SUSE
®Linux Enterprise 12
Security Certifications
Common Criteria, FIPS, PCI DSS, DISA STIG, ...
What's All This About?
Thomas Biege
Team Lead Maintenance/Security [email protected]
2
Evaluation – Validation – Certification
Certification
Evaluation
Examine claims
made about a
target. “Claims” do
not need to be
based on standards.
Compare behavior
of the software /
module against an
existing standard or
expected behavior.
Validation
Security Certifications that matter
Common Criteria
• ISO/IEC 15408 (ITSEC, CTCPEC, TCSEC)
• Accepted by 26 countries
• Tested and verified by independent 3rd party (the evaluator), at different Evaluation Assurance Levels
• Certificate created by government agency
• Includes development processes, IT infrastructure, physical security, and HR procedures
“How can I be sure to get the security functions I need?”
6
FIPS 140-2
• Federal Information Processing Standard (FIPS)
‒ FISMA, NIST SP 800, FedGov, financial industry
‒ Certificate is issued by NIST (US) and CSE (Canada)
• FIPS 140-2 ensures that
‒ Crypto algorithms/modes follow the newest standard
‒ No obvious crypto weakness exists
‒ No outdated algorithms or too short keys are used
‒ Self tests and integrity checks with each invocation of CM
“How can I be sure my ciphers are correct and up-to-date?”
DISA STIG
• DISA = Defense Information Systems Agency
• STIG = Security Technical Implementation Guides
• Secure configuration guides for military field users
• Mandatory requirement
• US DoD customers through DISA
“How can I lockdown my system to make it less vulnerable?”
8
PCI DSS (Payment Card Industry)
• Conformance Certification for a customers environment
• Covers more than the Operating System
→ an Operating System cannot be PCI DSS “certified”
• SUSE Linux Enterprise Server can be configured and deployed to fulfill PCI DSS requirements
BSI IT Grundschutz (IT baseline
protection)
• ISO/IEC 27001
• Information Security Management System (ISMS)
• Business Continuity Management (BCM)
• Certification of customers' environment
• Covers more than the Operating System
→ an Operating System cannot be ITGS “certified”
• Requires Common Criteria for higher security levels
• SLES can be configured to comply with required measurements
SUSE Linux Enterprise 12
Security Certifications Summary
Common Criteria Certification
• Certification Body:
• Evaluation Lab:
• Target of Evaluation (TOE): SLES12
• Protection Profile: OSPP 2.0 (including advanced management, advanced audit, and virtualization)
• With augmentation for Flaw Remediation (FLR)
• EAL4, with mutual recognition!
12
Common Criteria Certification
• Architectures
‒ x86-64 (Intel and AMD)
‒ s390x
• Virtualization with KVM
• First time SELinux is used to separate VMs
• With btrfs and full system rollback...
• … or with full disk encryption
• Audit, IPSec, SSH, ...
• Installation via a special ISO (also contains FIPS modules)
FIPS 140-2
Architectures
‒ x86-64
‒ other architectures might follow
Modules
1. Kernel 2. OpenSSL 3. libgcrypt
4. OpenSSH Client 5. OpenSSH Server
6. NSS (Level 2, depends on CC) 7. StrongSWAN (IPSec)
8. (Disk encryption)
14
FIPS 140-2 Status according to NIST
Module Name Vendor Name IUT In Review Coordination Finalization
SUSE Mozilla-NSS SUSE LLC
SUSE LLC
SUSE LLC Certificate received (#2464)
SUSE LLC
SUSE LLC
SUSE LLC
SUSE LLC Certificate received (#2435)
Review Pending
SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module
SUSE Linux Enterprise Server 12 libgcrypt Cryptographic Module
SUSE Linux Enterprise Server 12 - OpenSSH Server Module
SUSE Linux Enterprise Server 12 - OpenSSH Client Module
SUSE Linux Enterprise Server 12 - Kernel Crypto API Cryptographic Module version 1.0 SUSE Linux Enterprise Server 12 OpenSSL Module
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf (2015-10-30)
Dependencies of FIPS CSMs
openssl
libgcrypt NSS
CC EAL4+
kernel Crypto API
FIPS 140-2 Level 2 requires an OS with CC EAL2, at least openssh
server openssh client
strongswan IKE v1/v2
EDC
dm_crypt
cryptsetup PBKDF
PBKDF crypto
algos
initialize IPSec
initialize block ciphers
in SUSE Linux Enterprise 12
16
DISA STIG
• SUSE is currently developing STIGs based on:
‒ General Purpose Operating System SRG
‒ Web Server SRG
‒ Project officially started with US Gov in June 2015
• Further development may cover:
‒ matching SCAP / OVAL content for automation
‒ cooperation with technology partners and community
‒ further roles / SRGs based on demand
PCI DSS (Payment Card Industry)
• Covers more than the Operating System
→ an Operating System cannot be PCI DSS “certified”
• SUSE Linux Enterprise Server can be configured and deployed to fulfill PCI DSS requirements
• We provide consulting
• NEW: How-to guide for SLES12 is in preparation
18
Dependencies of Certifications
Common Criteria (Security) FIPS 140-2
(Crypto)
ARCH¹ RNG² STIG DISA
US-Mil
PCI DSS Finance
BSI IT
Grundschutz DE-Gov
¹ ARCH = Security Architecture Document
² RNG = Random Number Generator
When will certifications be available?
• FIPS 140-2
‒ openssl Cert#2435 received this August
‒ libgcrypt Cert#2464 received this October
‒ waiting on CMVP only now
• Common Criteria
‒ Q1 2016 (est.)
• DISA STIG
‒ Q1 CY 2016 (est.)
• PCI DSS Guide
‒ H1 CY 2016 (est.)
20
Thank you.
22
Your Questions!
Corporate Headquarters Maxfeldstrasse 5
90409 Nuremberg Germany
+49 911 740 53 0 (Worldwide) www.suse.com
Join us on:
www.opensuse.org
Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC.
Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole
discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
