atsec information security Completes Red Hat Enterprise Linux 4 CAPP/EAL4+ Common Criteria Certification for IBM
2006-02-15
AUSTIN, Texas – February 15, 2006 – atsec information security corporation, an independent, standards-based information technology (IT) security consulting and evaluation services company, has completed the Common Criteria (CC) evaluation of Red Hat Enterprise Linux 4 on a range of IBM server platforms. The WS and AS distributions of the Red Hat Enterprise Linux 4 operating system platform were certified by the NIAP CCEVS as conformant to evaluation assurance level (EAL) 4+ and the Controlled Access Protection Profile (CAPP), which specifies a set of security functional and assurance requirements for IT products.
The evaluation of Red Hat Enterprise Linux 4 at EAL4 is the first successful Linux evaluation at this assurance level performed under the U.S. National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (NIAP CCEVS). The atsec Common Criteria Lab Manager, Fiona Pattinson, notes: "atsec and IBM's maturity in evaluating Linux facilitated a smooth and timely evaluation under the U.S. scheme."
This success builds on atsec's long record of more than 20 successful Common Criteria evaluations including six Linux evaluations on five different Linux platforms at assurance levels EAL2, EAL3, and EAL4+, performed with several vendors under both the German BSI and U.S. CCEVS Schemes.
The scrutiny of Linux continues. Red Hat Enterprise Linux 5 is in evaluation at Evaluation Assurance Level 4 (EAL4) including the security functionality defined in three protection profiles recognized by the Common Criteria: CAPP, Labeled Security Protection Profile (LSPP), and Role-Based Access Control Protection Profile (RBAC). These profiles support the requirements of Director of Central Intelligence Directive (DCID) 6/3 at Protection Level 4, which specifies security intelligence related information and systems measures, including those necessary for Top Secret and Below Interoperability (TSABI).
One more significant “first” emerged during the Red Hat Enterprise Linux 4 evaluation. In order to address the requirements of the CAPP, the audit subsystem was re-implemented. In accordance with the collaborative, open source nature of Linux development, the audit subsystem solution was offered back to the open source community for discussion and ultimately, acceptance. Stephan Mueller, atsec's lead evaluator for Linux projects since 2004, observes: "Throughout the history of the atsec Linux evaluation projects, I've been amazed by the level of support provided by commercial enterprises for the open source community. IBM demonstrated its real commitment to the Linux open source community - as well as to security - by sharing the results of its substantial investment leading to the Red Hat Enterprise Linux 4 evaluation.”
Formal announcement of the successful CAPP/EAL 4+ evaluation completion of Red Hat Enterprise Linux 4 was made at the RSA conference in San Jose.
About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone.
