Government users, it’s time to trust Linux vendor Red Hat.
After over a year and a half of effort, Red Hat Enterprise Linux 5 has now
achieved the Evaluation Assurance Level 4 (EAL 4+) for Labeled Security
Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and
Role-Based Access Control Protection Profile (RBAC).
The new government certifications for RHEL 5 apply to IBM’s System x, System p, System z, and BladeCenter.
According to IBM, it’s the first time a Linux distribution
has been certified to EAL 4+ on LSPP. “Solaris has had much of this market with Trusted Solaris and a lot of customers have been asking for this from Linux so we expect it to do quite well,” Dan Frye, IBM vice president of open systems development, told internetnews.com.
Though Red Hat’s latest Red Hat Enterprise Linux 5 (RHEL 5) has only been available since March, certification efforts began a long time before then.
It was in September 2005, when the paint was still drying on the RHEL 4
release, that Red Hat and IBM first began their efforts to get RHEL 5 EAL 4+ certified.
certification is a security evaluation of the Common Criteria Evaluation &
Validation Scheme (CCEVS) that is operated by the National Information
Assurance Partnership (NIAP). Successful EAL4 certification means that RHEL
5 meets government security standards for assured information sharing within
and across government agencies.
Frye noted that getting the official EAL4+ certification now is right on
schedule. There is a lot of “heavy lifting” involved in getting EAL 4+ for
LSPP, and it took a while to get all the documentation in order. According
to Frye there were no particular barriers or “gotchas” on the path to
certification, and Red Hat and IBM worked closely in a joint team on a
Even though RHEL 5 was a work in progress for much of the time that joint
certification teams were working, Frye argued that Red Hat and open source
can provide a predictable process. It was that predictable process that
enabled the certification effort to proceed while work was still in
“The open source process can be predictable if you’re willing to do the
work,” Frye said. “If you rely on others to do the work, or if you’re doing
something the community isn’t comfortable with, it may not be as
predictable. In this case it was not a question of us getting Red Hat to do
things. It was just us working hand in hand.”
Frye said the cost of getting the certification was significant but he’s
confident it will pay off. He explained that before they embarked on the
effort, a business case had to justify the expense.
At this point, the EAL 4+ certification for LSPP, CAPP and RBAC is likely as far as IBM will take RHEL 5.
“There is no significant market that requires anything above this, so our
plans are to maintain this level,” Frye said.