SELinux Panel at FOSE in Washington

Tony Stanco writes: "Newsforge has an article on what happened at the Security Enhanced Linux panel in Washington about certification under the Common Criteria for Information Technology Security Evaluation standard."
  • Good choice (Score:3, Insightful)

    by Slash Veteran ( 561542 ) <slashvet@hotmail.com> on Tuesday March 26, 2002 @08:55PM (#3232037)
    I like the term "Security Enhanced" instead of "Secure." The former is attainable, the latter is quite laughable to anyone in the know.
  • Does the link not work for everyone else as well - or is it just me?
  • by Anonymous Coward
    (some of the links are lost)

    The Cyberspace Policy Institute at The George Washington University is launching an effort to get international security ratings for the U.S. National Security Agency-driven Security Enhanced Linux project, a move that organizers hope will make Linux more attractive to cautious technology purchasers, including government agencies.

    Martin R. Dean, senior security researcher at the Cyberspace Policy Institute (CPI) and principal engineer at Science Applications International Corp., said SELinux still needs some enhancements, such as becoming a fully integrated operating system instead of a patch to Red Hat Linux, but the institute is starting to look for partners to help guide the ultra-secure Linux distribution through the rigorous EAL4 security certification, known formally as the Common Criteria for Information Technology Security Evaluation standard.

    Dean spoke at a panel discussion on SELinux, one of the last events at the FOSE technology-in-government trade show Thursday. Other panelists were Peter Loscocco, the SELinux project leader at the NSA; Tony Stanco, senior policy analyst for Open Source and e-government at CPI and founder of FreeDevelopers.net; and Mark Westerman, senior consultant with network security company Westcam and administrator of the SELinux project at SourceForge.net.

    Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating.

    CPI will coordinate activities like looking for developers and seeking sponsors to finance the security rating. The plan is to seek security ratings from the United States and at least one other country, possibly Great Britain, because some countries have different security standards, and some non-U.S. users might not trust the U.S. rating, Dean said.

    Among Dean's goals is making SELinux easier to install and configure. Loscocco admits SELinux, which NSA released to the public in January 2001, is still hard for non-experts to set up.

    NSA's SELinux documentation includes a sample security policy, but configuring the fine-grained controls, down to what programs individual users can run, does take some knowledge, Loscocco said.

    Westerman has written a graphical installer that's a first step to pitching SELinux to mainstream users. "What we're looking at is getting the operating system to the point where we can roll it out to an elite IT organization, or where a user can run it on the desktop," Dean said. "What we're looking at is getting the SELinux patch and the Linux operating system to the point where it's a robust operating system, so it's not just the small thing that sits on the server, but on everybody's desktop."

    Dean expects that gaining the security rating will take a couple of years. "What we're going to have in a couple of years is an operating system that's been evaluated ... and an operating system that's as easy to use as other operating systems," he said.

    During the panel discussion at FOSE, Loscocco and Westerman talked about the benefits of SELinux. Westerman described a customer's experience with a cracked DNS server, which was cracked a second time as soon as the customer reloaded the DNS software.

    "At that point in time, I grabbed my CDs ... and we loaded the SELinux kernel and left everything else identical on the system -- same DNS server with the same vulnerability," he said. "We were watching that hacker hack into the DNS server to perform his buffer overflow and try to execute all the programs." But with SELinux's mandatory access controls, the hacker couldn't execute a program once inside the box even though he had root access.

    "With SELinux, we're not as worried about the next buffer overflow," Westerman said.

    Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict, they were looking at ways to resolve the potential problems. Among those issues: A security certified operating system that's had outside changes made to it may lose its certification, and a distribution that's downloaded from a site that's not part of the official certification channels loses its certification, Westerman said.

    However, Loscocco said his goal would be to release changes back to the GPL, and Dean argued that companies and government agencies looking for the security certification seal of approval may only need to see it once to trust a product.

    "You need that check mark," Dean said. "It's important for organizations that have greater security needs than the norm to have this assurance process done."
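The DNS incident Westerman describes is the classic illustration of mandatory access control layered over discretionary control: the intruder reaches root, and root still cannot run other programs. As an added example (not code from the article, the panelists or the SELinux project), here is a toy type-enforcement check in C. The labels, rules, uids and file modes are constructed for illustration, and the rule table is not SELinux's real policy syntax.

```c
/* Added example (not code from the article, the panelists or the SELinux
 * project): a toy type-enforcement check showing why a compromised, root-
 * running daemon still cannot execute other programs under MAC. The labels,
 * rules, uids and modes are constructed for illustration; the rule format is
 * not SELinux's real policy syntax. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *domain;   /* MAC label of the running process, e.g. "named_t" */
    unsigned int uid;     /* DAC identity; 0 is root */
} subject_t;

typedef struct {
    const char *type;     /* MAC label of the object, e.g. "bin_t" */
    unsigned int owner;   /* DAC owner uid */
    unsigned int mode;    /* DAC permission bits, octal */
} object_t;

typedef struct {
    const char *domain, *type, *cls, *perm;
} te_rule_t;

/* Constructed policy: the DNS daemon may read zone files and bind its port.
 * Nothing lets named_t execute files of type bin_t, so a shell spawned from
 * a hijacked named process is denied no matter what uid it runs as. */
static const te_rule_t policy[] = {
    { "named_t", "named_zone_t", "file",       "read"      },
    { "named_t", "dns_port_t",   "tcp_socket", "name_bind" },
    { "user_t",  "bin_t",        "file",       "execute"   },
    { "user_t",  "bin_t",        "file",       "read"      },
};
#define NRULES (sizeof policy / sizeof policy[0])

/* Classic DAC on files: root passes unconditionally; otherwise the owner
 * bits or the "other" bits must carry the requested permission. DAC has
 * nothing to say about non-file classes such as ports. */
int dac_allows(const subject_t *s, const object_t *o,
               const char *cls, const char *perm) {
    unsigned int bit;
    if (strcmp(cls, "file") != 0) return 1;
    if (s->uid == 0) return 1;
    if (!strcmp(perm, "read")) bit = 4;
    else if (!strcmp(perm, "write")) bit = 2;
    else if (!strcmp(perm, "execute")) bit = 1;
    else return 0;
    if (o->owner == s->uid) return ((o->mode >> 6) & bit) != 0;
    return (o->mode & bit) != 0;
}

/* MAC: allowed only if an explicit rule matches. The uid never enters into it. */
int mac_allows(const subject_t *s, const object_t *o,
               const char *cls, const char *perm) {
    for (size_t i = 0; i < NRULES; i++)
        if (!strcmp(policy[i].domain, s->domain) && !strcmp(policy[i].type, o->type) &&
            !strcmp(policy[i].cls, cls) && !strcmp(policy[i].perm, perm))
            return 1;
    return 0;
}

/* Both layers must agree: root can satisfy DAC, but never override MAC. */
int access_allowed(const subject_t *s, const object_t *o,
                   const char *cls, const char *perm) {
    return dac_allows(s, o, cls, perm) && mac_allows(s, o, cls, perm);
}

/* Scenario from the story: named has been hijacked via a buffer overflow and
 * runs as root; the attacker tries to run a binary (constructed labels). */
static const object_t shell = { "bin_t", 0, 0755 };
static const object_t zone  = { "named_zone_t", 0, 0644 };

int hijacked_named_can_exec(void) {
    subject_t named_root = { "named_t", 0 };
    return access_allowed(&named_root, &shell, "file", "execute");
}
int hijacked_named_passes_dac(void) {
    subject_t named_root = { "named_t", 0 };
    return dac_allows(&named_root, &shell, "file", "execute");
}
int named_can_read_zone(void) {
    subject_t named_root = { "named_t", 0 };
    return access_allowed(&named_root, &zone, "file", "read");
}
int ordinary_user_can_exec(void) {
    subject_t user = { "user_t", 1000 };
    return access_allowed(&user, &shell, "file", "execute");
}

int main(void) {
    printf("hijacked named (root) exec bin_t: DAC=%d, DAC+MAC=%d\n",
           hijacked_named_passes_dac(), hijacked_named_can_exec());
    printf("named read zone file: %d\n", named_can_read_zone());
    printf("user_t exec bin_t: %d\n", ordinary_user_can_exec());
    return 0;
}
```

The point of the two-layer check is that the MAC decision depends only on the labels, so the uid the attacker obtained through the overflow buys nothing; the daemon's domain was never given the execute permission, and the default is deny.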

  • You will find much dickering in the land of geeks over the term "secure"
    • what about "Unbreakable" (TM)

      ;-)
      • Hears the term unbreakable - followed by the sound of every pane of glass breaking. :o)
        • Unbreakable, later glass breaking - MS should have OSes with better security; anyway, all the Redmond hurry messes up each one of their projects, plus MS technology is largely disseminated, crackers wipe over an OS, and Puff!

          While Linux is becoming more and more a part of people's lives, developers must pay attention to the background. A fact that helps is the common integration of Linux developers with security crackers in the "underworld", and their knowledge from this scenario.
  • SELinux vs. LIDS (Score:2, Insightful)

    by UnderAttack ( 311872 )
    Now they just need to merge LIDS and SELinux!

    What is really missing for both is good documentation. E.g. an O'Reilly book ;-). The LIDS documentation is terribly out of date.
    Are there any distro plans for SELinux? It would be nice to combine its great features with the momentum it would get from packaging it in a nice distro.

    • It would also be nice to see RSBAC (rsbac.org) included as well - this kernel patch provides very powerful authorization mechanisms for Linux.
    • See my post [slashdot.org] on LSM: the Linux Security Modules [immunix.org] project. This is precisely what LSM is about: give Linux a kernel loadable module interface that lets you load SELinux [nsa.gov], SubDomain [immunix.org], LIDS [lids.org] (which got its security model from SubDomain), etc. into the kernel.

      Stacking modules (loading more than one module at once) is problematic, because security policies are known to not be composable in general. However, if the modules have been designed to be stacked, then LSM will let you stack them.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, WireX Communications, Inc. [wirex.com]
      Immunix: [immunix.org] Security Hardened Linux Distribution
      Available for purchase [wirex.com]

    • An interesting proposition, however, LIDS is written in the People's Republic of China, and SELinux is being developed by the US Department of Defense's NSA.
      Now, of course, the obvious argument would be that since both are open source, each can monitor the other's contributions to the merged product, but I highly doubt that Military red tape and PRC "Party procedures" would allow that to happen.
      On second thought, the Chinese would most likely welcome the code, even though they can have it already...

      Would be interesting, though!!
  • I went through the prelims back in '94 with a company doing a secure BSD. The hoops you have to jump through PLUS the fact that if any one thing changes, it ALL gets thrown out.

    Just make sure whatever is getting certified is ready for prime time, because the first major patch causes a de-cert real quick... Not nice.

    BWP
  • Hrm. Well, if it was a cryptography product, you'd trust it, RIGHT?

    But seriously, although there are some interesting things in SE Linux, I do suspect that the trust model it embodies is actually significantly broken.

    Even if the code is perfectly kosher.
    • by Anonymous Coward
      are you not aware that the model is one that was developed by non-govie folks that has been verified time after time by researchers?
  • Windows is secure??? (Score:4, Interesting)

    by NOT-2-QUICK ( 114909 ) on Tuesday March 26, 2002 @09:17PM (#3232150) Homepage
    From the article:

    "Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating."

    While I can certainly understand the value derived through attaining a prestigious security rating such as this and truly advocate this undertaking as I believe it will benefit OSS as a whole, I have a hard time believing that is a necessity in terms of staying competitive with M$ Windows.

    With the rather suspect security record (to say the least...) of the Windows operating system, I could never fathom a security conscious sect of the government ever selecting Windows in lieu of a POSIX compliant OS such as Unix (or Linux, FreeBSD, etc...) that is designed specifically with security in mind. Even more, I would be quite suspect of any organization that would actually certify the operating system as being secure!!!

    Though Windows 2000 may win in a consumer-based market or even that of a commercial world due to its many bug-ridden features, these same traits open it up for failure in any truly security conscious environment...

    At least, that would be my view on the matter...

    • It is very very likely that Win2k will be certified as Secure (the capital S is due to the fact that this is a title, and not a state of being). NT was certified as C2 Secure (in the scenarios required for C2 Security) by the NSA, and Win2k will most likely be rated the same.

      Here's an out of date link for more info:

      http://www.zdnet.com/windows/stories/main/0,4728,2214860,00.html

      Here's one from MS's site (NT 4 was also certified):

      http://support.microsoft.com/default.aspx?scid=kb;EN-US;q137018

      Plenty of other info from google. This is a very exact definition, so if you change one thing, video driver, processor, etc, you no longer have a certified secure installation.
    • With the rather suspect security record (to say the least...) of the Windows operating system, I could never fathom a security conscious sect of the government ever selecting Windows in lieu of a POSIX compliant OS such as Unix

      Lots of Unices are certified (Solaris, HP-UX, etc.). Windows certification is relatively new and there are specially stripped down versions of Windows that are what actually get certified. Notice the article mentions that MS is in the process of getting 2k certified even though it's been out for a while. Right now, it's just NT that is certified (I'm not sure what versions though).

      The thought of an NT box with a little red sticker that says "Secret" is a bit scary though isn't it? *shudder*
      • Right now, its just NT that is certified (i'm not sure what versions though).

        4.0 was IIRC.

      • by wannabe ( 90895 ) on Tuesday March 26, 2002 @11:25PM (#3232699)
        According to the NSA Commercial Product Evaluations for Trusted Systems CD (September 2001), Windows NT service pack 6 with the C2 security patch is the spec on the M$ Product.

        According to the documentation, not only does the product have to pass muster, but the company must have the financial viability to support the testing. The financial health of the company must be good enough so that there are no serious doubts about its long term existence. Apparently the NSA doesn't want to certify a product, bring it into deployment and then have the company fold. That I can see being the biggest hold back to a Linux Distro being certified.

        All this information is free on the web. Do a search for rainbow series on google and you will find a link to the nsa site. There's also a number you can call and get a copy of the specs sent to you on cd on Uncle Sam's dime.
      • by fw3 ( 523647 )
        The NT certs under TSEC are not new, 3.5 was evaluated & certified in '95, 4.0 in '99.

        see nt 3.5 [ncsc.mil] and nt 4.0 [ncsc.mil]

        Curiously the 3.5 eval was just weeks after I reported NT's vulnerable management of passwords over network links to CERT. CERT's reply was "well not enough people are using NT on the internet for this to be an issue."

        I also forwarded my data to the TSEC evaluators. They indicated that since the evaluated version of the OS(sic) had had all networking capabilities removed (orange-book doesn't cover network security), that the evaluation would not be affected by this hole.

        As it happened the vulnerability I'd found was further tied to the internal storage of passwords in the NT Registry, later examined in L0phtCrack.

        Anyhow enough people want to use NT in secure environments that MS will continue to seek these certifications.

    • by Anonymous Coward
      Actually, UNIX is not secure. It was designed before security was a huge issue, and therefore Linux/BSD and even OpenBSD will never reach some of the other more secure OSes out there. There are design reasons for this, like:
      1. Most utilities written in C/C++. These languages are notorious for bugs (the infamous buffer overflow comes to mind). It would be fine to write the kernel in C, but anything in userland from the shell up would benefit in security from using a much safer language. Of course, C and C++ are speed daemons, and servers/number crunching benefit.
      2. The user hierarchy and its implementation. There is only one super user. This is a problem, for example, when stuff like X needs to be suid to run. (I heard the new XFree86 tries to fix this. I do not know if this is true.)
      3. All kinds of stuff, like ps -Al allowing a view of everyone's processes. Lots of other stuff that takes a while to describe.

      Many of these problems can be traced to UNIX's roots, since in those days l337 hAx0rz weren't everywhere and neither were professional uber-crackers. I think there is a system called Plan 9 (also made in part by Ken, around late 80s/90s) that is significantly more secure.
    • by mjed ( 514439 )
      The reason that the government should run Linux is not because of security, because almost any OS can be made relatively secure, especially with government funding. The problem with the government running Windows is that they are reliant on Microsoft. A government should never have a company have that much power over them. If the government switched to Linux, no company would "own" them, not to mention the money they would save.
    • by Anonymous Coward
      EAL or Common Criteria Security evaluations are all only valid for a VERY specific configuration of the operating system, server, hardware or software (or anything else) that is claiming to be certified. It is possible to install any operating systems in a "secure" manner, and hence comply with the appropriate EAL certification (assuming that the operating system has been evaluated), however keeping it compliant and in an acceptable state is difficult.

      As an example, the current EAL evaluated Cisco PIX firewall runs version 5.2(3) which has a number of known security issues. If a higher version (with the known security issues fixed) of the IOS is used, then the firewall is no longer configured as per the EAL evaluated configuration, and hence is no longer EAL compliant.

      Apologies in advance for the change from Operating Systems to Cisco PIX, but I know the version information for PIX.
    • Secure vs. secure (Score:4, Informative)

      by snopes ( 27370 ) on Wednesday March 27, 2002 @12:34PM (#3234679) Journal
      As hinted at in another post here, there's a difference between what's certified and what individual practitioners would see as accurate. The reason is the individual practitioner sees systems applied in real world scenarios and these don't necessarily have anything to do with certification standards. For instance, Cold Fusion and IIS problems are simply not a factor in evaluating the OS even though in the case of IIS it's arguable as to whether this should be.

      Additionally, you need to understand just what is being evaluated at the different levels. As mentioned, WinNT was given C2 certification. Understand that this has everything to do with a particular feature set (fine grained ACLs primarily) and little to do with the penetrability of the system. Actual pen testing doesn't become a requirement until B1, IIRC.

      The type of security that many are trying to achieve now (secure design, design verification, secure distribution, etc. i.e. security from the start) really doesn't come into play until A1 and that's the highest level of security deemed practical in the TCSEC.

      If you read the Orange book [ncsc.mil] all the way through, what you'll see is that the majority of the security is intended to be achieved via mandatory access controls, subject and object labeling, and the careful application of these concepts. Each level has a new set of requirements for how much of the system is submitted to mandatory access control, whether the TCB (trusted computing base) is a subsystem of a greater insecure system, modularity and separation of duties, etc. Much higher level system design issues and features, really. Until B2, B3, and really A1 IMHO there's only basic and passing concern with what we're coming to realize as the one true requirement of security engineering: security from the start. Secure design, verification, implementation, and review.

      I haven't closely studied the Common Criteria and the handful of protection profiles yet, but I suspect you'd find the same or a similar issue. These are evaluation criteria and they tend to be focused on evaluating a stated set of features and capabilities. In high security environments product certification is not a replacement for careful product evaluation by the end user/customer any more than skills certification (e.g. Cisco, MS certs) is a replacement for careful interviewing and skills assessment by a hiring manager.
    • EAL4 (Score:3, Informative)

      by karlm ( 158591 )
      I briefly worked for a startup that ran a brief stint at getting their new programming language certified as EAL7... until they realized that it would probably take at least a minimum of $500,000 for each try at certification. This stuff is expensive (and with good reason). On top of that, each attempt at certification comes back with either "yes" or "no, and here's why...". If you try to get your system certified as EAL7 and it meets the criteria for EAL4 but not EAL7, you don't get an EAL4 certification, you get a failed EAL7 certification attempt.

      A lot of this stuff is based on design documentation (and an analysis of the design), demonstration that the design was followed, and solid, clear end-user documentation. I can't imagine a design that requires IE to be integrated with the OS will pass EAL4 certification, so they may end up perjuring themselves during the certification process. Too bad the certification documents don't need to be made public. I would strongly hope that nobody will EAL4 certify anything with I.E. integrated. Its track record seems to indicate that the design was not well reflected in the implementation. Keep an eye out: if the certified version of Win2K doesn't have I.E. integrated, maybe the DOJ can slap MS on the wrist one more time.

      Solaris 8 has a special EAL4 version, but you (rightly) pay quite a premium for that version, as I understand it. In order to get something certified, you submit an exact copy of the system to be certified. If one bit (other than passwords, usernames, and groups) is different from what is certified (besides allowable changes specified in the certified end-user documentation), it's no longer EAL4 certified.

      This is pretty hard-core stuff. The previous security record of Win2K doesn't really come into account, because the EAL version would be best described as a specific configuration of an OS based on Win2K, not actually Win2K.

      Debian is pretty hard core with quality standards. Bastille and Debian probably stand the best chance of being able to put together an EAL4 distro, but neither of them is that well off financially. RedHat has some quality issues, but should be able to put something together as good as the certified version of NT. I don't think the costs would be justified for RedHat right now, though. The chances are slim to none that you'll ever be able to serve web pages from an all-Microsoft EAL4 system within a decade. I highly doubt that the EAL4 version of Solaris 8 has a webserver, at least one capable of dynamic content.

  • by Crispin Cowan ( 20238 ) <crispin.crispincowan@com> on Tuesday March 26, 2002 @09:40PM (#3232242) Homepage
    Note that the issue of getting SELinux from being a patch to Red Hat to being a truly generic solution is part of what the Linux Security Modules (LSM) [immunix.org] project is all about: provide a module interface for the standard Linux kernel that can load a variety of modules, including SELinux. We are close to ready to propose the LSM patch for inclusion into the Linux 2.5 source tree. We maintain up-to-date LSM patches for both Linux 2.4 and 2.5.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. [wirex.com]
    Immunix: [immunix.org] Security Hardened Linux Distribution
    Available for purchase [wirex.com]
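The module interface Crispin describes (one set of kernel hooks, several loadable policy modules) and the stacking caveat from his earlier post are easy to see in miniature. The following is an added example in C, not LSM, Immunix or SELinux code: a userspace sketch with a single hook, `file_exec`, two constructed modules (one label-based, one path-based), and deny-wins composition. Module names, domains and paths are constructed for illustration.

```c
/* Added example (not LSM, Immunix or SELinux code): a userspace sketch of the
 * hook-interface idea. The "kernel" exposes one hook, file_exec, and asks
 * every registered module; the request goes ahead only if none objects.
 * Module names and their rules are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 4

typedef struct {
    unsigned int uid;
    const char *domain;   /* label consulted by the label-based module */
} task_t;

/* One hook in this sketch; the real interface has many. 0 = allow, -1 = deny. */
typedef struct {
    const char *name;
    int (*file_exec)(const task_t *t, const char *path);
} security_ops_t;

static const security_ops_t *stack[MAX_MODULES];
static int nstacked;

int register_module(const security_ops_t *ops) {
    if (nstacked == MAX_MODULES) return -1;
    stack[nstacked++] = ops;
    return 0;
}
void unregister_all(void) { nstacked = 0; }

/* The hook the kernel would call on exec. With no module loaded it is a
 * no-op, so an unmodified kernel keeps plain DAC behaviour. Composition is
 * deny-wins: every module must allow, so the stack is never more permissive
 * than any single module. A module that meant to *grant* something cannot
 * express that through this interface, which is the composability caveat
 * in concrete form: only restrict-only modules stack safely this way. */
int security_file_exec(const task_t *t, const char *path) {
    for (int i = 0; i < nstacked; i++)
        if (stack[i]->file_exec && stack[i]->file_exec(t, path) != 0)
            return -1;
    return 0;
}

/* Module A: label-based, in the spirit of a type-enforcement module.
 * Only tasks in the constructed "user_t" domain may exec anything. */
static int domains_file_exec(const task_t *t, const char *path) {
    (void)path;
    return strcmp(t->domain, "user_t") == 0 ? 0 : -1;
}
static const security_ops_t domains_ops = { "domains", domains_file_exec };

/* Module B: path-based, in the spirit of a SubDomain-style module.
 * Nobody, root included, may exec out of /tmp. */
static int paths_file_exec(const task_t *t, const char *path) {
    (void)t;
    return strncmp(path, "/tmp/", 5) == 0 ? -1 : 0;
}
static const security_ops_t paths_ops = { "paths", paths_file_exec };

void setup_stack(void) {
    unregister_all();
    register_module(&domains_ops);
    register_module(&paths_ops);
}

int check_exec(unsigned int uid, const char *domain, const char *path) {
    task_t t = { uid, domain };
    return security_file_exec(&t, path);
}

int main(void) {
    setup_stack();
    printf("root in named_t exec /bin/sh: %d\n", check_exec(0, "named_t", "/bin/sh"));
    printf("user_t exec /tmp/x: %d\n", check_exec(1000, "user_t", "/tmp/x"));
    printf("user_t exec /bin/ls: %d\n", check_exec(1000, "user_t", "/bin/ls"));
    unregister_all();
    printf("no modules, exec /bin/sh: %d\n", check_exec(0, "named_t", "/bin/sh"));
    return 0;
}
```

Two things worth noticing when running it: with the stack empty the hook allows everything, which is what lets a generic kernel carry the interface without changing behaviour for people who load no module; and with both modules loaded the result is the intersection of their policies, which is only the right answer if each module was written knowing it can only ever take permissions away.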

  • I think the model of SELinux is pretty good: it enforces policies on users, software and services, and anything that does not match the policy gets denied.

    A well set up Linux server with the SELinux "patch" would be a solid server.

    here is the NSA posted paper intro on MAC vs DAC
    http://www.nsa.gov/selinux/freenix01-abs.html

    and the paper on security objectives with SELinux
    http://www.nsa.gov/selinux/ottawa01-abs.html

    and the Security policy config paper
    http://www.nsa.gov/selinux/policy-abs.html

    In my OWN opinion:
    the MAC security model in the SELinux patch is the way to go. The only issue with it is the complex setup and maintenance.

    If those issues could be resolved and/or some better docs/tools provided, it would help Linux a long way.

    Nex6
  • Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict, they were looking at ways to resolve the potential problems. Among those issues: A security certified operating system that's had outside changes made to it may lose its certification, and a distribution that's downloaded from a site that's not part of the official certification channels loses its certification, Westerman said.


    If an OS loses certification due to changes from the outside, then do what Debian does: have stable, testing, and unstable distributions, and officially distribute only the stable distribution on CD. As long as you keep tight control over the changes made to the stable distribution, this shouldn't be a problem. This is how Debian does it, and also the reason why it's often accused of being out of date.

    Also, distribute the certification only with CDs if you can't certify downloaded OSes (and make CDs the official distribution), even if they are exactly the same. Make it clearly noted, obviously, that certification only comes on official distribution channels (i.e. the CDs.)
  • (and I haven't even tried it yet!)

    Though naturally distrustful of government spy agencies, I finally see some immediate return on my tax dollars. Something I can put on my own PC. This article really does send the message that open source is mainstream.

    Another view - my employer has hundreds of Unix machines. We buy 3rd party software to make them more secure and our security group makes it near impossible to do things. Now, Linux isn't playing catch-up to Unix / NT / whatever, it leads.

    For the last couple of months I've been working on getting a Beowulf cluster for a new project, moving away from commercial Linux

    Mmmmmm - Imagine a Beowulf of SELinux.....

    (Sorry, I'll go slap myself). Anyway, getting people to accept Linux is still tough. Who supports it? Who to sue when it breaks?

    This article is ammunition. SELinux is a good thing.
  • I had a badge thingie for this thing (government contractor for SAIC, ironically Mr. Dean works for SAIC too.)

    But when I got the badge and pamphlets in the mail, there was no mention of anything Linux related ... and considering my colleagues told me that it would be a "typical show", ie. huge MS presence, nothing spectacular, I chose to catch up at work. IBM wasn't even on the list. It looked really lame.

    I'll go next year, but did anyone know in advance that these guys were speaking? If so, is there a web resource that is available to check on Linux community participation in events? The big shows are obvious, but I really didn't think there would be a linux presence at FOSE at all....
  • by i_want_you_to_throw_ ( 559379 ) on Tuesday March 26, 2002 @11:37PM (#3232750) Journal
    Being a government contractor (Army) I totally welcome this.

    I am in a NT shop and have a lonely Linux box that I managed to get in because I was able to show a couple of apps that the front office greensuiters thought were really neat and they said I could put one up (hooray!).

    I was depending on providing more and more functionality as my sole method of bringing in more Linux, but now I can just go to the green suiters (who know NOTHING of technology) and say "Look, NSA did this".

    Being good military men, I can hear them now "If it's good enough for NSA, no problem".

    Like the poster on Newsforge said "I never thought I'd say this but 'Thanks NSA!'".

    If you're in government and trying to push more open source, this may be just the 800 pound gorilla you need in your court.

    NSA quite possibly may do more for open source in government than anyone. Sure is going to help my case out!
  • People may be interested to know that there have been open source trusted operating systems for years. The most notable being Flash from the University of Utah.
    SE-Linux, SE-Darwin, and TrustedBSD actually have the same ancestry.

    TrustedBSD - http://www.trustedbsd.org
    SE-Darwin - http://www.stosdarwin.org/

    Cheers,
    Thomas Vincent

    • I did know about TrustedBSD, and that there is OSS work towards Secure operating systems.

      However, no open source OS has, to my knowledge (which is severely lacking), been certified to date. I know TrustedBSD targets certification, but I don't know how close they are to that, and how it is going to be funded. Certification isn't free, and to keep the cert there will be a continuous drain, as re-certifying an updated distribution costs money, too.

      While SELinux is a work in progress and it'll still take time to get the required changes to the main kernel tree, it's good to know that there's an organization trying to fund the certification process.
