Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
SuSE Businesses Linux Business Security

SUSE Linux Receives EAL3 Certification 143

Posted by timothy from the tougher-than-backwards-pig-latin dept.
prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."
This discussion has been archived. No new comments can be posted.

SUSE Linux Receives EAL3 Certification More

SUSE Linux Receives EAL3 Certification

Comments Filter:

  • Windows 2000 is EAL4, but... (Score:5, Interesting)

    by quigonn ( 80360 ) on Wednesday January 21, 2004 @09:07AM (#8042132) Homepage
    ...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed. Extremely ridiculous, especially when you have a look at how much software comes with SuSE (a lot!) and how much comes with Windows 2000 (virtually none!).

    But I'm still waiting for a certificate for some SELinux version. Since EAL4 is the highest level where it's still feasible to build the demanded security into it, hardly any normal "customer" operating system will achieve a higher level. But SELinux has been designed for security since the very beginning, and should be able to reach at least EAL5.

    • Re:Windows 2000 is EAL4, but... (Score:5, Informative)

      by blowdart ( 31458 ) on Wednesday January 21, 2004 @09:21AM (#8042241) Homepage

      "you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix. No other servicepacks or hotfixes are allowed"

      And it's the same with SuSE. If you look at the SuSE press release [suse.co.uk] you will see that the certidication is limited to "SUSE LINUX Enterprise Server 8 with Service Pack 3". Next service pack arrives it will need recertified.

      Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

      • Also there's no way of knowing (that I can see) what extra software was installed. Sendmail? Apache? Or are we just talking a basic kernel and networking?

        I don't know much about the EAL standard, but after a quick look at the previous certification [bsi.bund.de](EAL 2), I think it probably includes all of the software.

      • Re:Windows 2000 is EAL4, but... (Score:4, Insightful)

        by Otter ( 3800 ) on Wednesday January 21, 2004 @10:12AM (#8042533) Journal
        Next service pack arrives it will need recertified.

        And, of course, it has to be that way. quigonn, if a product had a certification that claims it's secure no matter what changes you subsequently make, how much faith would you have in that certification?

      • Re:Windows 2000 is EAL4, but... (Score:1, Informative)

        by Anonymous Coward
        First of all, before people guess around, look at the SUSE security websites. All the details are there:

        http://www.suse.de/de/security/certification/in d ex .html

        As you can see, the certified system does not run a webserver, but it runs SSH, Postfix, and FTP!

        Also, the "+" in the EAL3+ certification means that at least minor bugfixes can be applied to the system without losing the certification status, because the processes of how these fixes are developed, distributed and applied have also been certified.

    • you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix.

      The same is true of EAL4 Solaris, and presumably also of SuSE. It wouldn't make sense to certify all versions and configurations of a particular OS, including service packs/patches that haven't yet been written. Take a look at how to set up EAL4 certified solaris [sun.com] [sun.com] to
      see how specific the certification is.

      But I'm still waiting for a certificate for some SELinux version.

      I

    • There is security and then there is security features. SELinux is designed with specific security features in mind - the main one is a flexible way to manage access control based on the FLASK architecture. You will be able to implement, at the OS level, RBAC, MAC, & DAC. So, it is security enhanced but some of the enhancements are to facilitate the use of "better" access control mechanisms such as RBAC and DAC not just better code checking or something.
    • To make any sense of the various Evaluation Assurance Levels [slashdot.org] (EAL) you need to understand what the Common Criteria [ncsc.mil] is, where it came from (US military InfoSec), and what it is trying to do - a standard for purchasing and implmenting military and government computer systems for classified or sensitive data. You also need the other half of the equation, the Protection Profile [slashdot.org], what it is trying to achieve. There is a far greater focus on access control, and auditing than in your typically commercial computing
    • IMHO it won't take too long to get an SElinux version because its in the 2.6 kernel.
    • EAL4 is bullshit... it doesnt include white-box code auditing and it's a standard developed in a vacuum (ISO and NIST are vacuums). I wouldn't trust any standard not evaluated by hackers. I mean, if Windoze can get their highest rating when it has known and unpatched exploits, what does that say about their testing and standards? This test was done using SP3 which doesnt include the RPC fixes; any system based on this will get Blastered almost immediately if it were attached to a public or infected net

  • Yeah, right. (Score:5, Funny)

    by Sarojin ( 446404 ) on Wednesday January 21, 2004 @09:07AM (#8042133)
    SuSE/Novell couldn't have pulled this off without technology stolen from SCO. It's a known fact that SCO owns IP on everything that makes linux useful.

  • I'm not impressed... (Score:4, Funny)

    by mikkado ( 535011 ) on Wednesday January 21, 2004 @09:09AM (#8042144)
    If windows too can have this certification, it is clearly not very high standard. So, actually, this means *nothing*.

  • EAL 1-4 Descriptions (Score:5, Informative)

    by peterdaly ( 123554 ) <{petedaly} {at} {ix.netcom.com}> on Wednesday January 21, 2004 @09:10AM (#8042150)
    Evaluation assurance level 1 (EAL1) - functionally tested
    EAL1 provides a basic level of assurance by an analysis of the security functions using a functional and interface specification and guidance documentation, to understand the security behaviour.

    Evaluation assurance level 2 (EAL2) - structurally tested
    EAL2 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation and the high-level design of the TOE, to understand the security behaviour.

    Evaluation assurance level 3 (EAL3) - methodically tested and checked

    EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

    Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
    EAL4 provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.
    • That being the case, I don't see how any Microtrash product would ever get even level 1. It would fail on the undisclosed or badly documented APIs for a start. But, reading these definitions, the whole thing is worthless because there is no INDEPENDENT review and only a subset of the junk is tested, even at level 4.

      Best to stick to something where the security model is open to inspection, such as OpenBSD.

      In any case, was the particular Win 2000 configuration which was tested not subsequently found to have s

    • The EAL description levels in itself are interesting, but you should take the protection profile in account with the evaluated operating system. If you look at all evaluated operating systems, you will see that they all use the Controlled Access Protection Profile (CAPP). This PP assumes certain things about threat levels, for instance no malicious administrator and no malicious users. Therefore, the PP is quite weak. This is the PP that has been used to evaluate WIndows 2000, for instance, but other operat

  • The Open Source Problem (Score:5, Interesting)

    by Ianoo ( 711633 ) on Wednesday January 21, 2004 @09:11AM (#8042152) Journal
    Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy. There's certainly no way a single user who makes changes to his or her kernel could ever hope to achieve this kind of certification.

    Hence all the hard work of the kernel developers, who provide their services for free in many cases, cannot be directly recognised. Instead some huge corperation has to come along and sponsor such certification. This just isn't right, IMO.

    There's a much bigger issue here though, a threat from the future called Digital Rights Management and NGSCB. Who wants an operating system that will be unable to access secure web services because Microsoft introduces a protocol that requires a DRM-aware application running on a DRM-booted computer? Open source GPL'd Linux will never be able to obtain such certificates without massive corperate sponsorship from IBM, Novell, Redhat or whoever.

    Even if it does, changing one line in my kernel and recompiling would invalidate it, locking me out of my legally purchased music and movies, and even things like my e-mail eventually (we're already seeing this with the restrictions that a sender can put on an e-mail in Office 2003. Imagine when this is part of the operating system and not easily circumvented).

    Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

    This sort of thing plays right in to their hands. They're undermining the free work of all the thousands of Linux and BSD developers effectively through the back door: by making open source software an unviable solution under the guise of security. Fuck them.
    • anyone who is able to support an installation that needs such a certificates should be able to spend that few tousand $.
    • Well, that sort of support is part of the OSDL's charter.

    • Certificates like this are going to become a real problem for open source software. There's no way a small distribution could get a certificate that costs many thousands of dollars to buy.

      So perhaps the powers that be in OSS should come up with their own certification (secure software?), with their own test regimen. It would be just as meaningful as any other cert.

    • I disagree. I do not believe commercial software security certifications are a threat to OSS as you suggest.

      A valuable result of the certification process is assurance. The software security certification process is capable of providing a reasonable, varying degree of assurance to a software platform snapshot. The OSS community is capable of creating and performing security evaluations of OSS targets. It's a matter of motivation I suppose.

      = jombee

    • Bullshit efforts certification efforts like EAL and NGSCB undermine and threaten open source and play right in to the hands of the major corperations. In today's world, the most important corperation producing operating systems is, you've guessed it: Microsoft!

      There's gotta be some sort of certification guidelines for these certifications. I mean, companies aren't just going to fly in there blind and see what's wrong with their products -- that's wasteful. They'll likely get tons of documentation on

  • Do security holes reduce EAL levels? (Score:4, Insightful)

    by G4from128k ( 686170 ) on Wednesday January 21, 2004 @09:12AM (#8042163)
    It would seem that documented flaws in an OS should automatically reduce the EAL rating of that OS. Otherwise the EAL process is just a paper-pushing exercise.

    • Re:Do security holes reduce EAL levels? (Score:5, Insightful)

      by tjansen ( 2845 ) * on Wednesday January 21, 2004 @11:09AM (#8043018) Homepage
      Actually it is even funnier: you can not update/patch your installation without losing the certification. So if an exploit becomes known for your OS you have the choice between either running an uncertified OS or running an OS with known exploits until the patch has been certified (which can take many months).

      So in reality certified OSes are less secure than an up-to-date system. But whatever, it's certified.
      • That's a good point. But I wonder if the process of getting the certification, with whatever scrutiny and preparation that entails, might make the later uncertified patched versions better than they might otherwise have been simply by having been built upon a well-tested foundation. So, while religiously maintaining a system's certification is probably counterproductive, obtaining that certification in the first place might not be.
    • I don't think that security holes reduce the EAL rating. If they were to do so, only holes that existed in the certified configuration should be considered. A security certification can't possibly tell you that a system is secure in every concievable configuration.

      Any moron of a sysadmin can take a very secure system and turn it into one full of holes. Conversely, the best sysadmin in the world can't make a poorly designed system secure. A certification gives you, a non-moron of a sysadmin, some hope t

  • That's great (Score:2, Interesting)

    by Eric S Rayrnond ( 739458 )
    It's good to see SUSE increasing security. It's even better seeing Linux become more viable for government and military uses.

    But just 1 year ago, weren't we criticizing Windows for achieving EAL 4: [slashdot.org]

    Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What

    • Re:That's great (Score:2, Interesting)

      by gowen ( 141411 )
      But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:
      We? No. Follow that link. See at the beginning where it says "lewko writes". That means the section you quoted is the opinion of lewko. [slashdot.org] Not mine, and probably not yours, either.

    • Re:That's great (Score:5, Informative)

      by NotAnotherReboot ( 262125 ) on Wednesday January 21, 2004 @10:04AM (#8042475)
      I don't really see anyone on here saying that these specs made SuSE any more secure. The gist of it is that by having this certification, they can now compete for government contracts previously unavailable to them.

      Companies have to jump through hoops to get some of these contracts; the requirements may be rediculous, but achieving the requirements to compete for contracts is still important none-the-less.

    • Re:That's great (Score:5, Interesting)

      by $ASANY ( 705279 ) on Wednesday January 21, 2004 @10:16AM (#8042571) Homepage
      EAL is certainly not the ultimate determination of a system's actual security, but right now it's the U.S. Government's (and a few other governments) standard. That standard really doesn't mean much outside of contracting with the feds. As far as indicating to non-government entities whether a product is secure or not, it's slightly better than worthless.

      My company does a lot of professional services with DOD and some other agencies, and it's been a huge pain for me that linux wasn't certified under Common Criteria. If I set up something to demo to DOD that was running on a linux box, because it's easier and works better, it was immediately shot down because it didn't meet their standards. End of discussion. Once you get the certification you can play ball, but until that time you can't do squat. So now that we are in the game, you better believe the introduction of linux in the federal government is going to be a flood. I know of a couple of civillian agencies ready to take the plunge (more often than not replacing Solaris with linux, but some dumping of MS as well), and some DOD R&D has been with linux but not much production stuff is in place -- yet. The three letter agencies are interested, and EAL3 is going to make a big difference there.

      SuSE probably hasn't "increased" security to make this happen at all, but simply paid the money and took the time to have one of the evaluating companies perform the certification tests. It described the installation method, the packages to be installed and the way the system would be managed, and the evaluating company ran the battery of tests for level 3 and certified that it passed those tests. Heck, given enough time and money SLES will comply with level 5, and the only thing keeping this from happening is the amount of investment SuSE, Novell and IBM are willing to make for this.

      EAL really says nothing about the security of linux based systems, but is says a ton about how receptive governments will be to employing it. This is indeed good news.


      • So I'm curious if, after the demos of EAL'd systems to government buyers, they allow the system to be modified - upgraded kernels, adding apache, etc.?

        I'm just wondering if the bureaucratic hurdle is a "one time, just to prove you can be certified" or whether it's an ongoing PITA?

        • The certification covers a specific install, and depending on the circumstances under which a certification is granted, you might have a lot of flexibility, or very little. Back in the early days of Common Criteria, Windows was certified under the provision of no floopy drive or network card, but somehow waivers were granted, exceptions allowed and the like.

          Now I'm not all that involved in this, but my take is that EAL3 will make a difference in being able to get your foot in the door. Once it's in, it's

    • I'd say it's a semi worth while set of requirements. It serves it's purpose as a cover your ass by making the proper motions to proctect our military secrets. That means there are a bunch of paperwork requirements in addition to the actual requirements. Since it's easier for Microsoft to generate the needed paperwork, they have an EAL 4 while SuSE has an EAL3.

      In a way comparing military security requirements to corprate security requirements is like comparing Apples to Oranges. They have much more control
    • I never busted on Windows for being EALed. I will say that Windows and other OSes have much more robust auditing than Linux, and that has been a big deterant from government certifications with the Linux OS.

      One thing that I think is interesting to note is that a _company_ providing a specific _distro_ of Linux is being certified here, not Linux proper. The company and specific distro thing is important because it shows the viability of making $$ off of open source software. Anyone can get all of the sam

    • Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?

      Most importantly, the EAL tells only half the story. There are 2 components, the PP (Protection Profile), which specifies what security features you're trying to provide, and the EAL (Evaluation Assurance Level) which tells you how certain the people evaluating it are that it meets the profile. Windows 2000 was certified against CAPP (the Controlled Access Protection Profile) to EAL4, The CAPP is, well, hopelessly

  • Wow, great news (Score:1, Offtopic)

    by Rogerborg ( 306625 )
    For SCO, I mean, given that they claim to own or claim to already be receiving payments for all of the above!

  • novell (Score:5, Interesting)

    by SinaSa ( 709393 ) on Wednesday January 21, 2004 @09:19AM (#8042226) Homepage
    Does this have anything to do with Novell entering the SuSE scene? Or has this certification been a long time coming? Either way, this is another scratch on the wall of achievements Linux has attained. Most pre Linux UNIX admins have a disdain for Linux zealots, etc who believe that Linux can solve any problem any time, and I'm in the same camp, but with distributions getting certifications like this, Linux continues to progress in promising ways in many fields.
    • SuSE got it's EAL 2 [nwfusion.com] certification on IBM hardware and as far as I know that was funded by IBM - I don't know if Novel had anything to do with this EAL 3 certification, but given the time certification takes I suspect that's unlikely.

      More likely would be further IBM involvement as a company well placed to benefit from being able to sell more hardware deeper into government.

  • EAL4 evaluation tells you nothing (Score:4, Informative)

    by Anonymous Coward on Wednesday January 21, 2004 @09:24AM (#8042261)
    It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.

