Canonical has entered the security certifications space by achieving a few important security certifications for the first time on Ubuntu.
Canonical has achieved FIPS 140-2 Level 1 certification for several cryptographic modules on Ubuntu 16.04. Canonical has also achieved Common Criteria EAL2 certification for Ubuntu 16.04. In addition, Defense Information System Agency (DISA) has published Ubuntu 16.04 Security Technical Implementation Guide (STIG) allowing Ubuntu for use by Federal agencies. Center for Internet Security (CIS) has also been publishing benchmarks for Ubuntu which hardens the configuration of Ubuntu systems to make them more secure.
Canonical has made its security certification offerings available to all Ubuntu Advantage “Server Advanced” customers.
FIPS 140-2 is a US government computer security standard. It defines security requirements related to the design and implementation of a cryptographic module. It is a requirement for U.S Federal agencies to use FIPS 140-2 validated cryptography to protect sensitive information. The standard puts stringent requirements on testing and ensuring that the cryptographic implementations meet the standards and work as expected. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST’s National Voluntary Laboratory Accreditation Program (NVLAP). The validation testing for Ubuntu 16.04 was performed by atsec Information Security, a U.S. Govt and BSI accredited laboratory.
Anyone deploying systems for U.S. Federal government use including the cloud services are required to use FIPS 140-2 compliant systems. FIPS 140-2 is also used commonly outside of US Federal space. It has been adopted in regulated industries like finance, healthcare, legal and manufacturing and few others where there are Federal regulations on data security.
Canonical has validated the following cryptographic modules for Ubuntu 16.04:
OpenSSH-Client validated level 1 May 2017 (#2907)
OpenSSH-Server validated level 1 May 2017 (#2906)
OpenSSL validated level 1 April 2017 (#2888)
Kernel Crypto API validated level 1 July 2017 (#2962)
Strongswan validated level 1 July 2017 (#2978)
The modules are certified on amd64, IBM power8 and IBM s390 hardware platforms.
Common Criteria (CC) for Information Technology Security Evaluation is an international standard ISO/IEC IS 15408 for Computer security certification. It validates that a product satisfies a defined set of security requirements. Ubuntu 16.04 has been evaluated to assurance level EAL2 through CSEC – The Swedish Certification Body for IT Security. The consulting and evaluation was performed by atsec Information Security. The certification report is available on the CSEC website for more information.
Common Criteria is an internationally recognized set of standards used by Federal agencies, financial institutions and many other organizations dealing with sensitive data. The evaluation was performed on amd64, IBM power8 and IBM s390 hardware platforms.
Security Technical Implementation Guides (STIG) are developed by Defense Information System Agency (DISA) for the US Depart of Defense (DoD). They are configuration guidelines for hardening systems to improve security. They contain technical guidance which when implemented, locks down software and systems to mitigate malicious attacks.
DISA has in conjunction with Canonical developed a STIG for Ubuntu 16.04, and published it on their website here.
Center for Internet Security (CIS) is a non-profit organization that uses a consensus process to release benchmarks to safeguard organizations against cyber attacks. The benchmark contains configuration checklists to harden a system making it less vulnerable to malicious attacks. The consensus review process consists of subject matter experts who provide perspective on different backgrounds like audit and compliance, security research, consulting and software development. Each benchmark undergoes two phases of consensus review. In the first phase, a benchmark is drafted with the help of subject matter experts and a initial version of the benchmark is published. In the second phase, feedback from the wider internet community is reviewed and incorporated into the benchmark. Canonical has actively participated in the drafting of Ubuntu 16.04 and Ubuntu 18.04 benchmarks. CIS has also published benchmarks for Ubuntu 12.04 and 14.04 releases. The Ubuntu benchmarks can be downloaded from their website.