Henry Coggill
on 29 June 2023
Complying with US government security standards such as FIPS, FedRAMP, and DISA-STIG is essential for federal agencies and any business that deploys systems and services for U.S. government use. However, maintaining a compliant IT ecosystem is a major undertaking, as each regulation brings a host of specialised requirements. And dealing with the never-ending stream of security vulnerabilities that require patching only adds to this task.
The operating system is the cornerstone of a successful compliance strategy, since it provides the foundation for cryptography, system hardening, and managing security vulnerabilities. Modern organisations need a reliable operating system that can not only power their workloads, but also enable their security and compliance strategies – and Ubuntu is uniquely positioned to fulfil that role.
This article explores how Ubuntu supports compliance with US federal government regulations and eases the pain of dealing with security vulnerabilities, while also letting users take advantage of the best of open source.
FIPS 140-2
FIPS 140-2 is perhaps the most prevalent IT security and compliance standard for government use cases. It is a NIST standard for cryptographic modules, which requires that those modules be validated against exacting and comprehensive security requirements. Ubuntu supports FIPS 140 on Linux with a series of validated components: the Linux Kernel Crypto API, OpenSSL and OpenSSH, libgcrypt, and strongSwan.
FIPS validation takes a long time, but security vulnerabilities can emerge at any point, and Canonical endeavours to publish fixes as quickly as possible, irrespective of their certification status.
With that in mind, Ubuntu users can choose from two FIPS modes: ‘FIPS-updates’ and ‘strict FIPS’. The former includes ongoing security fixes to the validated packages and is the recommended mode for organisations prioritising security; the latter contains only the packages exactly as certified, so it does not receive those fixes and remains exposed to vulnerabilities disclosed after validation.
To streamline compliance throughout the rest of their IT ecosystems, organisations should ensure that every application they deploy utilises the FIPS-validated core of Ubuntu to take advantage of the certification.
Companies should avoid applications that embed their own, unvalidated cryptographic modules, or that use the Ubuntu libraries in ways that do not conform to the modules’ security policies (for example, by calling non-approved algorithms). Applications should either use a higher-level language runtime or framework that delegates its cryptography to the validated libraries, or call the validated cryptography APIs directly.
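The following is an added example (not Canonical’s code and not part of Ubuntu) of the kind of start-up check an application can use to confirm it is actually getting validated cryptography: it reads the kernel’s FIPS flag, reports which OpenSSL build the Python runtime is linked against (on Ubuntu that is the distribution library, i.e. the validated module when the FIPS packages are installed), and routes hashing through an allowlist of approved digests so that a non-approved algorithm is rejected identically on FIPS and non-FIPS hosts. The flag path is the standard Linux one; the allowlist, the function names and the “fail to start” policy are assumptions of the example, not Ubuntu’s.

```python
"""Start-up check for an application that must run on FIPS-validated crypto.

Added example for illustration; not Canonical's code. It assumes the standard
Linux kernel FIPS flag at /proc/sys/crypto/fips_enabled and that the Python
runtime delegates hashlib/ssl to the system OpenSSL, as Ubuntu's does.
"""
import hashlib
import ssl
from pathlib import Path

KERNEL_FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")

# Digests acceptable under this (illustrative) application policy: the SHA-2
# and SHA-3 families. MD5 and SHA-1 are deliberately excluded.
APPROVED_DIGESTS = frozenset({
    "sha224", "sha256", "sha384", "sha512",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
})


def kernel_fips_enabled(flag_path: Path = KERNEL_FIPS_FLAG) -> bool:
    """True if the kernel reports FIPS mode (the flag file contains '1')."""
    try:
        return flag_path.read_text(encoding="ascii").strip() == "1"
    except FileNotFoundError:
        # No flag at all: this kernel was not booted with fips=1.
        return False


def openssl_version() -> str:
    """The OpenSSL build this interpreter is linked against. On Ubuntu this is
    the distribution library, which is the validated module when the FIPS
    packages are installed; a bundled or vendored OpenSSL would show up here."""
    return ssl.OPENSSL_VERSION


def approved_digest(algorithm: str, data: bytes) -> str:
    """Hash `data` with an approved algorithm via the system OpenSSL.

    The allowlist rejects non-approved names on every host, so behaviour is
    identical in and out of FIPS mode. usedforsecurity=True (Python 3.9+)
    additionally lets a FIPS-mode OpenSSL refuse a non-approved algorithm
    at runtime, as a second line of defence."""
    if algorithm not in APPROVED_DIGESTS:
        raise ValueError(f"{algorithm!r} is not an approved digest")
    return hashlib.new(algorithm, data, usedforsecurity=True).hexdigest()


def fips_preflight(require_fips: bool, flag_path: Path = KERNEL_FIPS_FLAG) -> dict:
    """Report the crypto posture; if FIPS is required but absent, refuse to run."""
    report = {
        "kernel_fips": kernel_fips_enabled(flag_path),
        "openssl": openssl_version(),
        "require_fips": require_fips,
    }
    report["ok"] = report["kernel_fips"] or not require_fips
    if not report["ok"]:
        raise RuntimeError("FIPS mode required but the kernel is not in FIPS mode")
    return report


if __name__ == "__main__":
    print(fips_preflight(require_fips=False))
    print(approved_digest("sha256", b"hello"))
```

Running this on a host booted with the FIPS kernel prints `kernel_fips: True`; on a developer laptop it reports `False` but still succeeds unless `require_fips=True`, which is the setting a production deployment would pin.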
On public clouds, Ubuntu Pro FIPS listings offer out-of-the-box, FIPS-compliant Linux images for Azure, AWS and GCP.
FIPS 140-3 is the latest version of the NIST standard, and future Ubuntu releases will be certified against it; Ubuntu 22.04 LTS is currently undergoing FIPS 140-3 certification. Existing 140-2 certificates will remain valid until 2026.
DISA-STIG – automated hardening
Organisations deploying solutions for the US Department of Defense must comply with DISA-STIG hardening guidelines. Meeting these requirements can be particularly challenging and time-consuming, since the Ubuntu DISA-STIG contains more than 200 rules that would otherwise have to be applied by hand.
Ubuntu transforms DISA-STIG compliance by enabling an unprecedented level of hardening automation. The Ubuntu Security Guide is a compliance-as-code tool that can automatically fix the overwhelming majority of compliance rule violations, eliminating the need to manually address each issue.
Using OpenSCAP, Ubuntu users can audit their systems and generate a report on compliance status, then use the Ubuntu Security Guide to apply fixes for the failing rules.
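As an added example (not part of OpenSCAP or the Ubuntu Security Guide), the following summarises the XCCDF results XML that `oscap xccdf eval --results` writes, and that a `usg audit` run produces under the hood: it reports counts per outcome and lists the failing rules ordered by severity, so the fix step can be prioritised or the output wired into a CI gate. The embedded XML is a constructed, minimal XCCDF 1.2 fragment with made-up rule IDs, not real audit output; the severity ranking, the pass-rate definition and the function names are the example’s own.

```python
"""Summarise an OpenSCAP XCCDF result file.

Added example, not part of OpenSCAP or the Ubuntu Security Guide. It reads
the XCCDF 1.2 results format that `oscap xccdf eval --results` writes and
reports outcome counts plus the failing rules, most severe first.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Outcome classes per XCCDF: "fixed" means a remediation was applied and
# re-checked. Everything else (notapplicable, notchecked, notselected,
# informational) is counted but excluded from the pass rate.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}

# Sort order for the failure list, most serious first (this example's choice).
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Constructed sample with made-up rule IDs; not real audit output.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH root login</title>
  </Rule>
  <Rule id="xccdf_example_rule_accounts_password_minlen" severity="medium">
    <title>Set password minimum length</title>
  </Rule>
  <Rule id="xccdf_example_rule_audit_rules_login_events" severity="high">
    <title>Record attempts to alter logon events</title>
  </Rule>
  <Rule id="xccdf_example_rule_partition_for_tmp" severity="low">
    <title>Ensure /tmp is on its own partition</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_accounts_password_minlen" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_partition_for_tmp" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def rule_titles(root: ET.Element) -> dict:
    """Map rule id -> human-readable title from the <Rule> definitions."""
    return {rule.get("id"): rule.findtext("x:title", default="", namespaces=XCCDF_NS)
            for rule in root.iterfind(".//x:Rule", XCCDF_NS)}


def summarise(xccdf_xml: str) -> dict:
    """Return outcome counts, the ordered failure list and a pass rate in %."""
    root = ET.fromstring(xccdf_xml)
    titles = rule_titles(root)
    counts: Counter = Counter()
    failures = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[outcome] += 1
        if outcome in FAILING:
            rule_id = rr.get("idref")
            failures.append({
                "id": rule_id,
                "severity": rr.get("severity", "unknown"),
                "title": titles.get(rule_id, ""),
                "outcome": outcome,
            })
    # Unknown severities sort last; ties broken by rule id for stable output.
    failures.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["id"]))
    passed = sum(counts[o] for o in PASSING)
    checked = passed + sum(counts[o] for o in FAILING)
    pass_rate = round(100.0 * passed / checked, 1) if checked else 0.0
    return {"counts": dict(counts), "failures": failures, "pass_rate": pass_rate}


if __name__ == "__main__":
    report = summarise(SAMPLE_RESULTS)
    print("outcomes:", report["counts"], f"pass rate: {report['pass_rate']}%")
    for f in report["failures"]:
        print(f"[{f['severity']:>6}] {f['id']}: {f['title']} ({f['outcome']})")
```

Pointing `summarise` at a real results file (read it from disk instead of `SAMPLE_RESULTS`) gives the list of rule IDs to hand to the fix step, and a pass rate that can be compared against a threshold before an image is promoted.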
Pre-hardened DISA-STIG compliant Ubuntu containers are now available directly through Platform One IronBank, enabling a secure supply chain through zero-distance delivery from source to production.
FedRAMP – compliance in the cloud
FedRAMP is a federal government program that provides a standardised approach to security and risk assessment for cloud services. FedRAMP authorisation is required for any cloud service that holds federal data.
Ubuntu is the most widely used Linux operating system across all leading public clouds, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Each of these vendors offers FedRAMP-authorised environments in which Ubuntu images can be deployed. The authorisation covers the provider’s platform; configuring and patching the guest operating system remains the customer’s responsibility under the shared-responsibility model, which is where the FIPS and DISA-STIG tooling described above comes in.
Managing security vulnerabilities
Keeping systems up-to-date with the latest security patches is one of the most significant IT challenges facing modern businesses, and overcoming this challenge is a central element of the Ubuntu value proposition.
Each LTS release of Ubuntu benefits from ten years of security updates with an Ubuntu Pro subscription. Throughout this period, the Ubuntu security team takes in vulnerability reports every day from MITRE, NVD, and other sources to continuously develop and publish fixes as soon as security issues are discovered – often before vulnerabilities are even made public.
This security patching covers the open source packages that form the base of Ubuntu’s Main repository (around 2,300 packages) as well as, with Ubuntu Pro, more than 23,000 packages in the Universe repository, including web servers, databases and development tools. Together they form a single trusted repository covering the open source software that users require.
Ensuring uptime with Kernel Livepatch
For production systems it is imperative to apply critical security patches, yet the disruption of rebooting is unwelcome. Canonical Livepatch deploys security fixes to the running Linux kernel without a reboot, allowing you to maintain five-nines (99.999%) or greater uptime. Livepatch addresses high and critical kernel vulnerabilities between maintenance windows; a reboot into the updated kernel is still required eventually to pick up the full set of fixes. Livepatch is available with Ubuntu Pro, and is enabled on Ubuntu LTS kernels from 16.04 onwards, as well as Hardware Enablement (HWE) kernels from version 6.2 in Ubuntu 22.04. Livepatch is also compatible with FIPS kernels provided FIPS updates are enabled.
Learn more about Linux security patches: best practices for risk-mitigation and uptime here.
Active Directory integration for Identity and Access Management (IAM) compliance
Linux desktops, including Debian and Ubuntu, have long supported Active Directory integration through SSSD; however, that was limited to authentication and a small subset of related security policies. Canonical has released ADSys, our new Active Directory client, which provides:
• Native Group Policy Object support for both machine and user policies targeting dconf settings on the client machine.
• Privilege management, allowing superuser privileges to be granted to or revoked from the default local user and from Active Directory users and groups.
• Custom script execution, allowing shell scripts to be scheduled to run at startup, shutdown, login and logout.
• Active Directory Administrative Templates for all supported versions of Ubuntu.
• Native user authentication with Azure Active Directory (Azure AD), enabling users on Microsoft 365 (M365) Enterprise plans to authenticate Ubuntu desktops with the same credentials they use for M365 or Azure.
ADSys is supported on Ubuntu from 20.04.2 LTS onwards, and is tested with Windows Server 2019. These features bring the Active Directory management experience on Ubuntu as close as possible to the one available on Windows.
US government regulatory compliance
Ubuntu and the ecosystem surrounding it drastically simplify the process of keeping systems patched against security vulnerabilities and compliant with regulations.
The federal regulatory landscape is highly complex, but specialised Ubuntu images provide a variety of certifications out-of-the-box, and the Canonical team is on hand to provide bespoke assistance with any compliance challenge. To learn more, get in touch today.