Security Certifications & Hardening

Run regulated and high security workloads on Ubuntu

Whatever cybersecurity framework you have chosen, including ISO 27000, NIST, PCI or CIS Controls, Ubuntu Pro and Ubuntu Advantage enable your compliance and reduce your operational risk. Access automation for hardening and compliance profiles, such as CIS and DISA-STIG, as well as the FIPS 140-2 and Common Criteria certifications.

Comply with established security baselines

The default configuration of Ubuntu balances usability and security. However, systems carrying dedicated workloads can be further hardened to reduce their attack surface. Canonical works with DISA to ensure STIG guides are available for Ubuntu, and we provide OpenSCAP tooling and automation for the industry-accepted CIS benchmark. Available with Ubuntu Advantage and Ubuntu Pro.

Know your defenses

Each Ubuntu release enables state-of-the-art protection against vulnerability exploitation and malware, and we publicly detail our choices. Canonical has a public vulnerability disclosure policy: vulnerabilities are not only fixed with automated security updates and livepatches but also publicly disclosed through our security notices. We further provide machine-readable OVAL CVE output for use by OpenSCAP and other third-party vulnerability management tools.
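The OVAL feed referred to above is an XML document of vulnerability definitions that a scanner such as OpenSCAP evaluates against the installed packages. As an added example, not Canonical's code or tooling, the Python script below parses a constructed, heavily trimmed OVAL definitions document, keeps only definitions of class "vulnerability" (skipping the inventory definition that identifies the release), collects each one's CVE references and advisory severity, and lets you filter by a minimum severity. The definition ids, CVE numbers and domain are placeholders, and the severity names are assumed to follow Ubuntu's CVE priority scale (Negligible, Low, Medium, High, Critical).

```python
"""Summarise an OVAL vulnerability-definition feed by advisory severity.

Added example (not from the Ubuntu page). SAMPLE_OVAL is a constructed,
trimmed imitation of the OVAL definitions layout; real vendor feeds are
far larger and carry tests, objects and states alongside the definitions.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# OVAL definitions namespace (the real schema namespace, used as the default
# namespace in the constructed sample below).
OVAL_NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Assumed severity scale, ordered low to high (Ubuntu CVE priority names).
SEVERITY_ORDER = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample document. CVE ids and the example.invalid domain are
# placeholders, not real identifiers.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="inventory" id="oval:com.example:def:100" version="1">
      <metadata>
        <title>Check that the running release is Example LTS</title>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:com.example:def:1" version="1">
      <metadata>
        <title>CVE-0000-0001 on Example LTS - medium.</title>
        <reference source="CVE" ref_id="CVE-0000-0001" ref_url="https://example.invalid/CVE-0000-0001"/>
        <description>Constructed description.</description>
        <advisory from="security@example.invalid"><severity>Medium</severity></advisory>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:com.example:def:2" version="1">
      <metadata>
        <title>CVE-0000-0002, CVE-0000-0003 on Example LTS - high.</title>
        <reference source="CVE" ref_id="CVE-0000-0002" ref_url="https://example.invalid/CVE-0000-0002"/>
        <reference source="CVE" ref_id="CVE-0000-0003" ref_url="https://example.invalid/CVE-0000-0003"/>
        <reference source="Advisory" ref_id="EXAMPLE-ADVISORY-1" ref_url="https://example.invalid/adv/1"/>
        <advisory from="security@example.invalid"><severity>High</severity></advisory>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:com.example:def:3" version="1">
      <metadata>
        <title>CVE-0000-0004 on Example LTS - low.</title>
        <reference source="CVE" ref_id="CVE-0000-0004" ref_url="https://example.invalid/CVE-0000-0004"/>
        <advisory from="security@example.invalid"><severity>Low</severity></advisory>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


def parse_oval_definitions(xml_text):
    """Return a list of dicts (id, title, cves, severity) for every
    vulnerability-class definition in the document, in document order."""
    root = ET.fromstring(xml_text)
    results = []
    for definition in root.findall(".//d:definition", OVAL_NS):
        if definition.get("class") != "vulnerability":
            continue  # inventory/patch/compliance definitions are not CVEs
        meta = definition.find("d:metadata", OVAL_NS)
        title_el = meta.find("d:title", OVAL_NS)
        title = (title_el.text or "").strip() if title_el is not None else ""
        # Only references whose source is CVE are CVE ids; other sources
        # (vendor advisories, bug trackers) are ignored here.
        cves = [
            ref.get("ref_id")
            for ref in meta.findall("d:reference", OVAL_NS)
            if ref.get("source") == "CVE"
        ]
        sev_el = meta.find("d:advisory/d:severity", OVAL_NS)
        severity = (sev_el.text or "").strip() if sev_el is not None else "Unknown"
        results.append(
            {"id": definition.get("id"), "title": title, "cves": cves, "severity": severity}
        )
    return results


def severity_counts(definitions):
    """Count definitions per severity label."""
    return Counter(d["severity"] for d in definitions)


def select_by_min_severity(definitions, minimum):
    """Keep definitions whose severity is at or above `minimum`; unknown
    labels never pass the filter, so they are surfaced only by counts."""
    floor = SEVERITY_ORDER[minimum]
    return [d for d in definitions if SEVERITY_ORDER.get(d["severity"], -1) >= floor]


if __name__ == "__main__":
    defs = parse_oval_definitions(SAMPLE_OVAL)
    print("severity breakdown:", dict(severity_counts(defs)))
    for d in select_by_min_severity(defs, "High"):
        print(d["id"], d["severity"], ", ".join(d["cves"]))
```

Run against a real feed, the same functions give you a quick view of how many definitions the scanner will evaluate and which of them carry a high or critical advisory before you hand the file to OpenSCAP.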

Access certifications for high security environments

Get access to certification artifacts as well as the tooling needed for regulated and high security environments. Ubuntu Advantage and Ubuntu Pro provide access to FIPS 140-2 certified cryptographic packages, allowing you to deploy workloads that need to operate under compliance regimes like FedRAMP, HIPAA, and PCI-DSS. Additionally, Ubuntu versions have been certified under Common Criteria, providing third-party attestation of the security mechanisms in the operating system.

FIPS certification and CIS compliance with Ubuntu

Learn about Ubuntu CIS and FIPS certified components to enable operating under compliance regimes like FedRAMP, HIPAA, PCI and ISO. Get all of your compliance questions answered in our upcoming webinar to ensure you and your team are, and remain, compliant.

Ubuntu compliance & hardening profiles

The default configuration of Ubuntu LTS releases balances usability, performance and security. However, non-general-purpose systems can be further hardened to reduce their attack surface. Reducing the attack surface is often part of complying with the organization's cybersecurity framework, but it is also a widely accepted security best practice. We recommend using the industry-accepted benchmarks below. Click on each benchmark for more detailed information.

Releases covered: Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS

  • Center for Internet Security (CIS) certified benchmarks for Ubuntu systems: Yes (certified tooling & automation)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs): Yes (STIG content, STIG guide)

Ubuntu security certifications

We strive to make Ubuntu the platform of choice in regulated and high security environments. Ubuntu Advantage enables access to the certification artifacts as well as the tooling needed for such environments. The following is a list of the certifications available with Ubuntu Advantage and Ubuntu Pro on public clouds. Click on each for more detailed information.

Releases covered: Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS

  • FIPS 140-2 Level 1 certification: a US and Canada government cryptographic module certification of compliance with the FIPS 140-2 data protection standard. US agencies, their service providers and other institutions that comply with similar requirements (e.g., HIPAA, PCI-DSS) are required to comply with FIPS 140-2. Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS: Yes (tooling and automation) for each release.
  • Common Criteria EAL2, an internationally accepted security certification: a third-party attestation of the security mechanisms in the operating system. Ubuntu has a Common Criteria EAL2 certification recognized by CCRA and EU SOGIS members. Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS: Yes for each release (tooling & automation).

Frequently asked questions about security certifications

How do I harden my Ubuntu system?

Hardening always involves a trade-off with usability and performance. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances usability, performance and security. However, systems with a dedicated workload are well positioned to benefit from hardening. You can reduce your workload's attack surface by applying an industry-accepted baseline. At Canonical we recommend applying the Center for Internet Security (CIS) benchmarks for hardening the configuration of Ubuntu.

How do I comply with PCI-DSS?

PCI-DSS is a payment industry standard, and any company that stores, processes or transmits payment card or cardholder information is required to comply with it. The standard is defined by the Payment Card Industry council and defines measures and processes to secure online financial transactions. It also covers business-as-usual processes: monitoring of security controls, timely response, review of environmental and organizational changes, and confirming that hardware and software remain under support by their vendors. For companies with large volumes of transactions, compliance with the standard is enforced by an audit from a Qualified Security Assessor (QSA).

Achieving and maintaining compliance is a complex and costly process that involves business processes in addition to software requirements. Ubuntu by Canonical provides software and security controls, such as disk encryption, password policy configuration, FIPS 140-2 cryptographic compliance and CIS hardening, as well as a comprehensive enterprise software maintenance program, to help you achieve and maintain compliance with the standard.