Postgres DOD Certification Common Criteria Level

Started by Eric McDonald, over 15 years ago, 3 messages, general
#1 Eric McDonald
norbus@hotmail.com

Greetings All:
Does anyone here have any insight on to what EAL level Postgres is at for DOD/Military installations? I see that there's an SE-Linux fortified version on the Wiki, but no certifications are listed in the contents.
Any direction to certifications, STIG, or otherwise would be greatly appreciated--
Thanks,
Eric McDonald
Sr Network Administrator
PDC

#2 Ron Mayer
rm_pg@cheapcomplexdevices.com
In reply to: Eric McDonald (#1)
Re: Postgres DOD Certification Common Criteria Level

Eric McDonald wrote:

> Greetings All:
>
> Does anyone here have any insight on to what EAL level Postgres is at
> for DOD/Military installations? I see that there's an SE-Linux
> fortified version on the Wiki, but no certifications are listed in the
> contents.
>
> Any direction to certifications, STIG, or otherwise would be greatly
> appreciated--

Well, there's an (ancient) 8.1.5 which NTT got certified at EAL1
back in 07.

You can go here: http://www.commoncriteriaportal.org/products/
and expand "Databases" to see it.

It seems like there are some proprietary forks on the list
as well, at much higher levels (EAL4+); but I guess these
forks have diverged quite a bit.

I guess I'd be somewhat surprised to see the community
version on the list, since Wikipedia claims that getting
such certifications cost millions even back in the 90's.
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

#3 Kenneth Buckler
kenneth.buckler@gmail.com
In reply to: Ron Mayer (#2)
Re: Postgres DOD Certification Common Criteria Level

I don't believe the EAL certification is valid for the community
version of PostgreSQL.

From the EAL certification report:
"PostgreSQL Certified Version is a relational database management
system, which is applicable to enterprise business. It is an enhanced
version of the open source PostgreSQL and delivered from NTT Data
Corp. PostgreSQL Certified Version runs on Red Hat Enterprise Linux AS
v.4 for x86."

As far as DoD STIG requirements go, I would recommend reviewing the
generic database checklist:
http://iase.disa.mil/stigs/content_pages/database_security.html

It's not much, but it's a start.

Ken

On Sun, Jan 2, 2011 at 5:12 PM, Ron Mayer <rm_pg@cheapcomplexdevices.com> wrote:
> Eric McDonald wrote:
>> Greetings All:
>>
>> Does anyone here have any insight on to what EAL level Postgres is at
>> for DOD/Military installations? I see that there's an SE-Linux
>> fortified version on the Wiki, but no certifications are listed in the
>> contents.
>>
>> Any direction to certifications, STIG, or otherwise would be greatly
>> appreciated--
>
> Well, there's an (ancient) 8.1.5 which NTT got certified at EAL1
> back in 07.
>
> You can go here: http://www.commoncriteriaportal.org/products/
> and expand "Databases" to see it.
>
> It seems like there are some proprietary forks on the list
> as well, at much higher levels (EAL4+); but I guess these
> forks have diverged quite a bit.
>
> I guess I'd be somewhat surprised to see the community
> version on the list, since Wikipedia claims that getting
> such certifications cost millions even back in the 90's.
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general