Certified versions: the rakes we choose to step on

    As you know, various regulatory documents require the use of certified versions of software. Unfortunately, that is a given everyone has to live with. This article will not list the provisions that require certified products (or products that have otherwise “passed the verification of conformity procedure”), nor the fines for not using them. Instead, it covers the typical problems that bring customers who have to use certified software to technical support.

    If you have recently been forced to switch to certified versions and have not yet stepped on all the rakes, read on.

    By way of introduction: this selection of typical problems was put together in preparation for a conference, based on requests to our technical support. So, a warning up front: although the certification procedure is the same for all market participants, the examples will say which company they apply to, because there are nuances. For example, Doctor Web distributions for products certified to FSTEC and FSB requirements are different (since the update zones must be different for those requirements), while Kaspersky Lab has a single distribution; apparently its update zones are separated by other methods.

    That is the introduction; on to the problems.

    Problem number 1. Do you work on ... (name of a specific OS or product)?

    There are several problems here at once. Let's look at examples.

    To begin with, this selection of answers was prepared on the eve of the conference “The Practice of Implementing the Digital Economy Program Based on Astra Linux Solutions,” so the ellipsis stood for Astra Linux Special Edition Smolensk version 1.6. The certified version (and, naturally, the uncertified one too) works on this version. But users are not allowed to use it. The reason is that the certification rules require products submitted for certification to be tested for support of specific operating systems, and the form enclosed with the certified distribution lists all of those operating systems. If Astra Linux version 1.6 is not listed in the form, you cannot use the product on it, even though the product (whose system requirements are “glibc 2.12 and higher”) works fully on this version.

    Operating systems that meet the described requirements are added to the supported list in the form as they are released, but the manufacturer cannot simply do this on its own. It has to go through the inspection control (IR) procedure, and that is not fast: no less than four months.

    We are asked: can't the release of a new OS and the passing of IR be synchronized in advance? Alas, that will not work. Besides the mentioned Astra Linux, we also need to support AltLinux, Windows and so on, and their release dates, alas, all differ.

    Accordingly, the recommendation is to check in advance that the OS of your choice is supported by all the certified products you need.

    All this is inconvenient for both users and manufacturers (users require support from them), but, alas, this is the current procedure.

    Sometimes we have to tell a user that the certified version does not support a particular OS or product. Here, too, the problem often lies in the current procedure. Everyone knows that the number of Linux distributions is enormous, and using a certified Linux distribution is not always necessary, so a user can easily come to support with a rare distribution. But the manufacturer is charged for including each OS or product version in the list, and the sums are considerable: in total, comparable to the sales revenue from certified versions. Therefore, when preparing for certification, only very popular OSs are included in the supported list, although the certified version will work on a much larger number of products.

    The situation with certification to the requirements of the Ministry of Defense (MO) is slightly different. Here the list of OSs and products that must be supported comes down from the MO. So a user who asks for support of a particular OS may well be told that this OS is not on the MO's required list.

    The situation with Windows 10 is the complete opposite. Builds of this OS are in fact completely different operating systems. And although Windows 10 is formally listed in the form, support for a new build arrives only after the next IR. Yes, at least four months later, or even later.

    Many are confident that certified versions are beneficial to manufacturers. They may be beneficial to someone, but at the level of protective software they are a real headache for both the manufacturer and users. And a very, very expensive one.

    Problem number 2. “I am updated!”

    As you know, under the current procedure the manufacturer must update its software when vulnerabilities are found. Here lies a trap: an update is possible only through the IR procedure. Yes: four months, and pay the money. And if you do not release a certified update, your product cannot be used.

    That was Yaroslavna's lament on the vendor's side. We have released the update, and the user must install it. You think everything is simple?

    Certified distributions cannot be freely downloaded. You need to either buy a media package or contact technical support - and then still buy a media package. Let’s figure out why.

    As already mentioned, if a certified distribution is urgently needed and it is impossible to wait for the delivery of a media package, the client can contact the support service and request links for downloading the certified versions and the form, and they will be provided. The request must be accompanied by documents confirming payment for a previously purchased certified media package. Why documents? So that the vendor can be sure that the links are requested by the client and not by just anyone.

    In addition to links to the distributions, technical support will send links to the form and a recommendation along the following lines.

    The form should be printed out, and in the “Special Marks” section a note should be made that the form RU.72110450.00300-10 30 02 bearing the holographic sticker (certification system conformity mark) is replaced by the updated form RU.72110450.00300-10 30 02 rev. 4.

    On the replaced form RU.72110450.00300-10 30 02 you can add: “The form has been canceled. The certification mark of conformity (holographic sticker) is valid.” The replaced form should be kept together with the updated one to preserve the certification mark of conformity.

    This must be done!

    After that, you need to buy the mentioned media package, because certified software is more than just the distribution you received. Certified software is software:

    • that has passed a conformity check in the Certification System of information protection means in accordance with the requirements of state standards and regulatory documents on information protection;
    • that is certified for compliance with the parameters specified in these requirements. The best known, but not the only, certificates are those of the FSTEC of Russia and the FSB of Russia;
    • whose distribution corresponds to the reference copy that underwent certification tests, which is confirmed by the corresponding entries in the accompanying documentation for the certified software (the form) and by a special holographic mark of conformity with a unique number that identifies this copy in the state accounting system of certified products;
    • that is installed and configured in accordance with the certified parameters;
    • that is controlled during operation;
    • each certified copy of which is recorded in the register of certified products. The manufacturer must label the protective equipment and give officials of the bodies that control certified protective equipment unhindered access to the accounting information.

    What is included in the media package? Again as an example, here is the media package for the versions of Dr.Web 11 certified by the FSTEC of Russia:

    • Company box (as a means of distribution);
    • License certificate;
    • 3 DVD-ROMs in company envelopes with certified Dr.Web distributions and documentation;
    • Form with a holographic sticker, which contains reference checksums of certified products.

    Yes, the holographic sticker that used to be glued onto a CD is still alive.

    But you do not need to buy a key / serial number when upgrading. The key (I can't speak for all vendors, but this is how it is at Doctor Web) is the same for both certified and non-certified versions. So if you switch from regular to certified versions, you do not need to change the key.

    How many media packages are needed?

    • 1 legal entity = 1 media set;
    • If the client has several remote branches, you need as many media sets as there are branches. When checking by the regulator, it is more convenient to have a certified media package in place.

    After receiving the media package, you do not need to reinstall already installed software from the DVD.

    Problem number 3. I want to test!

    As mentioned above, certified distributions cannot be made publicly available. The key can (as mentioned above) be taken from an uncertified version, but the distributions themselves need to be requested. Again, I can't speak for everyone, but at Doctor Web you can indicate that the certified version is required when ordering a demo key. Once you have a key, the distributions can be requested either from the company through which you make purchases or through the vendor's technical support.

    When ordering, you need to specify the type of certification. The most common are MO, FSTEC, FSB.

    Problem number 4. How to get updates for a closed network?

    There is no need to install an additional server outside the network and carry updates inside! That is a common mistake, by the way. As a rule, vendors provide a special utility for downloading updates. Again, at Doctor Web it is part of ES, and you can also request this utility (drwreploader) separately from tech support.

    Why is a utility needed? When copying manually, extra files that then have to be deleted may accumulate.

    Problem number 5. About the signature.

    This is a specific AstraLinux problem. In certain operating modes, it checks that packages carry the digital signature of NPO RusBITech.

    There is no need to sign certified packages again! They are already signed if AstraLinux support is indicated in the form. Signing changes the checksums, and they will no longer match those given in the form.
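
    A check that follows from this, as an added example that is not part of the original article or of any vendor's tooling: compare each distribution file with the reference checksum transcribed from the form before installation, and see how a re-signed package fails it. SHA-256, the file name and the helper names are assumptions for illustration; use the algorithm the form actually names.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the form lists one reference checksum per distribution file.
# SHA-256 is a stand-in; use the algorithm the form actually names.
ALGORITHM = "sha256"

def file_digest(path: Path, algorithm: str = ALGORITHM) -> str:
    """Hash a file in chunks so large distributions do not fill memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_against_form(directory: Path, reference: dict[str, str]) -> dict[str, str]:
    """Return a status per file: 'ok', 'mismatch', 'missing' or 'unlisted'."""
    status = {}
    for name, expected in reference.items():
        path = directory / name
        if not path.is_file():
            status[name] = "missing"
        elif file_digest(path) == expected.strip().lower():
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for path in directory.iterdir():
        if path.is_file() and path.name not in reference:
            status[path.name] = "unlisted"  # extra file not covered by the form
    return status

def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed sample: a stand-in package checked before and after re-signing."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        pkg = d / "product_11.0_amd64.deb"  # hypothetical file name
        pkg.write_bytes(b"constructed package bytes")
        form = {pkg.name: file_digest(pkg)}  # plays the role of the form's entry
        before = check_against_form(d, form)
        # Re-signing modifies the file; modelled here as appended bytes.
        with pkg.open("ab") as f:
            f.write(b"\nconstructed extra signature block")
        after = check_against_form(d, form)
    return before, after

if __name__ == "__main__":
    print(demo())
```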

    If you have questions, ask; I will try to answer.
