SUSE® Linux Enterprise 12 Security CertificationsCommon Criteria, FIPS, PCI DSS, DISA STIG, ... What's All This About?

Thomas BiegeTeam Lead Maintenance/Security

thomas@suse.com

2

3

Evaluation – Validation – Certification

Certification

Evaluation

Examine claims made about a target. “Claims” do not need to be based on standards.

Compare behavior of the software / module against an existing standard or expected behavior.

Validation

Security Certifications that matter

5

Common Criteria

• ISO/IEC 15408 (ITSEC, CTCPEC, TCSEC)

• Accepted by 26 countries

• Tested and verified by independent 3rd party (the

evaluator), at different Evaluation Assurance Levels

• Certificate created by government agency

• Includes development processes, IT infrastructure,

physical security, and HR procedures

“How can I be sure to get the security functionsI need?”

6

FIPS 140-2

• Federal Information Processing Standard (FIPS)

‒ FISMA, NIST SP 800, FedGov, financial industry

‒ Certificate is issued by NIST (US) and CSE (Canada)

• FIPS 140-2 ensures that

‒ Crypto algorithms/modes follow the newest standard

‒ No obvious crypto weakness exists

‒ No outdated algorithms or too short keys are used

‒ Self tests and integrity checks with each invocation of CM

“How can I be sure my ciphers are correctand up-to-date?”

7

DISA STIG

• DISA = Defense Information Systems Agency

• STIG = Security Technical Implementation Guides

• Secure configuration guides for military field users

• Mandatory requirement

• US DoD customers through DISA

“How can I lockdown my system tomake it less vulnerable?”

8

PCI DSS (Payment Card Industry)

• Conformance Certification for a customers

environment

• Covers more than the Operating System

→ an Operating System cannot be PCI DSS “certified”

• SUSE Linux Enterprise Server can be configured and

deployed to fulfill PCI DSS requirements

9

BSI IT Grundschutz (IT baseline protection)

• ISO/IEC 27001

• Information Security Management System (ISMS)

• Business Continuity Management (BCM)

• Certification of customers' environment

• Covers more than the Operating System

→ an Operating System cannot be ITGS “certified”

• Requires Common Criteria for higher security levels

• SLES can be configured to comply with required

measurements

SUSE Linux Enterprise 12Security Certifications Summary

11

Common Criteria Certification

• Certification Body:

• Evaluation Lab:

• Target of Evaluation (TOE): SLES12

• Protection Profile: OSPP 2.0 (including advanced

management, advanced audit, and virtualization)

• With augmentation for Flaw Remediation (FLR)

• EAL4, with mutual recognition!

12

Common Criteria Certification

• Architectures‒ x86-64 (Intel and AMD)‒ s390x

• Virtualization with KVM

• First time SELinux is used to separate VMs

• With btrfs and full system rollback...

• … or with full disk encryption

• Audit, IPSec, SSH, ...

• Installation via a special ISO (also contains FIPS

modules)

13

FIPS 140-2

Architectures‒ x86-64‒ other architectures might follow

Modules1. Kernel2. OpenSSL3. libgcrypt4. OpenSSH Client5. OpenSSH Server6. NSS (Level 2, depends on CC)7. StrongSWAN (IPSec)8. (Disk encryption)

14

FIPS 140-2 Status according to NIST

Module Name Vendor Name IUT In Review Coordination Finalization

SUSE Mozilla-NSS SUSE LLC

SUSE LLC

SUSE LLC Certificate received (#2464)

SUSE LLC

SUSE LLC

SUSE LLC

SUSE LLC Certificate received (#2435)

Review Pending

SUSE Linux Enterprise Server 12 - StrongSwan Cryptographic Module

SUSE Linux Enterprise Server 12 libgcrypt Cryptographic Module

SUSE Linux Enterprise Server 12 - OpenSSH Server Module

SUSE Linux Enterprise Server 12 - OpenSSH Client Module

SUSE Linux Enterprise Server 12 - Kernel Crypto API Cryptographic Module version 1.0

SUSE Linux Enterprise Server 12 OpenSSL Module

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf (2015-10-30)

15

Dependencies of FIPS CSMs

openssllibgcrypt NSS

CC EAL4+

kernelCrypto

API

FIPS 140-2 Level 2 requires an OS with CC EAL2, at least

opensshserver

opensshclient

strongswan

IKE v1/v2

EDC

dm_cryptcryptsetup PBKDF

PBKDFcryptoalgos

initializeIPSec

initialize block ciphers

in SUSE Linux Enterprise 12

16

DISA STIG

• SUSE is currently developing STIGs based on:

‒ General Purpose Operating System SRG

‒ Web Server SRG

‒ Project officially started with US Gov in June 2015

• Further development may cover:

‒ matching SCAP / OVAL content for automation

‒ cooperation with technology partners and community

‒ further roles / SRGs based on demand

17

PCI DSS (Payment Card Industry)

• Covers more than the Operating System→ an Operating System cannot be PCI DSS “certified”

• SUSE Linux Enterprise Server can be configured and deployed to fulfill PCI DSS requirements

• We provide consulting

• NEW: How-to guide for SLES12 is in preparation

18

Dependencies of Certifications

Common Criteria

(Security)

FIPS 140-2

(Crypto)

ARCH¹RNG²

STIG DISA

US-Mil

PCI DSS

Finance

BSI ITGrundschutz

DE-Gov

¹ ARCH = Security Architecture Document² RNG = Random Number Generator

19

When will certifications be available?

• FIPS 140-2‒ openssl Cert#2435 received this August‒ libgcrypt Cert#2464 received this October‒ waiting on CMVP only now

• Common Criteria‒ Q1 2016 (est.)

• DISA STIG‒ Q1 CY 2016 (est.)

• PCI DSS Guide‒ H1 CY 2016 (est.)

20

21

Thank you.

22

Your Questions!

Corporate HeadquartersMaxfeldstrasse 590409 NurembergGermany

+49 911 740 53 0 (Worldwide)www.suse.com

Join us on:www.opensuse.org

23

Unpublished Work of SUSE LLC. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.