Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
SuSE Businesses Linux Business Security Software Linux

SUSE Awarded EAL4 Certification 160

An anonymous reader writes "Following in the wake of its previous certifications, Novell's SUSE Linux Enterprise Server 9 has achieved EAL4 certification on 'an IBM eServer.' This puts SLES9 in the same league as Windows 2000 for sales in the government sector and is the first Linux distro to achieve an EAL4 certification."
This discussion has been archived. No new comments can be posted.

SUSE Awarded EAL4 Certification

Comments Filter:
  • by Anonymous Coward on Sunday February 20, 2005 @01:23PM (#11729467)
    .......oh fuck!
    • by man_of_mr_e ( 217855 ) on Sunday February 20, 2005 @02:47PM (#11729936)
      Hmm.. What I don't understand is how ANY version of linux achieved EAL3 or better. One of the criteria is that the OS have strict design documentation and that the implementation meets that design documentation. My understanding of the Linux development is that it's very informal and has no real design documentation (other than what a given hacker may create for themselves).

      I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.
      • by mindstrm ( 20013 ) on Sunday February 20, 2005 @03:08PM (#11730036)
        Linux didn't achieve it.. a specific distribution by SUSE did. The documentation and implmenetation designs are by suse.

        The certification doesn't require documenting all the code.... it's more about overall system design,the security model, user authentication, etc.
        • Where can I get a copy of this documentation? I'd love to see it.
          • Hehehe... nice try at trolling. But how can anyone named "LordNimon" be trusted? Get thee back to the leisure hive! LOL!!!!111 (Note: I think you foed me once in a past life here on /.)
      • I may be mistaken, but I think the POSIX and SUS "design documents" are fairly strict...
      • The source code is the documentation. The system conforms very closely to that - give or take the odd bug in GCC...
      • by AstroDrabb ( 534369 ) on Sunday February 20, 2005 @05:07PM (#11730694)
        Are you just trolling?

        MS Windows 2000 has this cert. Exactly where is _all_ this MS documentation available to the public? Oh, that is right, it is not. So exactly why would "Linux" need to have this public documentation? "Linux" wasn't certified. A specific implementation of Linux, SuSE Linux Enterprise Server 9, was awarded this certification level. Novell put in the effort needed to achieve this certification, including proper documentation.

        The Linux kernel is Open Source, as well as most/all of the GNU code base forming the complete OS. I can go out and build my own Linux distro (which I have done for personal use based on LFS). However, that doesn't mean that _my_ version of GNU/Linux is EAL4 certified. If you read the articles or even the simple summary, you should have clearly understood that currently, the only version of Linux to be EAL4 certified is, SuSE Linux Enterprise Server 9.

        • There's nothing in the EAL process that requires documentation to be public. As such, your comments seem a little strange.

          I also did not suggest that Novell didn't put effort into the documentation. I said, I didn't understand how any Linux distro could meet design documentation that very likely didn't exist when the software was being designed.

          I wouldn't think (and I could be wrong), that generating design documentation after the fact is evidence of proper design (which is what the EAL is trying to ver
      • The requirement is actually that you document what your security model is and how your implementation achieves it, and then they verify that you're right.

        There are no restrictions on the development process. The point is that it gets validated as a finished item, so it doesn't matter how it got that way. It also doesn't matter who writes the documents, so long as they have the necessary information.

        It will be interesting to see when SuSE does with the documents which were part of the process. It would als
        • You are correct, up to a point. EAL4, sure, the design doesn't matter, just so long as you meet the criteria. The how isn't relevent.

          It's when you get into extreme levels of trust that the design needs to be a little better documented. I don't believe the Common Criteria has anything that goes as high as the Orange Book's B3 or A1 certifications, but IIRC those did require a level of proof that the code was correctly implemented, not merely that the mechanisms were all present and apparently funcioning.

          • The Common Criteria sort of goes past EAL4 to the proof of correctness stage, but the CC members don't all agree on the higher levels, probably because the code proving theory is not entirely worked out to everybody's satisfaction.

            If higher EAL levels were well defined, it might actually be easier for Linux to achieve them, because it would simply be a matter of writing out how Linux security is supposed to work, and then checking that no transition from an allowed state to a disallowed state can happen. I
        • That's may be what it is, but that doesn't seem to be what the spirit of the certifcaion is about. Check this out.

