RHEL certified at EAL4+ (versus SLES at EAL4+)
Posted Jul 11, 2007 18:34 UTC (Wed) by
kreutzm (subscriber, #4700)
In reply to:
RHEL certified at EAL4+ (versus SLES at EAL4+) by smoogen
Parent article:
RHEL certified at EAL4+
Hello,
as there are some factual incorrect statements, I'll have to correct them.
a) When certifying products you always have to specify the environment. So it depends on the sponsor. Maybe special hardware is required, but I wouldn't expect IBM to sponsor Linux on Dell hardware. Though technically it might behave the same. (Maybe a hardware dongle is required, but I really doubt it)
b) There is no extra math in EAL 4+. You'll need some semi-formal formulation for EAL 5, but formal (mathematical) proofs are only for EAL 6 and EAL 7. But you simply cannot afford it typically.
c) I would consider the PPs the security standard. EAL is only a metric, how much effort went into testing. It is called "evaluation assurance level". The same product may be evaluated to EAL 1, where mainly some documentation is reviewed and up to EAL 7 with mathematical proofs. Just in the first case you are not very sure, that the product does in fact fulfill its promise, while in the latter case you have the mathematical proof.
d) Yes, you always have to read the assumptions. You know, the first certificate for a previous mainstream operating system had networking and graphics turned off ...
But testing is very thourougly, so EAL 4+ is usually not easily breakable. Of course, if the admin usese "123" as root password and ignores all documentation, well ....
(
Log in to post comments)
