Hi all,
Red Hat announced that RHEL6 got EAL4+ certification last week, and Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo. I think CentOS6.2 should get the same EAL4+ security level. Is it possible to add this package in CentOS6's repo?
Bests, An Yang
On 11/06/2012 09:07 AM, An Yang wrote:
> Hi all,
> Red Hat announced that RHEL6 got EAL4+ certification last week, and Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo. I think CentOS6.2 should get the same EAL4+ security level. Is it possible to add this package in CentOS6's repo?
We can add the package but what does that tell us....
CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
How much of the EAL4 requirements can be assumed to be inherited?
RHEL-5 has had this for a while as well, and we've been conscious not to claim anything based on that; are we getting it wrong?
On 2012-11-06 11:23 +0000, Karanbir Singh wrote:
> On 11/06/2012 09:07 AM, An Yang wrote:
>> Hi all,
>> Red Hat announced that RHEL6 got EAL4+ certification last week, and Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo. I think CentOS6.2 should get the same EAL4+ security level. Is it possible to add this package in CentOS6's repo?
> We can add the package but what does that tell us....
> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
> How much of the EAL4 requirements can be assumed to be inherited?
All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
> RHEL-5 has had this for a while as well, and we've been conscious not to claim anything based on that; are we getting it wrong?
On 11/07/2012 08:19 AM, An Yang wrote:
>> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
>> How much of the EAL4 requirements can be assumed to be inherited?
> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
*should* being the keyword.
On 11/07/2012 12:09 PM, Karanbir Singh wrote:
> On 11/07/2012 08:19 AM, An Yang wrote:
>>> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
>>> How much of the EAL4 requirements can be assumed to be inherited?
>> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
> *should* being the keyword.
Maybe we could post a wiki article teaching people how to implement the configuration and obtain similar results as those of the certification?
On 11/07/2012 10:16 AM, Manuel Wolfshant wrote:
>>>> How much of the EAL4 requirements can be assumed to be inherited?
>>> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
>> *should* being the keyword.
> Maybe we could post a wiki article teaching people how to implement the configuration and obtain similar results as those of the certification?
I haven't read the specification or the evaluation process, but unless we can replay that to some level of confidence, then we're only misleading people by promoting it.
On 11/07/2012 11:09 AM, Karanbir Singh wrote:
> On 11/07/2012 08:19 AM, An Yang wrote:
>>> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
>>> How much of the EAL4 requirements can be assumed to be inherited?
>> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
> *should* being the keyword.
+1
On 2012-11-07 10:09 +0000, Karanbir Singh wrote:
> On 11/07/2012 08:19 AM, An Yang wrote:
>>> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
>>> How much of the EAL4 requirements can be assumed to be inherited?
>> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
> *should* being the keyword.
Just the other rebuild packages in CentOS, "should" means sure -:) And I'll go through the Guide in CentOS 6.2, good luck.
On 11/07/2012 12:24 PM, An Yang wrote:
> On 2012-11-07 10:09 +0000, Karanbir Singh wrote:
>> On 11/07/2012 08:19 AM, An Yang wrote:
>>>> CentOS has certainly not asked for or applied for or been considered for the EAL4+ Certification.
>>>> How much of the EAL4 requirements can be assumed to be inherited?
>>> All the packages involved are in CentOS, and if they are without any functional modification, CentOS should inherit all the features required by EAL4+.
>> *should* being the keyword.
> Just the other rebuild packages in CentOS, "should" means sure -:) And I'll go through the Guide in CentOS 6.2, good luck.
You keep mentioning 6.2 in your mails. You do know that 6.3 has been out for several months, right?
On 11/07/2012 10:36 AM, Manuel Wolfshant wrote:
>> Just the other rebuild packages in CentOS, "should" means sure -:) And I'll go through the Guide in CentOS 6.2, good luck.
> You keep mentioning 6.2 in your mails. You do know that 6.3 has been out for several months, right?
The certification is only applicable to 6.2 though.
On 11/06/2012 03:07 AM, An Yang wrote:
> Hi all,
> Red Hat announced that RHEL6 got EAL4+ certification last week, and Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo. I think CentOS6.2 should get the same EAL4+ security level. Is it possible to add this package in CentOS6's repo?
> Bests, An Yang
Reproducing the bits is not reproducing the certification ... becoming EAL4+ certified is a hugely expensive proposition.
This is what EAL is: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
As you can see, this certification process for EAL4+ is a 2 year, $350,000.00 dollar process. To the best of my knowledge, RHEL and SLES are the only EAL certified Linux distros out there ... and that does not include their Fedora or OpenSUSE variants. My research shows that Debian and Ubuntu (as examples) are not EAL certified either.
Not only that, there is RHEL-specific documentation about the EAL4+ certification process in that SRPM.
If we replace all the RHEL-specific language in said documentation, we would be claiming CentOS has EAL4+ certification, which it does not. We cannot publish something that claims EAL4+ certification (or even EAL testing) for CentOS.
That SRPM is easy enough to compile, so people can compile it if they want ... but if someone is in the least bit interested in EAL4+ certification for a machine because they actually need that certification, then they need to buy a RHEL subscription.
Red Hat charges money for their products specifically so that they can perform expensive certifications like this and provide that certification to their subscribers.
That is my take.
Thanks, Johnny Hughes
On 2012-11-06 06:47 -0600, Johnny Hughes wrote:
> On 11/06/2012 03:07 AM, An Yang wrote:
>> Hi all,
>> Red Hat announced that RHEL6 got EAL4+ certification last week, and Red Hat released cc-eal4-config-rhel62-0.33-1.noarch.rpm in RHEL6's repo. I think CentOS6.2 should get the same EAL4+ security level. Is it possible to add this package in CentOS6's repo?
>> Bests, An Yang
> Reproducing the bits is not reproducing the certification ... becoming EAL4+ certified is a hugely expensive proposition.
What is in the package is only the configuration files and an evaluation guide, and with this guide, the users of CentOS will have the easiest way to secure their servers. I think just putting this package in CentOS' repo does not mean CentOS has any relationship with the certification of EAL4+, and just lets the users know CentOS has all the capabilities of the EAL4+ security level.
> This is what EAL is: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
> As you can see, this certification process for EAL4+ is a 2 year, $350,000.00 dollar process. To the best of my knowledge, RHEL and SLES are the only EAL certified Linux distros out there ... and that does not include their Fedora or OpenSUSE variants. My research shows that Debian and Ubuntu (as examples) are not EAL certified either.
> Not only that, there is RHEL-specific documentation about the EAL4+ certification process in that SRPM.
> If we replace all the RHEL-specific language in said documentation, we would be claiming CentOS has EAL4+ certification, which it does not. We cannot publish something that claims EAL4+ certification (or even EAL testing) for CentOS.
> That SRPM is easy enough to compile, so people can compile it if they want ... but if someone is in the least bit interested in EAL4+ certification for a machine because they actually need that certification, then they need to buy a RHEL subscription.
> Red Hat charges money for their products specifically so that they can perform expensive certifications like this and provide that certification to their subscribers.
> That is my take.
> Thanks, Johnny Hughes
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel