Slashdot Mirror

← Back to Stories (view on slashdot.org)

SUSE Linux Receives EAL3 Certification

Posted by timothy on from the tougher-than-backwards-pig-latin dept.

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."

6 of 143 comments (clear)

  1. Windows 2000 is EAL4, but... by quigonn · · Score: 5, Interesting

    ...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed. Extremely ridiculous, especially when you have a look at how much software comes with SuSE (a lot!) and how much comes with Windows 2000 (virtually none!).

    But I'm still waiting for a certificate for some SELinux version. Since EAL4 is the highest level where it's still feasible to build the demanded security into it, hardly any normal "customer" operating system will achieve a higher level. But SELinux has been designed for security since the very beginning, and should be able to reach at least EAL5.

    --
    A monkey is doing the real work for me.
  2. The Open Source Problem by Ianoo · · Score: 5, Interesting

    Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy. There's certainly no way a single user who makes changes to his or her kernel could ever hope to achieve this kind of certification.

    Hence all the hard work of the kernel developers, who provide their services for free in many cases, cannot be directly recognised. Instead some huge corperation has to come along and sponsor such certification. This just isn't right, IMO.

    There's a much bigger issue here though, a threat from the future called Digital Rights Management and NGSCB. Who wants an operating system that will be unable to access secure web services because Microsoft introduces a protocol that requires a DRM-aware application running on a DRM-booted computer? Open source GPL'd Linux will never be able to obtain such certificates without massive corperate sponsorship from IBM, Novell, Redhat or whoever.

    Even if it does, changing one line in my kernel and recompiling would invalidate it, locking me out of my legally purchased music and movies, and even things like my e-mail eventually (we're already seeing this with the restrictions that a sender can put on an e-mail in Office 2003. Imagine when this is part of the operating system and not easily circumvented).

    Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

    This sort of thing plays right in to their hands. They're undermining the free work of all the thousands of Linux and BSD developers effectively through the back door: by making open source software an unviable solution under the guise of security. Fuck them.

  3. That's great by Eric+S+Rayrnond · · Score: 2, Interesting
    It's good to see SUSE increasing security. It's even better seeing Linux become more viable for government and military uses.

    But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:
    Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
    So which is it, Slashdot? I'm confused.

    Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?

    Personally, I'm suspicious of most certifications, from business to security. Usually, they're just a way for the certifying company (in this case Common Criteria) to make easy money.

    Anyway, maybe we should just wait for Eros, which is supposed to achieve EAL 7 when it is fully implemented, due to it's powerful and secure design, better than both Unix and Windows.
    --
    >>esr>>
    1. Re:That's great by gowen · · Score: 2, Interesting
      But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:
      We? No. Follow that link. See at the beginning where it says "lewko writes". That means the section you quoted is the opinion of lewko. Not mine, and probably not yours, either.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:That's great by $ASANY · · Score: 4, Interesting
      EAL is certainly not the ultimate determination of a system's actual security, but right now it's the U.S. Government's (and a few other governments) standard. That standard really doesn't mean much outside of contracting with the feds. As far as indicating to non-government entities whether a product is secure or not, it's slightly better than worthless.

      My company does a lot of professional services with DOD and some other agencies, and it's been a huge pain for me that linux wasn't certified under Common Criteria. If I set up something to demo to DOD that was running on a linux box, because it's easier and works better, it was immediately shot down because it didn't meet their standards. End of discussion. Once you get the certification you can play ball, but until that time you can't do squat. So now that we are in the game, you better believe the introduction of linux in the federal government is going to be a flood. I know of a couple of civillian agencies ready to take the plunge (more often than not replacing Solaris with linux, but some dumping of MS as well), and some DOD R&D has been with linux but not much production stuff is in place -- yet. The three letter agencies are interested, and EAL3 is going to make a big difference there.

      SuSE probably hasn't "increased" security to make this happen at all, but simply paid the money and took the time to have one of the evaluating companies perform the certification tests. It described the installation method, the packages to be installed and the way the system would be managed, and the evaluating company ran the battery of tests for level 3 and certified that it passed those tests. Heck, given enough time and money SLES will comply with level 5, and the only thing keeping this from happening is the amount of investment SuSE, Novell and IBM are willing to make for this.

      EAL really says nothing about the security of linux based systems, but is says a ton about how receptive governments will be to employing it. This is indeed good news.

  4. novell by SinaSa · · Score: 5, Interesting

    Does this have anything to do with Novell entering the SuSE scene? Or has this certification been a long time coming? Either way, this is another scratch on the wall of achievements Linux has attained. Most pre Linux UNIX admins have a disdain for Linux zealots, etc who believe that Linux can solve any problem any time, and I'm in the same camp, but with distributions getting certifications like this, Linux continues to progress in promising ways in many fields.

    --
    --
    The last digit of pi is four.