          "EAL2 level is more detailed because it includes the high-level design and detail specifications of the target of evaluation. This level and its latter counterparts require developer testing and a vulnerability analysis. EAL3 analysis expands the testing coverage of the security functions and mechanisms and offers added security measures by ensuring that the target of evaluation is not tampere
          • I assume they look at "the development" of the EAL4 version as starting from where they take in a particular kernel release and making it secure (which may involve a significant amount of work, depending on what their design actually is). The concern is that someone could change something after you've evaluated it; you avoid that by not taking patches from anyone else unless you verify them.

            The Linux kernel could never get an EAL rating as it is developed by Linus et al, but that doesn't mean that a proces
    • "Same League as Windows 2000"

      I think you misspelled "produced with as much paperwork as Windows 2000"
  • by OffTheLip ( 636691 ) on Sunday February 20, 2005 @01:24PM (#11729470)
    It's really a matter of money and time.
    • by hal9000(jr) ( 316943 ) on Sunday February 20, 2005 @01:28PM (#11729502)
      Kinda. Provided there is a well designed and realistic Protection Profile and the Security Target is realisticaly designed, there is some value to the CC certification.

      The biggest issue I have seen with CC is more in the understanding, or lack there of, of what is covered in a CC eval on both consumers and vendors. Vendors obviously promte the CC eval because it is expensive and has a certain cache. Users tend to glaze over reading the certification docs and most often don't make it very far before checking whatever check box they need.

      • by Anonymous Coward

        it is expensive and has a certain cache

        It's cachet, not cache. Cache is storage; cachet is that certain attraction.

        Cache is pronounced "cash" cachet is "cashay".

        Get it right, people!

    • by Alien54 ( 180860 ) on Sunday February 20, 2005 @02:04PM (#11729696) Journal
      A certification some time ago that Windows was completely secure on a network, so long as you didn't actually connect it or plug it in to the network?

      I think the MS has improved on that with 2k, etc. , but I'm not sure.

      • by Anonymous Coward on Sunday February 20, 2005 @02:12PM (#11729742)
        Yeah, its meanless except for a small class of government applications. Unfortunately, Microsoft drank their own koolaid and started marketing the certification as a general security feature.

        "Windows NT's Security Certification means that firewalls are optional" -- actual bullshit advice from a microsoft document in the mid-90s.
      • There was some rumors a few years ago about Windows NT getting a C2 "certification" only when you did things like disconecting the floppy drive.

        I actually think most of this was the old "poking fun at Microsoft", tho. I mean, if that was the case, I doubt it would get certified.

        On the other hand, I never had much respect for those rainbow certifications.
        • C2 certification only applies to a specific version of NT 3.5 with specific patches installed. Any deviation from that would not be certified.

          C2 is a security specification for standalone, non-networked, non-distributed computing environments.

        • Re: (Score:3, Informative)

          Comment removed based on user account deletion
          • Still sounds like a heck of a good joke.

            No removable midia = no backup

            How trustworthy is that ?

            And I really don't recall (I might be wrong) HP/UX requiring the removal of the floppy drive to be certified C2.
            • Re:That is true (Score:3, Informative)

              by darkonc ( 47285 )
              Still sounds like a heck of a good joke.
              No removable midia = no backup

              It depends on what you describe as a joke.

              It allows the marketing 'droids to say things like 'We took a C2 certified system, added a ZIP drive and 3COM ethernet card, and voila one of the most usable, secure systems you could hope for.' (then hold their breath and hope that the carefully balanced shoe doesn't drop).

              It's not fraud if you honestly (if misleadingly) document what you're doing.

      • That was Windows NT, and the setup also mandated that there be no removable media. However, that was for a secure non-networked workstation, which have their uses in some cases.
    • by soren42 ( 700305 ) * <j@nOsPAm.son-kay.com> on Sunday February 20, 2005 @02:43PM (#11729919) Homepage Journal

      It's really a matter of money and time.

      That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).

      Initially, there were a lot of concerns when Novell acquired SuSE around their committment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary. So, those concerns have been put to bed, it makes Novell/SuSE a very attractive Linux option. They have the resources, relationships, and talent to work quickly and effectively - developing solid, certified, and feature-rich open software.

