Oracle Linux 8 has received a Common Criteria (CC) certification, evaluated against the National Information Assurance Partnership (NIAP) Protection Profile for General Purpose Operating Systems (OSPP) v4.2.1, as well as several Federal Information Processing Standard 140 (FIPS-140) validations of its cryptographic modules. Oracle Linux Kernel-based Virtual Machine (KVM) and Oracle Linux Virtualization Manager have also completed the first Linux KVM CC evaluation against the NIAP Protection Profile for Virtualization v1.0.
With these certifications, Oracle Linux 8 and Oracle Linux KVM are included on the NIAP Product Compliant List (PCL), a requirement for IT products sold to the United States Department of Defense. US Federal customers who select Oracle Cloud Infrastructure can now opt for a NIAP CC-certified operating system that also includes FIPS-140 validated cryptographic modules.
"Oracle focuses on Linux security because it's important for our customers and because reducing security risks improves Linux overall," said Robert Shimp, senior vice president, infrastructure software product management, Oracle. "Oracle Linux provides options that help ensure administrators have the features and tools they need to deploy their workloads securely using best-in-class solutions and established best practices."
These certifications add to related certifications and advancements that enable Oracle Linux to deliver more security features and improve the speed and stability of operations on-premises and in the cloud.
"Common Criteria evaluations, mutually recognized across 31 countries, are an important demonstration of vendor commitment to product security assurance," said Mary Ann Davidson, chief security officer, Oracle. "Our fifth Common Criteria certificate of Oracle Linux is a result of Oracle's ongoing efforts to satisfy customer demand for security assurance, both with our assurance programs such as Oracle Software Security Assurance (OSSA), and targeted independent evaluations of key products."
CC certifications are awarded based upon security evaluations performed by independent, accredited testing laboratories, and the results provide IT product security assurance to commercial, government, and military institutions. Such evaluations, and the criteria upon which they are based, are designed to help establish a comparable level of confidence for IT purchasers and vendors alike. CC certifications are complementary to other compliance programs such as FIPS-140 for cryptographic modules and FedRAMP for cloud security.
"As a systems integrator, consulting firm, and managed services provider, Mythics customers have demanding security requirements; some workloads are the most important ones in this country," said Erik Benner, vice president of enterprise transformation, Mythics. "Oracle understands our public sector and financial services clients' needs and the importance of secure data encryption. Oracle Linux was the pioneer Linux distribution to achieve NIAP Common Criteria standard certification. This achievement, along with its continued certifications, helps assure users that Oracle Linux is a highly secure system that can be consistently maintained to meet stringent security requirements today and into the future."
Oracle Linux is one of the most secure operating environments deployed on-premises and in the cloud. It ships enterprise security features such as Ksplice live patching for the kernel, hypervisor, and user space; known exploit detection; secure defaults; and support for a modern Linux kernel.
For a matrix of Oracle security evaluations currently in progress, as well as those completed, refer to the Oracle Security Evaluations page.
The completed CC certification for Oracle Linux 8 was performed against the Protection Profile for General Purpose Operating Systems (OSPP) 4.2.1 and the Functional Package for Secure Shell (SSH), Version 1.0.
The security functionality evaluated as part of the certification included security audit, cryptographic support, identification and authentication, user data protection, self-protection of the security functions, and the TLS and SSH protocols.
The completed CC certification for Oracle Linux KVM and Oracle Linux Virtualization Manager demonstrates compliance with the following approved Protection Profile and Extended Packages:
The security functionality evaluated as part of the certification included security audit, cryptographic support, identification and authentication, user data protection, security management and trusted path/channel.
In addition to the Common Criteria certification, Oracle Linux cryptographic modules are now FIPS 140-2 validated for the x86_64 and aarch64 platforms on Oracle Linux 7 and Oracle Linux 8. These modules enable FIPS-140 compliant operation for use cases such as data protection and integrity, remote administration (SSH, HTTPS/TLS, SNMP, and IPsec), cryptographic key generation, and key and certificate management.
FIPS-140 is the mandatory standard for cryptographic modules that US federal agencies use to protect sensitive but unclassified information, and it is required for any cryptography that is part of a FedRAMP-authorized cloud service. For more information about FIPS 140, its importance, and its relationship to cloud authorizations such as FedRAMP, see the blog post FIPS-140 and FedRAMP Cloud "Compliance" Explained.
FIPS 140-3 is the current version of the standard. Several cryptographic modules in Oracle Linux 8 and Oracle Linux 9 have been submitted to the NIST Cryptographic Module Validation Program (CMVP) and appear on its Implementation Under Test list. Customers can continue to use the FIPS 140-2 validated modules until replacement FIPS 140-3 validated modules become available.
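A validated module only delivers the FIPS-140 compliant operation described above when the host is actually booted in FIPS mode; a module that is merely installed on a host running the default crypto policy is not operating in its approved mode. The script below is an added example (not Oracle's code and not part of the original post) that checks the three things an auditor would look at on an Oracle Linux 8 or other RHEL 8 derived host: the kernel's fips_enabled flag, fips=1 on the kernel command line, and a FIPS-based system-wide crypto policy. It assumes the standard paths /proc/sys/crypto/fips_enabled, /proc/cmdline and /etc/crypto-policies/config; each function accepts an alternative path so the checks can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify that an Oracle Linux 8 / RHEL 8 derived
# host is operating in FIPS mode. Default paths are the standard ones on such hosts
# (assumption); an optional argument lets each check read a different file instead.

# Kernel-level switch: "1" means the kernel booted with FIPS mode and self-tests on.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# fips=1 on the kernel command line is required for the kernel switch to be set
# across reboots. -w matches it as a whole word, so a token such as "nofips=1"
# (constructed for the negative test) does not count.
fips_cmdline_present() {
    f="${1:-/proc/cmdline}"
    [ -r "$f" ] || return 1
    grep -qw 'fips=1' "$f"
}

# System-wide crypto policy followed by OpenSSL, GnuTLS, NSS and libgcrypt.
# Accept "FIPS" and FIPS with subpolicies (e.g. "FIPS:OSPP"); ignore comment lines.
fips_policy_active() {
    f="${1:-/etc/crypto-policies/config}"
    [ -r "$f" ] || return 1
    policy="$(grep -v '^#' "$f" | grep -v '^[[:space:]]*$' | head -n 1 | tr -d '[:space:]')"
    case "$policy" in
        FIPS|FIPS:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Aggregate check: all three must hold. Reports each failure and returns nonzero
# if any check failed, so it can gate a provisioning or compliance pipeline.
fips_mode_check() {
    rc=0
    fips_kernel_enabled "$1"  || { echo "kernel fips_enabled is not 1"; rc=1; }
    fips_cmdline_present "$2" || { echo "fips=1 missing from kernel command line"; rc=1; }
    fips_policy_active "$3"   || { echo "system crypto policy is not FIPS-based"; rc=1; }
    return "$rc"
}

# When run directly, check the live host.
fips_mode_check && echo "FIPS mode: enabled" || echo "FIPS mode: NOT enabled"
```

The three checks are deliberately separate: a host can have fips=1 on the command line but a non-FIPS crypto policy (for example after an administrator ran update-crypto-policies --set DEFAULT), and in that state userspace TLS and SSH libraries will negotiate non-approved algorithms even though the kernel flag reads 1.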
Honglin Su leads the product management team for Oracle Linux and Virtualization to help customers transform their traditional data centers to the cloud.
You can follow him on Twitter @honglinsu
Tyrone Stodart works in Oracle’s Security Evaluations team as a Senior Principal Security Analyst, within Oracle Global Product Security. He supports Oracle’s Common Criteria certifications, primarily for operating systems and virtualization products. Tyrone has worked with the Common Criteria standard for over 20 years and is a UK member of ISO SC27 WG3. Tyrone holds an MBA from London Business School and bachelors in engineering from University of Sheffield.