After over a year and a half of effort, Red Hat Enterprise Linux 5 has now achieved the Evaluation Assurance Level 4 (EAL 4+) for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).
The new government certifications for RHEL 5 applies to IBM's System x, System p, System z, and BladeCenter.
According to IBM (Quote), it's the first time a Linux distribution has been certified to EAL 4+ on LSPP. "Solaris has had much of this market with Trusted Solaris and allot of customers have been asking for this from Linux so we expect it to do quite well," Dan Frye, IBM vice president of open systems development, told internetnews.com.
Though Red Hat's latest Red Hat Enterprise Linux 5 (RHEL 5) has only been available since March, certification efforts began a long time before then.
It was in September 2005 when the paint was still drying on the RHEL 4 release that Red Hat and IBM first began their efforts to get RHEL 5 EAL 4+ certified.
EAL 4 certification is a security evaluation of the Common Criteria Evaluation & Validation Scheme (CCEVS) that is operated by The National Information Assurance Partnership (NIAP). Successful EAL4 certification means that RHEL 5 meets government security standards for assured information sharing within and across government agencies.
Frye noted that getting the official EAL4+ certification now is right on schedule. There is a lot of "heavy lifting" involved in getting EAL 4+ for LSPP, and it took a while to get all the documentation in order. According to Frye there were no particular barriers or "gotchas" on the path to certification, and Red Hat and IBM worked closely in a joint team on a daily basis.
Even though RHEL 5 was a work in progress for much of the time that joint certification teams were working, Frye argued that Red Hat and open source can provide a predictable process. It was that predictable process that enabled the certification effort to proceed while work was still in progress.
"The open source process can be predictable if you're willing to do the work," Frye said. "If you rely on others to do the work, or if you're doing something the community isn't comfortable with, it may not be as predictable. In this case it was not a question of us getting Red Hat to do things. It was just us working hand in hand."
Frye said the cost of getting the certification was significant but he's confident it will pay off. He explained that before they embarked on the effort, a business case had to justify the expense.
At this point, the EAL 4+ certification for LSPP, CAPP RBAC is likely as far as IBM will take RHEL 5.
"There is no significant market that requires anything above this, so our plans are to maintain this level," Frye said.