XP and 2003 getting the same rating are not true. They were evaluated against a less stringent protection profile (CAPP). Red Hat 5 is evaluated against LSPP, which is more stringent.
- Goosemaster, on 10/11/2007, -0/+1 Well, that comment sure opens up a can of worms....
- inactive, on 10/11/2007, -0/+1 Just wait till Linux gets popular...
- KibibyteBrain, on 10/11/2007, -1/+1 I'd like to see a seasoned security admin harden an OS with a crappy kernel that has buggy, memory-leaking modules compiled in every which way, like some of the small experimental desktop Linux projects basically have. Or a custom network stack using outdated memory access APIs. Admins play a big role in setting up secure systems, but the development team is still the alpha and omega.
- lesnadyk, on 10/11/2007, -1/+1 Not really a big accomplishment considering the only competition to RH is Windows.
- Wootery, on 10/11/2007, -1/+1 @n0ydz
Sounds familiar... ah yes, "The Legend of Puffy Hood". OpenBSD music ftw.
ftp://ftp.openbsd.org/pub/OpenBSD/songs/song34.mp3
http://www.openbsd.org/lyrics.html
- prammy, on 10/11/2007, -1/+1 @kibibytebrain
I believe you are referring to kickstart. I agree on that, it's awesome. Combine that with something like CFEngine and you have a pretty good setup for systems configuration and deployment. But as things stand, using cfengine and defining machine classes, Ubuntu can be managed just as easily. Though if you have both RH-based and Deb-based machines, you have to have 2 repos for updates.
Ubuntu can be installed via kickstart as well AFAIK.
One thing which I love about Red Hat/CentOS/Fedora is the whole suite of configuration tools. Hopefully Ubuntu will have something similar in the default install.
- inactive, on 10/11/2007, -0/+0 ...been using RH since they first started and have always been somewhat happy with their OS releases. I primarily use Cent, with the exception of the Oracle databases (to avoid finger pointing between support groups). Oracle is one of the few apps that breaks RH anyway.
I am glad they are finally moving in the right direction with certification. They still have a long way to go, but it is better than sitting still.
Now they just need to make SELinux policies easier for the average Joe to design/implement. I am seeing some progress in that area as well.
- mclaincausey, on 10/11/2007, -11/+10 Guys, you should figure out what Common Criteria is before you get too excited.
All this means is that Red Hat made claims about certain behaviors of the OS, and then provided evidence that those behaviors hold true. This is a matter of documentation first and foremost--it doesn't prove a thing about how secure the OS actually is. For EAL4 they also had to provide source code, which may or may not have actually been reviewed by the certification lab.
This is not a security rating at all. It certifies that the claims Red Hat made about the OS in their Security Target document are believed by the private laboratory that performed the certification to hold, and that the government thinks that lab has done its due diligence in evaluating the product along the lines stipulated in the documentation. That's all.
Without viewing the Security Target and seeing if the claims are worthwhile, this is completely meaningless except that it allows sale to the government.
- dasunst3r, on 10/11/2007, -3/+2 Looks like somebody needs to "Get the Facts" about Windows and Linux. {insert sarcastic laugh here}
- canarchy, on 10/11/2007, -2/+0 worth it
- d00dtv, on 10/11/2007, -8/+5
> Does anyone know... has the National Information Assurance Partnership examined Microsoft's products yet? A comparison between the two's (MS and RH) ratings would be nice.
Yeah right. The major security patches that Microsoft just came out with, including two for Vista, pretty much sum it up.
- ja1217, on 10/11/2007, -6/+1 While the admin/security team definitely plays a large part in how secure their computer systems are, the differences in *nix (who the hell uses *ux?) operating systems do make a difference. Frankly, I'm kind of surprised that OpenBSD wasn't mentioned, as from what I've read they have the best security record for an operating system (according to Wikipedia, they have only had two remote holes in the default install in over 10 years). Perhaps it may not be as functional as RedHat in the environment that the government would be using them in. From what I've read, it's often used for firewalls and other devices for which the highest level of security is demanded.
- HideoKojima, on 10/11/2007, -8/+2 lol, too bad no one uses it.
- weebit, on 10/11/2007, -11/+2 Yes, but Red Hat is proprietary software.
- amfantasy, on 10/11/2007, -15/+4 ya... I'm an idiot
- dopesick, on 10/11/2007, -15/+3 Screw the Ubuntu fan boys. And I think the government has some VERY good Linux/Unix geeks. Since any *ux OS is as secure as the admin/security team can make it.
- amfantasy, on 10/11/2007, -35/+10 I think this is amazing news; this is great on Red Hat's part. Sadly I don't think the Ubuntu fan boys will let this reach the front page.

