Apple has announced Common Criteria Certification for Mac OS X 10.6 and 10.6 Server at the CAPP/EAL3 level. Common Criteria, an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of Information Technology products.
On January 20, atsec made the following announcement: "atsec information security is pleased to announce the successful Common Criteria Certification of Mac OS X Snow Leopard at EAL 3 (augmented for flaw remediation) with the Controlled Access Protection Profile [CAPP]. This certification includes both Mac OS X and Mac OS X Server."
The main security functions tested included:
- Audit
- User Data Protection
- Identification and Authentication
- Residual Data Protection
- Secure Communication
- Security Management
- TOE Self Protection
For more information on Apple's ongoing commitment to security, an overview of the Common Criteria, and the certification process, Apple has published a white paper that also includes valuable, related links.
The certification by the German firm atsec Information Security GmbH is a separate issue from the Mac OS X implementation of Sun's Basic Security Module (BSM) and its port to Mac OS X. It should be noted, however, that the BSM auditing system, which can detect and log a wide range of user authorized and unauthorized activities, has been installed in Snow Leopard since its launch.
A few of the nagging problems of the BSM implementation in Leopard have been remedied. SSH events can now be audited, and newly spawned processes are properly attributed to the user, not just the generic "launchd."
Unfortunately, to fully exploit the BSM auditing, the user needs the latest document, the "Security Configuration Guide" updated for Snow Leopard -- which has not been posted by Apple.
For more information, consult your local security organization. Dan O'Donnell of the RAND corporation will be presenting on this topic at the Macworld Conference and Expo in February. Additional discussion can be found on the Apple mailing list: Fed-talk.