CMPS 476 Lab 8

Lab 8 - Evaluation Criteria

In class we discussed several evaluation criteria for assurance. Today we will look at some current systems which have met certain criteria levels. In particular we'll look at what assurance levels products have achieved and what modifications need to be made to products to reach that level of assurance.

Evaluated Product List - A historical perspective of systems which were evaluated under TCSEC (Orange Book) by the Trusted Product Evaluation Program (TPEP) or Trust Technology Assessment Program (TTAP). (loading slowly, be patient)

Common Criteria list of evaluated products - A long list of products by manufacturer, their assurance level and associated documentation. Several distributions of Linux have been rated EAL3 by Common Criteria. Microsoft has several of its products rated EAL4. You can see them listed under the Operating System section.

When a product achieves a certain certification, it is for the configuration that was submitted to the evaluation group. This may or may not be the default configuration of the system. Often it involves making a series (sometimes a very long series) of changes to the configuration. Example configuration guides follow:

RedHat Enterprise Linux on HP hardware - Scroll to the bottom for PDF links to the configuration guides.
Apple MacOS X - Information on Common Criteria evaluation of OS X. There are links to a configuration/administration guide and tools.
Microsoft Windows 2000 - Main page for their Common Criteria information for Windows 2000. The three guides mentioned in lecture are linked to from this page.
Unfortunately the documentation for Windows NT 4.0 TCSEC C2 rating is an .exe download from this TechNet page instead of a PDF link. You can peruse it if you like, otherwise refer to this checklist for a brief overview of the steps.

Browse through these documents. Gather an impression of the ease or difficulty of configuring the systems to meet their evaluated assurance level. Compose a writeup of your thoughts on this matter and email me your writeup.