SUSE Linux Receives EAL3 Certification
prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Although all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."
...you're only allowed to install a certain version of Windows 2000, with service packs up to a certain number, and one hotfix. No other service packs or hotfixes are allowed. Extremely ridiculous, especially when you have a look at how much software comes with SuSE (a lot!) and how much comes with Windows 2000 (virtually none!).
But I'm still waiting for a certificate for some SELinux version. Since EAL4 is the highest level where it's still feasible to build the demanded security into it, hardly any normal "customer" operating system will achieve a higher level. But SELinux has been designed for security since the very beginning, and should be able to reach at least EAL5.
A monkey is doing the real work for me.
SuSE/Novell couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes Linux useful.
HOW'S MY POSTING? CALL 1-800-POSTING
Bullshit. Just get 100 dirty gnu hippies in one place, give them access to an unlimited supply of Coke/Jolt and pizza and you'll have your code audited in no time.
If Windows, too, can have this certification, it is clearly not a very high standard. So, actually, this means *nothing*.
Evaluation assurance level 1 (EAL1) - functionally tested
EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.
Evaluation assurance level 2 (EAL2) - structurally tested
EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 3 (EAL3) - methodically tested and checked
EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.
Soccer Goal Plans
Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy. There's certainly no way a single user who makes changes to his or her kernel could ever hope to achieve this kind of certification.
Hence all the hard work of the kernel developers, who provide their services for free in many cases, cannot be directly recognised. Instead some huge corporation has to come along and sponsor such certification. This just isn't right, IMO.
There's a much bigger issue here though, a threat from the future called Digital Rights Management and NGSCB. Who wants an operating system that will be unable to access secure web services because Microsoft introduces a protocol that requires a DRM-aware application running on a DRM-booted computer? Open source GPL'd Linux will never be able to obtain such certificates without massive corporate sponsorship from IBM, Novell, Red Hat or whoever.
Even if it does, changing one line in my kernel and recompiling would invalidate it, locking me out of my legally purchased music and movies, and even things like my e-mail eventually (we're already seeing this with the restrictions that a sender can put on an e-mail in Office 2003. Imagine when this is part of the operating system and not easily circumvented).
Bullshit certification efforts like EAL and NGSCB undermine and threaten open source and play right into the hands of the major corporations. In today's world, the most important corporation producing operating systems is, you've guessed it: Microsoft!
This sort of thing plays right into their hands. They're undermining the free work of all the thousands of Linux and BSD developers effectively through the back door: by making open source software an unviable solution under the guise of security. Fuck them.
It would seem that documented flaws in an OS should automatically reduce the EAL rating of that OS. Otherwise the EAL process is just a paper-pushing exercise.
Two wrongs don't make a right, but three lefts do.
But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:
So which is it, Slashdot? I'm confused.
Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?
Personally, I'm suspicious of most certifications, from business to security. Usually, they're just a way for the certifying company (in this case Common Criteria) to make easy money.
Anyway, maybe we should just wait for EROS, which is supposed to achieve EAL 7 when it is fully implemented, due to its powerful and secure design, better than both Unix and Windows.
>>esr>>
There's a description of the EAL certification levels at the NIST site, which is linked to from the top-level article. The point about this certification from Linux's point of view is that it allows it to be considered for various sorts of Government deployment, which often require EAL certification to a certain level.
For SCO, I mean, given that they claim to own or claim to already be receiving payments for all of the above!
If you were blocking sigs, you wouldn't have to read this.
Reading this article... it costs money? WTF? You pay for higher levels or something?
Don't sell yourself short, sir. You are also on teh spoke.
Does this have anything to do with Novell entering the SuSE scene? Or has this certification been a long time coming? Either way, this is another scratch on the wall of achievements Linux has attained. Most pre-Linux UNIX admins have a disdain for Linux zealots, etc. who believe that Linux can solve any problem any time, and I'm in the same camp, but with distributions getting certifications like this, Linux continues to progress in promising ways in many fields.
--
The last digit of pi is four.
Anything with a vagina and a pulse is hot around here. You must be new.
Vagina and pulse optional.
I think it's the shiny outfits that do it for them.
Get your own free personal location tracker
It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
Interesting Document on EL
Oh how desperately I must retain my /. karma! It's all I've got!
And as an utter nobody in the field of cyber-security, I can tell you that you'll have to start dropping the prefix "cyber" in order to be taken seriously.
when OS/2 Warp gets EAL5 next month.
___ Shout Central - Crushes your nuts!
If it's Microsoft the article is about, it's bad. No exceptions.
If it's about Linux, it's good. Also no exceptions.
Sigs for Nerds. Sigs that Matter.
because you apparently got modslapped to -1 for going against the Open Source grain. You have my sympathies.
I'm a sys-admin in the US Army right now. Simply getting this new EAL accreditation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it; without them, we don't. Certain *nixes, including Solaris and Red Hat, are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it necessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly Windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US departments have been criticized for a lack of InfoSec (including Homeland Security), I've never heard of the DoD receiving any such negative rating.
S0ME0NE MAKE 0NE W1TH B1LL GATES THR0WING THE BALL!!`~!~! OMG ROFLF
EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"
For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:
It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)
I guess this is just one of those "they have - we need it too!" things.
I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, peterdaly, completely plagiarized what I wrote a few months back on another Linux security certification story
...
I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?
Shame on you, Anonymous Coward
What kind of geek site is this if you have to mention that Solaris is from Sun etc.???
Every decent computer nerd should have those words flowing through their veins...
-- Truth suffers from too much analysis.
...you're only allowed to install a certain version of Windows 2000, with service packs up to a certain number, and one hotfix.
This should tell you how extremely useless the Common Criteria is for actually verifying the security of a product for real world use. Sure it might have some merit in high security government use, but that's about it. Also, you know how much it costs to get your product evaluated at EAL2 (yes, you have to pay for it) -- about $250k. EAL4 is about $1mil+.
We had someone who works at NIST on the CC come to my school last semester. He said there were less than 100 products that have been evaluated under the CC (can't remember exact number, but around 80).
It boils down to this: if you want to sell your software to the U.S. government, you gotta get it certified at EAL2 at least. Other than that, your EAL level X means nothing.
My sig can beat up your sig.
Coming soon? I am taking Red Hat Cert classes right now in NC. See Red Hat Academy
I'm sure glad they mentioned that. I might have gotten confused with all the other kinds of Windows currently on the market.
which often require EAL certification to a certain level
your comment "to a certain level" is slightly misguided. DoD sales often require certification, but the level is not specified in any case that I am aware of.
It means something to me (I work with the Common Criteria daily), but you do have a point: the certificates don't mean much to the general public beyond being a license to sell to the U.S. government.
I'd just like to point out that, while the Common Criteria (CC) is based on the U.S. Trusted Computer System Evaluation Criteria - the TCSEC, a.k.a. the Orange Book - it's also based on the European ITSEC and the Canadian CTCPEC... It's an international standard, and a common language for the world's security professionals.
Similarly, the Common Evaluation Methodology (CEM), a companion document to the CC, is an internationally-recognized methodology for conducting these evaluations, so that a gov't dept. in France knows exactly what was done in this SUSE evaluation (after they read the security target, anyway) and can make informed decisions based on that. Don't discount this international market: the list of countries that recognize these certificates is growing every year.
Now, on the subject of real security, again I hear what you're saying. These products get certified up to EAL4 (the highest level recognized internationally... We haven't developed the CEM beyond it yet) and you see flaws published every week. I think a big part of this problem is discretionary security versus mandatory (or real, you could say) security. Yes, you can evaluate a set of security functional requirements (e.g., identification and authentication, stored data integrity, etc.), but at the end of the day, if we're trusting the process that's acting on behalf of the user, things are going to go awry. If we can't set an overall policy, regardless of who's in control of the individual processes, are we really secure? In certain environments, yes. That's where the CC is helping today. On the Internet? It could! Really! Mandatory access control and other necessary components are there, in the CC, but no products are claiming them. So where does that leave us? These products that are getting certified are not secure in the Internet environment, that's where. And forums like this one scoff at the standard, when it's not the problem. It can, and will, in the future, certify SELinux, which does implement real security.
Finally, I just want to mention that the CEM covers more than code reviews. That's certainly part of the development class (ADV), but there's also configuration management requirements, delivery and operational requirements, installation, generation and start-up requirements, guidance document requirements, life-cycle support requirements, testing requirements and vulnerability assessment requirements (that, admittedly, only cover threats of a low attack potential at EAL4... as I said, we've got a ways to go with the methodology before we can certify Internet-secure operating systems).
Troll.
Does anyone know where there is a complete list of how each OS is rated? I'm curious about BSD and OS X primarily...
Many I know are still die hard Microcert specialists. Much of the *nix that I've found is used only in the CERTs, dealing with network security/intrusion detection, and the end users are all stuck on/with Win2k.
