Canonical
on 26 September 2018

Canonical’s Current Security Certifications


Canonical has entered the security certifications space by achieving a few important security certifications for the first time on Ubuntu.

Canonical has achieved FIPS 140-2 Level 1 certification for several cryptographic modules on Ubuntu 16.04. Canonical has also achieved Common Criteria EAL2 certification for Ubuntu 16.04. In addition, the Defense Information Systems Agency (DISA) has published a Security Technical Implementation Guide (STIG) for Ubuntu 16.04, allowing Ubuntu to be used by Federal agencies. The Center for Internet Security (CIS) has also been publishing benchmarks for Ubuntu, which harden the configuration of Ubuntu systems to make them more secure.

Canonical has made its security certification offerings available to all Ubuntu Advantage “Server Advanced” customers.

FIPS 140-2

FIPS 140-2 is a US government computer security standard. It defines security requirements related to the design and implementation of a cryptographic module. U.S. Federal agencies are required to use FIPS 140-2 validated cryptography to protect sensitive information. The standard puts stringent requirements on testing and ensuring that the cryptographic implementations meet the standard and work as expected. The testing and validation must be performed by a laboratory that is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST’s National Voluntary Laboratory Accreditation Program (NVLAP). The validation testing for Ubuntu 16.04 was performed by atsec Information Security, a U.S. government- and BSI-accredited laboratory.

Anyone deploying systems for U.S. Federal government use, including cloud services, is required to use FIPS 140-2 compliant systems. FIPS 140-2 is also commonly used outside of the US Federal space. It has been adopted in regulated industries such as finance, healthcare, legal and manufacturing, and a few others where there are Federal regulations on data security.

Canonical has validated the following cryptographic modules for Ubuntu 16.04:

OpenSSH Client: Level 1, validated May 2017 (certificate #2907)
OpenSSH Server: Level 1, validated May 2017 (certificate #2906)
OpenSSL: Level 1, validated April 2017 (certificate #2888)
Kernel Crypto API: Level 1, validated July 2017 (certificate #2962)
strongSwan: Level 1, validated July 2017 (certificate #2978)

The modules are certified on Intel x86_64, IBM Power8 and IBM Z hardware platforms.

Common Criteria

Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification. It validates that a product satisfies a defined set of security requirements. Ubuntu 16.04 has been evaluated to assurance level EAL2 through CSEC, the Swedish Certification Body for IT Security. The consulting and evaluation were performed by atsec Information Security. The certification report is available on the CSEC website.

Common Criteria is an internationally recognized set of standards used by Federal agencies, financial institutions and many other organizations dealing with sensitive data. The evaluation was performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms.

STIG

Security Technical Implementation Guides (STIGs) are developed by the Defense Information Systems Agency (DISA) for the US Department of Defense (DoD). They are configuration guidelines for hardening systems to improve security. They contain technical guidance which, when implemented, locks down software and systems to mitigate malicious attacks.

DISA, in conjunction with Canonical, has developed a STIG for Ubuntu 16.04 and published it on their website here.

CIS Benchmark

The Center for Internet Security (CIS) is a non-profit organization that uses a consensus process to release benchmarks that safeguard organizations against cyber attacks. Each benchmark contains configuration checklists for hardening a system, making it less vulnerable to malicious attacks. The consensus review process draws on subject matter experts who provide perspectives from different backgrounds, such as audit and compliance, security research, consulting and software development. Each benchmark undergoes two phases of consensus review. In the first phase, a benchmark is drafted with the help of subject matter experts and an initial version of the benchmark is published. In the second phase, feedback from the wider internet community is reviewed and incorporated into the benchmark. Canonical has actively participated in the drafting of the Ubuntu 16.04 and Ubuntu 18.04 benchmarks. CIS has also published benchmarks for the Ubuntu 12.04 and 14.04 releases. The Ubuntu benchmarks can be downloaded from their website.

Register for our upcoming webinar to discover more about Canonical and Ubuntu’s security certifications.


This article was written by Vineetha Kamath. The original article can be found here.
