It will be the first time that Linux has been submitted to Common Criteria, an ISO standard that provides an important yardstick for customers to gauge the security levels of technology products. If evaluation is achieved, it would be a significant weapon for Red Hat and Linux supporters in their long-running security battle against Microsoft Corp.
Common Criteria evaluation would also provide an important stepping stone for Linux to continue its drive into public sector data centers following the US government’s July 2002 security policy directive, which requires independent security evaluations for products used in national security systems.
Oracle and Red Hat will submit Red Hat Linux Advanced Server for Evaluation Assurance Level (EAL) 2, which is applicable where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record, according to Common Criteria.org.
The two companies said they will also work together toward achieving further security evaluations under Common Criteria, and will release the security evaluation materials to the larger open source Linux community. Oracle also intends to submit its Oracle9i release 2 database management system running on Red Hat Linux Advanced Server for EAL 4, which is the highest level available for commercial software.
Oracle’s 8i database passed EAL 4 in July 2001 for deployment on Windows NT or Solaris, while Oracle 9i is currently in evaluation for EAL 4. Microsoft’s Windows 2000 Professional, Server and Advanced Server editions also achieved the same level of evaluation in October 2002.
The Common Criteria evaluation plan is the second security boost Red Hat has received this week. On Tuesday the company announced that Red Hat Linux Advanced Server had achieved Common Operating Environment certification from the Department of Defense’s Defense Information Systems Agency.
Red Hat Linux Advanced Server received the certification running on IBM Corp’s eServer xSeries 330 server, and is now considered an approved operating system for use in the Department of Defense and other federal agency environments.
Source: Computerwire