First off, hate Redmond all you want, but Win2K [properly locked down] is one damned adequate [dare I say "fine"?] desktop operating system [and it's four year old technology at this point, which is saying something in and of itself]. If you want to bitch about desktop operating systems, try WinME or Mac9.x [possibly the worst desktop operating system ever conceived by the mind of man, to include Win3.1x] or that hideous Solaris abomination.
Second: Novell 0wnz security. When Novell integrates SuSE with Novell Directory Services [or eDirectory, or iChain, or nSure, or what-the-hell-ever buzzword the idiots in Novell marketing are calling it this week], you'll have all the Red Book/Blue Book/Purple Book/Green Eggs and Ham Book certifications your little heart could possibly desire.
Just be patient; it's coming...
PS: The really, really difficult choice for systems architects is gonna be between a Novell/SuSE/Novell Directory Services backbone, and a Microsoft/.NET-C#/Active Directory backbone. Within the developer community, the buzz on C# is hot, Hot, HOT [think Java circa 1997, or XML circa 2000], and if Novell doesn't figure out a response [Ximian/Mono/whatever], they're gonna be in trouble.
You mean like Lindows? Hmmm, maybe there is a reason for that lawsuit after all...
Above,
If Windows, too, can have this certification, it is clearly not a very high standard. So, actually, this means *nothing*
Troll.
Below,
If Windows, too, can have this certification, it is clearly not a very high standard. So, actually, this means *nothing*
Funny.
Same comment!?!?!?
...which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM).
This is why I don't like certifications. They don't actually say anything about how Linux can compete with any other operating system, but they make people like you think they do.
If the church gives you a piece of paper that says you are going to heaven do you actually believe that you will go to heaven?
If a University gives you a degree does that degree say you know anything about anything?
How many MCSEs does it take to change a lightbulb?
How many certs make you valuable?
None of them change your value or affect your knowledge in any way. So stop placing any value in them. Or I will think you a fool.
The worst part about it is, if you start investigating, you'll find it was certified by a company in Germany. Since the US doesn't play nice with Common Criteria, this means exactly diddly squat to anyone in the Department of Defense. Past DOD CIOs have regulated that only certifications approved by US contractors on US dollars are to be used for classified. Basically they're saying that they don't trust anyone else. So, even though SuSE has received an EAL3, legally it can't be used for anything more than EAL2 within the Defense Dept.
It would be great if the EAL software package and test methodologies were available for free (similar to Microsoft HCT). This way everybody can make sure that their Linux distribution passes the criteria. Enterprise distributions can spend the required amounts to get the official certification.
You've gotta be kidding. Mandrake deserves this more than Suse.
Campaign finance reform is national security.
EAL4 is bullshit... it doesn't include white-box code auditing and it's a standard developed in a vacuum (ISO and NIST are vacuums). I wouldn't trust any standard not evaluated by hackers. I mean, if Windoze can get their highest rating when it has known and unpatched exploits, what does that say about their testing and standards? This test was done using SP3, which doesn't include the RPC fixes; any system based on this will get Blastered almost immediately if it were attached to a public or infected network. Any user process on Win2k can gain Admin using SEH blasting shell code. Win2k and the Win32 API are too complicated to be provably secure. Since it's closed source and not open-source payware (if the source were included on the media), it's possible that bugs that could be found (and fixed) by the public are hidden away in an ivory castle. Win2k is so full of redundant, legacy, incongruent, broken and incomplete features, there's no way to ever secure it w/o removing every unnecessary file, doing an extensive audit and unit testing, redoing some of the fundamental mistakes, and adding some security enhancements (remove RPC dependence, NTLM support, NetBIOS; add encrypted memory spaces). Basically, it'd be better off to start from scratch, making an OS bootstrapped from .NET (no C/C++ compiled code). C/C++ coded operating systems are very difficult to make provably secure; no one has done it yet. A pure object-oriented OS (devoid of pointers, compartmentalized kernel, trusted hardware drivers) w/ real security features (much like the Java VM) combined w/ hardware locking / keying of memory/disk pages would definitely be much better than the current state of OSes. Additionally, email programs should be REQUIRED to use gpg/pgp. A solid PKI infrastructure based on LDAP w/ a Kerberos CA (which has a valid X.509 cert from Thawte or VeriSign) is a DEFINITE must. In the future, P2P shared authentication MIGHT be a possibility.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
As one of the people who helped write the navy's book on evaluation, I'm afraid I have to tell you you're wrong. Going back to the old Orange Book (TCSEC), there are certain applications that require certification at particular levels.
Besides, this comment doesn't even make any real sense -- you can be evaluated at EAL 1, which is merely functional testing and offers no assurance at all.