{"product_id":10271,"v_id":10271,"product_name":"SUSE Linux Enterprise Server 10 SP1","certification_status":"Not Certified","certification_date":"2007-10-08T00:10:00Z","tech_type":"Operating System","vendor_id":{"name":"IBM Corporation","website":"https://www.ibm.com"},"vendor_poc":"George Wilson","vendor_phone":"512-286-9271","vendor_email":"gcwilson@us.ibm.com","assigned_lab":{"cctl_name":"atsec information security corporation"},"product_description":"<p>The target of evaluation (TOE) is the core operating system provided with the SUSE LINUX Enterprise Server 10 Service Pack 1 distribution.</p>\r\n<p>SUSE LINUX Enterprise Server is a general purpose, multi-user, multi-tasking Linux based operating system. It provides a platform for a variety of applications in the governmental and commercial environment. SUSE LINUX Enterprise Server is available on a broad range of computer systems, ranging from departmental servers to multi-processor enterprise servers and small server type computer systems.</p>\r\n<p>The TOE Security Functions (TSF) consist of functions of SUSE LINUX Enterprise Server that run in kernel mode plus some trusted processes. These are the functions that enforce the security policy as defined in this Security Target. Tools and commands executed in user mode that are used by an administrative user need also to be trusted to manage the system in a secure way. But as with other operating system evaluations they are not considered to be part of this TSF.</p>\r\n<p>System administration tools include the standard Linux commands. A graphical user interface for system administration or any other operation is not included in the evaluated configuration.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. 
The criteria against which the SLES10 SP1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3 and National and International Interpretations effective on 2005-12-15. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3.</p>\r\n<p>The CCTL (atsec) determined that the evaluation assurance level (EAL) for the product is EAL 4, augmented with the CC ALC_FLR.3 Flaw Remediation assurance requirements. The product, when configured as specified in the Evaluated Configuration Guide, satisfies all of the security functional requirements stated in the SUSE Linux Enterprise Server 10 SP1 Security Target for CAPP compliance, Version 1.3 and is conformant to the Controlled Access Protection Profile (CAPP). The evaluation was completed in July 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.</p>","environmental_strengths":"<p>The functionality of SUSE LINUX Enterprise Server is consistent with the requirements set forth by the Protection Profiles it complies with, on the platforms specified in the Security Target.</p>\r\n<p><strong>Identification and Authentication:</strong> The identification and authentication mechanism identifies and authenticates users and assigns the configured group definition.</p>\r\n<p><strong>Security Audit:</strong> An administrator-configurable audit subsystem is able to record system events and user actions. It stores the audit records on disk and appropriate access control configurations are in place to protect them from unauthorized access.</p>\r\n<p><strong>Discretionary Access Control:</strong> The Discretionary Access Control Policy is enforced on processes running on behalf of users as subjects and file system objects as well as IPC objects. 
This mechanism allows only administrators and object owners to modify the access control attributes of named objects. Access Control Lists (ACLs) can be used for more fine-grained control of file system objects.</p>\r\n<p><strong>Object reuse:</strong> The TOE ensures that residual data is made unavailable prior to allocation of resources to subjects and objects.</p>\r\n<p><strong>Security Management:</strong> The security management mechanism provides a set of administrative management tools to create, delete and modify users, groups and their authentication data. In addition, management tools for the audit subsystem are provided.</p>\r\n<p><strong>Secure Communication:</strong> The TOE provides SSHv2 and SSLv3 communication to ensure confidentiality and integrity of data transmitted.</p>\r\n<p><strong>Protection of TOE Security Functions: </strong>The protection mechanisms ensure that the execution between domains of trusted components and untrusted processes is separated to protect against interference. The separation mechanism allows communication between processes through well-defined interfaces only.</p>","features":[]}