I develop security products for Linux and many of my customers are only permitted to implement technology with a specific level of assurance.
Most of these customers must also adhere to the U.S. Defense Information Systems Agency (DISA) UNIX Security Technical Implementation Guide (STIG).
I have been asked, "Since Red Hat Enterprise Linux 4 and 5 are Common Criteria EAL4+ certified, do they still need to be tested against the DISA UNIX STIG?" The answer is Yes, they do.
First of all, I don't work for DISA or Red Hat but I do have years of experience in this area so, I will try to shed some light on this topic.
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It originated from three standards: ITSEC, CTCPEC, and TCSEC.
Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements. Vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
To obtain a certification, organizations can go through the National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS). The NIAP is a U.S. government initiative to meet the security testing needs of both information technology consumers and producers and is operated by the National Security Agency (NSA).
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation.
To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, and/or penetration testing. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
In some cases, the evaluation may be augmented to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word augmented and usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a "plus" sign (as in EAL4+) to indicate the augmented requirements.
One particular augmentation is the evaluation against the Labeled Security Protection Profile (LSPP). The LSPP requirements are derived from the B1 class of the U.S. Department of Defense security standard called Trusted Computer System Evaluation Criteria (TCSEC) which was originally published in 1985.
The Multilevel Security (MLS) component of Security-Enhanced Linux (SELinux) helps a Linux operating system successfully pass an evaluation against the LSPP. SELinux is predominantly available in Red Hat-based systems but is also available in Debian as of the etch release, Ubuntu as of 8.04 Hardy Heron, Hardened Gentoo, Yellow Dog Linux, and openSUSE 11.1.
When I think of an EAL certification, I think of Underwriters Laboratory (UL) certifying the safety of an appliance like a toaster. It says that the toaster is safe as designed but if you use it in an incorrect manner—like sticking a metal knife in it while it is plugged in—then all bets are off.
The certified operating system has the capabilities and features to meet the tested security level but in many cases, you must still configure and enable those controls. Hence, the implementation of security guidelines such as DISA UNIX STIG and Center for Internet Security Benchmarks.
Of particular interest to my customer base are the Linux operating systems. Here are a few:
- Red Hat Enterprise Linux 3 is EAL 3+ CAPP
- Red Hat Enterprise Linux 4 is EAL3+ CAPP and EAL4+/CAPP
- Red Hat Enterprise Linux 5 is EAL4+ CAPP/RBACPP/LSPP
- Red Hat Enterprise Linux 6 (Pursuing EAL4+) (Read the announcement here)
- Novell SUSE Linux Enterprise Server 10 SP1 is EAL4+
- Oracle Enterprise Linux 5 is EAL4+ LSPP (See here)
It is my understanding that even though CentOS is built from Red Hat sources, it is NOT EAL4+ certified.
The associated cost with certifying an operating system or application has been a deterrent for many open source development communities and a source of frustration for technologists wanting to implement different solutions.
Also, these certifications can take months, even years, to achieve. This time line can significantly delay the adoption in organizations with strict requirements for these validations, such as the military and government agencies.
I hope this information was helpful in explaining the Command Criteria (ISO/IEC 15408) Evaluation Assurance Level. Watch for my next article in which I will discuss the availability of the DISA UNIX STIG for Linux operating system versions as well as SCAP.