Red Hat Enterprise Linux 7 in evaluation for Common Criteria certification

Security is a crucial component of the technology Red Hat provides for its customers and partners, especially those who operate in sensitive environments, including the military.

Given that importance, we are excited to announce that BSI, Germany's federal office for information security, is currently evaluating Red Hat Enterprise Linux 7 for Common Criteria certification, and we’re honored to be working with our hardware partners to certify Red Hat Enterprise Linux 7 on their products. The Common Criteria is an internationally recognized set of standards used by the federal government and other organizations to assess the security and assurance of technology products. This will be Red Hat’s 16th Common Criteria Certification, reinforcing our commitment to comply with and surpass public sector security standards.

In the Common Criteria scheme, the Evaluation Assurance Level (EAL) represents the depth and rigor of the evaluation, giving consumers the confidence that products certified at a specific level meet the package of security assurance requirements associated with that level. Red Hat Enterprise Linux 7 has been submitted for Common Criteria at EAL 4+, the highest level of assurance for an unmodified commercial operating system. The submission is for both Operating System Protection Profile (OSPP) v3.9 and v2.0 including Advanced Management, Labeled Security, and Enhanced Identity and Authentication extended modules.

The current certification is aiming to achieve two goals. The first is to meet OSPP v3.9 exactly as the National Information Assurance Partnership (NAIP) defined it, helping U.S. government agencies to meet this requirement. The second goal is to certify under OSPP v2.0 at EAL4+, including all capabilities previously certified to the base operating system on Red Hat Enterprise Linux 6, but without the Advanced Audit extended module.

The security function requirements under OSPP v2.0 will enable Security-Enhanced Linux’s (SELinux's) Multi-Level Security (MLS) and Role Based Access Control (RBAC) capabilities to be certified. Additionally, Red Hat will include System Security Services Daemon (SSSD) to authenticate users against remote servers demonstrating enterprise level user management. This will be done in both OSPP v3.9 as NIAP defined it and using the Enhanced Identity and Authentication extended module under OSPP v2.0.

This certification, in tandem with forthcoming FIPS 140-2 and cryptography certification for Red Hat Enterprise Linux 7, will provide users with further confidence that Red Hat Enterprise Linux 7 will meet or exceed government security requirements. The FIPS-140 certifications will include all the updated requirements that NIST has levied such as a new Deterministic Random Byte Generator (DRGB) as specified in SP 800-90a; an updated RSA key generation technique as specified in FIPS 186-4; and updated key sizes and algorithms as specified in SP 800-131a. Red Hat’s current FIPS work will contain all of its previously certified crypto modules and increase the scope to include gnutls and its crypto library, libnettle.

Red Hat encourages customers and partners to visit https://www.bsi.bund.de/EN/Topics/Certification/incertification.html and reference certification BSI-DSZ-CC-0949 to verify the evaluation of Red Hat Enterprise Linux 7 for Common Criteria Certification.

You can find out more about our sustained commitment to Common Criteria and other security certifications at http://www.redhat.com/security and http://www.redhat.com/solutions/government/certifications/.