Slashdot Mirror

← Back to Stories (view on slashdot.org)

SUSE Awarded EAL4 Certification

Posted by timothy on from the lockup dept.

An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."

8 of 160 comments (clear)

  1. Same League as Windows 2000..... by Anonymous Coward · · Score: 5, Funny

    .......oh fuck!

    1. Re:Same League as Windows 2000..... by mindstrm · · Score: 5, Informative

      Linux didn't achieve it.. a specific distribution by SUSE did. The documentation and implmenetation designs are by suse.

      The certification doesn't require documenting all the code.... it's more about overall system design,the security model, user authentication, etc.

  2. RHEL 4 - EAL4+ coming by OffTheLip · · Score: 5, Insightful

    It's really a matter of money and time.

    1. Re:RHEL 4 - EAL4+ coming by hal9000(jr) · · Score: 5, Insightful

      Kinda. Provided there is a well designed and realistic Protection Profile and the Security Target is realisticaly designed, there is some value to the CC certification.

      The biggest issue I have seen with CC is more in the understanding, or lack there of, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promte the CC eval because it is expensive and has a certain cache. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.

    2. Re:RHEL 4 - EAL4+ coming by soren42 · · Score: 5, Insightful


      It's really a matter of money and time.

      That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).

      Initially, there were a lot of concerns when Novell acquired SuSE around their committment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, it makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.

      Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.

      --

      "Adventure? Excitement? A Jedi craves not these things."
  3. Microsoft and Linux Denial by CoolSilver · · Score: 5, Insightful

    Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification yet XP, the best product with "advanced security technologies" has nothing.

    Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying. False statements hurt worse than the bitter truth of "your product isn't good enough". I rather trust a company and have something that works okay and secure than some company that hides facts and has a better product in some ways, just not security.

    It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.

  4. Re:Wasn't there .... by Anonymous Coward · · Score: 5, Funny

    Yeah, its meanless except for a small class of government applications. Unfortunately, Microsoft drank their own koolaid and started marketing the certification as a general security feature.

    "Windows NT's Security Certification means that firewalls are optional" -- actual bullshit advice from a microsoft document in the mid-90s.

  5. From one of the engineers... by omnirealm · · Score: 5, Informative

    Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.

    It's really a matter of money and time.

    And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.

    Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.

    --
    An unjust law is no law at all. - St. Augustine