IBM and SUSE Linux achieve a higher level of Linux security certification across all IBM eServer systems

January 21, 2004

First Linux Operating System to Earn Evaluation Assurance Level EAL3+ Certification Companies Also Reach Common Operating Environment (COE) Standard Necessary for Command and Control Operations


IBM and Novell's SUSE Linux business unit today announced they had achieved new levels of security and operations certification for SUSE that will further enable the adoption of Linux by governments, as well as the Department of Defense for critical command-and-control operations.

SUSE Linux Enterprise Server 8 with Service Pack 3 on IBM eServers has achieved Controlled Access Protection Profile compliance under The Common Criteria for Information Security Evaluation (CC), commonly referred to as CAPP/EAL3+.

This represents a major expansion from last August, when IBM and SUSE announced they had achieved the first ever security certification for Linux. At that time, EAL2+ certification was announced for IBM's eServer xSeries line. Today's CAPP/EAL3+ achievement crosses the IBM eServer product line - iSeries, xSeries, pSeries and zSeries systems, as well as AMD Opteron-based systems.

CAPP/EAL3+ certification of Linux expands both the functional capabilities and confidence in Linux security beyond that met with the EAL2+. This was achieved through the addition of an auditing subsystem in SUSE Linux Enterprise Server 8 that provides auditing of security critical events. In addition, the CAPP/EAL3+ certification required more exhaustive testing and review.

IBM and SUSE Linux also announced Common Operating Environment (COE) compliance on IBM xSeries and zSeries platforms with SUSE Linux Enterprise Server 8, with support for pSeries and iSeries available in the first half of 2004. This achievement means that SUSE Linux is the first Linux distributor to offer both Common Criteria and COE compliance in the same package, creating the opportunity to run operational applications in a secure environment. COE, a specification created by the US Department of Defense (DoD), addresses functionality and interoperability requirements for commercially acquired IT products within its command-and-control systems.

"Certification under Common Criteria is a requirement for security related products in our environment," said William Wolf, U.S. Navy, Space & Naval Warfare Systems Center, San Diego. "We are encouraged by EAL 3 certification for Linux, as new doors will open to build flexible, cost effective solutions for our end users."

"Today's announcement with SUSE Linux is another key development fueling the rapid rise of Linux in the government sector," said James Stallings, general manager of Linux for IBM. "The Common Criteria certification across our server line further validates the security and quality of open source software. Additionally, the achievement of the operating environment standard necessary for critical command and control operations signifies that Linux can now be considered on equal footing with other operating systems."

The evaluation was completed by atsec information security GmbH, one of the world's leading vendor-independent IT security consulting companies, and accredited in Germany by the Federal Office for Information Security (BSI).

"Securing the EAL3+ certification is another clear testament to the strength of SUSE's processes," said Roman Drahtmueller, head of security, SUSE Linux. "Thanks to the close collaboration between SUSE, IBM and atsec, as well as atsec's broad experience in security evaluation, customers now can benefit from security assurances across all IBM platforms that are unique in the Linux market."

The Common Criteria (CC) is an internationally recognized ISO standard (ISO/IEC 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.

Under Common Criteria, products are evaluated against strict standards for various features, such as the development environment, security functionality, the handling of security vulnerabilities, security related documentation and product testing. In certifying SUSE Linux Enterprise Server 8 across IBM eServer systems, atsec information security GmbH evaluated how SUSE Linux develops, tests and maintains its products, as well as assessing the processes in place at the company for handling security issues in its software.

"BSI considers the increasing number of IT security certificates for IT products as a significant progress in advancing IT security on a broad scale," said Udo Helmbrecht, President of the German Federal Office for Information Security (BSI). "At the same time, certification has a positive effect on the quality of IT products. The certification of SUSE Linux Enterprise Server 8 also demonstrates that the Common Criteria can definitly be used as basis for IT security certification of open source products."

IBM's commitment to accelerate the development and certification of Linux as a secure, industrial strength operating system is further demonstrated by the joint IBM/SUSE Linux plan to pursue a higher level of security certification for SUSE Linux - CAPP/EAL4+ - across the IBM eServer product line later this year.

In addition to Linux, IBM plans to obtain Common Criteria certification of z/VM, its premier virtualization technology, in 2004. It is anticipated that z/VM will be certified to conform to the requirements of the Labeled Security Protection Profile (LSPP) and the Controlled Access Protection Profile (CAPP), both at EAL3+. z/VM helps enable mainframe customers to run tens to even hundreds of instances of the Linux operating system on a single IBM zSeries server. And in a future release of z/OS, IBM intends to certify z/OS to the CAPP/EAL3 and the LSPP/EAL3+ levels.

IBM's suite of middleware products are also in line for Common Criteria certification on Linux. Common Criteria certifications have been awarded to IBM Directory Server and Tivoli Access Manager. Many other IBM Software products are now in evaluation for Common Criteria certification. Additional IBM Software products are being prepared to enter the evaluation process. For more information about our current certifications, visit

About IBM

IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. Drawing on resources from across IBM and key IBM Business Partners, IBM offers a wide range of services, solutions and technologies that enable customers, large and small, to take full advantage of the new era of e-business. For more information about IBM and Linux, visit

About Novell
Novell, Inc. is a leading provider of information solutions that deliver secure identity management (Novell® Nsure™), Web application development (Novell exteNd™) and cross-platform networking services (Novell Nterprise™), all supported by strategic consulting and professional services (Novell NgageSM). Active in the open source community with its Ximian and SUSE Linux brands, Novell is firmly committed to open source and offers comprehensive Linux products and services for the enterprise, from the desktop to the server. Novell's vision of one Net - a world without information boundaries - helps customers realize the value of their information securely and economically. For more information, call Novell's Customer Response Center at (888) 321-4CRC (4272) or visit Press should visit

Novell is a registered trademarks; Nsure, exteNd and Nteprise are trademarks; and Ngage is a service mark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG. * All third-party trademarks are the property of their respective owners.