    Intersting Document on EL [jhu.edu]

  • Things will really get heated up (Score:5, Funny)

    by emo boy ( 586277 ) <hoffman_brian.bah@com> on Wednesday January 21, 2004 @09:32AM (#8042294) Homepage
    when OS/2 Warp gets EAL5 next month.

  • Summary Misleading (Score:5, Informative)

    by Mork29 ( 682855 ) <keith@yelnick.us@army@mil> on Wednesday January 21, 2004 @10:00AM (#8042449) Journal
    I'm a sys-admin in the US Army right now. Simply getting this new EAL accredation does not allow the military to install an OS (I don't know about the other agencies). The US military develops a set of security standards (baseline) for any OS that they use on a large scale. With these standards, we use it, without them, we don't. Certain *nix's including Solaris, and Red Hat are used on small scales for specific applications in the military, but this EAL will not allow the US Military any more options until senior leadership determines it neccessary and spends the money to adopt the standards of use and baselines for the operating system. I personally have been begging our head IASO to allow us to use Linux in a few instances, but have been shot down on every attempt for this one reason. I know I would love being able to avoid the weekly windows patches that have to be pushed down to the computers on our network though. The US Military does take InfoSec very seriously though. Although several US depertments have been criticized for a lack of InfoSec (Including Homeland Security), I've never heard of the DoD receiving any such negative rating.
    • I work for Conus CERT, as a reservist, and have also been pushing the Linux envelope. I believe there is a basic reluctance (similar to any business) to switch to a platform which very few current admins (as far as I know) have much experience with. Many I know are still die hard Microcert specialists. Much of the *nix that I've found is used only in the CERTs, dealing with network security/intrusion detection, and the end users are all stuck on/with Win2k. I'm sure that DOD acquisition is an intricate proc

  • What protection profile? (Score:5, Informative)

    by xmath ( 90486 ) on Wednesday January 21, 2004 @10:16AM (#8042574)
    EAL3.... what protection profile?

    EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

    For example, the Win2000 EAL4 certification was CAPP/EAL4 (Controlled Access Protection Profile). Its description:

    The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.

    It should be obvious that while CAPP is nice to have, it does not mean the system is "secure", even if you'd get EAL7. :-)

    I guess this is just one of those "they have - we need it too!" things.

    • It doesn't have to conform to a protection profile; that's just an option. The SUSE security target will list all the security functional and assurance requirements (the EAL3 assurance package in this case) that scope the evaluation (the "something," as you say).
      • you're right of course.. I meant security target when I said protection profile.

        terminology slip-up :-)

        indeed, SuSE's certification (EAL2) of July last year was for a "Product specific Security Target", no protection profile. Assuming it's still the case this year, it means comparing its EAL-rating to Common Criteria certifications of other products (with different security targets) is completely bogus.

        The problem is people seem to think "EAL3" is the certification by itself, while the security targe

        • Agreed. I've seen comments like "which is better? EAL3 or EAL4?" But I'm still confident that I (and like-minded people like yourself) can get the word out, so long as we keep commenting on these CC articles. :-)
          • For the benefit of other readers, a short summary of how the Common Criteria work - as far as I can remember (if any inaccuracies slip in, I'm sure someone will point them out :-)

            The common criteria are a framework for specifying and evaluating security properties of a product.

            They provide a big list of "security functional requirements" that a product might adhere to. Examples:

            "

            FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event."

    • Re:What protection profile? (Score:5, Informative)

      by hackstraw ( 262471 ) on Wednesday January 21, 2004 @12:39PM (#8043866)
      EAL-rating only indicates how sure you are the product meets the profile (a set of security requirements). Saying it gets "EAL3 Certification" is like saying "We're now quite sure it does... eh... something"

      A college degree only indicates how sure you are the person meets the profile (a set of learning and skill requirements). Saying it gets "A college degree" is like saying "We're now quite sure the person is... eh... able to learn something".

