Linux Goes Under Security Microscope

With doubts lingering over the stability and security of the Linux operating system, three tech heavyweights on Thursday announced plans to seek federal certification for the fast-growing open-source OS.

The three firms -- IBM Corp. , Oracle and Red Hat IBM, which has banked heavily on mainstream acceptance of Linux, said it would work with the open-source community to enter the Common Criteria certification process early this year. IBM's plans include winning federal certification for Linux at increasing security levels through 2003 and 2004.

Through its Linux Technology Center, IBM said it would invest heavily to enable Linux for Common Criteria certification across its eServer platforms, and will fund initial evaluations in 2003.

Common Criteria certification for Linux is seen as a crucial first stem to win commercial approval for Linux among government clients. The U.S. federal government CC approval for any IT product used in national security systems.

IBM's move comes on the same day Oracle and Red Hat announced plans to submit the Red Hat Linux Advanced Server for a Common Criteria (ISO 15408) evaluation at Evaluation Assurance Level (EAL) 2. Red Hat, which dominates the market for Linux, said the move would enable security-conscious customers in both the public and private sector to procure an evaluated Linux platform and run their enterprise software on a secure Linux operating system.

"In the future, Oracle and Red Hat intend to work toward achieving higher-level security evaluations of the Linux operating system," the companies said in a joint statement.

By submitting Red Hat Linux Advanced Server for evaluation, the two companies hope to dispel concerns among potential customers looking for a reliable alternative to Microsoft's Windows operating system.

"Further, systems integrators and independent software vendors, and independent hardware vendors will benefit from the evaluation by being able to provide a competitive offering on the Linux platform to potential customers who require evaluated products," the companies said.

Once the CC scrutiny is complete, Oracle and Red Hat said the security evaluation would be made available to the larger open-source community to allow Linux providers to distribute an evaluated Linux operating system.

The long-term aim is to get Linux to comply with the U.S. government's security policy directive, NSTISSP (National Security Telecommunications and Information Systems Security Policy) number 11, which requires independent security evaluations for products used in national security systems.