      Please don't mistake this comment as Red Hat bashing. I am simply pointing out that Novell has the resources to really make a difference in the US Linux market - and things like achieving EAL4 (so quickly) prove that.
      • by Anonymous Coward

        That's exactly what it is... which is yet another facet of the differences between Novell and Red Hat. Novell has the money to apply their resources across a much broader spectrum than Red Hat - just by virtue of having more money. Also, they have much more staff on the payroll - and by extension, more time (read: manhours).

        IBM paid for it. IBM's engineers did it. They do this kind of thing on behalf of the distro's it uses on its hardware. It has absolutely nothing to do with the resources of Novell

      • Initially, there were a lot of concerns when Novell acquired SuSE around their committment to Free Software. But they have repeatedly (YaST, SuSE Linux Open Exchange, FreeSWAN, Hula, etc.) shown that they are committed to the philosophy of Free Software - not just buying the technology to close it up, and make money from selling something proprietary.

        If it's Free Software [fsf.org] then they can't buy it up and make it proprietary because it's licensed under the GPL! I'm not saying that Novell isn't doing good st

    • by omnirealm ( 244599 ) on Sunday February 20, 2005 @03:56PM (#11730316) Homepage

      Disclaimer: I work for the IBM Linux Technology Center; any comments I make are entirely my own.

      It's really a matter of money and time.

      And blood, sweat, and tears. You're talking to a guy who spent countless hours drafting hundreds of pages of low-level design documentation on the Linux kernel and set of trusted userspace applications in order to help satisfy the CAPP/EAL4 requirements. True, IBM paid me to do it, but the effort is far from trivial, and Linux's reputation gets a nice bolster when things like security certification happen.

      Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4. We have a secure protection profile ironed out, documented, and deployed, which helps immensely with setting up a locked down Linux box. We have engineers who have been given the job to review thousands of lines of source code and to write and run a battery of tests to verify that Linux kernels and applications really do, from a security standpoint, just what they claim to do, and they do it right. But I think, more than anything, that this is a strong indication of Linux's maturity. For the public sector, this satisfies a core requirement of many contracts. For the private sector, this is one more thing to impress the boss when advocating Linux solutions.

      • thanks 8even if you get paid for it), this helps linux a lot. Stupid question, is all that documentation available for everybody?
      • Seriously. I live and die by the availability of such certifications. Even if we don't really implement it exactly, it's nice to be able to point to this and say, HEY, SLES 9 is EAL4 (mutter: in that configuration), it's perfectly fine! And it's business as usual, albeit with one less win2k paperweight (which doesn't really have a valid EAL cert either, so who's fooling who?)

        If I could give you a hug, I would.
      • We have a secure protection profile ironed out, documented, and deployed

        Can you provide a reference to the profile? Or even just a very high level, one- or two-sentence description?

        I know the Win2K PP, for example, assumed that the machine was not connected to a network. Was network access part of the SuSE PP?

      • Back when my team achieved CAPP/EAL3 certification, the general attitude on Slashdot was, ``Great, but wake me up when we get EAL4.'' Well, now we've got EAL4.

        And my eternal gratitude. Realize that many of the trolls here have at best a vague guess of what exactly EAL4 is.

        EAL4 is a ton of work, documentation probably being the worst part. In fact, given the nature of the kernel alone I wasn't even sure you could do it.
    • by eer ( 526805 ) on Sunday February 20, 2005 @04:39PM (#11730544)
      Other posts are correct - IBM made this happen through manpower and expenses, to create the documentation needed for so many open source projects (lacking design documentation, for the most part), and for underwriting the evaluation labs effort.

      But Novell/SuSE also deserves credit for running a top-notch configuration management system (Autobuild), having controls and procedures for keeping track of where which patches that get incorporated come from, and for having a patch notification and publication process that enables customers to get timely notification of necessary patches.

      The business processes surrounding manufacturing the distribution and supporting customers on a global basis are valuable Novell/SuSE contributions.

      Disclaimer: I work for Novell and work with the folks at SuSE on a daily basis.

  • Hopefully this will make more enterprises/companies/governments go for GNU/Linux and open standards. Anyway, it's about time. :-)
    • by $ASANY ( 705279 ) on Sunday February 20, 2005 @02:11PM (#11729731) Homepage
      This really only makes a difference in the federal sector here in the U.S., as commercial firms might be interested in CC, they understand that CC really doesn't mean a whole lot. For the federal sector, this is only one half of the whole ball of wax.

      Just about every DoD or other federal government RFP these days requires that every part of the solution be CC EAL 3 or greater because of DoDD 8200.1 and other mandates. Without CC, you can't be considered, no matter how much better your solution is than the relatively limited menu of certified options.

      The other half is FIPS 140-2, which covers data encryption. If you don't have FIPS 140-2 you can't play ball, and even then in some places like the U.S. Navy, there's another layer of certifications for NMCI and such. So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.

      So will this announcement cause more enterprises to use SLES? Nope. They don't really care. Companies? Same boat. Governments? Only in those cases where SLES will exist entirely within a secure intranet or will piggyback on a generally closed-source 3rd party FIPS certified encryption system. SLES hasn't scored yet.

      The other barrier is that for most potential government installs, there has to be CC certified software to run on it, unless it's just a network appliance. MySQL, Apache and all the rest would have to be CC certified to actually get a pure open source solution in the door.

      The net effect is that this plays directly into the hands of the big software/hardware vendors and creates a barrier to entry for smaller players who would like to play in the federal space. Sure, SLES is certified, but with what? Oracle and IBM? Who's going to pay to get Apache2 certified for both Common Criteria and FIPS 140-2?? Or MySQL? Or PHP4? Look for more domination in the federal software market by the likes of Microsoft and Oracle, who will have even less incentive to create really good software because this somewhat meaningless certification process reduces competition and increases profitability for those who can invest in certifications.

      Look at NMCI if you are doubtful. It hasn't helped the Navy improve it's IT infrastructure one bit, and made EDS nearly the sole vendor for all IT for the Navy. It's the gatekeeper of the NTISSP certification process, and everything it decides to approve has to be purchased through and managed by EDS. Certifications like this are simple money grabs by major Systems Integrators and muscular software companies.

      Nothing to see here. Keep moving.
      • ...and made EDS nearly the sole vendor for all IT for the Navy...

        This is the same EDS that keeps screwing up [theregister.co.uk] all those important govenment systems [publictechnology.net]? The EDS that managed to take down 60,000 PCs [theregister.co.uk]? They let that EDS run military systems?
      • by Anonymous Coward
        I don't know where you are getting your information from... But I work for the DoN and the DoD and we are in the process of deploying a large number of Red Hat Enterprise Linux boxes right now. The EAL4 certification means QUITE a bit, we could have deployed SOME Red Hat with only EAL3 certification, but we couldn't deploy Red Hat at any deeper classification level without EAL4.

        FIPS is a compliance level for encryption, and seeing as that it isn't hard to add this ability to applications, I'm not seeing th
        • I get my information from working in the federal/DoD arena for a software vendor and butting heads with this stuff on a fairly regular basis. We do a lot of work with SPAWAR and NAVSUP. Most of my work is in the Mobile arena, but I have a strong personal preference for Linux and try to push that as the OS for our products because it works better.

          NMCI has been a major pain in the butt for us. NAVSUP wants to do more handheld work, and all that is available on CLIN 23 is ancient, non-Wifi crud or Blackber

      • So however we might celebrate SLES EAL4 cert, it STILL doesn't get them in the game without adding on a (typically) expensive FIPS 140-2 certified SSL component. My understanding is that RedHat understood this and bundled a certified solution with RHEL.

        I've wondered about that after seeing some posts about it earlier.

        Are the hurdles preventing something like OpenSSL or GnuTLS from receiving FIPS certification mainly technical, or financial?

      • Throw out a few more permutations of the alphabet please. I enjoy reading cryptic bullshit.
        • 99.99% of everything to do with the Government is going to be cryptic or bullshit. NMCI is an ongoing effort by the US Navy to be cryptic and bullshit, thus killing two birds with one stone.
      • I was working for the US Navy when they started rolling that out. Yeesh! Talk about a catastrophe! It took a year and a half to get stable e-mail. Yes, a YEAR AND A HALF! Eighteen months to do what most Linux geeks can get done in a couple of hours or less.

