Common Criteria Certification for Red Hat Enterprise Linux 8
On 2nd March 2021, Red Hat announced that RHEL 8 has achieved Common Criteria certification. This is the first major security certification for RHEL 8.
Red Hat maintains crucial IT security certificates for its next-generation operating system.
RHEL 8 will now provide a more secure and more intelligent platform for critical and classified deployments while maintaining the flexibility, scalability and innovation of Linux, and all RHEL 8 certifications will be valid globally.
RHEL 8.1 is certified by NIAP, with testing and validation done by Acumen Security, a U.S. government-accredited laboratory.
RHEL 8.1 was validated with respect to the Common Criteria Standard for Information Security Evaluation (ISO/IEC 15408) against version 4.2.1 of the NIAP General Purpose Operating System Protection Profile, including the Extended Package for Secure Shell (SSH), version 1.0, and is the latest Red Hat Enterprise Linux version to appear on the NIAP Product Compliant List.
What is Common Criteria?
Common Criteria (CC) is an international standard (ISO/IEC 15408) for certifying computer security software. Computer systems can be secured to a specific level that meets the Common Criteria established by government, using a Protection Profile (PP).
A PP is a standard document containing the certification criteria to be met by government.
The Common Criteria Recognition Arrangement has been signed by 26 countries, and they have to recognise and accept each other's certifications. The Common Criteria members' committee is known as the CCRA. CCRA members are divided into two roles: Authorizing and Consuming.
That simply means any Common Criteria certification will be valid in 26 countries. The Authorizing members are India, Australia, New Zealand, Canada, France, Germany, Italy, Japan, Malaysia, Netherlands, Norway, Republic of Korea, Singapore, Spain, Sweden, Turkey and the United States; the rest of the countries fall into the Consuming role.
In the United States, Common Criteria is handled by the National Information Assurance Partnership, known as NIAP.
The rest of the countries have their own CC authorities. Each authority certifies CC labs, the bodies which do the actual work of evaluating products.
Once a product is certified by the authority, which considers the evidence from the lab examination and from the vendor, the certification is recognized globally.
If you want to know more about how Common Criteria works, please check the link.
So RHEL 8.1 is now Common Criteria certified. Fedora and CentOS are related to RHEL, but they are not yet certified for Common Criteria.
How to keep my system CC compliant?
There is a security plugin for the yum update tool that allows RHEL customers to install only the patches related to security fixes. This allows a system to be updated for security issues.
It will not install bug fixes or other enhancements. This provides a more stable system and meets security update requirements.
# yum --enablerepo='*' install yum-plugin-security
# yum --enablerepo='*' updateinfo
# yum --enablerepo='*' update --security
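As an added example (not from Red Hat or the original article), the script below classifies the lines printed by yum updateinfo list, so you can see which pending advisories a security-only update would apply and which it would leave. The advisory ids and package versions in SAMPLE are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: classify `yum updateinfo list` output before a security-only update.
# SAMPLE is constructed (advisory ids and package versions are made up); on a real
# host, pipe the output of `yum -q updateinfo list` into the functions instead.
SAMPLE='Last metadata expiration check: 0:10:00 ago.
RHSA-0000:0001 Important/Sec. kernel-4.18.0-1.el8.x86_64
RHSA-0000:0002 Moderate/Sec.  openssl-libs-1.1.1-1.el8.x86_64
RHBA-0000:0003 bugfix         bash-4.4.19-1.el8.x86_64
RHEA-0000:0004 enhancement    tzdata-2021a-1.el8.noarch'

# Print the packages attached to one advisory class read from stdin.
# RHSA = security, RHBA = bug fix, RHEA = enhancement.
packages_for() {
    awk -v cls="$1" '$1 ~ ("^" cls "-") && NF >= 3 { print $3 }'
}

# Count what `update --security` would apply (RHSA) versus leave pending
# (RHBA/RHEA). Header lines and anything else are ignored.
summarise() {
    awk '
        $1 ~ /^RHSA-/    { applied++;  next }
        $1 ~ /^RH[BE]A-/ { deferred++; next }
        END { printf "applied=%d deferred=%d\n", applied, deferred }'
}

printf '%s\n' "$SAMPLE" | summarise
printf 'security packages:\n'
printf '%s\n' "$SAMPLE" | packages_for RHSA
```

Recording the deferred list alongside the applied one gives a record of how far the host has moved from the configuration that was evaluated.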
After security updates are applied, the CC-evaluated configuration has changed and the system is no longer certified. This makes your system non-compliant with CC, and you have to follow the DISA guidelines mentioned below.
The Defense Information Systems Agency (DISA) has recently published a Security Technical Implementation Guide for Red Hat Enterprise Linux 8.
That's it about Common Criteria certification for Red Hat Enterprise Linux 8; you need to follow the DISA guidelines.
Source: Red Hat Press Release