RE: who are you?

7 views
Skip to first unread message

ernie.kovak

unread,
Feb 29, 2012, 11:45:15 AM2/29/12
to Military Open Source Software
Hi, all - I'm Ernie Kovak. My company makes Java-based data
visualization and analysis tools for the IC and DoD, and we use as
much OSS as we can.

The one big thing I'm going to need help with is a new requirement to
operate at PL4... we're currently at PL2. I'm still trying to get my
head around that. We have thick and thin clients for displaying
results but most of our application is on a JBoss server, where it
acts as a proxy for backend databases. In addition to our current role-
based access controls we'll be filtering query results based on users'
credentials presumably obtained from DIAS or Scattered Castles.

Will OSS be a hurdle for PL4 accreditation? Can anyone point me to
documentation that is more useful than the DCID 6/3? Any general
pointers to get me started?

Thanks!
Ernie


Matt Micene

unread,
Feb 29, 2012, 11:58:08 AM2/29/12
to mil...@googlegroups.com
I can't provide any useful DCID 6/3 documentation, but I know that
Tresys' Certifiable Linux Integration Platform has created a targeted
release of RHEL 4 and 5 that meets DCID 6/3 PL4 standards. I wouldn't
expect OSS in and of itself to be a hurdle in the I&A process.

-Matt

> --
> You received this message because you are subscribed to the "Military
> Open Source Software" Google Group.
> To post to this group, send email to mil...@googlegroups.com
> To unsubscribe from this group, send email to mil-
> oss+uns...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/mil-oss?hl=en
>
> www.mil-oss.org

Aaron Pestel

unread,
Feb 29, 2012, 6:41:27 PM2/29/12
to mil...@googlegroups.com
Not sure if you are using community JBoss or enterprise JBoss, but the enterprise JBoss (Enterprise Application Platform) just received Common Criteria Certification EAL 4+ [1].  That doesn't necessarily solve your problem of accreditation, but may help.

Also, if you can let me know which end user you are supporting, I can try to ping some of the JBoss users in that account to see if any of them have already accredited JBoss on a PL4 system and may be able to provide some guidance.

[1]  https://www.redhat.com/about/news/press-archive/2012/2/jboss-enterprise-application-platform-achieves-highest-level-security-certification

Thanks,

Aaron Pestel

To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com

ernie.kovak

unread,
Mar 2, 2012, 10:20:33 AM3/2/12
to Military Open Source Software
Thanks, Aaron - we're using community JBoss, but sounds like we might
need to switch to enterprise. But I'm afraid I'm still stuck at a more
fundamental level. I don't understand how mandatory access controls
will help me. So, MAC implies the ability to assign permissions to
users and groups which is then enforced by the operating system. I see
how that is useful for protecting access to the file system or
applications, but how does it help with objects in memory?

For example, say my server connects to a database through a JDBC
connection pool and runs a query on behalf of a remote user who has
access to some tables but not others. How do the MAC controls enter
into that scenario?

Ernie
Reply all
Reply to author
Forward
0 new messages