
Certified versions: the rakes we choose to step on

As you know, the requirement to use certified software versions is written into a variety of regulators' documents. And (unfortunately) this is the reality everyone lives with. This article will not list the provisions of the documents that require the use of certified (or, put differently, “passed the conformity assessment procedure”) products, or the size of the fines for not using them. Instead, it looks at the typical problems that customers forced to use certified software bring to technical support.

If you have recently been forced to switch to certified versions and have not yet stepped on all the rakes, read on.

By way of introduction: this selection of typical problems was put together while preparing for a conference, based on calls to our technical support. So I warn you right away that although the certification procedure is the same for all market participants, the examples will state which company they apply to. And there are nuances. For instance, Doctor Web's distributions for FSTEC- and FSB-certified products are different (since, under the same requirements, the update zones must differ), while Kaspersky Lab has a single distribution kit; apparently the update zones are separated by other means.

That is the introduction; let's move on to the problems.
Problem number 1. Do you work on ... (name of a specific OS or product)?

There are several problems here. Let us consider examples.

Let's start with the fact that this selection of answers was prepared on the eve of the conference “Practice of implementing the ‘Digital Economy’ program based on Astra Linux solutions”, so in place of the ellipsis there should have been Astra Linux Special Edition Smolensk version 1.6. The certified version (and the non-certified one too, of course) works on this release. But users do not have the right to use it there. The point is that the certification rules require products submitted for certification to be tested for support of specific operating systems, and all of those operating systems are listed in the form that accompanies the certified distribution. If Astra Linux version 1.6 is not listed in the form, you cannot use the product on it, even though the product (whose system requirements are “glibc 2.12 and higher”) works perfectly on this version.

Operating systems that meet the described requirements are added to the form's list of supported systems as they are released, but the manufacturer cannot simply add them. The inspection control procedure has to be completed first, and it is not quick: no less than four months.

We are asked: can't the release of new operating systems and the inspection control (IC) be synchronized in advance? Alas, that will not work, because in addition to the Astra Linux already mentioned we are required to support AltLinux, Windows and so on, and their release dates, alas, fall at different times.

Hence the recommendation: check in advance that the OS you have chosen is supported by all the certified products you need.

All this is inconvenient for both users and manufacturers (users require support from them), but, alas, this is the current procedure.

And sometimes we have to answer a user's question by saying that the certified version does not support such an OS or product. Here, too, the problem often lies in the current procedure. Everyone knows that the number of Linux distributions is enormous, and using a certified Linux distribution is not always required. So a user can easily come with a support request for a rare distribution. But the manufacturer is charged money for including each OS or product version. And a considerable amount: in total, comparable to the sales of the certified versions. Therefore, when preparing for certification, only operating systems in high demand are included in the supported list, although the certified version will work on a much larger number of products.

The situation with certification under the requirements of the Ministry of Defense (MO) is slightly different. Here the list of operating systems and products that must be supported is handed down by the MO. So in response to a request to support a certain OS, the user may well be told that this OS is not on the list required by the MO.

The situation with Windows 10 is the complete opposite. The builds of this OS are in fact completely different operating systems. And although Windows 10 is formally on the form, a new build will be supported only after the next inspection control. Yes, at least four months later, or even longer.

Many believe that certified versions benefit manufacturers. Perhaps they benefit someone, but at the level of security software they are a rare pain in the backside for both the manufacturer and the users. And a very, very expensive one.

Problem number 2. "I have updated!"

As is known, under the current procedure the manufacturer must update its software when vulnerabilities are found. There is a catch here too. An update is possible only through the inspection control procedure. Yes: four months, and money to pay. And if you do not release a certified update, your product cannot be used.

Next comes Yaroslavna's lament from the vendor. We have released an update, and the user has to install it. Do you think that is simple?

Certified distributions cannot be posted for free download. You either buy a media package, or contact technical support and then buy a media package anyway. Let's see why.

As already mentioned, if a certified distribution kit is needed urgently and waiting for delivery of a media package is not an option, the client can contact support and request links for downloading the certified versions and the form, and will be given them. Documents confirming payment for a previously purchased certified media package must be attached to the request. Why documents? So that the vendor can be sure the links are being requested by the client and not by just anyone.

Along with the links to the distributions, technical support will send links to the form and a recommendation along the following lines.

The form should be printed, and in the “Special Marks” section a note should be made about the replacement of form RU.72110450.00300-10 30 02 bearing the holographic label (the certification system's mark of conformity) with the updated form RU.72110450.00300-10 30 02 amendment 4.

On the replaced form RU.72110450.00300-10 30 02 you can add: “The form has been canceled. The certification system's mark of conformity (holographic sticker) is valid.” The replaced form should be kept together with the updated one to preserve the certification system's mark of conformity.

Be sure to do this!

After that, you still need to buy the media package mentioned above, because certified software is not just the distribution kit you received. Certified software is:


What is included in the media package? Again, as an example, a media package for Dr.Web 11 certified by FSTEC of Russia:


Yes, the holographic sticker that was previously supposed to be glued to a CD is still alive.

But you do not need to buy a key / serial number when you upgrade. The key (I can't speak for all vendors, but this is so at Doctor Web) is the same for certified and non-certified versions. So if you switch from the standard to the certified version, you do not need to change the key.

How many media packs do you need?


After receiving the media pack, there is no need to reinstall the already installed software from the DVD.

Problem number 3. I want to test!

As mentioned above, certified distributions cannot be freely available. The key (as mentioned above) can be taken from the non-certified version, but the distributions themselves must be requested. Again, I can't speak for everyone, but at Doctor Web you indicate when ordering a demo key that it is the certified version you need. Once you have a key, the distributions can be requested either from the company through which you make your purchases or from the vendor's technical support.

When ordering, you must specify the type of certification. The most common are MO, FSTEC and FSB.

Problem number 4. How to get updates for a closed network?

There is no need to set up an additional server outside the network and carry updates inside from it! That is a common mistake, by the way. As a rule, vendors provide a special utility for downloading updates. Again, at Doctor Web such a utility is part of ES, and you can also request it (drwreploader) separately from technical support.

Why do you need a utility? With manual copying, unnecessary files can accumulate and have to be deleted.

Problem number 5. About the signature.

This is an Astra Linux-specific problem. The fact is that in certain of its operating modes, packages have a digital signature from “NPO RusBITech”.

No need to sign certified packages again! They are already signed if Astra Linux support is listed on the form. Re-signing changes the checksums, and they will no longer match those indicated in the form.
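
An added example (not from the original article or from any vendor): a pre-deployment check that compares package files with the checksums recorded in the form and shows how a re-signed package stops matching. SHA-256, the file names and the name-to-checksum layout are assumptions; use the algorithm and values your form actually specifies.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large packages do not need to fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_against_form(pkg_dir: Path, form_sums: dict[str, str],
                       algo: str = "sha256") -> dict[str, str]:
    """Return {file name: status} for every file named in the form or found in pkg_dir."""
    report = {}
    for name, expected in form_sums.items():
        path = pkg_dir / name
        if not path.is_file():
            report[name] = "missing"
        elif file_digest(path, algo) == expected.strip().lower():
            report[name] = "ok"
        else:
            report[name] = "mismatch"  # e.g. the package was re-signed or altered
    for path in pkg_dir.iterdir():
        if path.is_file() and path.name not in form_sums:
            report[path.name] = "not-in-form"
    return report

def demo() -> dict[str, str]:
    """Constructed sample: two fake packages, one modified after the 'form' was issued."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "product-a.deb").write_bytes(b"constructed package A")
        (d / "product-b.deb").write_bytes(b"constructed package B")
        form = {p.name: file_digest(p) for p in d.iterdir()}  # stands in for the form
        # Simulate re-signing: adding signature data changes the file's bytes.
        with (d / "product-b.deb").open("ab") as f:
            f.write(b"\x00constructed-signature-block")
        (d / "leftover.tmp").write_bytes(b"stray file")
        return check_against_form(d, form)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:12} {name}")
```

Running the check before installation, and again after any repackaging step, catches a package whose checksum no longer matches the form.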

If you have questions, ask, I will try to answer.

Source: https://habr.com/ru/post/457534/