        Security? That thing has more holes than swiss cheese! All applications are run on a single box, with clients connecting via Citrix. That box is typically Windows. Windows doesn't have Orange Book B-grade compartmentalization. This means that if you wer

  • Certs/ (Score:4, Insightful)

    by cyberfunk2 ( 656339 ) on Sunday February 20, 2005 @01:33PM (#11729545)
    While some of these certifications seem silly and almost obvious (as in "well of COURSE it can do that").

    We should remember, for non-technical people (i.e.: most of the government) this is all they have to judge tehcnical suitability for the job. And like the beauracrats they are, they adhere pretty strictly to these things.

    So yes, it is a big deal that a major distro's broken through some of the red tape.
    • Viewing the Novell press release [novell.com], it would appear that the cert has actually not been issued, and that Novell has only "successfully completed" the evaluation, which doesn't officially mean anything.

      Having said that, I will note that this evaluation was to an actual protection profile (the CAPP [nist.gov]), so the evaluation means something, unlike some [bsi.bund.de] other [cesg.gov.uk] evaluations [bsi.bund.de] that I could mention.

  • Maybe I missed it in the article, but I am curious if it was on a pSeries or xSeries. SLES9 on a pSeries box is a damn good combination. On the xSeries, it's o.k. but you do not have the peace of mind you get with the pSeries hardware.

    I feel a little more confident in our military using that than MS windows on cheap beige boxes.
    • by LinuxHam ( 52232 )
      I am curious if it was on a pSeries or xSeries

      When the config earned EAL2+, it was on xSeries, but according to this [ibm.com], they earned EAL3+ on *all* platforms. I did a little digging but couldn't find if the same applies to this certification. I know it doesn't answer your question, but it may keep your hopes up to dig some more. As an IBM consultant doing Linux on x, p, and z.. I say "cool!"
  • It certifies SLES 9 as being in the same league as Windows 2000.
    • Re:Well, not quite (Score:2, Informative)

      by g00n ( 565271 )
      Also means it's surpassed windows XP and 2003. These as far as i know (big statement) have not made these certifications yet.
  • by CoolSilver ( 794518 ) * on Sunday February 20, 2005 @01:38PM (#11729579)
    Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification yet XP, the best product with "advanced security technologies" has nothing.

    Well I guess it means times have changed. Linux is a big player in the game now and Microsoft needs to realize this and stop denying. False statements hurt worse than the bitter truth of "your product isn't good enough". I rather trust a company and have something that works okay and secure than some company that hides facts and has a better product in some ways, just not security.

    It is funny how someone came out with a report saying windows is more secure, but is that based off the experimental code or source and which distribution. Novell and SuSE have always taken security as a priority and it shows.
    • by TheCabal ( 215908 ) on Sunday February 20, 2005 @01:56PM (#11729662) Journal
      CC evaluation is not an automatic thing. The sponsoring company (in that case Microsoft) pays for the evaluation. A target is generated, which details hardware and software configurations. This can take months. Then the actual platform itself is evaluated, which can also take months, especially if deficiencies are found and corrected. Win2k was released in 2000, but didn't get CC evaluation until 2004. There's a hint.
    • Re: XP's non-cert status...

      People tend to like things that are tried and true and are known to run solid.. Or with small incremental changes, done carefully.

      The problem with XP is two-fold.. first.. it (the "jump" to XP) was just that, a jump, that wasnt all that carefully considered beforehand (MS just figured that most people would go with it, because after all, it IS the latest and greatest).

      Second, MS marketing actually shot them in the foot here. They marketed this as the "hot new thing", "new and
      • by ScrewMaster ( 602015 ) on Sunday February 20, 2005 @03:04PM (#11730017)
        That, my friend, is probably the most succinct description of what is wrong with the world of personal computing that I've heard yet.

