NEW YORK -- Common Criteria certification is coming in record fashion for Nuremberg, Germany-based Linux distributor SuSE Linux AG.
Less than a year after achieving Evaluation Assurance Level (EAL) 2 for SuSE Linux Enterprise Server 8, SuSE is expected to announce today at LinuxWorld Conference & Expo that it has earned EAL3, the next level of certification.
Common Criteria is a set of criteria by which the security of a mission-critical software product is evaluated. Certification is a seal of approval that is recognized by government agencies and enterprise IT professionals. Countries that recognize the Common Criteria include the United States, Canada, the United Kingdom, Australia, New Zealand, Germany, France and Japan.
In reaching EAL3, SuSE Linux Enterprise Server 8, which is built on the 2.4.21 Linux kernel, met criteria established in the Controlled Access Protection Profile (CAPP). Certification means that the software supports access controls that enforce limitations on users and data objects, according to a description on the Common Criteria Web site. Software at this level also has audit capabilities that record security events. CAPP assures a level of protection against casual and inadvertent threats, though software that meets these criteria does not necessarily fend off "hostile and well-funded attackers," the site said.
"This is a huge advantage, not only for SuSE, but for the open source community and Linux as a whole," said Helmut Kurth, vice president and chief scientist of German security consultancy Atsec Information Security GmbH. Atsec, along with IBM, assisted SuSE with the certification process. "All the documentation developed and additional software developed [while] satisfying CAPP certification will be openly available in the open source community. This allows other distributions to go down the same path and follow this evaluation rather than develop their own."
SuSE has a jump on its main rival, top Linux distributor Red Hat Inc. of Raleigh, N.C. Red Hat is currently preparing for EAL2 certification for Red Hat Enterprise Linux.
SuSE Linux Enterprise Server 8 was certified EAL3 on five IBM eServer hardware platforms: the xSeries, the midrange iSeries and pSeries servers, the mainframe zSeries, and AMD Opteron.
Atsec representatives said that no operating system has ever been evaluated on such a broad range of platforms and in such a short period of time -- 10 months. SuSE hopes to reach EAL4 by the end of 2004. EAL7 is the highest Common Criteria level possible, but no product has reached that high a certification, Kurth said. IBM's zSeries mainframe machines have reached EAL5.
"The level that is most intriguing for commercial installations is EAL4," Kurth said.
Government agencies will not consider software unless it earns Common Criteria certification. Many enterprises follow the government's lead with their purchases.
"There are organizations that take this approach," Kurth said. "In Europe, for example, companies look for Common Criteria evaluation and prefer it for their products."
The open source nature of Linux, meanwhile, contributed to SuSE's rapid rise up the Common Criteria ladder. At the lower Common Criteria levels, such as EAL2 and EAL3, presentation of source code is not required; it is mandatory at EAL4. In the case of Linux, the source code is freely available and reviewed frequently, so vulnerabilities can be identified and repaired.
"We don't want to be able to check off that a product has met Common Criteria evaluation, but ... to make the evaluation useful to people so they can use it and maintain it in a secure state," said Klaus Weidner, senior IT security consultant for Atsec. "Some evaluations are done in configurations that people don't use. We try to get a configuration that makes a lot of sense from a commercial point of view. We evaluate a configuration [that] companies can install and use."