Certifications and Accreditations

JBoss Enterprise Application Platform, MetaMatrix Enterprise Data Services Platform Accepted for Common Criteria Evaluation


Both JBoss Enterprise Application Platform v4.3 and MetaMatrix Enterprise Data Services Platform V5.5.2 are currently 'In Evaluation' for Common Criteria certification at Evaluation Assurance Level (EAL) 2+ (augmented for flaw remediation).

Red Hat is committed to providing secure and stable software that can be easily used in security-sensitive environments. Red Hat's enterprise software includes extensive security tools and features.

Red Hat Enterprise Linux is the most certified operating system available today. Throughout its history, Red Hat Enterprise Linux has passed the Common Criteria process 12 times on four different hardware platforms. Red Hat Enterprise Linux 5 has even received Common Criteria certification at Evaluation Assurance Level 4 (EAL 4+) under the Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and the Role-Based Access Control Protection Profile (RBACPP), providing a level of security and a feature set that was previously unheard-of from a mainstream operating system.

Red Hat's JBoss Enterprise Middleware solutions include support for common middleware security standards. Additionally, JBoss Enterprise Application Platform is the only open source application server to seek Common Criteria certification (EAL 2+), and certification for MetaMatrix Data Services Platform is currently underway.

RHEL 5.2 Officially on DISA Approved Products List for IPv6


RHEL 5.2 is now officially on the DISA Approved Products List for IPv6. The Department of Defense has mandated that IT systems move towards IPv6 while maintaining IPv4 (the currently more common network stack) for compatibility. Only 4 operating systems, including RHEL, have gone through the certification process: Vista, Solaris 10, SLES 10 SP2, and RHEL 5.2. For more information, go to: http://jitc.fhu.disa.mil/apl/ipv6.html#apl.

For US Department of Defense customers, Red Hat Government can provide simple tools to meet the DISA STIG requirements. Red Hat can also provide simple DCID 6/3 compliance tools for intelligence customers.

Red Hat Mailing Lists

US government and contractors may be interested in the Red Hat Government Security mailing list, a moderated forum for Red Hat users in the information assurance and certification/accreditation community: https://www.redhat.com/mailman/listinfo/gov-sec

Red Hat Security Training and Certifications

Red Hat provides a number of security-specific courses, and also provides a formal certification program for systems engineers working in the security field. For more information about the Red Hat Certified Security Specialist (RHCSS) certification, visit https://www.redhat.com/training/security/courses/.

Red Hat Cleared Engineers

Red Hat has cleared representatives and engineers available for both pre-sales help and consulting engagements.

Source Code for Red Hat Certificate System Released

Red Hat Certificate System was acquired from AOL three years ago as part of the Netscape technology acquisition.

Security and Hardening Guides

NIAP Common Criteria

Directorate of Central Intelligence Directive (DCID) 6/3

Red Hat Enterprise Linux has been used in systems from Protection Level 3 (PL3) up to PL5. For more information, please speak with your Red Hat account representative.

DISA Security Technical Implementation Guides (STIGs)

Red Hat Enterprise Linux can easily meet the requirements of the DISA STIGs. The Red Hat Government group has implementation tools that can help. Please contact your local Red Hat representative.

NISPOM Chapter 8

Red Hat Enterprise Linux provides out-of-the-box compliance with the NISPOM Chapter 8 audit requirements. A sample implementation can be found in /usr/doc/audit-1.5.2/nispom.rules in Red Hat Enterprise Linux versions 4 and 5.

FIPS 140-2

In Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5, Red Hat provides FIPS 140-2 certified cryptography through the Network Security Services (NSS) libraries. These libraries are certified to Level 1 and Level 2. The original certificate is available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt815.pdf, and ongoing validation compliance is affirmed by Red Hat in accordance with the FIPS 140-2 Implementation Guidance, G.5.

All the NSS code that is subject to FIPS 140 guidelines and that was FIPS validated is in a shared library module called the "Soft Token" (/usr/lib/libsoftokn3.so on RHEL). The Soft Token module that was submitted to NIST and FIPS validated was version 3.11.4. NSS 3.11.4, NSS 3.11.5, and NSS 3.11.7 all include Soft Token 3.11.4.

OVAL

Red Hat has been a leader in adopting standards like CVE and OVAL which help customers identify and assess security vulnerabilities. For example, each Red Hat Errata includes both CVE references and OVAL data. You can find the OVAL documents for Red Hat Enterprise Linux 3, 4, and 5 at the Red Hat OVAL site.


More information about the Common Criteria Scheme can be found at:

List of Certifications