        The only thing I would add is that this applies all across the board. Home users and corporate office users are in the same boat: they often have no interesting in "upgrading" to get more whiz-bang because they don't need it and don't want the headaches. That's the essentially conservative attitude that the bulk of users have, because any significant change means they may have to spend time and money they don't have to learn something new, deal with problems that weren't there before, and may find their shiny new OS and apps interfering with getting their jobs done. Microsoft's feature-oriented marketing and forced upgrade cycles have probably caused more lost man-hours than the common cold.
    • Well, the EAL4 certification is only just a bunch of paperwork. It certifies that the company who got it, did a lot of paperwork describing what the product does to be secure and _no_ check, in whatever kind, is made by the goverment to certify that the claims are indeed true. Also, the claims that need to be made are really trivial and almost all s/w vendors can claim conformity. There is no point comparing security of win2k and linux based on that cert...
      • by zogger ( 617870 )
        "There is no point comparing security of win2k and linux based on that cert... "

        Here's the obvious point: If you are trying to SELL it it matters. Discussing it on slashdot and what it really means or does is one thing, getting some org or agency or corporation to drop x-millions of dollars in your lap for your product is another. One of the main complaints about Linux that you read over and over is "how do you make money with open source software"? Well, here's one way to make that a reality. Jump through
      • Then why is it that it took so long to certify Linux? Why did it take 4 years to certify Windows 2000? Why is'nt XP certified?

        If it were easy to do and almost all major vendors could claim complience then why wouldn't MS make sure that XP was certified. They made a big deal about Win2000 certification when they got it. It's cheap marketing for MS and fuel for their FUD engine, which they know they need to keep fed. I doubt that MS simply doesn't care about certification or couldn't put enough resourc

        • "Then why is it that it took so long to certify Linux? Why did it take 4 years to certify Windows 2000? Why is'nt XP certified?"

          It's really a _lot_ of paperwork and I'm sure that MS got that cert everywhere it really matters. As for linux, seeing distros get that cert means that they have certain hopes to see linux in some places that require EAL4. Nothing more.

          "I'm sure Gates would have like to have been able to say , "Hey, XP's EAL4 certified by the US government" when asked about MS's

    • Wow, I guess Mr. Gates and company must be biting their nails. 2000 has that certification yet XP, the best product with "advanced security technologies" has nothing.

      IIRC, EAL is based on a specific version of the operating system, running on specific hardware. It's relatively pointless (IMO) to certify a desktop operating system which can run on a myriad of hardware - or you would certify, but only on a very limited range of hardware. It probably means relatively little.

  • Well now (Score:1, Insightful)

    by TheCabal ( 215908 )
    Maybe the zealots can stop screaming that EAL certification is just a money thing or that it's worthless just because Win2k was certified EAL4.
  • I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.

    I saw Redhat blink so I took the Suse path.
    No regrets...
    • I put all my efforts and support in Suse about 2 years ago and all my eggs in the Linux basket (in general) about 4 years ago.

      I did the same thing. There's been a few warts (configuring Samba, some graphics issues which weren't well documented) but it's generally been good. SuSE is pretty easy to work with, reasonably polished. They could do a better job keeping up with some of the big name open source software like Mozilla through the official update channels (they're usually a few versions behind) bu

      • I had problems with an Adaptec SCSI controller in a Dell system recently.

        The trouble is that Adaptec seems to think that doing RAID-1 in the device driver is somehow a good idea and worthy to be very secretive about. So they provide binary-only drivers for their card and it is 3 kernel versions behind.
        Of course we need no Adaptec software RAID-1 as Linux has it in the kernel. After some searching and asking I found a patch that allowed the Adaptec controller to operate as a plain SCSI controller and from
  • I can see a little dim hope that some corp's and gov's will more away from Windows and switch to Linux. But i dont know how realistic this is. Still i hope.
    • Re:Is there hope? (Score:5, Informative)

      by TheCabal ( 215908 ) on Sunday February 20, 2005 @01:53PM (#11729644) Journal
      Not likely to happen soon. Just because it's been EAL4 certified doesn't mean that is allowed to be operated on a Federal network. In the case of DoD network, it still needs a CTO (Certificate To Operate) before being allowed to be connected to the network. A CTO requires a whole DITSCAP session, formal documentation, evaluation and recommendation. For an operating system, it could literally be years before a CTO is produced. An interim CTO could be generated, but I don't think any major commands are willing to risk issuing one for such an unknown as this.
      • Your probably right.. and a CTO is years away..
      • However, there's nothing saying that contract providers to the government can't run Linux (and have), such as, say, the Federal Reserve.
        • Re:Is there hope? (Score:4, Informative)

