xorg and EAL4+
ewalsh at tycho.nsa.gov
Thu Apr 19 11:56:36 PDT 2007
James Courtier-Dutton wrote:
> Fortunately, Linux has EAL4+ security evaluation done for most security
> targets (configurations).
> The one major thing that is excluded each time is the X front end.
> I.e. Linux has EAL4+ for a server config, without X.

Specific distributions such as SLES9 and RHEL4 have received an EAL4
rating under a specific protection profile, CAPP. The vendors' decision
not to include X could be for conformance, or it could be simply to
reduce the set of packages that have to be documented and examined
(which would include all the X applications), or because they are
targeting the server market only.

There do exist variously accredited commercial Linux distributions that
include X, see for example Trusted Computer Solutions' Nettop2 product.

> Have any moves been made to modify X so that it could reach EAL4+

Yes, there is ongoing work on a security framework for X, XACE, and

> Or, is the X protocol just so broken, that X could never reach this
> level of security.

It is possible, but it depends on the protection profile and the
specific X protocol subset (extensions).

> The only alternative at the moment is MS Windows, that does have EAL4+
> Kind Regards
Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency