SUSE Linux Receives EAL3 Certification
prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."
Evaluation assurance level 1 (EAL1) - functionally tested
EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.
Evaluation assurance level 2 (EAL2) - structurally tested
EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 3 (EAL3) - methodically tested and checked
EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.
Soccer Goal Plans
There's a description of the EAL certification levels at the NIST site which is linked to from the top-level article. The point about this certification from Linux's point of view is that it allows it to be considered for various sorts of Government deployment, which often require EAL certification to a certain level.
I guess it's flattering to be greeted by your own words when you click on a story, but it doesn't change the fact that this person, Eric S Raymond, completely plagiarized what I wrote a few months back on another desktop Linux story. He did go through the effort of changing my "Windows NT 4" to his "Windows 2000", but I'm not sure why he bothered ...
...
I wish I could prove this, but I can't list any comments beyond my last 24. Honestly, why would I accuse someone I don't know of plagiarism if it weren't true?
Shame on you, Mr. Eric S Raymond
"you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"
And it's the same with SuSE. If you look at the SuSE press release you will see that the certification is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". When the next service pack arrives it will need to be recertified.
Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?
It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
Interesting Document on EL
And as an utter nobody in the field of cyber-security, I can tell you that you'll have to start dropping the prefix "cyber" in order to be taken seriously.
I'm a sys-admin in the US Army right now. Simply getting this new EAL accreditation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it; without them, we don't. Certain *nixes, including Solaris and Red Hat, are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it necessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly Windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US departments have been criticized for a lack of InfoSec (including Homeland Security), I've never heard of the DoD receiving any such negative rating.
I don't really see anyone on here saying that these specs made SuSE any more secure. The gist of it is that by having this certification, they can now compete for government contracts previously unavailable to them.
Companies have to jump through hoops to get some of these contracts; the requirements may be ridiculous, but achieving the requirements to compete for contracts is still important nonetheless.
Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?
I don't know much about the EAL standard, but after a quick look at the previous certification (EAL 2), I think it probably includes all of the software.
The same is true of EAL4 Solaris, and presumably also of SuSE. It wouldn't make sense to certify all versions and configurations of a particular OS, including service packs/patches that haven't yet been written. Take a look at how to set up EAL4 certified Solaris [sun.com] to see how specific the certification is.
I suspect cost plays a big factor here. I used to work for a hosting company and came across a customer who wanted C2 (kinda EAL3 equivalent) certified Solaris. We could do this, right up to the point at which they plugged it into the internet. To get their particular setup of Solaris certified would have meant involving a third party (CLEF) to audit the solution, and this would have cost quite a bit of money. In the end the customer decided to go with our explicitly uncertified "kinda like an EAL4 (CCAP) Solaris setup" with SSH (logging through BSM) stuck on the side.
The real problem with certification is that it costs money, so it needs to have a business driver. In the case of Solaris they needed the certification to sell to banks etc. SELinux is unlikely to have a similar financial incentive to take-up.
EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"
For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:
It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)
I guess this is just one of those "they have - we need it too!" things.
Generally it's a shell, filesystem, a few g* programs (but note no compiler), encryption libs, mailx, curses, openssl & openssl, perl (although no version), sys*, telnet, textutils, vim, vsftpd, w3m, wget and yast stuff.
No apache, no sendmail, nothing fun :)
No, not all software was tested. Page 15f of the PDF you linked to contains a list of packages that were installed - I can't copy/paste due to the stupid Acrobat Reader security. Let's just say the list isn't very long and does not contain either Sendmail or Apache. There's a guide available which seems to detail how to set up the evaluated environment on your own server FWIW. (Note: IBM sponsored the SuSE Linux Enterprise Server = SLES evaluation.)
First of all, before people guess around, look at the SUSE security websites. All the details are there:
http://www.suse.de/de/security/certification/index.html
As you can see, the certified system does not run a webserver, but it runs SSH, Postfix, and FTP!
Also, the "+" in the EAL3+ certification means that at least minor bugfixes can be applied to the system without losing the certification status, because the processes of how these fixes are developed, distributed and applied have also been certified. At least that is what I understand.
SUSE is actively working on getting the EAL4+ certification.
It means something to me (I work with the Common Criteria daily), but you do have a point: the certificates don't mean much to the general public beyond being a license to sell to the U.S. government.
I'd just like to point out that, while the Common Criteria (CC) is based on the U.S. Trusted Computer System Evaluation Criteria - the TCSEC, a.k.a. the Orange Book - it's also based on the European ITSEC and the Canadian CTCPEC... It's an international standard, and a common language for the world's security professionals.
Similarly, the Common Evaluation Methodology (CEM), a companion document to the CC, is an internationally-recognized methodology for conducting these evaluations, so that a gov't dept. in France knows exactly what was done in this SUSE evaluation (after they read the security target, anyway) and can make informed decisions based on that. Don't discount this international market: the list of countries that recognize these certificates is growing every year.
Now, on the subject of real security, again I hear what you're saying. These products get certified up to EAL4 (the highest level recognized internationally... We haven't developed the CEM beyond it yet) and you see flaws published every week. I think a big part of this problem is discretionary security versus mandatory (or real, you could say) security. Yes, you can evaluate a set of security functional requirements (e.g., identification and authentication, stored data integrity, etc.), but at the end of the day, if we're trusting the process that's acting on behalf of the user, things are going to go awry. If we can't set an overall policy, regardless of who's in control of the individual processes, are we really secure? In certain environments, yes. That's where the CC is helping today. On the Internet? It could! Really! Mandatory access control and other necessary components are there, in the CC, but no products are claiming them. So where does that leave us? These products that are getting certified are not secure in the Internet environment, that's where. And forums like this one scoff at the standard, when it's not the problem. It can, and will, in the future, certify SELinux, which does implement real security.
Finally, I just want to mention that the CEM covers more than code reviews. That's certainly part of the development class (ADV), but there's also configuration management requirements, delivery and operational requirements, installation, generation and start-up requirements, guidance document requirements, life-cycle support requirements, testing requirements and vulnerability assessment requirements (that, admittedly, only cover threats of a low attack potential at EAL4... as I said, we've got a ways to go with the methodology before we can certify Internet-secure operating systems).