Lab 8 - Evaluation Criteria
In class we discussed several evaluation criteria for assurance. Today we will
look at some current systems which have met certain criteria levels. In
particular we'll look at what assurance levels products have achieved
and what modifications need to be made to products to reach that level of
assurance.
Evaluated Product
List - A historical perspective of systems which were evaluated under
TCSEC (Orange Book) by the Trusted Product Evaluation Program (TPEP) or
Trust Technology Assessment Program (TTAP). (loading slowly, be patient)
Common Criteria list of evaluated products - A long list of products by
manufacturer, their assurance level and associated documentation.
Several distributions of Linux have been rated EAL3 by Common Criteria.
Microsoft has several of its products rated EAL4. You can see them listed
under the Operating System section.
When a product achieves a certain certification, it is for the configuration
that was submitted to the evaluation group. This may or may not be the
default configuration of the system. Often it involves making a series
(sometimes a very long series) of changes to the configuration. Example
configuration guides follow:
- RedHat Enterprise Linux on HP hardware - Scroll to the bottom for
PDF links to the configuration guides.
- Apple MacOS X - Information on Common Criteria evaluation of OS X. There are links to
a configuration/administration guide and tools.
- Microsoft Windows 2000 - Main page for their Common Criteria
information for Windows 2000. The three guides mentioned in lecture are linked
to from this page.
- Unfortunately the documentation for Windows NT 4.0 TCSEC C2 rating is an
.exe download from
this TechNet page
instead of a PDF link. You can peruse it if you like, otherwise refer to
this checklist
for a brief overview of the steps.
Browse through these documents. Gather an impression of the ease or difficulty
of configuring the systems to meet their evaluated assurance level. Compose a
writeup of your thoughts on this matter and email me your writeup.