Common criteria is not supported on anything other than Ubuntu 16.04.4

Bug #1922796 reported by David Coronel
This bug affects 1 person
Affects: Ubuntu Security Certifications
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

As our documentation reports on https://security-certs.docs.ubuntu.com/en/cc-16:

"Common criteria evaluated configuration is currently available for Ubuntu 16.04.4 LTS (Server)."

This is particularly an issue for Ubuntu Pro customers who would want to use common criteria, since the latest Ubuntu Pro images already come with Ubuntu 16.04.7 and won't allow customers to enable common criteria even with the manual method described in the link above. As far as I know it's not trivial either to downgrade from Ubuntu 16.04.7 to 16.04.4.

Here is what happens on an Ubuntu Pro 16.04.7 system when trying to manually enable CC-EAL (without using the UA client, which also doesn't work; see bug https://github.com/canonical/ubuntu-advantage-client/issues/1527):

====================
ubuntu@xenialpro:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
Executing: /tmp/tmp.naEcO4QzJW/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
A166877412DAC26E73CEBF3FF6C280178D13028C
gpg: requesting key 8D13028C from hkp server keyserver.ubuntu.com
gpg: key 8D13028C: "Launchpad PPA for ubuntu-advantage" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

ubuntu@xenialpro:~$ sudo add-apt-repository -u 'deb https://<user>:<password>@private-ppa.launchpad.net/ubuntu-advantage/commoncriteria/ubuntu xenial main'

ubuntu@xenialpro:~$ sudo apt install ubuntu-commoncriteria
[...]
Unpacking ubuntu-commoncriteria (1.0.16.04.1) ...
Setting up ubuntu-commoncriteria (1.0.16.04.1) ...

ubuntu@xenialpro:~$ mkdir cc-dir
ubuntu@xenialpro:~$ cd cc-dir

ubuntu@xenialpro:~/cc-dir$ cp /usr/lib/common-criteria/Configure-Ubuntu-16.04-Common-Criteria.sh ./
ubuntu@xenialpro:~/cc-dir$ cp /usr/lib/common-criteria/Ubuntu-16.04-Common-Criteria.tar.gz ./

ubuntu@xenialpro:~/cc-dir$ sudo ./Configure-Ubuntu-16.04-Common-Criteria.sh Ubuntu-16.04-Common-Criteria.tar.gz
Log file: /var/log/CC-EAL2-Ubuntu-16.04.4_20210406201104.log

This script will configure the system to ensure it's compliant
with Common Criteria EAL2.

Do you want to proceed? [N/y] y
Checking system...
This script should be run in a Ubuntu 16.04.4 system
====================

And the script exits with an error code 1.

Concerning Ubuntu Pro: I think we should either allow common criteria to work on 16.04.7 or we should remove it from our Ubuntu Pro documentation/datasheets/etc. because I don't see how we could let customers use common criteria on Ubuntu Pro today, yet it's part of the offering.

David Coronel (davecore) wrote :

NOTE: The following method is not tested/recommended/supported by Canonical

Just for fun I removed the 16.04.4 check from the common criteria check and ran it on an Ubuntu 16.04 Pro instance (16.04.7) and it ran well enough.

I edited the script Configure-Ubuntu-16.04-Common-Criteria.sh and commented out the following lines:

#if [[ "$DISTRIB_DESCRIPTION" != 'Ubuntu 16.04.4 LTS' ]]; then
# abort "This script should be run in a Ubuntu 16.04.4 system"
#fi

I then ran the script again:

$ sudo ./Configure-Ubuntu-16.04-Common-Criteria.sh Ubuntu-16.04-Common-Criteria.tar.gz

But it ended with this error after just a few seconds:

Some of the required packages are not installed: ebtables libvirt-bin qemu-kvm

So I installed those packages and ran the script again:

$ sudo apt install ebtables libvirt-bin qemu-kvm
$ sudo ./Configure-Ubuntu-16.04-Common-Criteria.sh Ubuntu-16.04-Common-Criteria.tar.gz

And this time it went through all the way:

Log file: /var/log/CC-EAL2-Ubuntu-16.04.4_20210408153319.log

This script will configure the system to ensure it's compliant
with Common Criteria EAL2.

Do you want to proceed? [N/y] y
Checking system...
Decompressing tarball...
Checking tarball contents...
Installing PPA key...
Adding temporary APT repository...
Running apt-get update...
Checking for installed packages...
Installing additional packages...
Removing non-compliant packages...
Removing "unattended-upgrades"...
Removing "apport-symptoms"...
Running post installation scripts...
Running post-install script, setumask...
Running post-install script, config-fstab...
Running post-install script, config-auditd...
Running post-install script, config-bootloader...
Running post-install script, config-sshd...
Running post-install script, config-modprobe...
Running post-install script, config-libvirt...
Running post-install script, config-qemu...
Running post-install script, config-apparmor...
Running post-install script, config-pam...
Running post-install script, screen...
Running post-install script, permissions...
Running post-install script, config-alias...
Running post-install script, config-hold-packages...
Common Criteria EAL2 configuration has successfully completed.
The system must reboot for the configuration to take effect.

Reboot the system now? [N/y] y
Rebooting...

After the reboot I noticed this message when I SSH’d back in:

Starting session in 10 seconds

And there’s a log file with the results:

$ head CC-EAL2-Ubuntu-16.04.4_20210408153319.log
This script will configure the system to ensure it's compliant
with Common Criteria EAL2.
Checking system...
Decompressing tarball...
Checking tarball contents...
Installing PPA key...
Adding temporary APT repository...
Running apt-get update...
Get:1 file:/tmp/cc.Gj8E5U1bjX/mirror xenial InRelease [24.3 kB]
Hit:2 http://azure.archive.ubuntu.com/ubuntu xenial InRelease

$ tail CC-EAL2-Ubuntu-16.04.4_20210408153319.log
/tmp/cc.Gj8E5U1bjX/post-inst/config-hold-packages: zlib1g set on hold.
/tmp/cc.Gj8E5U1bjX/post-inst/checkerror: --- Starting execution of /tmp/cc.Gj8E5U1bjX/post-inst/checkerror ---
/tmp/cc.Gj8E5U1bjX/post-inst/checkerror: Common Criteria Evaluated Configuration
Common Crit...
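
The two failures seen in this comment (the release gate on `DISTRIB_DESCRIPTION` and the abort on missing packages) can be checked before running the configuration script. This is an added example, not part of the original comment or of Canonical's script; the function names and sample input are hypothetical, while the release string and package list are taken from the output above.

```shell
#!/bin/sh
# Added example: pre-flight check for the two gates seen in this report.
# EVALUATED and REQUIRED are taken from the page; function names are hypothetical.
EVALUATED='Ubuntu 16.04.4 LTS'
REQUIRED='ebtables libvirt-bin qemu-kvm'

# Print DISTRIB_DESCRIPTION from an lsb-release style file ($1) without sourcing it.
distrib_description() {
    sed -n 's/^DISTRIB_DESCRIPTION=//p' "$1" | head -n 1 | tr -d '"'
}

# Succeed only when the file describes the evaluated release exactly.
is_evaluated_release() {
    [ "$(distrib_description "$1")" = "$EVALUATED" ]
}

# Print required packages absent from $1 (one name per line, e.g. dpkg-query -W -f='${Package}\n').
missing_packages() {
    cc_out=''
    for cc_pkg in $REQUIRED; do
        grep -qxF -- "$cc_pkg" "$1" || cc_out="${cc_out:+$cc_out }$cc_pkg"
    done
    printf '%s' "$cc_out"
}

# Report every mismatch; return 0 only if the system passes both gates.
preflight() {  # $1 = lsb-release file, $2 = installed-package list
    cc_rc=0
    if ! is_evaluated_release "$1"; then
        echo "release: found '$(distrib_description "$1")', evaluated is '$EVALUATED'"
        cc_rc=1
    fi
    cc_miss=$(missing_packages "$2")
    if [ -n "$cc_miss" ]; then
        echo "missing packages: $cc_miss"
        cc_rc=1
    fi
    return "$cc_rc"
}

# Constructed sample input modelled on the 16.04.7 system in the report.
demo() {
    cc_tmp=$(mktemp -d)
    printf 'DISTRIB_DESCRIPTION="Ubuntu 16.04.7 LTS"\n' > "$cc_tmp/lsb-release"
    printf 'openssh-server\nebtables\n' > "$cc_tmp/installed"
    preflight "$cc_tmp/lsb-release" "$cc_tmp/installed" || echo "not the evaluated configuration"
    rm -rf "$cc_tmp"
}
demo
```

On a live system, pass `/etc/lsb-release` and the output of the `dpkg-query` command as the two arguments to `preflight`.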

Adam Bell (arbell) wrote :

Hi @davecore,

I believe that this has been resolved since it was reported: I was able to run through this process on 16.04.7 using the cc-eal stream on the UA tool.

Please ping me internally if this is still an issue on your side!

Changed in ubuntu-security-certifications:
status: New → Fix Released