Certification Report - Canonical Ubuntu Server 18.04 LTS

?rendetyp: 6

Diarienummer: 20FMV108-30:1 Dokument ID

SEKRETESS

Enligt offentlighets- och Sekretesslagen (2009:400)

2020-12-11

F?rsvarets materielverk Swedish Defence Material Administration

Enligt s?kerhetsskyddslagen (2018:585)

Swedish Certification Body for IT Security

Certification Report - Canonical Ubuntu Server 18.04 LTS

Issue: 1.0, 2020-Dec-11

Authorisation: Jerry Johansson, Lead Certifier , CSEC

Swedish Certification Body for IT Security Certification Report - Canonical Ubuntu Server 18.04 LTS

Table of Contents

1

Executive Summary

3

2

Identification

5

3

Security Policy

6

3.1

Auditing

6

3.2

Cryptographic Support

6

3.3

Packet Filter

6

3.4

Identification and Authentication

7

3.5

Discretionary Access Control

7

3.6

Authoritative Access Control

7

3.7

Virtual Machine Environments

7

3.8

Security Management

7

4

Assumptions and Clarification of Scope

8

4.1

Assumptions

8

4.2

Organizational Security Policies

9

4.3

Clarification of Scope

9

5

Architectural Information

11

6

Documentation

12

7

IT Product Testing

13

7.1

Developer Testing

13

7.2

Evaluator Testing

13

7.3

Penetration Testing

13

8

Evaluated Configuration

14

9

Results of the Evaluation

15

10

Evaluator Comments and Recommendations

16

11

Certifier Comments and Recommendations

17

12

Glossary

18

13

Bibliography

19

Appendix A Scheme Versions

20

A.1

Quality Management System

20

A.2

Scheme Notes

20

20FMV108-30:1

1.0

2020-12-11 2 (20)

Swedish Certification Body for IT Security Certification Report - Canonical Ubuntu Server 18.04 LTS

1

Executive Summary

The Target of Evaluation, TOE, is a Linux-based general-purpose operating system. The TOE also includes a virtualization environment based on the Linux KVM technology, where Ubuntu implements the host system for the virtual machine environment and management of the virtual machines. The TOE is intended to operate in a networked environment with other instantiations of the TOE as well as other wellbehaved peer systems operating within the same management domain.

The TOE has been evaluated on the following two hardware platforms:

- IBM s390x (z architecture mainframe) with IBM z14 processors

- Supermicro SYS-5018R-WR server with Xeon processor.

The TOE is delivered via download in the form of an ISO image. A SHA-256 checksum is calculated and signed, by several trusted entities within Canonical Group Limited, using a GPG signing key. These values are made publicly available and are to be used for verification of the TOE.

As the TOE is a general purpose operating system, there are many possible configurations and modifications that can be made in the Linux kernel. The evaluation only covers a subset of all possible operational modes of Ubuntu, which is described in chapter 8 Evaluated configuration.

The ST do not claim conformance to any protection profiles. The ST does however derive its security functional requirements from the Operating System Protection Profile v2.0 with the extended package for virtualization.

There are ten assumptions being made in the ST regarding the secure usage and environment of the TOE. The TOE relies on these to counter the eleven threats and comply with the four organisational security policies (OSPs) in the ST. The assumptions, the threats and the OSPs are described in chapter 4 Assumptions and Clarification of Scope.

The evaluation has been performed by atsec information security AB in their premises in Danderyd, Sweden, and to some extent in the approved foreign location in Austin, Texas, USA, and was completed on the 19th of November 2020.

The evaluation was conducted in accordance with the requirements of Common Criteria, version 3.1, release 5, and the Common Methodology for IT Security Evaluation, version 3.1, release 5. The evaluation was performed at the evaluation assurance level EAL 2, augmented by ALC_FLR.3 Systematic flaw remediation.

atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec information security AB is is also accredited by the Swedish accreditation body SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation.

The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Security Target [ST], and have been reached in agreement with the requirements of the Common Criteria and the Common Methodology for evaluation assurance level:

EAL 2 + ALC_FLR.3.

20FMV108-30:1

1.0

2020-12-11 3 (20)

Swedish Certification Body for IT Security Certification Report - Canonical Ubuntu Server 18.04 LTS

The certification results only apply to the versions of the products indicated in the certificate, and on the condition that all the stipulations in the Security Target [ST] are met. This certificate is not an endorsement of the IT product by CSEC or any other organization that recognizes or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organization that recognizes or gives effect to this certificate is either expressed or implied.

20FMV108-30:1

1.0

2020-12-11 4 (20)

Swedish Certification Body for IT Security Certification Report - Canonical Ubuntu Server 18.04 LTS

2

Identification

Certification Identification

Certification ID

CSEC2019029

Name and version of the certified IT product

Ubuntu 18.04.4 LTS

Security Target Identification Security Target for Ubuntu 18.04 LTS, 2020-12-02, version 1.0

EAL

EAL 2 + ALC_FLR.3

Sponsor

Canonical Group Ltd.

Developer

Canonical Group Ltd.

ITSEF

atsec information security AB

Common Criteria version

3.1 release 5

CEM version

3.1 release 5

QMS version

1.24

Scheme Notes Release

17

Recognition Scope

CCRA, SOGIS, EA/MLA

Certification date

2020-12-11

20FMV108-30:1

1.0

2020-12-11 5 (20)

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download