
Security Certifications & Hardening

Run regulated and high security workloads on Ubuntu

Whatever cybersecurity framework you have chosen, including ISO 27000, NIST, PCI or CIS Controls, Ubuntu Pro on-premise or on public clouds enables your compliance and reduces your operational risk. It gives you access to automation for hardening and compliance profiles such as CIS and DISA-STIG, as well as to the FIPS 140-2 and Common Criteria certifications.

Comply with established security baselines

The default configuration of Ubuntu balances usability and security. However, systems carrying dedicated workloads can be further hardened to reduce their attack surface. Canonical works with DISA to ensure STIG guides are available for Ubuntu, and provides OpenSCAP tooling and automation for the industry-accepted CIS benchmark. Available with Ubuntu Pro on-premise or on public clouds.

Know your defenses

Each Ubuntu release enables state-of-the-art protection against vulnerability exploitation and malware, and we publicly detail our choices. Canonical has a public vulnerability disclosure policy: vulnerabilities are not only fixed with automated security updates and livepatches but also publicly disclosed through our security notices. We further provide machine-readable OVAL CVE output for use by OpenSCAP and other 3rd party vulnerability management tools.

Access certifications for high security environments

Access certification artifacts as well as the necessary tooling for regulated and high security environments. Ubuntu Pro provides access to FIPS 140-2 certified cryptographic packages, allowing you to deploy workloads that need to operate under compliance regimes like FedRAMP, HIPAA, and PCI-DSS. Additionally, some Ubuntu versions have been certified under Common Criteria, providing 3rd party attestation of the security mechanisms in the operating system.


FIPS

A US and Canada government cryptographic module certification of compliance with the FIPS 140 information processing standard


Common Criteria

3rd party attestation of the security mechanisms in the operating system. Ubuntu has an EAL2 certification recognised by CCRA and EU SOGIS members

DISA-STIG

Ubuntu Pro has the necessary automated tooling to comply with DISA-STIG guidelines on Linux


CIS

Canonical provides Ubuntu Security Guide (USG) for automated audit and compliance with the CIS benchmarks

How does Ubuntu enable your compliance with FIPS and DISA-STIG?

Learn about the US government security standards and the common challenges organisations face when implementing them. See how the Ubuntu Security Guide can transform systems compliance in a few minutes. Get to know how Ubuntu is a secure platform for government agencies and organisations that must comply with these standards to build, operate and innovate with open source applications and technologies.

Ubuntu compliance & hardening profiles

The default configuration of Ubuntu LTS releases balances usability, performance and security. However, non-general-purpose systems can be further hardened to reduce their attack surface. Reducing the attack surface is often part of complying with the organisation’s cybersecurity framework, but it is also a widely accepted security best practice. We recommend using the industry-accepted benchmarks below. Click on each benchmark for more detailed information.

Center for Internet Security (CIS) certified benchmarks for Ubuntu systems

Tooling & automation

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

Tooling & automation

  • Ubuntu 20.04 LTS

Configuration guides

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Ubuntu security certifications

We strive to make Ubuntu the platform of choice in regulated and high security environments. Ubuntu Pro enables access to the certification artifacts as well as the necessary tooling for such environments. The following is a list of the certifications available with Ubuntu Pro. Click on each for more detailed information.

FIPS 140-2 Level 1 certification: A US and Canada government cryptographic module certification of compliance with the FIPS 140 data protection standard. US agencies, their service providers or other institutions that comply with similar requirements (e.g., HIPAA, PCI-DSS) are required to comply with FIPS 140.

  • Ubuntu 16.04 LTS: Yes (tooling and automation)
  • Ubuntu 18.04 LTS: Yes (tooling and automation)
  • Ubuntu 20.04 LTS: Yes (tooling and automation)

Common Criteria, EAL2, an internationally accepted security certification: A 3rd party attestation of the security mechanisms in the operating system. Ubuntu has a Common Criteria EAL2 certification recognized by CCRA and EU SOGIS members.

  • Ubuntu 16.04 LTS: Yes
  • Ubuntu 18.04 LTS: Yes

Frequently asked questions about security certifications

How do I harden my Ubuntu system?

Hardening always involves a tradeoff with usability and performance. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances usability, performance and security. However, systems with a dedicated workload are well positioned to benefit from hardening. You can reduce your workload’s attack surface by applying an industry-accepted baseline. At Canonical we recommend applying the Center for Internet Security (CIS) benchmarks for hardening the configuration of Ubuntu.

How do I comply with PCI-DSS?

PCI-DSS is a payment industry standard, and any company that stores, processes or transmits payment card or cardholder information is required to comply with it. The standard is defined by the Payment Card Industry council and sets out measures and processes to secure online financial transactions. Its focus is on making activities such as monitoring of security controls, timely response, review of environmental and organisational changes, and verification that hardware and software remain under vendor support part of business as usual. For companies with large volumes of transactions, compliance with the standard is enforced through an audit by a Qualified Security Assessor (QSA).

Achieving and maintaining compliance is a complex and costly process that involves business processes in addition to software requirements. Ubuntu by Canonical provides software and security controls, such as disk encryption, password settings configuration, cryptographic compliance with FIPS 140-2 and CIS hardening, as well as a comprehensive enterprise software maintenance program, to help achieve and maintain compliance with the standard.

Security Compliance and Certification documentation
