Validated Product - Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 3 Update 5 Running on Unisys ES7000 Hardware models 405, 410, 420, 430, and 440

Certificate Date: 29 January 2007
Validation Report Number: CCEVS-VR-07-0006
Product Type: Operating System
Conformance Claim: EAL3 Augmented with ALC_FLR.2
PP Identifier: Controlled Access Protection Profile, Version 1.d

PRODUCT DESCRIPTION

Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 3 Update 5 Running on Unisys ES7000 Hardware is a hardware platform running an operating system. Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 3 Update 5 is a commercial operating system product developed by Red Hat, Inc. It is a version of Linux that has been developed not only to serve as a fully capable operating system, but also to provide a good level of security for commercial environments. The Unisys ES7000 hardware platforms (specifically, the Unisys ES7000-4xx-M2) are mainframes designed and developed by Unisys Corporation. Each of these machines is designed to support numerous 32- or 64-bit Intel microprocessors, as well as other supporting and peripheral devices (memory, disks, CD and floppy disk drives, network cards, and other I/O devices such as keyboards and mice). Though the TOE includes both Red Hat and Unisys components, it is assembled, delivered, and supported by Unisys.

RHEL AS may be viewed as a series of layers. At the lowest layer, the kernel interacts with the hardware platform, providing a common set of services to application programs. These services include managing system memory, sharing access to the system processor(s), and access to devices. In addition, the operating system provides basic services such as:
The kernel operates in the hardware processor’s privileged mode, known as kernel mode, with full control of all resources of the underlying hardware. The kernel is accessed via system calls, which are reached through system libraries that translate widely known UNIX and POSIX calls, for example, into the appropriate kernel interfaces. RHEL AS also includes a large number of programs that run in user mode (the hardware processor’s unprivileged mode). These include system services, administrator and system utilities, and user programs. Some of the system services and utilities may be invoked just once, to initialize and configure some aspect of the system, whereas others (e.g., daemons) may run permanently (e.g., to accept login requests or update log files). User programs are provided to perform everyday tasks such as listing directories and moving files, or more complex operations such as text editing; while included in the RHEL AS product, they are not considered part of the TOE unless an administrator is required to use them.

The evaluation team ran its tests on an ES7000-420 Series platform, since the security-relevant code is unchanged across all the ES7000 mainframes.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the RHEL AS TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2, and the International Interpretations effective on April 1, 2004. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 3 augmented with ALC_FLR.2.
The product, when configured as specified in the Common Criteria - EAL3 Validation Configuration Guide for Red Hat Enterprise Linux Version 3 Update 5 on Unisys ES7000 4xx, December 05, 2006, Version 1, satisfies all of the security functional requirements stated in the Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 3 Update 5 Running on Unisys ES7000 Hardware Security Target (Version 1.0). Two validators monitored the evaluation carried out by SAIC. The evaluation was completed in January 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-07-0006, dated 29 January 2007) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

RHEL AS is a commercial operating system product developed by Red Hat, Inc. The Unisys ES7000 hardware platforms are mainframes designed and developed by Unisys Corporation. Though the TOE includes both Red Hat and Unisys components, it is assembled, delivered, and supported by Unisys. RHEL supports five security functions.

Security audit: RHEL3 provides an audit capability to generate audit records for security-relevant events. The administrative user can select which events will be audited and for which users auditing is active. RHEL3 provides tools for the administrative user that allow extracting specific types of audit events, audit events for specific users and groups, and successful or failed events from the overall audit records collected by RHEL3. Those tools allow an administrative user to save or print the selected audit records in human-readable form. The audit function informs the system administrator via a syslog message when the capacity of the audit trail exceeds a configurable limit. The audit function also ensures that no audit records are lost due to exhaustion of the internal audit buffers.
Processes that try to create an audit record while the internal audit buffers are full are blocked until the required resources are available again.

User data protection: Discretionary Access Control (DAC) restricts access to file system objects based on Access Control Lists (ACLs) that include the standard UNIX permissions for user, group, and others. Access control mechanisms also protect IPC objects from unauthorized access. RHEL3 includes the ext3 file system, which supports POSIX ACLs. This allows defining access rights to files within this type of file system down to the granularity of a single user. File system objects as well as IPC objects are cleared before they can be reused by a process belonging to a different user.

Identification and authentication: RHEL3 provides identification and authentication using user passwords. The quality of the passwords used can be enforced through configuration options controlled by Red Hat Enterprise Linux. Other authentication methods (e.g., Kerberos authentication, token-based authentication) that are supported by Red Hat Enterprise Linux as pluggable authentication modules are not part of the evaluated configuration. Functions to ensure medium password strength, limit the use of the su command, and restrict root login to specific terminals are also included.

Security management: The management of the security-critical parameters of RHEL3 is performed by administrative users. A set of commands that require root privileges is used for system management. Security parameters are stored in specific files that are protected by the access control mechanisms of RHEL3 against unauthorized access by users.

Protection of the TSF: While in operation, the kernel software and data are protected by the hardware memory protection mechanisms. The memory and process management components of the kernel ensure that a user process cannot access kernel storage or storage belonging to other processes.
Non-kernel TSF software and data are protected by DAC and process isolation mechanisms. In the evaluated configuration, the reserved user ID root owns the directories and files that define the TSF configuration. In general, files and directories containing internal TSF data (e.g., configuration files, batch job queues) are also protected from reading by DAC permissions. RHEL3 and the hardware and firmware components are assumed to be physically protected from unauthorized access by the environment. The system kernel mediates all access to the hardware mechanisms themselves, other than program-visible CPU instruction functions. RHEL3 provides a tool that allows an administrative user to check the correct operation of the underlying hardware. This tool performs tests to check the system memory, the memory protection features of the underlying processor, and the correct separation between user and supervisor state.

Vendor: Unisys Corporation
Contact: Thomas Waddell / Dennis Wells
Phone: 610.648.2140
Fax: 610.648.2044
Email: thomas.waddell@unisys.com
CC Testing Lab: SAIC Common Criteria Testing Laboratory
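As an added check that is not part of the validation report or the Unisys configuration guide: a POSIX shell script that tests whether a host's configuration reflects three of the identification and authentication claims listed under Environmental Strengths (root login restricted to specific terminals, use of su limited to a trusted group, and enforced password length). The file paths and PAM module names it looks for (/etc/securetty, pam_wheel.so in /etc/pam.d/su, pam_cracklib.so in /etc/pam.d/system-auth) are assumptions about the RHEL 3 layout rather than values taken from the page, and it runs against a constructed sample config tree so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the validation report: checks three evaluated-
# configuration claims against a config tree rooted at the DIR argument, so it
# runs on the constructed sample below or, with DIR=/, on a live RHEL 3 host.
# File paths and PAM module names are assumptions about the RHEL 3 layout.
# make_sample_tree DIR: write a constructed, compliant sample config tree
make_sample_tree() {
  mkdir -p "$1/etc/pam.d"
  printf 'tty1\ntty2\n' > "$1/etc/securetty"
  printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' \
    > "$1/etc/pam.d/su"
  printf 'password required pam_cracklib.so retry=3 minlen=8\n' \
    > "$1/etc/pam.d/system-auth"
}
# root_ttys_ok DIR: 0 when /etc/securetty exists and names only local
# consoles (ttyN); a pts/ or other non-console entry is a finding.
root_ttys_ok() {
  f="$1/etc/securetty"
  [ -f "$f" ] || return 1
  if grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
       | grep -qvE '^tty[0-9]+$'; then
    return 1
  fi
  return 0
}
# su_restricted_ok DIR: 0 when /etc/pam.d/su requires pam_wheel, i.e. only
# members of the wheel group may use su to become root.
su_restricted_ok() {
  grep -qE '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
    "$1/etc/pam.d/su" 2>/dev/null
}
# password_quality_ok DIR MINLEN: 0 when pam_cracklib is required for
# password changes with minlen of at least MINLEN.
password_quality_ok() {
  n=$(grep -E '^password[[:space:]]+required[[:space:]]+pam_cracklib\.so' \
        "$1/etc/pam.d/system-auth" 2>/dev/null \
      | sed -n 's/.*minlen=\([0-9][0-9]*\).*/\1/p')
  [ -n "$n" ] && [ "$n" -ge "$2" ]
}
# report DIR MINLEN: print one line per check; returns the number of failures.
report() {
  fails=0
  root_ttys_ok "$1" && echo "securetty: ok" || { echo "securetty: FAIL"; fails=$((fails+1)); }
  su_restricted_ok "$1" && echo "su/pam_wheel: ok" || { echo "su/pam_wheel: FAIL"; fails=$((fails+1)); }
  password_quality_ok "$1" "$2" && echo "cracklib minlen>=$2: ok" || { echo "cracklib: FAIL"; fails=$((fails+1)); }
  return $fails
}
```

To try it on the sample tree, source the script and run `T=$(mktemp -d); make_sample_tree "$T"; report "$T" 8`; a non-zero exit status from `report` is the number of claims the tree fails.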