      Trust me, there are many a bozo out there with a college degree, and there are, ahem, less than secure and robust OSes with EAL certification, but try to get a job where it says "College degree required" or install an OS where it says "EAL3 or higher required" and there is not that level of certification.

      On an aside, college degrees are pretty worthless nowadays. At least a generic 4 year degree. I often see on job listings something like "College degree in XXX required or equivalent work experience". This is not as true with higher degrees or professional degrees. Sometimes I think about how much money I would be making now if I had _worked_ instead of going to school and racking up about $30,000 in college loans. Actually, I have seen data that says that the "Stay in school" programs are completly irrational. Supposedly, a HS dropout that goes to work will be making much more $$ immediately and in the future (because of experience and seniority) than a HS graduate. Kinda makes me wonder what the governmental/societal push is for going to school.
      • The analogy is kinda flawed, since a college degree should - regardless of the subject - at least indicate a certain level of education in some area.

        EAL just indicates how sure you are... you could get something EAL3-certified to be totally insecure.

        (note that I don't mean to say the certification is meaningless, just that its presentation in the article is. also, that comparisons like "but Win2000 has EAL4!" are bogus)

        A company that knows how the Common Criteria work won't require "EAL3", but actual

      • Actually, I have seen data that says that the "Stay in school" programs are completly irrational. Supposedly, a HS dropout that goes to work will be making much more $$ immediately and in the future (because of experience and seniority) than a HS graduate.

        I agree with that completely. I'm a university dropout, and I work at a gas station. The Lead Hand at my gas station (basically, she's one step down from being the boss) is a Highschool dropout. The only reason she's ahead of me, is because she has a few
    • Everybody is missing the (lack of) importance here. Read the description of the rating:

      ...a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security.

      This specifically precludes internet usage (unless you consider connecting to the internet to be non-hostile, in which case your paranoia badge is revoked).

      It DOES however open a door to let competitors into a contr

  • What kind of geek site is this if you have to mention that Solaris is from Sun etc.???

    Every decent computer nerd should have those words flowing through their veins...

  • USELESS (Score:3, Insightful)

    by calebtucker ( 691882 ) on Wednesday January 21, 2004 @10:34AM (#8042693) Journal

    ...you're only allowed to install a certain version of Windows 2000, with servicepacks up to a certain number, and one hotfix.

    This should tell you how extremely useless the common criteria is for actually verifying the security of a product for real world use. Sure it might have some merit in high security government use, but that's about it.

    Also, you know how much it costs to get your product evaluated at EAL2 (yes, you have to pay for it) -- about $250k. EAL4 is about $1mil+.

    We had someone who works at NIST on the CC come to my school last semester. He said there were less than 100 products that have been evaluated under the CC (can't remember exact number, but around 80).

    It boils down to this: if you want to sell your software to the U.S. government, you gotta get it certified at EAL2 at least. Other than that, your EAL level X means nothing.

  • Windows *from Microsoft*, huh? (Score:3, Funny)

    by johannesg ( 664142 ) on Wednesday January 21, 2004 @11:06AM (#8042997)
    I'm sure glad they mentioned that. I might have gotten confused with all the other kinds of Windows currently on the market.
  • Does anyone know where a complete list of how each OS is rated? I'm curious about BSD, and OS X primarily...

  • See (Score:2)

    by Cyno ( 85911 )
    ...which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM).

    This is why I don't like certifications. They don't actually say anything about how Linux can compete with any other operating system, but they make people like you think they do.

    If the church gives you a piece of paper that says you are going to heaven do you actually believe that you will go to heaven?

    If a University gives you a degree does that degre
  • It would be great if the EAL software package and test methodologies are available for free(similar to Microsoft HCT). This way everybody can make sure that their linux distribuition passes the criteria. Enterprise distribution can spend the required amounts to get the official certification.
  • You've gotta be kidding. Mandrake deserves this more than Suse.

Slashdot Top Deals

The Tao is like a glob pattern: used but never used up. It is like the extern void: filled with infinite possibilities.

Close