Compliance automation

Run regulated and high security workloads on Ubuntu

Ubuntu Pro is designed to reduce the security compliance burden for frameworks such as NIST, FedRAMP, PCI-DSS, ISO 27001 and CIS. Pro includes security vulnerability patching for up to 12 years, FIPS-validated cryptographic modules, and automated system hardening to the CIS and DISA STIG baselines, and can be deployed on-premises or in the public cloud.

Need information about the Cyber Resilience Act (CRA)? Canonical is committed to delivering CRA-compliant Ubuntu. To learn more, visit our dedicated webpage for understanding the CRA and its requirements, or contact our sales team.

An OS you can trust


Access certifications
for high security environments

Ubuntu Pro provides access to FIPS 140-certified cryptographic packages, allowing you to deploy workloads that need to operate under compliance regimes such as FedRAMP, HIPAA and PCI-DSS. Canonical works with NIST-approved testing labs to certify the core cryptographic modules within Ubuntu against the FIPS 140 requirements, so that applications linking these libraries can operate in compliance with the standard.


Automate hardening
with the Ubuntu Security Guide

The default configuration of Ubuntu balances usability and security. Systems carrying a dedicated workload can be further hardened to reduce their attack surface. Canonical provides the Ubuntu Security Guide to harden systems automatically to the DISA STIG and CIS benchmark profiles, and to generate audit reports. It is available with Ubuntu Pro on-premises or ready-built on the public clouds.


Fix security vulnerabilities
across the estate

Each Ubuntu LTS release enables state-of-the-art protection against vulnerability exploitation and malware. Canonical has a public vulnerability disclosure policy: vulnerabilities are fixed through automated security updates and kernel livepatches, and publicly disclosed in Ubuntu Security Notices. We also publish machine-readable OVAL CVE data for use with OpenSCAP and other third-party vulnerability management tools. Critical CVEs are typically patched within 24 hours.
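The OVAL workflow mentioned above, as an added example that is not part of this page or of Canonical's tooling: a POSIX shell script that downloads the USN OVAL feed for the running release from security-metadata.canonical.com, evaluates it with OpenSCAP, and lists the advisories whose fixes are not installed. It assumes the oscap command-line tool from the OpenSCAP packages is present and the host has network access to the feed; the helper functions that parse oscap's output need neither, and the live scan only runs when the script is invoked with --scan.

```shell
#!/bin/sh
# Added example, not Canonical's own script. Evaluates Canonical's USN OVAL
# feed with OpenSCAP and reports unpatched advisories.
set -eu

OVAL_BASE="https://security-metadata.canonical.com/oval"

# Download and unpack the USN OVAL feed for a release codename (e.g. jammy).
# Prints the local filename.
fetch_oval() {
    codename="$1"
    file="com.ubuntu.${codename}.usn.oval.xml"
    wget -q "${OVAL_BASE}/${file}.bz2"
    bunzip2 -f "${file}.bz2"
    printf '%s\n' "$file"
}

# Evaluate the feed against the installed packages. oscap prints one line per
# definition in the form "Definition <id>: true|false" and writes an HTML
# report. Exit status 2 means "not compliant" (some definition was true), so
# it is not treated as an error here.
evaluate_oval() {
    oscap oval eval --report oval-report.html "$1" || [ $? -eq 2 ]
}

# Pure helper: read oscap's stdout and print the IDs of definitions that
# evaluated true, i.e. advisories whose fix is NOT installed.
unpatched_definitions() {
    awk '$1 == "Definition" && $3 == "true" { sub(/:$/, "", $2); print $2 }'
}

# Pure helper: number of true definitions; 0 means fully patched.
count_unpatched() {
    unpatched_definitions | wc -l | tr -d ' '
}

main() {
    codename=$(lsb_release -cs)
    file=$(fetch_oval "$codename")
    out=$(evaluate_oval "$file")
    n=$(printf '%s\n' "$out" | count_unpatched)
    printf '%s\n' "$out" | unpatched_definitions
    printf 'Unpatched advisories: %s\n' "$n"
    # Non-zero exit makes this usable as a gate in a pipeline.
    [ "$n" -eq 0 ]
}

# Only perform the live scan when asked, so the helpers can be sourced or
# tested without network access or a real Ubuntu host.
if [ "${1:-}" = "--scan" ]; then
    main
fi
```

Run it as `sh oval-check.sh --scan` on the host being assessed; the definition IDs it prints map to entries in the generated oval-report.html, which names the USN and the affected package versions. The same feed can be loaded into any OVAL-capable scanner instead of oscap.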


Available on-prem and in the cloud


Resources

Henry Coggill, Chris Huffman

24 January 2024

How does Ubuntu enable your compliance
with FIPS and DISA-STIG?

The operating system is the cornerstone of a security compliance program. Ubuntu Pro enables functionality such as FIPS-certified crypto libraries and system hardening with the Ubuntu Security Guide to help meet stringent government security standards. Watch this webinar to find out more.


Henry Coggill, Chris Huffman

24 January 2024

Maximizing security and compliance
in the US public sector with Ubuntu Pro

Navigating the maze of complex compliance requirements facing the US Public Sector is a daunting prospect. Confusing abbreviations and terminology only make charting this course more difficult. If you’re looking to understand what FIPS, FedRAMP, and DISA-STIG are all about, this whitepaper is for you.

A guide to Infrastructure Hardening

The ever-present threats of ransomware and data breaches make it imperative to lock down systems and prevent attackers from gaining a foothold. Using industry best-practice guidelines such as the CIS benchmarks, this whitepaper will walk you through the process of hardening Linux-based deployments.


Ubuntu compliance
& hardening profiles

The default configuration of Ubuntu LTS releases balances usability, performance and security. Mission-critical systems can be further hardened to reduce their attack surface. Reducing the attack surface is a widely accepted security best practice and is often required by cybersecurity frameworks. Canonical works with industry-leading organizations, such as CIS and DISA, to produce security hardening benchmarks for Ubuntu.

These security benchmarks contain hundreds of steps, which can be prohibitively time-consuming to apply manually, so we provide the Ubuntu Security Guide (USG), a tool based on OpenSCAP, to automate the process. USG can generate remediation scripts that harden a system in one pass, and produce audit reports detailing which hardening rules pass and which fail. USG profiles are available for the CIS benchmarks and the DISA STIGs.
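The audit, fix and re-audit cycle described above, as an added example that is not Canonical's own code or documentation: a POSIX shell script around usg. It assumes an Ubuntu 20.04 or 22.04 LTS host already attached to Ubuntu Pro, the profile names that usg ships (cis_level1_server, cis_level1_workstation, cis_level2_server, cis_level2_workstation and stig), and the usg audit, fix and generate-fix subcommands with the --results-file, --html-file and --output flags as given in the usg manual page. The helpers that validate a profile name and summarise an XCCDF results file are pure and run anywhere without root; the privileged steps only run when a profile is passed on the command line.

```shell
#!/bin/sh
# Added example, not Canonical's own script. Drives usg through an
# audit -> fix -> re-audit cycle and gates on the remaining failures.
set -eu

# Profiles shipped by usg on Ubuntu 20.04/22.04 LTS.
KNOWN_PROFILES="cis_level1_server cis_level1_workstation cis_level2_server cis_level2_workstation stig"

# Pure helper: succeed only for a profile usg knows, so a typo fails
# before any privileged command runs.
valid_profile() {
    for p in $KNOWN_PROFILES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Pure helper: summarise an OpenSCAP XCCDF results file by outcome. Each rule
# evaluation appears as <rule-result idref="..."><result>pass|fail|...</result>.
# Output is one "outcome=count" line per outcome, e.g. "fail=2".
result_summary() {
    grep -Eo '<(xccdf:)?result>[a-z]+</' "$1" \
        | sed -E 's/.*>([a-z]+)<.*/\1/' \
        | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Pure helper: number of failed rules in a results file (0 if none).
failed_rules() {
    n=$(grep -Eo '<(xccdf:)?result>fail</' "$1" | wc -l)
    printf '%s\n' "$n" | tr -d ' '
}

# Enable the usg service on the Pro-attached host and install the tool.
install_usg() {
    sudo pro enable usg
    sudo apt-get install -y usg
}

# Audit only; nothing is changed. The XML results are kept so the before
# and after runs can be compared, and the HTML report sits beside them.
audit() {
    sudo usg audit --results-file "$2" --html-file "${2%.xml}.html" "$1"
}

main() {
    profile="$1"
    valid_profile "$profile" || { echo "unknown profile: $profile" >&2; exit 2; }
    install_usg
    audit "$profile" before.xml
    echo "before fix: $(result_summary before.xml | tr '\n' ' ')"
    # Write the remediation script to disk so it can be reviewed and
    # version-controlled before it is applied to anything that matters.
    sudo usg generate-fix --output "fix-${profile}.sh" "$profile"
    sudo usg fix "$profile"
    # usg asks for a reboot after fixing; kernel and boot-time settings are
    # only fully reflected in an audit taken after that reboot.
    audit "$profile" after.xml
    echo "after fix:  $(result_summary after.xml | tr '\n' ' ')"
    # Anything still failing needs a tailoring file (usg generate-tailoring)
    # or a documented exception; do not accept it silently.
    [ "$(failed_rules after.xml)" -eq 0 ]
}

if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Run it as `sh harden.sh cis_level1_server` (or `stig`). Keeping before.xml and after.xml lets you show an auditor exactly which rules the remediation changed, and the non-zero exit when failures remain makes the script usable as a gate in image-build pipelines.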


CIS benchmarks

USG profile:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

DISA-STIG

USG profile:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Configuration guides:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Ubuntu FIPS certifications

We strive to make Ubuntu the platform of choice in regulated and high-security environments. Ubuntu Pro enables access to the certification artifacts as well as the necessary tooling for such environments. The following is a list of the certifications available with Ubuntu Pro. Click on each for more detailed information.


These modules are NIST-certified:


  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

These modules have been assessed by a NIST-approved testing laboratory and are awaiting final certification by CMVP:


  • Ubuntu 22.04 LTS

Frequently asked questions about security certifications


How do I harden my Ubuntu system?

Hardening always involves a trade-off with usability and performance. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances usability, performance and security. Systems with a dedicated workload, however, are well positioned to benefit from hardening: you can reduce the workload's attack surface by applying an industry-accepted baseline. Canonical recommends the Center for Internet Security (CIS) benchmarks for hardening the configuration of Ubuntu.


How do I comply with PCI-DSS?

PCI-DSS is a payment industry standard: any company that stores, processes or transmits payment card or cardholder data is required to comply with it. The standard is maintained by the PCI Security Standards Council and defines the measures and processes for securing cardholder data. Much of it concerns business-as-usual processes: monitoring of security controls, timely response, review of environmental and organisational changes, and confirming that hardware and software remain under vendor support. For companies with large transaction volumes, compliance is verified by an assessment from a Qualified Security Assessor (QSA).

Achieving and maintaining compliance is a complex and costly process that involves business processes as well as software requirements. Ubuntu provides software and security controls, such as disk encryption, password policy configuration, FIPS 140-2 validated cryptography and CIS hardening, together with a comprehensive enterprise software maintenance programme, that help you achieve and maintain compliance with the standard.


Security Compliance and Certification documentation

Read the docs ›