atsec information security corporation, an independent, standards-based IT (information technology) security consulting and evaluation services company, has completed the Common Criteria (CC) evaluation of Red Hat Enterprise Linux 4 on a range of IBM server platforms.

The evaluation of Red Hat Enterprise Linux 4 at Evaluation Assurance Level (EAL) 4+ is the first successful Linux evaluation at this assurance level performed under the U.S. NIAP (National Information Assurance Partnership) CCEVS (Common Criteria Evaluation and Validation Scheme). This success builds on atsec's long record of more than 20 successful CC evaluations including six Linux evaluations on five different Linux platforms at assurance levels EAL2, EAL3, and EAL4+, performed with several vendors under both the German BSI (Bundesamt für Sicherheit in der Informationstechnik) and U.S. CCEVS schemes.

"atsec and IBM's maturity in evaluating Linux facilitated a smooth and timely evaluation under the U.S. scheme," said Fiona Pattinson, atsec Common Criteria lab manager.

The WS and AS distributions of the Red Hat Enterprise Linux 4 operating system platform were certified by the NIAP CCEVS as conformant to EAL4+ and the Controlled Access Protection Profile (CAPP), which specifies a set of security functional and assurance requirements for IT products.

The scrutiny of Linux continues. Red Hat Enterprise Linux 5 is in evaluation at EAL4 including the security functionality defined in three protection profiles recognized by the Common Criteria: Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBAC). These profiles support the requirements of Director of Central Intelligence Directive (DCID) 6/3 at Protection Level 4, which specifies security intelligence related information and systems measures, including those necessary for Top Secret and Below Interoperability (TSABI).

One more significant "first" emerged during the Red Hat Enterprise Linux 4 evaluation. In order to address the requirements of the CAPP, the audit subsystem was re-implemented. In accordance with the collaborative, open source nature of Linux development, the audit subsystem solution was offered back to the open source community for discussion and ultimately, acceptance.

"Throughout the history of atsec's Linux evaluation projects, I have been amazed by the level of support provided by commercial enterprises for the open source community," said Stephan Mueller, atsec's lead evaluator for Linux projects since 2004. "IBM demonstrated its real commitment to the Linux open source community -- as well as to security -- by sharing the results of its substantial investment leading to the Red Hat Enterprise Linux 4 evaluation."

The formal announcement of the successful CAPP/EAL4+ evaluation completion of Red Hat Enterprise Linux 4 was made at the RSA Conference 2006 in San Jose, Calif.