Slashdot Mirror

← Back to Stories (view on slashdot.org)

SUSE Linux Receives EAL3 Certification

Posted by timothy on from the tougher-than-backwards-pig-latin dept.

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."

8 of 143 comments (clear)

  1. EAL 1-4 Descriptions by peterdaly · · Score: 5, Informative

    Evaluation assurance level 1 (EAL1) - functionally tested
    EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.

    Evaluation assurance level 2 (EAL2) - structurally tested
    EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.

    Evaluation assurance level 3 (EAL3) - methodically tested and checked

    EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

    Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
    EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

    --
    Soccer Goal Plans
  2. Re:Windows 2000 is EAL4, but... by blowdart · · Score: 5, Informative

    "you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"

    And it's the same with SuSE. If you look at the SuSE press release you will see that the certidication is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". Next service pack arrives it will need recertified.

    Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

  3. EAL4 evaluation tells you nothing by Anonymous Coward · · Score: 4, Informative

    It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

    Intersting Document on EL

  4. Summary Misleading by Mork29 · · Score: 5, Informative

    I'm a sys-admin in the US Army right now. Simply getting this new EAL accredation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it, without them, we don't. Certain *nix's including Solaris, and Red Hat are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it neccessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US depertments have been criticized for a lack of InfoSec (Including Homeland Security), I've never heard of the DoD receiving any such negative rating.

  5. Re:That's great by NotAnotherReboot · · Score: 4, Informative

    I don't really see anyone on here saying that these specs made SuSE any more secure. The gist of it is that by having this certification, they can now compete for government contracts previously unavailable to them.

    Companies have to jump through hoops to get some of these contracts; the requirements may be rediculous, but achieving the requirements to compete for contracts is still important none-the-less.

  6. What protection profile? by xmath · · Score: 5, Informative
    EAL3.... what protection profile?

    EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

    For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:

    The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.

    It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)

    I guess this is just one of those "they have - we need it too!" things.

    1. Re:What protection profile? by hackstraw · · Score: 4, Informative

      EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

      A college degree only indicates how sure you are the person meets the profile (a set of learning and skill requirements). Saying it gets "A college degree" is like saying "We're now quite sure the person is... eh... able to learn something".

      Trust me, there are many a bozo out there with a college degree, and there are, ahem, less than secure and robust OSes with EAL certification, but try to get a job where it says "College degree required" or install an OS where it says "EAL3 or higher required" and there is not that level of certification.

      On an aside, college degrees are pretty worthless nowadays. At least a generic 4 year degree. I often see on job listings something like "College degree in XXX required or equivalent work experience". This is not as true with higher degrees or professional degrees. Sometimes I think about how much money I would be making now if I had _worked_ instead of going to school and racking up about $30,000 in college loans. Actually, I have seen data that says that the "Stay in school" programs are completly irrational. Supposedly, a HS dropout that goes to work will be making much more $$ immediately and in the future (because of experience and seniority) than a HS graduate. Kinda makes me wonder what the governmental/societal push is for going to school.

  7. Re:Windows 2000 is EAL4, but... by moonbender · · Score: 4, Informative

    No, not all software was tested. Page 15f of the PDF you linked to contains a list of packages that were installed - I can't copy/paste due to the stupid Acrobat Reader security. Let's just say the list isn't very long and does not contain either Sendmail or Apache. There's a guide available which seems to endetail how to set up the evaluated environment on your own server FWIW. (Note: IBM sponsored the SuSE Linux Enterprise Server = SLES evaluation.)

    --
    Switch back to Slashdot's D1 system.