IBM, Red Hat Attain EAL 4+ Certification for Enterprise Linux 4

Published: April 11, 2006

by Timothy Prickett Morgan

The governments of the world have some pretty stringent security and stability requirements for the operating systems they deploy, particularly when it comes to super-secret installations. That's why the Common Criteria certifications for IT gear exists. IBM announced last week at LinuxWorld that it had attained the EAL 4+ certification level for Red Hat's Enterprise Linux 4 running on various servers.

The Common Criteria certification is the result of the merging of security standards from North American and European governments. The scheme now has seven different security ratings, known as Evaluated Assurance Levels (EALs). The most secure platforms today are at the EAL 3 or EAL 4 level, but the criteria have been recently extended up to the EAL 7 level. (You can see the most recent EAL certifications at this site.)

Back in January 2004, Red Hat's WS 3 and AS 3 operating systems were certified at the EAL 3+ level on IBM's whole server line, and a year later, just prior to the launch of Red Hat Enterprise Linux 4, the company said that it was working with IBM to get that release of the operating system certified at the EAL 4 level. The Common Criteria Web site does not yet show the details of the certification for the latest Red Hat software on IBM iron. All that IBM did say is that the Controlled Access Protection Profile, or CAPP, had been certified at the EAL4+ level using RHEL 4 on IBM machines. There are two other profiles besides CAPP: Role-Based Access Control Protection Profile (RBACPP) and Labeled Security Protection Profile (LSPP). IBM and Red Hat didn't mention anything about these, but the companies have been working together since September 2005 to get this triple play with the future RHEL 5 version, which is due at the end of the year.

Last September, Sun Microsystems' Solaris 10 with Trusted Solaris Extensions achieved EAL certification on all three profiles.