"Ross S. W. Walker" <rwalker@xxxxxxxxxxxxx> wrote:
>>
I agree whole heartily. It would go a long way though if Redhat
provided independent certification of their products under these
compliance banners.
<<
RHEL 5 is Common Criteria certified against the Controlled Access
Protection Profile (CAPP), Labelled Security Protection Profile (LSPP) and
Role-Based Access Control Protection Profile (RBACPP) at EAL (Evaluation
Assurance Level) 4+ (i.e. all requirements of EAL4 and some of EAL5), when
running on certain hardware platforms (IBM). See
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=5 for
the reports. That may be overkill for what you require, but if your system
is certified and accredited, it usually stops auditors in their tracks.
I agree with concerns about the inability of auditors to correctly
interpret requirements. The Y2K panic provided lots of examples; I recall
one junior auditor demanding that a network hub be replaced because it was
not "certified Y2K compliant".
Best,
--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
