On Tuesday 05 August 2003 08:15 pm, Deven Phillips wrote:
> Good info,
>
> They also mentioned in one article I read that they expect to achieve
> EAL3+ or EAL4 by the end of the year.
>
> Deven
The highest rating you can find for COTS software/OS is EAL4. EAL4 security must meet:

1) Discretionary Access Control (classic UNIX file permissions; file access controls in the directory are supported out to the mount points - NFS UID/GID synchronization)

2) Mandatory Access Control (data flow is based on security labels and everything is labeled - files and directories/interfaces/remote hosts; policy enforced - no "read-up" system security policy / no "write-down" system policy; communication limited to mount points - high mount point/low mount point)

3) Role-Based Access Control (separation of duties; many basic administration tasks do not require the "root" user, i.e. SA, IAO, NSO)

4) Audit Trail (all administrative actions are audited; the audit trail is reviewed by the Security Officer role. DoD policy does not allow the system administrator to review audit logs.)

Many of our projects have been developed on Linux then switched to Solaris because they required an EAL4 rating. Hopefully Linux can catch up with IBM's help, then kill SCO after.
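The "no read-up / no write-down" label rule in item 2 above is the Bell-LaPadula model, and it is easy to see why it blocks data flow downward once you write it out. The following is an added example, not code from the post or from any Solaris or Linux implementation; the level names, compartments, users and file labels are all constructed for illustration. It models labels as a hierarchical level plus a set of compartments, decides reads with the simple security property and writes with the *-property, and appends an audit record for every decision so that a separate Security Officer role could review it (as item 4 requires).

```python
"""Bell-LaPadula style MAC decisions: no read-up, no write-down, every
decision audited. Added illustration; all labels/users are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Hierarchical sensitivity levels (constructed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # non-hierarchical compartments

    def dominates(self, other: "Label") -> bool:
        """self >= other: level is higher or equal AND compartments are a superset.
        Two labels with disjoint compartments are incomparable: neither dominates."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what the subject dominates (no read-up)."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the subject (no write-down),
    so labeled data can never flow to a lower or incomparable label."""
    return obj.dominates(subject)


# Audit trail: (user, operation, object name, decision). In the model described
# above this is reviewed by the Security Officer, not by the system administrator.
AUDIT: List[Tuple[str, str, str, bool]] = []


def access(user: str, subject: Label, name: str, obj: Label, op: str) -> bool:
    """Mediate one access against the MAC policy and record the decision."""
    if op == "read":
        allowed = may_read(subject, obj)
    elif op == "write":
        allowed = may_write(subject, obj)
    else:
        raise ValueError(f"unknown operation {op!r}")
    AUDIT.append((user, op, name, allowed))
    return allowed


def demo() -> dict:
    """Constructed scenario: a SECRET/NATO user against three labeled files."""
    alice = Label("SECRET", frozenset({"NATO"}))
    files = {
        "/low/readme": Label("UNCLASSIFIED"),
        "/high/plan": Label("TOP SECRET", frozenset({"NATO"})),
        "/crypto/keys": Label("SECRET", frozenset({"CRYPTO"})),  # incomparable
    }
    return {(name, op): access("alice", alice, name, lbl, op)
            for name, lbl in files.items() for op in ("read", "write")}


if __name__ == "__main__":
    for (name, op), ok in demo().items():
        print(f"{op:5} {name:14} -> {'allow' if ok else 'deny'}")
    print(f"{len(AUDIT)} audit records")
```

Note the incomparable case: the SECRET/CRYPTO file can be neither read nor written by a SECRET/NATO subject, because dominance fails in both directions. That is the behaviour that makes per-compartment labeling of "everything" (files, interfaces, remote hosts) meaningful rather than a simple high/low split.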
