Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Certification for SuSE: No Big Deal

SuSE has become the first Linux developer to receive a particular OS security certification that is internationally recognized and vital for selling to the U.S. and several European governments. This was hailed by some as a big score not only for SuSE but for all Linux distros.

But the certification has no value for Linux at large. It applies to only one version of SuSE's product, specifically the SuSE Linux Enterprise Server 8, with the certification-sles-eal2.
rpm installation package. This is true of all certifications under Common Criteria, an agreement among many nations to unify security certification standards. Common Criteria certifications apply only to specific product versions with established configurations (see "Certification Security Blanket").

Linux Enterprise Server was certified at Evaluated Assurance Level 2+ out of 7 levels. This means the product has been tested only according to a vendor-defined configuration; the vendor has furnished documentation that it has performed a vulnerability analysis against known vulnerabilities; and the vendor has supplied, and the testing firm analyzed, documentation on the configuration and operation of a subset of system features.

What's more, the EAL2+ certification is limited to a fixed configuration and is focused on nonhostile environments like a protected data center. On a SuSE Linux Enterprise Server configured according to EAL2+, the only network services allowed are SSH and FTP. More important, the cryptographic features of OpenSSH were not evaluated because such testing would have taken too long. Other common services--like HTTP, DNS and SMTP running on their standard ports--are not part of the
feature sets, further reducing the importance and usefulness of the
EAL2+ configuration.

Each Linux distribution has its own programs and configuration files and, often different kernel modifications. So while Common Criteria certification is a somewhat positive milestone for SuSE, the other Linux distributions will have to step up for their own.

  • 1