Common Criteria for Ubuntu

Common Criteria for Ubuntu

Common Criteria for Information Technology Security Evaluation (CC) is an international standard. The CC provides a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation.

The evaluation process establishes a level of confidence that the security functionality of these IT products and the assurance measures applied to these IT products meet these requirements:

Common Criteria for Information Technology Security Evaluation, April 2017 https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

Certification Information

Common criteria evaluated configuration is currently available for Ubuntu 16.04.4 LTS (Server) and Ubuntu 18.04.4 LTS (Server).

Architectures Certified

  • amd64
  • s390x
  • ppc64el - 16.04 only

Platform Models Certified

  • Supermicro SYS-5018R-WR
  • IBM z13 (running on LPAR)
  • IBM Power System S822L (PowerNV 8247-22L) - 16.04 only
  • IBM Power System S822LC (PowerNV 8001-22C) - 16.04 only
  • IBM Power System S822LC (PowerNV 8335-GTB) - 16.04 only

Obtaining Common Criteria EAL2 Configuration

Canonical has packaged the scripts and guidelines required to put a system into the Common Criteria EAL2 configuration. This package is available in a private Launchpad PPA and is signed with a unique OpenPGP key to ensure authenticity. This package is available to customers who have purchased qualifying Ubuntu Advantage products.

To access the Common Criteria EAL2 package,you will need to request access to the Common Criteria EAL2 PPA from Canonical. You will be notified once your access has been granted, after which you can obtain your PPA credentials from Launchpad as follows:

  1. Click this link to view your Private PPA subscriptions
  2. Under Archive locate the Common Criteria EAL2 (ppa:ubuntu-advantage/commoncriteria) line and click View on the right
  3. Locate the line starting with deb https://<your-launchpad-id>:<PPA-password>@, where <your-launchpad-id>:<PPA-password> represent your personal Launchpad username and the encoded password created for this PPA.
  4. Select and copy the portion comprising of <your-launchpad-id>:<PPA-password>

Installing the ubuntu-commoncriteria package

The scripts, packages, and documentation needed to setup a system into the certified Common Criteria EAL2 configuration are packaged into the ubuntu-commoncriteria package. This package contains:

  • Ubuntu-16.04-Common-Criteria.tar.gz or Ubuntu-18.04-Common-Criteria.tar.gz - a tarball containing:
    • A mirror of the additional Ubuntu 16.04.4 or Ubuntu 18.04.4 packages required for the evaluated configuration. These packages are not available on the Ubuntu 16.04.4 LTS (Server) ISO or 18.04.4 LTS (Server) ISO.
    • An OpenPGP key to install from the mirror.
    • Post-install scripts that will configure the system into the evaluated configuration.
  • Configure-Ubuntu-16.04-Common-Criteria.sh or Configure-Ubuntu-18.04-Common-Criteria.sh, the main script. This script will check the system for pre-reqs, unpack the tarball, install the OpenPGP key, install the additional software packages, and run the post-install scripts. It will log its progress, command output, and any error messages to /var/log/CC-EAL2-Ubuntu-16.04.4_.log or /var/log/CC-EAL2-Ubuntu-18.04.4_.log
  • Evaluated Configuration Guide that describes how to install and setup the evaluated configuration. It also provides information to ensure secure operation of the system once setup.
  • README

For a system to be put into the Common Criteria EAL2 evaluated configuration it needs to be disconnected from any hostile networks. Therefore the ubuntu-commoncriteria package should be installed on another system that is connected to the internet. This system will be referred to as the “hosting” system. The tarball and main script required to setup the evaluated configuration will then need to be securely copied to the system which should be in the evaluated configuration. This system will be referred to as the Target of Evaluation, or “TOE”.

There are two methods for installing the ubuntu-commoncriteria package. It can be installed using the ubuntu-advantage-tools package available from the Ubuntu Repositories or it can be manually installed and configured. (Currently only the manual installation method is available.)

Automated installation

  1. Ensure that the ubuntu-advantage-tools package is up to datesudo apt update && sudo apt install ubuntu-advantage-tools
  2. Enable CC provisioning via the ubuntu-advantage scriptsudo ubuntu-advantage enable-cc-provisioning <your-launchpad-id>:<PPA-password>
  3. Proceed to Configuring the TOE into the Evaluated Configuration

Manual installation

Setting up the Common Criteria EAL2 repository

  1. Add the unique PPA PGP key onto the system.sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
  2. Add the commoncriteria PPA repository to the system that ubuntu-commoncriteria package will be installed on. The following command is a single line.sudo add-apt-repository -u 'deb https://<your-launchpad-id>:<PPA-password>@private-ppa.launchpad.net/ubuntu-advantage/commoncriteria/ubuntu xenial main'
  3. Install the ubuntu-commoncriteria package onto the “hosting” system.sudo apt install ubuntu-commoncriteria
  4. Proceed to Configuring the TOE into the Evaluated Configuration

Configuring the TOE into the Evaluated Configuration

  1. On the TOE create a directory “cc-dir”.mkdir cc-dir
  2. Switch to the directory.cd cc-dir
  3. Transfer the main script and the tarball in a secure manner to the TOE, into the newly created directory. Depending on your site’s policy, this can be done with a USB stick or DVD. If the TOE is connected to an administrative LAN, scp can be used.
  4. Run the main script. This script will configure the system to ensure it’s compliant with Common Criteria EAL2. Note: The following command is a single line.sudo ./Configure-Ubuntu-16.04-Common-Criteria.sh Ubuntu-16.04-Common-Criteria.tar.gz
  5. The main script starts by telling you the location of the log file and prompts to determine whether to proceed. Answer yes to continue.
Log file: /var/log/CC-EAL2-Ubuntu-16.04.4\_20180703164952.log
Do you want to proceed? \[N/y\] y
Checking system...
Decompressing tarball...
Checking tarball contents...
Installing PPA key...
Adding temporary APT repository...
Running apt-get update...
Checking for installed packages...
Installing additional packages...
Removing non-compliant packages...
Removing "unattended-upgrades"...
Removing "apport-symptoms"...
Running post installation scripts...
Running post-install script, setumask...
Running post-install script, config-fstab...
Running post-install script, config-auditd...
Running post-install script, config-bootloader...
Running post-install script, config-sshd...
Running post-install script, config-modprobe...
Running post-install script, config-libvirt...
Running post-install script, config-qemu...
Running post-install script, config-apparmor...
Running post-install script, config-pam...
Running post-install script, screen...
Running post-install script, permissions...
Running post-install script, config-alias...
Running post-install script, config-hold-packages...
Common Criteria EAL2 configuration has successfully completed.
The system must reboot for the configuration to take effect.
Reboot the system now? \[N/y\] y
Rebooting...
  1. Answer yes to reboot the system. The system must be rebooted for the evaluated configuration to take effect. Not re-booting could leave the system in an undefined stated.

Note:

The config-bootloader script configures the bootloader for the FIPS kernel module. The system requires a reboot for FIPS mode to become effective.

The config-hold-packages script calls “apt-mark hold” for the specific Ubuntu packages containing security functions relevant to the evaluated configuration. Since the versions of these security functions were part of the certified evaluation, they must not be updated. The apt-mark hold will prevent the packages that contain the security functions from being updated via an automated update.