Results 1 to 8 of 8

Thread: SElinux and FIPS140-2

  1. #1

    Default SElinux and FIPS140-2

    I have read through this part of the manual:

    https://doc.opensuse.org/documentati...a.selinux.html

    I have not tried SELinux on suse, and maybe this is the wrong place to ask. But, I assume some people in this form work on suse as well so here are my questions:

    How well does SeLinux work on opensuse/suse as compared to a default version of RH?

    Is suse working on getting the crypto systems FIPS140-2 certified?

    I ask those for two reasons. I have been involved in DFARS requirements in the defense industry, and I assume AWS is going to win the $10 billion DoD cloud program. Once that contract goes through most US defense contractors are probably going to jump on that solution over Azure.I would hate to see suse miss out on this opportunity.

    I may have posted this to the wrong section of the form. Please move it if I have. I am just curious about others thoughts and opinions.

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,296
    Blog Entries
    2

    Default Re: SElinux and FIPS140-2

    I've only configured SELinux to know how to do it and understand any issues that might be involved (Last I looked at this was late last year).

    I can only say that at least what I looked at last year was a lot easier than what I remembered many years earlier, the procedure for switchover and applying an existing policy is not that difficult anymore. But, of course you should still follow up with testing to verify that for whatever reason you need to use SELinux (other than that it's only a regulatory requirement) is working.

    If you're implementing virtualization on your SELinux box, you should take a look at the following post

    https://forums.opensuse.org/showthre...53#post2843153

    I remember that another possibly important Forum thread referenced in that post is worth looking at if you can find it but I'm unable to locate it.

    As for Federal cryptographic standards like FIPS_140-2, I'd recommend you first know what the standard is
    https://en.wikipedia.org/wiki/FIPS_140-2

    Like many similar Federal security standards, I find them oftentimes not very useful(IMO they should never be an objective because they are often too low to be practically effective) but if it's a requirement of course you need to provide or publish a statement of compliance. Note that this particular standard defines 4 levels of effectiveness which should be part of your statement. I don't know that a list exists for overall OS, but you can do a search on any particular security module you intend to use like "fips 140-2 openssl"

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Default Re: SElinux and FIPS140-2

    The specification is pretty sparse. It is here:

    https://nvlpubs.nist.gov/nistpubs/Sp...SP.800-171.pdf

    The FIPS part is what the defense contractors are struggling with, but the US government is not backing down on it. Since it is under the heading:

    SYSTEM AND COMMUNICATION PROTECTION
    3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

    I do understand the FIPS standard and validation of an crypto system is dificult both in the process and because changes afterwards invalidates it. However, it is a requirement the industry is trying to deal with.
    .

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,296
    Blog Entries
    2

    Default Re: SElinux and FIPS140-2

    Quote Originally Posted by d3vnull View Post
    The specification is pretty sparse. It is here:

    https://nvlpubs.nist.gov/nistpubs/Sp...SP.800-171.pdf

    The FIPS part is what the defense contractors are struggling with, but the US government is not backing down on it. Since it is under the heading:

    SYSTEM AND COMMUNICATION PROTECTION
    3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

    I do understand the FIPS standard and validation of an crypto system is dificult both in the process and because changes afterwards invalidates it. However, it is a requirement the industry is trying to deal with.
    .
    As is often the case,
    IMO you should focus on the testing and validation, which means contacting the authorized test labs.
    Those are the people who should actually understand what is tested and how to test, and would then publish results.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5

    Default Re: SElinux and FIPS140-2

    Quote Originally Posted by tsu2 View Post
    As is often the case,
    IMO you should focus on the testing and validation, which means contacting the authorized test labs.
    Those are the people who should actually understand what is tested and how to test, and would then publish results.

    TSU
    My point and question was more around the fact that Ubuntu and Red hat have already performed FIPS validation through NIST to compete in that space. I was probably to vague since I don't really like typing their names

    I was wondering where the commercial end of SuSE was. Honestly, I didn't want to post to their form because I would think it would be a distraction, but figured some of those same individuals bleed over into this form.

  6. #6
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Cool Re: SElinux and FIPS140-2

    The bottom line of all certification processes, such as, for example, the certification for FIPS140-2, is that:
    • The certification process has to be funded.

    So, given the fact that fairy godmothers are rather rare, it is unlikely that, the someone associated with the openSUSE community will provide the funding needed for certification of things such as FIPS140-2.

    On the other hand, given that, the modern world is the way it is, SUSE GmbH is a commercial enterprise and is, therefore, confronted with these issues. For example, this presentation made at SUSECon in the year 2014: <https://www.susecon.com/doc/2015/sessions/BOV20062.pdf>.

    AFAICS, the bottom line with respect to the certifications currently held by SUSE GmbH is, "Please contact your local SUSE GmbH sales person" …

  7. #7
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Cool Re: SElinux and FIPS140-2

    Found it!!! -- When I logged out of the openSUSE Forum and took an inquisitive look into the SUSE page …
    <https://www.suse.com/solutions/enterprise-linux/> -- section about half way down the page -- "Secure" tab:
    Building on the Enterprise Linux OS certified with Common Criteria EAL4+ and FIPS 140-2 provides you verified security functionality and quality assurance. Whether you are doing business with Federal Government, FISMA regulated entities or global organizations, deploying systems with appropriate security certifications sets up a solid foundation.

    With SUSE Linux Enterprise Server, security certifications stay valid with OS version updates, so costly re-certifications are avoided and stability of systems is maintained.

  8. #8

    Default Re: SElinux and FIPS140-2

    Hey! That is awesome. Thank you for finding that for me. I am glad to see SUSE is on track to conquer the US market.

    Much appreciated.

    Also, 5hank you for the SELinux link to the older post.

    Quote Originally Posted by dcurtisfra View Post
    Found it!!! -- When I logged out of the openSUSE Forum and took an inquisitive look into the SUSE page …
    <https://www.suse.com/solutions/enterprise-linux/> -- section about half way down the page -- "Secure" tab:

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •