[luau] IBM Clinches Government Security Certification for Linux - Short Full Article
whenever
whatever at whoever.net
Tue Aug 5 20:24:03 PDT 2003
On Tuesday 05 August 2003 08:15 pm, Deven Phillips wrote:
> Good info,
>
> They also mentioned in one article I read that they expect to achieve
> EAL3+ or EAL4 by the end of the year.
>
> Deven
The highest rating you can find for COTS software/os is EAL4
EAL4 security must meet:
1) Discretionary Access Control (classic UNIX file permissions, file access
controls in the directory are supported out to the mount points - NFS UID/GID
synchronization)
2) Mandatory Access Control (data flow is based on security labels and
everything is labeled - Files and directories/Interfaces/Remote hosts, Policy
Enforced - No "Read-Up" System Security Policy / No "Write-Down" System
Policy, communication limited to mount points - High mount point/Low mount
point)
3) Role-Based Access Control (Separation of duties, many basic administration
tasks do not require "root" user, i.e.: SA, IAO, NSO)
4) Audit Trail (All administrative actions are audited, Audit trail is
reviewed by Security Officer Role. DoD policy does not allow the system
administrator to review audit logs.)
Many of our projects have been developed on Linux then switched to Solaris
because they required EAL4 rating. Hopefully Linux can catch up with IBM's
help, then kill SCO after.
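
The "no read-up / no write-down" label policy from item 2 and the audited decisions from item 4, as an added example that is not part of the original message. The level names, compartments, mount-point paths and function names are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Hypothetical hierarchy, lowest to highest (assumed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def decide(subject, obj, op):
    """Return True if the labelled subject may perform op on the labelled object."""
    if op == "read":    # no read-up: subject must dominate the object
        return subject.dominates(obj)
    if op == "write":   # no write-down: object must dominate the subject
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")


def audited(subject_name, subject, obj_name, obj, op, trail):
    """Make the decision and append a record to the audit trail, denials included."""
    allowed = decide(subject, obj, op)
    trail.append((subject_name, op, obj_name, "ALLOW" if allowed else "DENY"))
    return allowed


if __name__ == "__main__":
    # Constructed sample: a "low" and a "high" mount point plus two users.
    low = Label("UNCLASSIFIED")
    high = Label("SECRET", frozenset({"OPS"}))
    analyst = Label("SECRET", frozenset({"OPS"}))
    auditor = Label("SECRET", frozenset({"AUDIT"}))
    trail = []
    audited("analyst", analyst, "/mnt/low", low, "read", trail)    # read-down
    audited("analyst", analyst, "/mnt/low", low, "write", trail)   # write-down
    audited("auditor", auditor, "/mnt/high", high, "read", trail)  # incomparable
    for record in trail:
        print(*record)
```

Two labels at the same level but with different compartments are incomparable, so neither read nor write is permitted between them.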