SUSE Linux Receives EAL3 Certification

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."

Windows 2000 is EAL4, but...

[quigonn]

...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed. Extremely ridiculous, especially when you have a look at how much software comes with SuSE (a lot!) and how much comes with Windows 2000 (virtually none!).

But I'm still waiting for a certificate for some SELinux version. Since EAL4 is the highest level where it's still feasible to build the demanded security into it, hardly any normal "customer" operating system will achieve a higher level. But SELinux has been designed for security since the very beginning, and should be able to reach at least EAL5.

Re:Windows 2000 is EAL4, but...

[blowdart]

"you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"

And it's the same with SuSE. If you look at the SuSE press release you will see that the certidication is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". Next service pack arrives it will need recertified.

Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

Yeah, right.

[Sarojin]

SuSE/Novell couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

EAL 1-4 Descriptions

[peterdaly]

Evaluation assurance level 1 (EAL1) - functionally tested
EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.

Evaluation assurance level 2 (EAL2) - structurally tested
EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.

Evaluation assurance level 3 (EAL3) - methodically tested and checked

EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

The Open Source Problem

[Ianoo]

Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy. There's certainly no way a single user who makes changes to his or her kernel could ever hope to achieve this kind of certification.

Hence all the hard work of the kernel developers, who provide their services for free in many cases, cannot be directly recognised. Instead some huge corperation has to come along and sponsor such certification. This just isn't right, IMO.

There's a much bigger issue here though, a threat from the future called Digital Rights Management and NGSCB. Who wants an operating system that will be unable to access secure web services because Microsoft introduces a protocol that requires a DRM-aware application running on a DRM-booted computer? Open source GPL'd Linux will never be able to obtain such certificates without massive corperate sponsorship from IBM, Novell, Redhat or whoever.

Even if it does, changing one line in my kernel and recompiling would invalidate it, locking me out of my legally purchased music and movies, and even things like my e-mail eventually (we're already seeing this with the restrictions that a sender can put on an e-mail in Office 2003. Imagine when this is part of the operating system and not easily circumvented).

Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

This sort of thing plays right in to their hands. They're undermining the free work of all the thousands of Linux and BSD developers effectively through the back door: by making open source software an unviable solution under the guise of security. Fuck them.

novell

[SinaSa]

Does this have anything to do with Novell entering the SuSE scene? Or has this certification been a long time coming? Either way, this is another scratch on the wall of achievements Linux has attained. Most pre Linux UNIX admins have a disdain for Linux zealots, etc who believe that Linux can solve any problem any time, and I'm in the same camp, but with distributions getting certifications like this, Linux continues to progress in promising ways in many fields.

Things will really get heated up

[emo+boy]

when OS/2 Warp gets EAL5 next month.

Summary Misleading

[Mork29]

I'm a sys-admin in the US Army right now. Simply getting this new EAL accredation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it, without them, we don't. Certain *nix's including Solaris, and Red Hat are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it neccessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US depertments have been criticized for a lack of InfoSec (Including Homeland Security), I've never heard of the DoD receiving any such negative rating.

What protection profile?

[xmath]

EAL3.... what protection profile?

EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:

The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.

It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)

I guess this is just one of those "they have - we need it too!" things.