Canonical has received Common Criteria EAL2 certification. The evaluation covers a fresh install of Ubuntu 16.04.4 LTS on one of the supported platforms listed in the certification report.

Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC IS 15408) for Computer security certification. It provides an assurance that a product satisfies a defined set of security requirements. The security requirements for the evaluation are specified in the Security Target. The certification is based on the Operating System Protection Profile (OSPP) together with an extended requirement for virtualization. The evaluation was obtained through CSEC – The Swedish Certification Body for IT Security. The consulting for the evaluation was performed by atsec Information Security, a U.S. Govt and BSI accredited laboratory. The certification report is available on the CSEC website for more information.

Canonical has obtained an EAL2 certification which is recognized in 30 countries who are members of CCRA. This is a mandatory requirement for Government usage and also in financial institutions and organizations dealing with sensitive data.  

How to Obtain Ubuntu Common Criteria certified configuration?

CC configuration requires a specific set of software and hardware that was used in the certification. The software bits that would put a system in evaluated configuration are available to Ubuntu Advanced  customers. This includes utilities to make the EAL2 configuration changes, additional packages, and the Evaluated Configuration Guide. The Evaluated Configuration Guide is a security guide that explains how to set up the evaluated configuration, and provides information to administrators and ordinary users to ensure secure operation of the system.

After a fresh install of Ubuntu 16.04.4 LTS server following the instructions in the evaluated configuration guide,  the additional software bits are executed to put the system into the EAL2 configuration. The EAL2 configuration includes the Ubuntu FIPS packages offering stronger cryptography.

Please contact a Canonical sales representative for details.

Canonical has entered the security certifications space by achieving a few important security certifications for the first time on Ubuntu.

Canonical has achieved  FIPS 140-2 Level 1 certification for several cryptographic modules on Ubuntu 16.04. Canonical has also achieved Common Criteria EAL2 certification for Ubuntu 16.04. In addition, Defense Information System Agency (DISA) has published Ubuntu 16.04 Security Technical Implementation Guide (STIG) allowing Ubuntu for use by Federal agencies. Center for Internet Security (CIS) has also been publishing benchmarks for Ubuntu which hardens the configuration of Ubuntu systems to make them more secure.

Canonical has made its security certification offerings available to all Ubuntu Advantage “Server Advanced” customers.

FIPS 140-2

FIPS 140-2 is a US government computer security standard. It defines security requirements related to the design and implementation of a cryptographic module. It is a requirement for U.S Federal agencies to use FIPS 140-2 validated cryptography to protect sensitive information. The standard puts stringent requirements on testing and ensuring that the cryptographic implementations meet the standards and work as expected. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST’s National Voluntary Laboratory Accreditation Program (NVLAP). The validation testing for Ubuntu 16.04 was performed by atsec Information Security, a U.S. Govt and BSI accredited laboratory.

Anyone deploying systems for U.S. Federal government use including the cloud services are required to use FIPS 140-2 compliant systems. FIPS 140-2 is also used commonly outside of US Federal space. It has been adopted in regulated industries like finance, healthcare, legal and manufacturing and few others where there are Federal regulations on data security.

Canonical has validated the following cryptographic modules for Ubuntu 16.04:

• OpenSSH-Client validated level 1 May 2017 (#2907)
• OpenSSH-Server validated level 1 May 2017 (#2906)
• OpenSSL validated level 1 April 2017 (#2888)
• Kernel Crypto API validated level 1 July 2017 (#2962)
• Strongswan validated level 1 July 2017 (#2978)

The modules are certified on Intel x86_64, IBM Power8 and IBM Z hardware platforms.

Common Criteria

Common Criteria (CC) for Information Technology Security Evaluation is an international standard ISO/IEC IS 15408 for Computer security certification. It validates that a product satisfies a defined set of security requirements. Ubuntu 16.04 has been evaluated to assurance level EAL2 through CSEC – The Swedish Certification Body for IT Security. The consulting and evaluation was performed by atsec Information Security. The certification report is available on the CSEC website for more information.

Common Criteria is an internationally recognized set of standards used by Federal agencies, financial institutions and many other organizations dealing with sensitive data. The evaluation was performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.

STIG

Security Technical Implementation Guides (STIG) are developed by Defense Information System Agency (DISA) for the US Department of Defense (DoD). They are configuration guidelines for hardening systems to improve security. They contain technical guidance which when implemented, locks down software and systems to mitigate malicious attacks.

DISA has in conjunction with Canonical developed a STIG for Ubuntu 16.04, and published it on their website here.

CIS Benchmark

Center for Internet Security (CIS) is a non-profit organization that uses a consensus process to release benchmarks to safeguard organizations against cyber attacks. The benchmark contains configuration checklists to harden a system making it less vulnerable to malicious attacks. The consensus review process consists of subject matter experts who provide perspective on different backgrounds like audit and compliance, security research, consulting and software development. Each benchmark undergoes two phases of consensus review. In the first phase, a benchmark is drafted with the help of subject matter experts and a initial version of the benchmark is published. In the second phase, feedback from the wider internet community is reviewed and incorporated into the benchmark.  Canonical has actively participated in the drafting of Ubuntu 16.04 and Ubuntu 18.04 benchmarks. CIS has also published benchmarks for Ubuntu 12.04 and 14.04 releases. The Ubuntu benchmarks can be downloaded from their website.

Thanks for joining me!

Good company in a journey makes the way seem shorter. — Izaak Walton