"Ross S. W. Walker" <rwalker at medallion.com> wrote: >> I agree whole heartily. It would go a long way though if Redhat provided independent certification of their products under these compliance banners. << RHEL 5 is Common Criteria certified against the Controlled Access Protection Profile (CAPP), Labelled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP) at EAL (Evaluation Assurance Level) 4+ (i.e. all requirements of EAL4 and some of EAL5), when running on certain hardware platforms (IBM). See http://www.commoncriteriaportal.org/public/consumer/index.php?menu=5 for the reports. That may be overkill for what you require, but if your system is certified and accredited, it usually stops auditors in their tracks. I agree with concerns about the inability of auditors to correctly interpret requirements. The Y2K panic provided lots of examples; I recall one junior auditor demanding that a network hub be replaced because it was not "certified Y2K compliant". Best, --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909