Red Hat Charts Security Roadmap

Commercial Linux vendor Red Hat announced its two-year roadmap Thursday, in an effort to make its operating system one of the safest on the planet.

That’s a good thing, because despite its position as the most-distributed Linux OS on Web servers around the world, tracking statistics from NetCraft suggest its security lags far behind Unix- and Windows-flavored systems.

The key to reaching that two-year goal, according to Red Hat executive vice president of engineering Paul Cormier, is certification and standards.

“Security certifications and compliance with standards are top priorities for Red Hat and are key drivers of innovation,” he said in a statement. “We are committed to industry standards and will continue to drive acceptance and adherence of standards, leading by example.”

The Raleigh, N.C., company’s latest example of standards-driven security was its addition of Security-Enhanced Linux (SELinux) in test versions of Red Hat-sponsored Fedora Core 2, test 2, back in March. SELinux is turned off by default in the release, at least until users get used to the different authentication methods. Project leaders said they expect to publicly release Fedora 2 on May 17.

SELinux was developed by the National Security Agency (NSA), and is essentially the Linux kernel with subsystem controls that grant only the least amount of user privilege needed to get the job done. The increased controls make privilege escalation attacks on the OS much more difficult.

Officials expect a fully integrated SELinux kernel to appear in Red Hat Enterprise Linux 4, which is due in early 2005.

The company also announced today certification through the Common Criteria Evaluation and Validation Scheme (CCEVS), a cooperative effort of the U.S., Canada and Europe, spearheaded by the National Institute of Standards and Technology (NIST), to assess the security levels of tech products. The certification is normally used by government agencies as a prerequisite standard for purchasing the product.

In February, Red Hat gained Evaluation Assurance Level 2 (EAL 2) certification through the U.K. security scheme, which is also compliant with the U.S. EAL 2 is the second rung of a seven-step ladder that rates a software product’s overall security effectiveness and the level of testing that’s been conducted on the product. The Red Hat certification, however, is only good for customers who use the three versions of Red Hat Enterprise Edition 3 with certain models of Hewlett-Packard and Dell machines.

According to the NIST Web site, EAL 2 certification requires “developer testing, a vulnerability analysis, and independent testing based upon more detailed [target of evaluation] specifications.”

In this arena Red Hat lags behind its closest Linux competitor, SUSE Linux, which was acquired by Novell. In January, SUSE Linux Enterprise Server, Service Pack 3 gained EAL 3 certification, one step up the security ladder from Red Hat. A previous version of SUSE Enterprise Server has EAL 2 certification.

It’s with the more established operating systems that Red Hat has some real catching up to do. Seven Unix-flavored operating systems — primarily Solaris, HP-UX and AIX — have EAL 4 certification, as well as several versions of Microsoft Server.

Sponsorship plays a large part in the certification process, as it involves extensive third-party testing of online transaction processing (OLTP) — tests software providers don’t necessarily have the means to conduct themselves. For that reason, Red Hat turned to Oracle for help, while SUSE had IBM to help with testing in the past.

Leigh Day, a spokesperson at Red Hat, said the company would be pursuing further EAL certification with the help of IBM for the upcoming RHEL 4 release.

Also in February, Red Hat garnered compatibility certification for Common Vulnerabilities and Exposures (CVE), a database of common vulnerability names that can be cross-linked with other CVE vendors. According to Mark Cox, Red Hat senior director of engineering, quoted on the CVE Web site, “it is often confusing when the same security issues get fixed by different vendors in different ways with different names and descriptions. We see the CVE Initiative as the way to solve this problem, giving the community accurate information on which they can base their security decisions.”

Other open source members of the CVE include MandrakeSoft and the Snort Development Team.

Sean Michael Kerner contributed to this story.