Certification Report BSI-DSZ-CC-0962-2016


BSI-DSZ-CC-0962-2016 for SUSE Linux Enterprise Server Version 12 from SUSE LLC

BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn
Phone +49 (0)228 99 9582-0, Fax +49 (0)228 9582-5477, Infoline +49 (0)228 99 9582-111
Certification Report V1.0, CC-Zert-327 V5.14

BSI-DSZ-CC-0962-2016 (*)

Operating System
SUSE Linux Enterprise Server Version 12
from SUSE LLC

PP Conformance: Operating System Protection Profile, Version 2.0, 01 June 2010, BSI-CC-PP-0067-2010, OSPP Extended Packages: Advanced Management, Advanced Audit, and Virtualization, all Version 2.0, 28 May 2010
Functionality: PP conformant, Common Criteria Part 2 extended
Assurance: Common Criteria Part 3 conformant, EAL 4 augmented by ALC_FLR.3

The IT Product identified in this certificate has been evaluated at an approved evaluation facility using the Common Methodology for IT Security Evaluation (CEM), Version 3.1 extended by Scheme Interpretations for conformance to the Common Criteria for IT Security Evaluation (CC), Version 3.1. CC and CEM are also published as ISO/IEC 15408 and ISO/IEC 18045.

(*) This certificate applies only to the specific version and release of the product in its evaluated configuration and in conjunction with the complete Certification Report and Notification. For details on the validity see Certification Report part A chapter 4.

The evaluation has been conducted in accordance with the provisions of the certification scheme of the German Federal Office for Information Security (BSI) and the conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced.

This certificate is not an endorsement of the IT Product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT Product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, is either expressed or implied.

SOGIS Recognition Agreement / Common Criteria Recognition Arrangement

Bonn, 24 February 2016
For the Federal Office for Information Security
Bernd Kowalski, Head of Department
L.S.

Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189 - D-53175 Bonn - Postfach 20 03 63 - D-53133 Bonn
Phone +49 (0)228 99 9582-0 - Fax +49 (0)228 9582-5477 - Infoline +49 (0)228 99 9582-111


Preliminary Remarks

Under the BSIG Act (1), the Federal Office for Information Security (BSI) has the task of issuing certificates for information technology products.

Certification of a product is carried out on the instigation of the vendor or a distributor, hereinafter called the sponsor.

A part of the procedure is the technical examination (evaluation) of the product according to the security criteria published by the BSI or generally recognised security criteria.

The evaluation is normally carried out by an evaluation facility recognised by the BSI or by BSI itself.

The result of the certification procedure is the present Certification Report. This report contains among others the certificate (summarised assessment) and the detailed Certification Results.

The Certification Results contain the technical description of the security functionality of the certified product, the details of the evaluation (strength and weaknesses) and instructions for the user.

(1) Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p. 2821

Contents

A. Certification ... 7
1. Specifications of the Certification Procedure ... 7
2. Recognition Agreements ... 7
3. Performance of Evaluation and Certification ... 8
4. Validity of the Certification Result ... 9
5. Publication ... 10
B. Certification Results ... 11
1. Executive Summary ... 12
2. Identification of the TOE ... 13
3. Security Policy ... 14
4. Assumptions and Clarification of Scope ... 14
5. Architectural Information ... 15
6. Documentation ... 18
7. IT Product Testing ... 18
8. Evaluated Configuration ... 22
9. Results of the Evaluation ... 22
10. Obligations and Notes for the Usage of the TOE ... 31
11. Security Target ... 31
12. Definitions ... 32
13. Bibliography ... 34
C. Excerpts from the Criteria ... 37
CC Part 1 ... 37
CC Part 3 ... 38
D. Annexes ... 45

A. Certification

1. Specifications of the Certification Procedure

The certification body conducts the procedure according to the criteria laid down in the following:
- Act on the Federal Office for Information Security (2)
- BSI Certification and Approval Ordinance (3)
- BSI Schedule of Costs (4)
- Special decrees issued by the Bundesministerium des Innern (Federal Ministry of the Interior)
- DIN EN ISO/IEC 17065 standard
- BSI certification: Scheme documentation describing the certification process (CC-Produkte) [3]
- BSI certification: Scheme documentation on requirements for the Evaluation Facility, its approval and licencing process (CC-Stellen) [3]
- Common Criteria for IT Security Evaluation (CC), Version 3.1 (5) [1], also published as ISO/IEC 15408
- Common Methodology for IT Security Evaluation (CEM), Version 3.1 [2], also published as ISO/IEC 18045
- BSI certification: Application Notes and Interpretation of the Scheme (AIS) [4]

2. Recognition Agreements

In order to avoid multiple certification of the same product in different countries a mutual recognition of IT security certificates - as far as such certificates are based on ITSEC or CC - under certain conditions was agreed.

2.1. European Recognition of ITSEC/CC – Certificates (SOGIS-MRA)

The SOGIS-Mutual Recognition Agreement (SOGIS-MRA) Version 3 became effective in April 2010. It defines the recognition of certificates for IT-Products at a basic recognition level and, in addition, at higher recognition levels for IT-Products related to certain SOGIS Technical Domains only.

(2) Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p. 2821
(3) Ordinance on the Procedure for Issuance of Security Certificates and approval by the Federal Office for Information Security (BSI-Zertifizierungs- und -Anerkennungsverordnung - BSIZertV) of 17 December 2014, Bundesgesetzblatt 2014, part I, no. 61, p. 2231
(4) Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der Informationstechnik (BSI-Kostenverordnung, BSI-KostV) of 03 March 2005, Bundesgesetzblatt I p. 519
(5) Proclamation of the Bundesministerium des Innern of 12 February 2007 in the Bundesanzeiger dated 23 February 2007, p. 3730

The basic recognition level includes Common Criteria (CC) Evaluation Assurance Levels EAL 1 to EAL 4 and ITSEC Evaluation Assurance Levels E1 to E3 (basic). For "Smartcards and similar devices" a SOGIS Technical Domain is in place. For "HW Devices with Security Boxes" a SOGIS Technical Domain is in place, too. In addition, certificates issued for Protection Profiles based on Common Criteria are part of the recognition agreement.

The new agreement has been signed by the national bodies of Austria, Finland, France, Germany, Italy, The Netherlands, Norway, Spain, Sweden and the United Kingdom. The current list of signatory nations and approved certification schemes, details on recognition, and the history of the agreement can be seen on the website at https://www.sogisportal.eu.

The SOGIS-MRA logo printed on the certificate indicates that it is recognised under the terms of this agreement by the nations listed above.

This certificate is recognized under SOGIS-MRA for all assurance components selected.

2.2. International Recognition of CC – Certificates (CCRA)

The international arrangement on the mutual recognition of certificates based on the CC (Common Criteria Recognition Arrangement, CCRA-2014) has been ratified on 08 September 2014. It covers CC certificates based on collaborative Protection Profiles (cPP) (exact use), CC certificates based on assurance components up to and including EAL 2 or the assurance family Flaw Remediation (ALC_FLR) and CC certificates for Protection Profiles and for collaborative Protection Profiles (cPP).

The CCRA-2014 replaces the old CCRA signed in May 2000 (CCRA-2000). Certificates based on CCRA-2000, issued before 08 September 2014, are still under recognition according to the rules of CCRA-2000. For certification procedures ongoing on 08 September 2014 and for Assurance Continuity (maintenance and re-certification) of old certificates, a transition period on the recognition of certificates according to the rules of CCRA-2000 (i.e. assurance components up to and including EAL 4 or the assurance family Flaw Remediation (ALC_FLR)) is defined until 08 September 2017.

As of September 2014 the signatories of the new CCRA-2014 are government representatives from the following nations: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States.

The current list of signatory nations and approved certification schemes can be seen on the website: http://www.commoncriteriaportal.org.

The Common Criteria Recognition Arrangement logo printed on the certificate indicates that this certification is recognised under the terms of this agreement by the nations listed above.

As this certificate is a re-certification of a certificate issued according to CCRA-2000, this certificate is recognized according to the rules of CCRA-2000, i.e. for all assurance components selected.

3. Performance of Evaluation and Certification

The certification body monitors each individual evaluation to ensure a uniform procedure, a uniform interpretation of the criteria and uniform ratings.

The product SUSE Linux Enterprise Server, Version 12 has undergone the certification procedure at BSI. This is a re-certification based on BSI-DSZ-CC-0852-2013. Specific results from the evaluation process BSI-DSZ-CC-0852-2013 were re-used.

The evaluation of the product SUSE Linux Enterprise Server, Version 12 was conducted by atsec information security GmbH. The evaluation was completed on 19 February 2016. atsec information security GmbH is an evaluation facility (ITSEF) (6) recognised by the certification body of BSI.

For this certification procedure the sponsor and applicant is: SUSE LLC.
The product was developed by: SUSE LLC.

The certification is concluded with the comparability check and the production of this Certification Report. This work was completed by the BSI.

4. Validity of the Certification Result

This Certification Report only applies to the version of the product as indicated. The confirmed assurance package is only valid on the condition that
- all stipulations regarding generation, configuration and operation, as given in the following report, are observed,
- the product is operated in the environment described, as specified in the following report and in the Security Target.

For the meaning of the assurance levels please refer to the excerpts from the criteria at the end of the Certification Report or in the CC itself.

The Certificate issued confirms the assurance of the product claimed in the Security Target at the date of certification. As attack methods evolve over time, the resistance of the certified version of the product against new attack methods needs to be re-assessed. Therefore, the sponsor should apply for the certified product being monitored within the assurance continuity program of the BSI Certification Scheme (e.g. by a re-certification). Specifically, if results of the certification are used in subsequent evaluation and certification procedures, in a system integration process or if a user's risk management needs regularly updated results, it is recommended to perform a re-assessment on a regular, e.g. annual, basis.

In order to avoid an indefinite usage of the certificate when evolved attack methods require a re-assessment of the product's resistance to state of the art attack methods, the maximum validity of the certificate has been limited. The certificate issued on 24 February 2016 is valid until 23 February 2021. Validity can be renewed by re-certification.

The owner of the certificate is obliged:
1. when advertising the certificate or the fact of the product's certification, to refer to the Certification Report as well as to provide the Certification Report, the Security Target and user guidance documentation mentioned herein to any customer of the product for the application and usage of the certified product,
2. to inform the Certification Body at BSI immediately about vulnerabilities of the product that have been identified by the developer or any third party after issuance of the certificate,

(6) Information Technology Security Evaluation Facility

3. to inform the Certification Body at BSI immediately in the case that security relevant changes in the evaluated life cycle, e.g. related to development and production sites or processes, occur, or the confidentiality of documentation and information related to the Target of Evaluation (TOE) or resulting from the evaluation and certification procedure where the certification of the product has assumed this confidentiality being maintained, is not given any longer. In particular, prior to the dissemination of confidential documentation and information related to the TOE or resulting from the evaluation and certification procedure that do not belong to the deliverables according to the Certification Report part B, or for those where no dissemination rules have been agreed on, to third parties, the Certification Body at BSI has to be informed.

In case of changes to the certified version of the product, the validity can be extended to the new versions and releases, provided the sponsor applies for assurance continuity (i.e. re-certification or maintenance) of the modified product, in accordance with the procedural requirements, and the evaluation does not reveal any security deficiencies.

5. Publication

The product SUSE Linux Enterprise Server, Version 12 has been included in the BSI list of certified products, which is published regularly (see also Internet: https://www.bsi.bund.de and [5]). Further information can be obtained from BSI-Infoline +49 228 9582-111.

Further copies of this Certification Report can be requested from the developer (7) of the product. The Certification Report may also be obtained in electronic form at the internet address stated above.

(7) SUSE LLC, 1800 South Novell Place, Provo, UT 84606, USA

B. Certification Results

The following results represent a summary of the Security Target of the sponsor for the Target of Evaluation, the relevant evaluation results from the evaluation facility, and complementary notes and stipulations of the certification body.

1. Executive Summary

The Target of Evaluation (TOE) is SUSE Linux Enterprise Server 12, a highly-configurable Linux-based operating system.

The Security Target [6] is the basis for this certification. It is based on the certified Protection Profile Operating System Protection Profile, Version 2.0, 01 June 2010, BSI-CC-PP-0067-2010, and three OSPP Extended Packages [8]:
- Advanced Management, Version 2.0, 28 May 2010,
- Advanced Audit, Version 2.0, 28 May 2010,
- Virtualization, Version 2.0, 28 May 2010

The TOE Security Assurance Requirements (SAR) are based entirely on the assurance components defined in Part 3 of the Common Criteria (see part C or [1], Part 3 for details). The TOE meets the assurance requirements of the Evaluation Assurance Level EAL 4 augmented by ALC_FLR.3.

The TOE Security Functional Requirements (SFR) relevant for the TOE are outlined in the Security Target [6], chapter 6.2. They are selected from Common Criteria Part 2 and some of them are newly defined. Thus the TOE is CC Part 2 extended.

The TOE Security Functional Requirements are implemented by the following TOE Security Functionality:

TOE Security Functionality | Addressed issue
Auditing | The Lightweight Audit Framework (LAF) is designed to be an audit system making Linux compliant with the requirements from Common Criteria. The TOE can be deployed as an audit server that receives audit logs from other TOE instances.
Cryptographic support | The TOE provides cryptographically secured communication to allow remote entities to log into the TOE. In addition, the TOE provides confidentiality protected data storage using the device mapper target dm_crypt.
Packet filter | The TOE provides a stateless and stateful packet filter for regular IP-based communication.
Identification and Authentication | User identification and authentication in the TOE includes all forms of interactive login (e.g. using the SSH protocol or log in at the local console) as well as identity changes through the su or sudo command.
Discretionary Access Control | DAC allows owners of named objects to control the access permissions to these objects.
Authoritative Access Control | The TOE supports authoritative or mandatory access control.
Virtual machine environments | The TOE implements the host system for virtual machines.
Security Management | The security management facilities provided by the TOE are usable by authorized users and/or authorized administrators to modify the configuration of TSF.

Table 1: TOE Security Functionalities

For more details please refer to the Security Target [6], chapter 1.5.2.2.

The assets to be protected by the TOE are defined in the Security Target [6], chapter 3.1.1. Based on these assets the TOE Security Problem is defined in terms of Assumptions, Threats and Organisational Security Policies. This is outlined in the Security Target [6], chapter 3.

This certification covers the configurations of the TOE as outlined in chapter 8.

The vulnerability assessment results as stated within this certificate do not include a rating for those cryptographic algorithms and their implementation suitable for encryption and decryption (see BSIG Section 9, Para. 4, Clause 2).

The certification results only apply to the version of the product indicated in the certificate and on the condition that all the stipulations are kept as detailed in this Certification Report. This certificate is not an endorsement of the IT product by the Federal Office for Information Security (BSI) or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by BSI or any other organisation that recognises or gives effect to this certificate, is either expressed or implied.

2. Identification of the TOE

The Target of Evaluation (TOE) is called:

SUSE Linux Enterprise Server, Version 12

The following table outlines the TOE deliverables:

No | Identifier | Type | Form of Delivery
1 | SLE-12-Server-DVD-x86_64-CC-Respin-A-DVD1.iso (SHA256: 3fb36cceb06b3b) | ISO | D/L
2 | SLE-12-Server-DVD-x86_64-CC-Respin-A-DVD2.iso (SHA256: 68c979978ca7e7) | ISO | D/L
3 | SLE-12-Server-DVD-x86_64-CC-Respin-A-DVD3.iso (SHA256: ) | ISO | D/L
  | espin-A-DVD1.iso (SHA256: ) | ISO | D/L
  | espin-A-DVD2.iso (SHA256: ) | ISO | D/L
  | espin-A-DVD3.iso (SHA256: ) | ISO | D/L
  | -0.16.1.noarch.rpm (SHA256: f96beb63de4809). RPM contains the "Evaluated Configuration Guide" [10]. This is the version for x86_64 and it is available at: https://download.suse.com/Download?buildid | RPM | D/L
  | -0.16.1.noarch.rpm (SHA256: 36eb6edca87444). RPM contains the "Evaluated Configuration Guide" [10]. This is the version for s390x and it is available at: https://download.suse.com/Download?buildid=FdQP4afr8G0%7e | RPM | D/L

Table 2: Deliverables of the TOE

The delivery of the TOE is electronic download only in the form of DVD ISO images according to the ECG [10]. The TOE's downloadable parts are shown in Scope of TOE Supply (section 2). The packages that make up the TOE are digitally signed using GPG. The key of the developer is contained on the installation DVD, as described in the ECG. The developer provides and operates the download site and provides checksums for the downloaded images that enable the user to verify the integrity of the download. In addition this certification report provides SHA256 checksums in table 2 for additional integrity verification.

The ECG is a central document to the evaluation. It defines how to install and configure the TOE. It is being shipped as part of a signed RPM package and is thus integrity protected as well.

3. Security Policy

The Security Policy is expressed by the set of Security Functional Requirements and implemented by the TOE. It covers the following issues: Auditing, Cryptographic support, Packet filter, Identification and Authentication, Discretionary Access Control, Authoritative Access Control, Virtual machine environments and Security Management.

4. Assumptions and Clarification of Scope

The Assumptions defined in the Security Target and some aspects of Threats and Organisational Security Policies are not covered by the TOE itself. These aspects lead to specific security objectives to be fulfilled by the TOE-Environment. The following topics are of relevance:
- Those responsible for the TOE are competent and trustworthy.
- If the TOE relies on remote trusted IT systems to support the enforcement of its policy, those systems provide the functions required by the TOE and are sufficiently protected.
- Those responsible for the TOE must establish and implement procedures to ensure that information is protected in an appropriate manner (e.g. network cabling, DAC protections on security-relevant files, etc.).
- Those responsible for the TOE must ensure that the system is installed and configured in a secure manner.
- Authorized users of the TOE must ensure that the comprehensive diagnostics facilities provided by the product are invoked at every scheduled preventative maintenance period.
- Those responsible for the TOE must ensure that the TOE is protected from physical attacks.
- Those responsible for the TOE must ensure that procedures and/or mechanisms are provided to assure that after system failure or other discontinuity, recovery without a protection (security) compromise is achieved.
- Those responsible for the TOE must ensure that remote trusted IT systems are under the same management domain as the TOE.
- The trusted IT systems executing the TOE support the enforcement of the security policy.

Details can be found in the Security Target [6], chapter 4.2.
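The download-integrity check described in section 2 above (comparing a downloaded ISO image with the SHA256 value published for it, and checking the GPG signature on the RPM that carries the ECG), written out as an added shell example. This is not code from the report or from SUSE: the function names, the placeholder checksum in the usage comment and the temporary sample file are assumptions, and rpm --checksig is only meaningful once the developer's public key described in the ECG has been imported into the RPM database.

```shell
#!/bin/sh
# Added example, not part of the BSI report or SUSE's tooling: compare a
# downloaded TOE ISO image with the SHA256 value published for it, and check
# the GPG signature on the ECG RPM. File names and the hash in the usage
# comment are placeholders; the real values are listed in Table 2 of the report.

# sha256_of FILE: print the hex SHA256 digest of FILE
# (GNU coreutils sha256sum, with shasum as a fallback on other systems).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest of FILE equals EXPECTED_HEX (case-insensitive),
# 1 when it differs, 2 when FILE cannot be read.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# verify_rpm_signature RPMFILE
# rpm --checksig exits non-zero if the package signature is missing or does
# not verify. It assumes the developer's public key (shipped on the
# installation DVD, see the ECG) has already been imported with rpm --import.
verify_rpm_signature() {
    rpm --checksig "$1" >/dev/null 2>&1
}

# Usage (placeholder hash; take the real one from Table 2):
#   if verify_sha256 SLE-12-Server-DVD-x86_64-CC-Respin-A-DVD1.iso \
#        0000000000000000000000000000000000000000000000000000000000000000; then
#       echo "ISO integrity OK"
#   else
#       echo "ISO integrity check FAILED: do not install from this image" >&2
#   fi
```

The checksum comparison is case-insensitive because vendors publish digests in either case; a mismatch is treated as a hard failure rather than a warning, since an image that does not match the published digest is not the evaluated deliverable.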

5. Architectural Information

SLES is a general purpose, multi-user, multi-tasking Linux based operating system. It provides a platform for a variety of applications. In addition, virtual machines provide an execution environment for a large number of different operating systems.

The SELinux LSM is configured to enforce the authoritative access control policy. The following access control rules are enforced by the enabled LSM: isolation of virtual machines from each other by assigning each process implementing a virtual machine and its resources a unique label. Access between virtual machines and resources is only permitted if the label of the virtual machine and the accessed resource is identical.

The SLES evaluation covers a potentially distributed network of systems running the evaluated versions and configurations of SLES as well as other peer systems operating within the same management domain. The hardware platforms selected for the evaluation consist of machines which are available when the evaluation has completed and which remain available for a substantial period of time afterwards.

The TOE Security Functions (TSF) consist of functions of SUSE Linux Enterprise Server that run in kernel mode plus a set of trusted processes. These are the functions that enforce the security policy as defined in the Security Target. Tools and commands executed in user mode that are used by an administrative user need also to be trusted to manage the system in a secure way. But as with other operating system evaluations they are not considered to be part of this TSF.

The hardware, the BIOS firmware and potentially other firmware layers between the hardware and the TOE are considered to be part of the TOE environment.

The TOE includes standard networking applications, including applications allowing access to the TOE via cryptographically protected communication channels, such as SSH.

System administration tools include the standard command line tools. A graphical user interface for system administration or any other operation is not included in the evaluated configuration.

The TOE environment also includes applications that are not evaluated, but are used as unprivileged tools to access public system services. For example a network server using a port above 1024 may be used as a normal application running without root privileges on top of the TOE. The additional documentation specific for the evaluated configuration provides guidance on how to set up such applications on the TOE in a secure way.

5.1. TOE Structure and Security Functions

The TOE is structured in much the same way as many other operating systems, especially Unix-type operating systems. It consists of a kernel, which runs in the privileged state of the processor and provides services to applications (which can be used by calling kernel services via the system call interface). Direct access to the hardware is restricted to the kernel, so whenever an application wants to access hardware like disk drives, network interfaces or other peripheral devices, it has to call kernel services. The kernel then checks if the application has the required access rights and privileges and either performs the service or rejects the request.

The kernel is also responsible for separating the different user processes. This is done by the management of the virtual and real memory of the TOE which ensures that processes executing with different attributes cannot directly access memory areas of other processes but have to do so using the inter-process communication mechanism provided by the kernel as part of its system call interface.

The TSF of the TOE also include a set of trusted processes, which when initiated by a user, operate with extended privileges. The programs that represent those trusted processes on the file system are protected by the file system discretionary access control security function enforced by the kernel.

In addition, the execution of the TOE is controlled by a set of configuration files, which are also called the TSF database. Those configuration files are also protected by the file system discretionary access control security function enforced by the kernel.

The kernel acts as a hypervisor for the virtual machine support of the TOE. It uses the virtualization support of the underlying processor to provide virtual machines with the required kernel support in KVM and user space support via libvirt.

Normal users – after they have been successfully authenticated by a defined trusted process – can start untrusted applications where the kernel enforces t
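The isolation rule stated at the start of section 5 (each virtual-machine process carries a unique label, and access is only permitted when the labels match) can be spot-checked on a running host by comparing the MCS categories of the VM processes reported by ps -eZ. The following is an added shell example, not code from the report or from SUSE: the process name qemu-kvm, the svirt_t type and the sample ps -eZ lines are constructed for the demonstration, and a category set that appears on more than one VM process is reported as a violation of the rule.

```shell
#!/bin/sh
# Added example, not part of the BSI report or SUSE's tooling: check the
# "unique label per virtual machine" rule on `ps -eZ` output. With sVirt a VM
# process runs in a context such as system_u:system_r:svirt_t:s0:c12,c34; the
# MCS category pair after the sensitivity level (c12,c34) is what makes each
# VM's label unique. VM_PROCESS_NAME, the svirt_t type and the sample lines
# are assumptions constructed for this demonstration.
VM_PROCESS_NAME=${VM_PROCESS_NAME:-qemu-kvm}

# Constructed sample in `ps -eZ` layout (LABEL PID TTY TIME CMD).
# PIDs 2301 and 2503 share the categories c12,c34, which the check must flag.
SAMPLE_PS_OUTPUT='LABEL                                   PID TTY          TIME CMD
system_u:system_r:kernel_t:s0               1 ?        00:00:01 systemd
system_u:system_r:svirt_t:s0:c12,c34     2301 ?        00:01:12 qemu-kvm
system_u:system_r:svirt_t:s0:c56,c78     2402 ?        00:00:40 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c34     2503 ?        00:00:05 qemu-kvm
system_u:system_r:sshd_t:s0-s0:c0.c1023   900 ?        00:00:00 sshd'

# vm_categories: read ps -eZ output on stdin and print "PID CATEGORIES" for
# every VM process. The categories are the fifth colon-separated field of the
# label (user:role:type:sensitivity:categories); "none" when the label carries
# no categories at all, which is itself a finding.
vm_categories() {
    awk -v vm="$VM_PROCESS_NAME" '
        NR > 1 && $NF == vm {
            n = split($1, ctx, ":")
            print $2, (n >= 5 ? ctx[5] : "none")
        }'
}

# duplicate_vm_labels: print each category set used by more than one VM
# process (one per line); prints nothing when every VM has its own label.
duplicate_vm_labels() {
    vm_categories | awk '{ seen[$2]++ } END { for (c in seen) if (seen[c] > 1) print c }'
}

# check_vm_isolation: exit 0 when all VM labels on stdin are distinct,
# 1 when at least one label is shared (the shared sets are printed to stderr).
check_vm_isolation() {
    dups=$(duplicate_vm_labels)
    if [ -n "$dups" ]; then
        printf 'shared VM label categories: %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# On a live host:  ps -eZ | check_vm_isolation
# Demonstration on the constructed sample, which is expected to fail:
printf '%s\n' "$SAMPLE_PS_OUTPUT" | check_vm_isolation \
    || echo "sample violates the unique-label rule, as expected"
```

Two VM processes sharing a category set means the policy cannot distinguish their resources, so a compromised guest could reach the other guest's disk image with a matching label; that is exactly the situation the rule in section 5 is meant to exclude, and it is worth re-running the check after libvirt configuration changes or manual relabelling of image files.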
