Slashdot Mirror


SUSE Linux Receives EAL3 Certification

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Although all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."


  1. Do security holes reduce EAL levels? by G4from128k · · Score: 3, Insightful

    It would seem that documented flaws in an OS should automatically reduce the EAL rating of that OS. Otherwise the EAL process is just a paper-pushing exercise.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Do security holes reduce EAL levels? by tjansen · · Score: 4, Insightful

      Actually it is even funnier: you cannot update/patch your installation without losing the certification. So if an exploit becomes known for your OS you have the choice between either running an uncertified OS or running an OS with known exploits until the patch has been certified (which can take many months).

      So in reality certified OSes are less secure than an up-to-date system. But whatever, it's certified.

  2. Re:The Open Source Problem by imsabbel · · Score: 2, Insightful

    Anyone who is able to support an installation that needs such a certificate should be able to spend those few thousand $.

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  3. Re:Windows 2000 is EAL4, but... by Otter · · Score: 3, Insightful
    Next service pack arrives it will need recertified.

    And, of course, it has to be that way. quigonn, if a product had a certification that claims it's secure no matter what changes you subsequently make, how much faith would you have in that certification?

  4. USELESS by calebtucker · · Score: 2, Insightful

    ...you're only allowed to install a certain version of Windows 2000, with service packs up to a certain number, and one hotfix.

    This should tell you how extremely useless the Common Criteria is for actually verifying the security of a product for real world use. Sure it might have some merit in high security government use, but that's about it.

    Also, you know how much it costs to get your product evaluated at EAL2 (yes, you have to pay for it) -- about $250k. EAL4 is about $1mil+.

    We had someone who works at NIST on the CC come to my school last semester. He said there were fewer than 100 products that have been evaluated under the CC (can't remember exact number, but around 80).

    It boils down to this: if you want to sell your software to the U.S. government, you gotta get it certified at EAL2 at least. Other than that, your EAL level X means nothing.
    --
    My sig can beat up your sig.
  5. Re:Certifications in current Job market. by Anonymous Coward · · Score: 1, Insightful

    which often require EAL certification to a certain level


    Your comment "to a certain level" is slightly misguided. DoD sales often require certification, but the level is not specified in any case that I am aware of.