[olug] NSA XP manual

Brian Wiese bwiese at cotse.com
Sat Dec 13 05:15:55 UTC 2003


On Fri, 12 Dec 2003 08:36:13 -0600
"Tim - DZ" <iceburn at dangerzone.com> wrote:

|I know Red Hat was going after a Common Criteria cert...
|http://news.com.com/2100-1001-984383.html?tag=fd_top 
|
|The NSA also publishes a variety of 'templates' and tools to help secure
|a variety of things...like windows inf files, alteration on the password
|strength enforcement, etc... but most of the information on routers and
|such are recommendations and policy 
|http://nsa2.www.conxion.com/ 
...
|-----Original Message-----
|From: Sean Edwards
|It has been a couple of years since I have been
|involved with security, but does anybody know if the
|above is still true?  Are there D.O.D. standards and
|ratings for OpenSource projects, like Linux and
|OpenLDAP?

As Tim mentioned above, it is possible -- but costs quite a bit of time
and money for a company to get their product accredited through the NSA's
vigorous testing and certifying that it does "what you tell it to do".
The integration of Mandatory Access Controls () and Discretionary Access
Controls, with support for auditing/accounting logs of what is all going
on in the system and other stuff all go into achieving a DOD Orange Book
rating of its "trustfulness".  Last I heard, it was typically a $1mil+ to
get some software tested.

The Security Enhanced Linux (nsa.gov/selinux) kernel patches from the NSA
should help the kernel to achieve some level of accreditation, should it be
tested... but the kernel and other FLOSS (free/libre and open source
software) is always rapidly changing -- I believe that just because RH 8.0
gets accredited, doesn't mean 9.0 does.

Red Hat and SuSE have achieved Common Operating Environment certifications
http://www.redhat.com/solutions/industries/government/coe/
http://www.hoise.com/primeur/03/articles/monthly/AE-PR-09-03-25.html

NSA Security Recommendation Guides
http://www.nsa.gov/snac/index.html

Some more information on Common Criteria and IA
http://iase.disa.mil/common/index.html
http://niap.nist.gov/cc-scheme/ValidatedProducts.html#operatingsystem

-- 
 Brian Wiese | bwiese(at)cotse.com | aim: unolinuxguru
-------------------------------------------------------
  GnuPG/PGP key 0x2FD6AF16 | "FREEDOM!" - Braveheart 
------------------------------------------------------- 
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