          by TheCabal ( 215908 ) on Sunday February 20, 2005 @02:13PM (#11729753) Journal
          The EPL (Enterprise Product List) only lists software that is allowed to run on a Federal network. As long as the system isn't connected to a Federal network and meets the requirements of the contract in terms of reliability, security and auditability, there is nothing to say that a contractor couldn't use SuSE or even RHES (was evaluated EAL3) unless it was expressly forbidden in the contract.
    • It is happening more than you realize. I currently work for an aviation company who hired me because they are moving their core systems into the cockpit (as opposed to being used by the pilots in a free standing fashion). They currently use Windows, but to pass the DOT/FAA/DOD regulations, it will pretty much need Linux. So right now, 3 major software projects are being ported. Also interesting is that the airlines, Boeing, And airbus are not wanting windows. Apparently, they do not like the term "crashing
  • I totally regret using Red Hat first. Suse is indeed the better road. I'd love to see the gov't be run on linux :D
  • Netware is entrenched in goverment organisations. therefore Suse/Novell open server needs to be rubber stamped ASAP.
    • No piece of software running on a Federal interest network should be rubber stamped. It should be evalulated on its own merits by a formal DITSCAP process.

      For FWIW, all the Federal networks I've worked on, I've seend damn few Novell servers. A lot of them used to run Novell, then migrated to Windows. I don't recall NetWare being on the EPL for the command I work for, so it might have already gone the way of the dodo.
  • Don't they run US battleships on Windows NT? Is that the "C2" certification? Is there a Linux distro with that cert?
    • Re:Unsinkable (Score:5, Informative)

      by TheCabal ( 215908 ) on Sunday February 20, 2005 @02:35PM (#11729881) Journal
      There aren't any battleships currently in commission in the US Navy, all have been either scrapped or mothballed. You're probably thinking of the prototype cruiser that made all the headlines. It was running NT, bluescreened and the ship was stuck. Not that the bluescreen was not an OS error, but an error due to a divide by zero from the application, and it wasn't written well enough to handle that error nicely, so the OS did what it was supposed to. The ship was rushed anyway, and supposed to have Unix backends for all the C^2 functions. NT is just for the user workstations.

      The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.
      • Can you explain to me why the OS would bluescreen due to a divide by zero from the APPLICATION? Maybe I'm naive, but an application should not be able to crash the kernel.

        • Because it resulted in a buffer overrun.
          • Can you explain why a buffer overrun in a userspace application could crash the KERNEL? The kernel isn't supposed to allow overruns or any other fault in individual userspace applications to take down the system.
            • Nope. I'm not a kernel programmer. Go ask the contractor why their software crashed the OS.
      • Re:Unsinkable (Score:3, Insightful)

        by Tom ( 822 )
        so the OS did what it was supposed to.

        Can I get some of what you're smoking? Since when is an OS supposed to crash hard just because a single application couldn't handle a divide-by-zero?

    • Don't they run US battleships on Windows NT?

      No, when battleships were in use they had analog mechanical fire control computers the size of washing machines. The "software" was a bunch of gyros, gears and cams.

  • by Quiberon ( 633716 ) on Sunday February 20, 2005 @02:31PM (#11729859) Journal
    I've got one of these here SuSE 9.2 Live KDE for Windows [btconnect.com]. Torrent here [btconnect.com]. Lots of Linux-for-Windows torrents there, in fact.

    Have fun !

  • Linux going for EAL5 (Score:4, Interesting)

    by Anonymous Coward on Sunday February 20, 2005 @03:27PM (#11730165)
    The French Ministry of Defense will put up 7 million over the next three years to fund an industrial consortium building a Linux-based operating system that can achieve EAL5 certification. The coalition includes Bertin Technologies, SURLOG, Jaluna, Mandrakesoft, and OPPIDA.

    BTW. There are Server and Embedded Linux version that has achieved Telecom Carrier Grade certification for reliablity. Microsoft won't try to get Telecom Carrier Grade certification for Windows because it is too unreliable.
  • I've been looking on the Microsoft site to get an idea of security accreditations, but it's impossible to find. Does anyone have a link to what version of MS has passed which accreditation (and in what way, because I'm not impressed with the NT C2 rating)"

    = Ch =

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...