I have not tried SELinux on suse, and maybe this is the wrong place to ask. But, I assume some people in this form work on suse as well so here are my questions:
How well does SeLinux work on opensuse/suse as compared to a default version of RH?
Is suse working on getting the crypto systems FIPS140-2 certified?
I ask those for two reasons. I have been involved in DFARS requirements in the defense industry, and I assume AWS is going to win the $10 billion DoD cloud program. Once that contract goes through most US defense contractors are probably going to jump on that solution over Azure.I would hate to see suse miss out on this opportunity.
I may have posted this to the wrong section of the form. Please move it if I have. I am just curious about others thoughts and opinions.
I’ve only configured SELinux to know how to do it and understand any issues that might be involved (Last I looked at this was late last year).
I can only say that at least what I looked at last year was a lot easier than what I remembered many years earlier, the procedure for switchover and applying an existing policy is not that difficult anymore. But, of course you should still follow up with testing to verify that for whatever reason you need to use SELinux (other than that it’s only a regulatory requirement) is working.
If you’re implementing virtualization on your SELinux box, you should take a look at the following post
Like many similar Federal security standards, I find them oftentimes not very useful(IMO they should never be an objective because they are often too low to be practically effective) but if it’s a requirement of course you need to provide or publish a statement of compliance. Note that this particular standard defines 4 levels of effectiveness which should be part of your statement. I don’t know that a list exists for overall OS, but you can do a search on any particular security module you intend to use like “fips 140-2 openssl”
The FIPS part is what the defense contractors are struggling with, but the US government is not backing down on it. Since it is under the heading:
SYSTEM AND COMMUNICATION PROTECTION
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
I do understand the FIPS standard and validation of an crypto system is dificult both in the process and because changes afterwards invalidates it. However, it is a requirement the industry is trying to deal with.
As is often the case,
IMO you should focus on the testing and validation, which means contacting the authorized test labs.
Those are the people who should actually understand what is tested and how to test, and would then publish results.
My point and question was more around the fact that Ubuntu and Red hat have already performed FIPS validation through NIST to compete in that space. I was probably to vague since I don’t really like typing their names
I was wondering where the commercial end of SuSE was. Honestly, I didn’t want to post to their form because I would think it would be a distraction, but figured some of those same individuals bleed over into this form.
The bottom line of all certification processes, such as, for example, the certification for FIPS140-2, is that:
The certification process has to be funded.
So, given the fact that fairy godmothers are rather rare, it is unlikely that, the someone associated with the openSUSE community will provide the funding needed for certification of things such as FIPS140-2.
On the other hand, given that, the modern world is the way it is, SUSE GmbH is a commercial enterprise and is, therefore, confronted with these issues. For example, this presentation made at SUSECon in the year 2014: <https://www.susecon.com/doc/2015/sessions/BOV20062.pdf>.
Building on the Enterprise Linux OS certified with Common Criteria EAL4+ and FIPS 140-2 provides you verified security functionality and quality assurance. Whether you are doing business with Federal Government, FISMA regulated entities or global organizations, deploying systems with appropriate security certifications sets up a solid foundation.
With SUSE Linux Enterprise Server, security certifications stay valid with OS version updates, so costly re-certifications are avoided and stability of systems is maintained.