Slashdot Mirror
SUSE Linux Receives EAL3 Certification
prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."
Evaluation assurance level 1 (EAL1) - functionally tested
EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.
Evaluation assurance level 2 (EAL2) - structurally tested
EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 3 (EAL3) - methodically tested and checked
EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.
Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.
Soccer Goal Plans
"you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"
And it's the same with SuSE. If you look at the SuSE press release you will see that the certidication is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". Next service pack arrives it will need recertified.
Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?
I'm a sys-admin in the US Army right now. Simply getting this new EAL accredation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it, without them, we don't. Certain *nix's including Solaris, and Red Hat are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it neccessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US depertments have been criticized for a lack of InfoSec (Including Homeland Security), I've never heard of the DoD receiving any such negative rating.
EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"
For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:
It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)
I guess this is just one of those "they have - we need it too!" things.