Editing Evaluation Assurance Level (section)

=== EAL4: Methodically designed, tested and reviewed<span class="anchor" id="EAL4"></span> ===

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Commercial [[operating system]]s that provide conventional, user-based security features are typically evaluated at EAL4. Examples with expired Certificate are [[AIX]],<ref name="OSEvaluations">{{Cite web |url=http://www.commoncriteriaportal.org/products_OS.html#OS |title=Common Criteria certified product list |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20131231024938/http://www.commoncriteriaportal.org/products_OS.html#OS |archive-date=2013-12-31 |url-status=dead }}</ref> [[HP-UX]],<ref name="OSEvaluations" /> [[Oracle Linux]], [[NetWare]], [[Solaris (operating system)|Solaris]],<ref name="OSEvaluations" /> [[SUSE Linux Enterprise Server|SUSE Linux Enterprise Server 9]],<ref name="OSEvaluations" /><ref>{{Cite web |url=http://www.commoncriteriaportal.org/files/epfiles/0256a.pdf |title=Certification Report for SUSE Linux Enterprise Server 9 |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20150923205652/http://www.commoncriteriaportal.org/files/epfiles/0256a.pdf |archive-date=2015-09-23 |url-status=dead }}</ref> [[SUSE Linux Enterprise Server|SUSE Linux Enterprise Server 10]],<ref>{{Cite web |url=http://www.niap-ccevs.org/cc-scheme/st/?vid=10271 |title=SUSE Linux Enterprise Server 10 EAL4 Certificate |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20080522040250/http://www.niap-ccevs.org/cc-scheme/st/?vid=10271 |archive-date=2008-05-22 |url-status=dead }}</ref>  [[Red Hat Enterprise Linux|Red Hat Enterprise Linux 5]],<ref>{{Cite web |url=http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 |title=Red Hat Enterprise Linux Version 5 EAL4 Certificate |access-date=2007-06-16 |archive-url=https://web.archive.org/web/20070619182212/http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 |archive-date=2007-06-19 |url-status=dead }}</ref><ref>{{Cite web|url=https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Release_Notes/security.html|title = Red Hat Customer Portal}}</ref> [[Windows 2000]] Service Pack 3, [[Windows 2003]],<ref name="OSEvaluations" /><ref name="2003EAL4+">[http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx#Microsoft Windows Platform Products Awarded Common Criteria EAL 4 Certification] {{webarchive|url=https://web.archive.org/web/20060420052906/http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx |date=2006-04-20 }}</ref> [[Windows XP]],<ref name="OSEvaluations" /><ref name="2003EAL4+" /> [[Windows Vista]],<ref>{{cite web|last=Myers|first=Tim|title=Windows Vista and Windows Server 2008 are Common Criteria Certified at EAL4+|url=http://blogs.msdn.com/b/timmyers/archive/2009/09/23/windows-vista-and-windows-server-2008-are-common-criteria-certified-at-eal4.aspx|publisher=Microsoft|access-date=May 15, 2013}}</ref><ref>{{cite web|title=National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme|url=http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf|access-date=May 15, 2013|archive-url=https://web.archive.org/web/20140327144626/http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf|archive-date=March 27, 2014|url-status=dead}}</ref> 
[[Windows 7]],<ref name="OSEvaluations" /><ref name="2008R2EAL4+">[https://technet.microsoft.com/en-us/library/dd229319.aspx Microsoft Windows 7, Windows Server 2008 R2 and SQL Server 2008 SP2 Now Certified as Common Criteria Validated Products]</ref> [[Windows Server 2008 R2]],<ref name="OSEvaluations" /><ref name="2008R2EAL4+" /> [[z/OS]] version 2.1 and [[z/VM]] version 6.3.<ref name="OSEvaluations" />

Operating systems that provide [[multilevel security]] are evaluated at a minimum of EAL4. Examples with active Certificate include [[SUSE LINUX Enterprise Server|SUSE Linux Enterprise Server 15]] (EAL 4+).<ref>{{cite web |title=SUSE Linux Enterprise Server 15 SP2 |url=https://www.commoncriteriaportal.org/files/epfiles/1151c_pdf.pdf |website=Common Criteria Portal |access-date=9 September 2022}}</ref> Examples with expired Certificate are [[Trusted Solaris]], [[Solaris 10|Solaris 10 Release 11/06 Trusted Extensions]],<ref>[http://www.oracle.com/technetwork/topics/security/solaris-10-tx-cr-v1-134034.pdf Solaris 10 Release 11/06 Trusted Extensions EAL 4+ Certification Report]</ref> an early version of the [[XTS-400]], [[VMware ESXi]] version 4.1,<ref name="VMware Infrastructure Earns Security Certification for Stringent Government Standards">{{Cite web|url=https://www.vmware.com/security/certifications/common-criteria.html|title=VMware Common Criteria Evaluation & Validation (CCEVS)|access-date=2019-01-27}}</ref> 3.5, 4.0, AIX 4.3, AIX 5L, AIX 6, AIX7, Red Hat 6.2 & SUSE Linux Enterprise Server 11 (EAL 4+).  vSphere 5.5 Update 2 did not achieve EAL4+ level it was an EAL2+ and certified on June 30, 2015.