SUSE Linux Enterprise 12 Security Certifications




SUSE Linux Enterprise 12 Security Certifications
Common Criteria, FIPS, PCI DSS, DISA STIG, ... What's All This About?
Thomas Biege, Team Lead Maintenance/Security, thomas@suse.com


Evaluation, Validation, Certification
- Validation: compare the behavior of the software / module against an existing standard or expected behavior.
- Evaluation: examine claims made about a target. Claims do not need to be based on standards.
- Certification

Security Certifications that matter

Common Criteria
How can I be sure to get the security functions I need?
- ISO/IEC 15408 (ITSEC, CTCPEC, TCSEC)
- Accepted by 26 countries
- Tested and verified by an independent 3rd party (the evaluator), at different Evaluation Assurance Levels
- Certificate created by a government agency
- Includes development processes, IT infrastructure, physical security, and HR procedures

FIPS 140-2
How can I be sure my ciphers are correct and up-to-date?
- Federal Information Processing Standard (FIPS)
- FISMA, NIST SP 800, FedGov, financial industry
- Certificate is issued by NIST (US) and CSE (Canada)
- FIPS 140-2 ensures that:
  - crypto algorithms/modes follow the newest standard
  - no obvious crypto weakness exists
  - no outdated algorithms or too-short keys are used
  - self tests and integrity checks run with each invocation of the cryptographic module (CM)

DISA STIG
How can I lock down my system to make it less vulnerable?
- DISA = Defense Information Systems Agency
- STIG = Security Technical Implementation Guides
- Secure configuration guides for military field users
- Mandatory requirement for US DoD customers, through DISA

PCI DSS (Payment Card Industry)
- Conformance certification for a customer's environment
- Covers more than the Operating System: an Operating System cannot be PCI DSS certified
- SUSE Linux Enterprise Server can be configured and deployed to fulfill PCI DSS requirements

BSI IT Grundschutz (IT baseline protection)
- ISO/IEC 27001
- Information Security Management System (ISMS)
- Business Continuity Management (BCM)
- Certification of the customer's environment
- Covers more than the Operating System: an Operating System cannot be ITGS certified
- Requires Common Criteria for higher security levels
- SLES can be configured to comply with the required measures

SUSE Linux Enterprise 12 Security Certifications Summary

Common Criteria Certification
- Certification Body:
- Evaluation Lab:
- Target of Evaluation (TOE): SLES12
- Protection Profile: OSPP 2.0 (including advanced management, advanced audit, and virtualization), with augmentation for Flaw Remediation (FLR)
- EAL4, with mutual recognition!

Common Criteria Certification
- Architectures: x86-64 (Intel and AMD), s390x
- Virtualization with KVM: first time SELinux is used to separate VMs
- With btrfs and full system rollback... or with full disk encryption
- Audit, IPSec, SSH, ...
- Installation via a special ISO (also contains the FIPS modules)

FIPS 140-2
- Architectures: x86-64 (other architectures might follow)
- Modules:
  1. Kernel
  2. OpenSSL
  3. libgcrypt
  4. OpenSSH Client
  5. OpenSSH Server
  6. NSS (Level 2, depends on CC)
  7. StrongSWAN (IPSec)
  8. (Disk encryption)

FIPS 140-2 Status according to NIST
Source: CMVP "in process" list, http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140inprocess.pdf (2015-10-30). CMVP stages tracked in the list: IUT, Review Pending, In Review, Coordination, Finalization. For modules without a certificate, the exact stage is not legible in the transcription.

Module Name                                                                           Vendor Name   Status
SUSE Mozilla-NSS                                                                      SUSE LLC      in process
SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module                     SUSE LLC      in process
SUSE Linux Enterprise Server 12 libgcrypt Cryptographic Module                        SUSE LLC      Certificate received (#2464)
SUSE Linux Enterprise Server 12 - OpenSSH Server Module                               SUSE LLC      in process
SUSE Linux Enterprise Server 12 - OpenSSH Client Module                               SUSE LLC      in process
SUSE Linux Enterprise Server 12 - Kernel Crypto API Cryptographic Module version 1.0  SUSE LLC      in process
SUSE Linux Enterprise Server 12 OpenSSL Module                                        SUSE LLC      Certificate received (#2435)

Dependencies of FIPS CSMs in SUSE Linux Enterprise 12
(Dependency diagram; only its labels survive in the transcription, the edges do not.)
- Nodes: openssh server, openssh client, strongswan IKE v1/v2, EDC, libgcrypt, openssl, NSS, dm_crypt, cryptsetup, kernel Crypto API
- Edge labels: initialize IPSec, crypto algos, PBKDF (twice), initialize block ciphers
- Note: FIPS 140-2 Level 2 requires an OS with CC EAL2, at least CC EAL4+
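The deck stresses that the certified modules self-test and integrity-check themselves and that the kernel Crypto API sits underneath the other modules. As an added example (not from the SUSE deck), the POSIX shell check below tells an operator whether a SLES 12 host is actually running in FIPS mode or only asked for it. It assumes the standard Linux interfaces /proc/sys/crypto/fips_enabled and the fips=1 kernel parameter, and that the FIPS OpenSSL module refuses non-approved digests such as MD5; the file paths are parameters so the logic can be exercised on constructed inputs.

```shell
#!/bin/sh
# Added example, not from the SUSE deck. Reports whether a SLES 12 host is
# really in FIPS 140-2 mode, i.e. whether the kernel honoured fips=1 after
# its boot-time self tests and integrity checks.
# Assumed interfaces (standard Linux, not SUSE-specific):
#   /proc/sys/crypto/fips_enabled  - "1" when the kernel is in FIPS mode
#   /proc/cmdline                  - kernel command line (fips=1 requests it)

# fips_state [FIPS_ENABLED_FILE] [CMDLINE_FILE]
# Prints "enabled", "boot-flag-only" or "disabled".
# Return code: 0 = enabled, 1 = disabled, 2 = fips=1 requested but not active.
fips_state() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"

    flag=0
    if [ -r "$fips_file" ]; then
        flag=$(tr -d '[:space:]' < "$fips_file")
    fi

    boot_flag=no
    if [ -r "$cmdline_file" ] \
       && grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$cmdline_file"; then
        boot_flag=yes
    fi

    if [ "$flag" = "1" ]; then
        echo enabled
        return 0
    fi
    if [ "$boot_flag" = "yes" ]; then
        # fips=1 was requested but the kernel did not switch to FIPS mode
        # (for example because an integrity check failed): the host is NOT
        # in a certified configuration even though the boot loader says so.
        echo boot-flag-only
        return 2
    fi
    echo disabled
    return 1
}

# The FIPS OpenSSL module rejects non-approved digests, so a successful MD5
# run proves OpenSSL is not in FIPS mode.
# Return code: 0 = MD5 refused (FIPS mode), 1 = MD5 worked, 3 = no openssl.
openssl_fips_active() {
    command -v openssl >/dev/null 2>&1 || return 3
    printf 'probe' | openssl dgst -md5 >/dev/null 2>&1 && return 1
    return 0
}

# Live check of this host only when invoked as: sh fipscheck.sh --check
if [ "${1:-}" = "--check" ]; then
    printf 'kernel FIPS mode: %s\n' "$(fips_state)"
    openssl_fips_active; printf 'openssl FIPS mode check rc=%s\n' "$?"
fi
```

A "boot-flag-only" result is the case worth alerting on: the certified configuration was requested but is not in effect.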

DISA STIG
- SUSE is currently developing STIGs based on:
  - General Purpose Operating System SRG
  - Web Server SRG
- Project officially started with US Gov in June 2015
- Further development may cover:
  - matching SCAP / OVAL content for automation
  - cooperation with technology partners and community
  - further roles / SRGs based on demand

PCI DSS (Payment Card Industry)
- Covers more than the Operating System: an Operating System cannot be PCI DSS certified
- SUSE Linux Enterprise Server can be configured and deployed to fulfill PCI DSS requirements
- We provide consulting
- NEW: a how-to guide for SLES12 is in preparation

Dependencies of Certifications
(Dependency diagram; only its labels survive in the transcription, the edges do not.)
- STIG (DISA, US-Mil)
- PCI DSS (Finance)
- BSI IT Grundschutz (DE-Gov)
- FIPS 140-2 (Crypto), edge labels ARCH¹ and RNG²
- Common Criteria (Security)
¹ ARCH = Security Architecture Document
² RNG = Random Number Generator

When will certifications be available?
- FIPS 140-2:
  - openssl: Cert#2435 received this August
  - libgcrypt: Cert#2464 received this October
  - waiting on CMVP only now
- Common Criteria: Q1 2016 (est.)
- DISA STIG: Q1 CY 2016 (est.)
- PCI DSS Guide: H1 CY 2016 (est.)


Your Questions! Thank you.

Corporate Headquarters
Maxfeldstrasse 5
90409 Nuremberg
Germany
+49 911 740 53 0 (Worldwide)
www.suse.com
Join us on: www.opensuse.org

Unpublished Work of SUSE LLC. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.