SuSE and IBM get Common Criteria certified

[Posted August 5, 2003 by corbet]

One of the more highly hyped LinuxWorld announcements this week has been this press release from IBM and SuSE. It seems that the two have worked together to achieve Common Criteria "Evaluation Assurance Level 2+" certification for SuSE Linux Enterprise Server 8 running on the IBM eServer xSeries server. This is a significant development - it is the first Common Criteria certified Linux distribution. Obtaining this certification is said to be expensive (several hundred thousand dollars), but it should make it easier to sell Linux solutions to certain kinds of customers.

An EAL2 certification, however, does not actually mean a whole lot. The Common Criteria is an extensive standard; those who are curious can find it documented on commoncriteria.org; bear in mind that it's several hundred pages of grim technical text in PDF format; print it out and take it to bed. Those documents describe seven evaluation assurance levels. EAL1 is the lowest, described by Jonathan Shapiro as "the vendor showed up for the meeting." EAL7 requires formal designs, proofs that the implementation match the design, independent verification of all test results, etc. EAL2, the level achieved by IBM and SuSE, is described as follows:

EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time.

EAL2 is applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.

In other words, EAL2 requires the developers to have actually thought a little bit about security, but "should not require a substantially increased investment of cost or time." It does require that the system be tested (by the developer) against known vulnerabilities. But, in the end, EAL2 certification says that the developers thought about security, generated a big pile of paper, and spent a chunk of money. Not much more.

IBM and SuSE are aiming for EAL3 certification later this year. The requirement for EAL3 is:

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices... An EAL3 evaluation provides an analysis supported by "grey box" testing, selective confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities.

For what it's worth, some versions of Windows and most proprietary Unix systems are certified at EAL4. Red Hat (with Oracle's help) submitted Red Hat Enterprise Linux AS 2.1 for EAL2 certification last February. According to the press release, they planned to be the first CC-certified Linux. Looks like SuSE won that race.

SuSE and IBM get Common Criteria certified

Posted Aug 7, 2003 18:47 UTC (Thu) by addw (guest, #1771) [Link]

This sort of thing costs real, serious, hard earned cash. It would seem to be just the sort of thing where distributions put aside differences and cooperate. Everyone would get much further on the available cash.

OK: I know that these criteria cover: one version, one set of hardware; but there is a lot of commonality & some sort of cooperation should be possible.

The other thing to remember is that this says what a system is *capable* of, not what is achieves (think: root passwords on post it notes on the monitor).