Protected OS «UALinux Secured*Pack» with the conclusion SSSCIP of Ukraine
Protected operating system «UALinux Secured*Pack» based on OS Ubuntu*Pack (hereinafter OS «UALinux Secured*Pack») has a positive expert opinion which is registered with the State Service for Special Communications and Information Protection and is included in the "List of means of technical protection of information permitted to ensure the technical protection of state information resources and information, the requirement for the protection of which is established by law", which allows its use in systems where information with restricted access and personal data circulates.
OS «UALinux Secured*Pack»
is a set of functions and security mechanisms as part of the OS software designed to implement the protection of information with restricted access (IwRA) (including information constituting a state secret; confidential information owned by the state; confidential information about a person (personal data) information, constituting a trade secret, etc.) processed in automated systems (AS) of class 1, AS of class 2 and AS of class 3, built on the basis of a PC/Server (separate and/or combined into a local area network), operating under the control OS «UALinux Secured*Pack».
The set of security services implemented by the functional composition of the OS «UALinux Secured*Pack» constitutes the following security profile: 3.КЦД.={КД-2, КА-1, КА-2, КО-1, КВ-2, ЦД-1, ЦА-1, ЦА-2, ЦВ-2, ДР-1, ДЗ-1, ДС-1, ДВ-1, НР-3, НИ-3, НК-1, НО-3, НЦ-2, НТ-3, НВ-2}.
The developer provides guarantees for the implementation of security services, the development process, delivery and maintenance of the OS «UALinux Secured*Pack» in accordance with the terms of G-3 level guarantees.
OS «UALinux Secured*Pack» allows you to implement the policy of administrative and trust management of access to objects and processes of the OS, provides protection of information that is presented in the form of data files of an arbitrary type (electronic documents, spreadsheets, design drawings, geographic information systems data, database objects data, etc.), interaction interfaces and information flows initiated by OS processes.
- a set of protective equipment fully complies with the current regulatory framework of Ukraine and open international standards
- high resistance to various types/classes of cyber threats and hacker attacks
- full immunity to virus threats (including virus transit)
- open source system - no bookmarks and hidden spyware
- low hardware requirements allow you to install the OS on outdated equipment without upgrading the existing computer fleet
- the ability to use both on servers and in workplaces
- full infrastructure compatibility with most existing software ecosystems
- control of user and process actions when using information objects in accordance with the selected security policy
- domestic product support by its developer
- reduction in the total cost of the product due to the inclusion of a wide range of additional software, including office software (texts, tables, presentations)
- Audit (Audit - AU) - the functionality of the complex protection system, designed to register security events in the system and enable OS users with administrative rights to control the processes and actions of users, monitor how the complex is used, and also configure it correctly;
- System monitoring (System Monitoring - SM) - the functionality of the complex protection system, designed to obtain information about the progress of the boot process, the current state of security and health of OS components, application processes running within the OS user environment and analysis of audit results;
- Identification and authentication of users (Identification and authentication - I&A) - the functionality of the complex protection system based on the calculation and use by access subjects (users) of unique access attributes (username, password, session identifier, electronic certificate, access identifier, etc.) for the implementation their authorization procedures during access to OS objects);
- Authorization of users in the system (Authorization - AU) - the functionality of the complex protection system, which ensures the implementation of the policy of restricting access to objects (selected directories and files contained in them), based on certain attributes of users and objects in the system, and provides functionality for OS administrators to manage this access, allows you to organize joint work of several users with different job duties and rights to access protected information.
- User and role management (URM) the functionality of the complex protection system that defines a role model for managing users and access to OS objects.
- Process management in the OS (Process Management - PM) - the functionality of the complex protection system, which is designed to
- managing process access to OS objects and their initiation policy;
- managing the flow of information and blocking the flow of information, which may lead to a decrease in its level of confidentiality;
- delimitation of application access to selected directories and files contained in them, which makes it possible to protect information from accidental deletion or damage, as well as to ensure compliance with its processing technology.
- Establishment of restrictions (Quota - QU) - OE functionality designed to manage restrictions on the use of computing resources of the OS deployment hardware platform and system resources of the OS kernel, as part of the execution of user applications.
