One of the more highly hyped LinuxWorld announcements this week has been
this press release from IBM and SuSE. It seems
that the two have worked together to achieve Common Criteria "Evaluation
Assurance Level 2+" certification for SuSE Linux Enterprise Server 8
running on the IBM eServer xSeries server. This is a significant
development - it is the first Common Criteria certified Linux
distribution. Obtaining this certification is said to be expensive
(several hundred thousand dollars), but it should make it easier to sell
Linux solutions to certain kinds of customers.

An EAL2 certification, however, does not actually mean a whole lot. The
Common Criteria is an extensive standard; those who are curious can find it
documented on commoncriteria.org. Bear in mind that it's several hundred
pages of grim technical text in PDF format; print it out and take it to bed.
Those documents describe seven evaluation assurance levels. EAL1 is the
lowest, described by
Jonathan Shapiro as "the vendor showed up for the meeting." EAL7
requires formal designs, proofs that the implementation matches the design,
independent verification of all test results, etc. EAL2, the level
achieved by IBM and SuSE, is described as follows:

    EAL2 requires the cooperation of the developer in terms of the
    delivery of design information and test results, but should not
    demand more effort on the part of the developer than is consistent
    with good commercial practice. As such it should not require a
    substantially increased investment of cost or time.

    EAL2 is applicable in those circumstances where developers or users
    require a low to moderate level of independently assured security
    in the absence of ready availability of the complete development
    record. Such a situation may arise when securing legacy systems, or
    where access to the developer may be limited.

In other words, EAL2 requires the developers to have actually thought a
little bit about security, but "should not require a substantially
increased investment of cost or time." It does require that the system be
tested (by the developer) against known vulnerabilities. But, in the end,
EAL2 certification says that the developers thought about security,
generated a big pile of paper, and spent a chunk of money. Not much more.

IBM and SuSE are aiming for EAL3 certification later this year. The
requirement for EAL3 is:

    EAL3 permits a conscientious developer to gain maximum assurance
    from positive security engineering at the design stage without
    substantial alteration of existing sound development practices...

    An EAL3 evaluation provides an analysis supported by "grey box"
    testing, selective confirmation of the developer test results, and
    evidence of a developer search for obvious vulnerabilities.

For what it's worth, some versions of Windows and most proprietary Unix
systems are certified at EAL4. Red Hat (with Oracle's help) submitted
Red Hat Enterprise Linux AS 2.1 for EAL2 certification last February.
According to the press release, they planned to be the first CC-certified
Linux. Looks like SuSE won that race.