[luau] If someone ask you about Linux...

whenever whatever at whoever.net
Tue Jul 1 09:14:01 PDT 2003


On Monday 30 June 2003 10:03 am, Taylor Cody L. Contractor 502 AOS/PETS wrote:
> Whenever, whatever, whoever,
> You posted about the NIAP and the NIST before.  I had typed up a reply but
> I didn't get around to posting it.  I was going to tell you last time that
> the DoD doesn't go to the NIAP to decide what is COE compliant.  The NIAP
> and the NIST are not DoD agencies.  The NSA is a DoD agency.  If you have
> noticed the NSA has their own security enhanced version of Linux.  I have
> some more info about the NIAP if you want it.  The military goes to the CIO
> "Chief Information Officers" Council to get a list of authorized products.

If you are willing to stop at http://niap.nist.gov and read a little, then you 
will see where NSA fits in. SELinux doesn't mean anything; it was used in an 
argument with the FSO before, and they don't buy it.  The CIO sets up the 
guideline; NSA and NIST set up the EAL cert.  The DAA owns the system; if your 
DAA doesn't want to follow the guideline, he/she can do it by taking Title 10.  
That means he/she is willing to take the risk.  Not many DAAs are willing to do 
that.

note: EAL1-EAL6 =~ D1-A2 (Orange Book),  EAL3/4 =~ C2

>
> I can tell you the use of Linux and other open source software is approved
> by the DOD and has been used for years.  I have worked on many networks

Not for years.  I have the official CIO-signed document dated some time this 
year; I know it's only months.  It allows Open Source, but it needs to meet x 
and y requirements.  You can ask your IAO (ISSO) for the document.

> that use Red Hat, Apache, Samba, Snort and other open source products.  I
> have one close friend who is currently an admin on a military Linux
> network, and another who uses Red Hat and SNORT every day to perform
> security duties.  He is filling a security admin job.  His shop is a
> network security shop.  They are very picky about regulations and they
> would not be using open source software if it was not authorized.  There
> are many networks on this Island that I have worked on that are very
> concerned with security and they have been and are currently using open
> source products.  If you want to use M$ or open source software you always
> have to follow Common Operating Environment guidelines.  The same goes for
> hardware.  I happen to have instructions on this workstation for making a
> Red Hat 7.2 machine COE compliant.  This means Red Hat Linux is authorized
> on DOD networks if you comply with the guidelines.  There is a standard
> kernel that is mandatory.  The use of a standard kernel is to provide a
> common base environment or a foundation for the open source architecture. 
> We have to follow guidelines when it comes to what M$ updates we can load. 
> We are not authorized to load every piece of software M$ puts out.  We
> wouldn't want a few hundred thousand users to lose their network
> connection because we loaded a new M$ security update. Mass chaos because
> of M$ updates has become a not so uncommon occurrence.

There are many systems being stuck into the DoD network without the DAA's 
knowledge.  If you are following the correct procedure, modify your SSAA and 
submit it back to the DITSCAP process; you could get an IATO but not an ATO 
with Linux on it.  COE compliance doesn't really have much weight; that's why 
Red Hat notified me they submitted their 'RedHat AS 2.1' to NIST for EAL 
testing two weeks ago, but I can't find it anywhere at NIST.

>
> One last thing.  I know the DoD has some confidence in the security of
> Linux.  While I was in the Air Force one of my squadrons received the
> outstanding unit award for network security, four years in a row.  I don't
> think this would have happened if our Red Hat boxes weren't authorized. 
> But ya never know.  I apologize if this turned into a long boring post.
> -Cody

Some commands might operate differently, because they take Title 10.  Security 
still has to follow the DoDD 8500 series and the Rainbow series.

We have a few Linux and FreeBSD systems on a private network, but we are still 
being forced to take them offline; you can't win when the security team comes 
from DC to test (SRR scan and ISS scan) your network every six months.  They 
told me DoD wanted to use Open Source, but that software/OS can't be used 
unless it has an EAL rating.  You might want to ask your IAO (was ISSO) and NSO 
for more OISS and DITSCAP information.