- System availability (High availability - HA) - the functionality of an integrated protection system designed to ensure an appropriate level of stability of processes and OS modules before failures and execution errors, as well as support mechanisms for restoring the functionality of the OS and protected objects.
- Process isolation and protection against unauthorized reuse of objects (Process isolation - PI) - the functionality of an integrated protection system that provides protection for user processes from unauthorized initiation and excess of authority, control of the integrity of processes during their execution and separation of the virtual memory space used by processes.
- Data storage security in the OS (Data Storage Security - DSS) - the functionality of a comprehensive protection system that provides:
- protection of OS objects that are stored in the file system;
- control over the import of information from removable media;
- control over the export of information to removable media with the possibility of registering removable media and limiting (for certain users) the list of removable media used only by registered ones;
- guaranteed destruction of information with restricted access when deleting the corresponding files;
- monitoring the integrity of the application software (SW) and the software of the complex, as well as blocking the download of programs whose integrity has been violated, which allows for protection against viruses and compliance with the technology for processing protected information;
- control over the use of disk space by users, excludes the possibility of blocking by one of the users of the ability of other users to work;
- the ability to block user interface devices (keyboard, mouse, monitor) during his absence;
- monitoring the integrity and self-testing of the complex at startup and at the request of the administrator;
- System update and software installation manager (update manager - UM) - the functionality of an integrated protection system that implements downloads and installations of OS update packages and additional software packages from reliable sources.
- Support for secure data transfer protocols (Network and Communication Security - NCS) - the functionality of an integrated security system that implements data encryption mechanisms using common cryptographic protection libraries certified in the field of cryptographic information protection.
- Protection of external connections to host interfaces - the functionality of an integrated protection system designed to protect the logical interaction interfaces that are provided by the OS in the process of processing received and transit information flows.
- SELinux/AppArmor - Implementation of Mandatory User and Process Access Control (MAC), Multi-Layer Security (MLS), and Multi-Category Security (MCS) mechanisms in the Linux kernel.
- The purpose of the access policy implemented by SELinux is to provide the ability to control privileges based on the roles that a user can hold, and then to limit the scope of influence that a role can have by defining allowed combinations of roles and domains.
- AppArmor is a predictive protection software tool based on security policies that determine which system resources and with what privileges can be accessed by an application running on systems. AppArmor allows the system administrator to restrict the capabilities of programs using program profiles. Profiles can allow features such as network access, raw socket access, and permission to read, write, or execute files on the appropriate paths. AppArmor complements the traditional Unix selective access control (DAC) system by providing mandatory access control (MAC).
The Protected OS «UALinux Secured*Pack» will satisfy the requirements for reliability, compliance with international open and state standards and information security to the maximum.
OS «UALinux Secured*Pack» can be used on workstations and servers of distributed computing networks. The composition of the installation packages allows you to provide the necessary functionality of the OS as part of the deployment:
- пenterprises and organizations of the public sector, in whose activities it is supposed to use a specialized secure software environment for processing information with any classification of secrecy, including higher, in automated systems AC-1, AC-2, AC-3 (for example, automated workers places (AWP) class AC 1 for RSA)
- enterprises and organizations of the non-state sector need to use an automated workplace or a server with increased protection both from local hacking and from the possible introduction of malicious software agents
- ensuring the security of information and telecommunication systems (ITS)
- secure automated workers places users (both localized and as part of ITS)
- protected virtual machines
- secure functional servers as part of local and distributed ITS (databases, e-mail, file servers, web servers (site hosting), etc.)
- specialized servers providing infrastructure for local and distributed ITS (network router, secure network gateways and filters, IPS / IDS systems, DNS, DHCP, NTP servers, SYSlog servers and sensors of SIEM systems (cybersecurity event management systems, directory servers (SAMBA, Kerberos, LDAP, Radius), etc.).
and many others areas of application...
More detailed information is given in the documentation OS «UALinux Secured*Pack». Functional Specifications". You can also
OS «UALinux Secured*Pack» is developed on the basis of Ubuntu*Pack. You can for testing (is not secured version)
OS «UALinux Secured*Pack» is already used by the following organizations:
Ministry of Health Ukraine
State Service of Special Communications and Information Protection of Ukraine
Security Service of Ukraine
The State Emergency Service of Ukraine
National Security and Defense Council of Ukraine
and others.