RHEL now certified at EAL4+

RHEL is now certified at EAL4+, when configured appropriately on IBM’s mainframe, System x, System p5 and eServer boxes, according to the protection profiles LSPP (labeling), RBACPP (role based access control) and CAPP (audit).

EAL4+ is as far as you can go with an off the shelf OS. Beyond this, you need semiformal security design and pretty much a new OS. LSPP is the current equivalent of the old “orange book” B1 TCSEC rating.

This certification means that Linux is now officially considered appropriate for use as a “trusted” operating system, although with SELinux, it is far more flexible and capable than any of the existing MLS-oriented solutions. While the evaluation is specific to RHEL5 and IBM hardware, everything is freely available in source form, and also freely available as an installable distro via Fedora, Centos and derivatives thereof.

A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we’ve done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. “Military-strength” security is just now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS.

Those who accuse Linux of lacking innovation might do well to look at this, and also see how others are now adopting these innovations.

News coverage:

Infoworld
Yahoo