SUSE Linux Enterprise 11 Security Certifications and Features

Security Certifications and Verifications

Carrier Grade Linux (CGL) Registration

SUSE supports the Linux Foundation's Carrier Grade Linux (CGL) specification. SUSE Linux Enterprise 11 also meets the latest CGL 4.0 standard and is CGL registered.

FIPS 140-2 standard

SUSE has achieved FIPS (Federal Information Processing Standard) 140-2 validation for OpenSSL. The validation was conducted by atsec and certified by NIST (CMVP).

OpenSSL is one of the fundamental security libraries in the Linux and open source world, and FIPS 140-2, "Security Requirements for Cryptographic Modules", is the standard it was validated against. To be certified, a security module is described, tested, and validated against the standard's eleven requirement areas. The tests also confirm that the module behaves as defined and documented when it runs in FIPS mode.

As a result, with a FIPS-validated version of OpenSSL, U.S. and global users are assured the library behaves in a well-defined way if it runs in FIPS mode.

Common Criteria Security Certifications

SUSE received Common Criteria Certificates at Evaluation Assurance Level EAL4, augmented by ALC_FLR.3 (EAL4+) for SUSE Linux Enterprise Server 11 SP2 including KVM virtualization and for SUSE Linux Enterprise Server for System z 11 SP2. To achieve the certifications, SUSE's products and processes for developing and maintaining its products passed a rigorous security evaluation performed by atsec information security. The certificates were issued by Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for IT Security, at the CeBIT expo in Hannover.

The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408). The current applicable version of CC is V3.1R3 and is available at www.commoncriteriaportal.org.

Security Features

AppArmor

This security framework protects your Linux OS and applications from external and internal threats and zero-day attacks. AppArmor® comes with default policies for quick deployment so you can secure mission-critical applications quickly. Security profiles completely define what system resources individual programs can access and with what privileges. AppArmor also includes learning-based tools and advanced statistical analytics that simplify the development of customized policies, even for the most complex applications. Additionally, changing security policies with AppArmor is dynamic, eliminating the need to reboot the system.

Trusted Platform Module (TPM) support

SUSE Linux Enterprise Server includes support for the TPM standard, which facilitates the authentication of common hardware devices.

UEFI Secure Boot

SUSE Linux Enterprise Server support for UEFI Secure Boot secures the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature.

Security-Enhanced Linux (SELinux)

In addition to AppArmor, SELinux capabilities have been added to SUSE Linux Enterprise Server. While these capabilities are not enabled by default, customers can choose to run SELinux with SUSE Linux Enterprise Server.

OpenSCAP

OpenSCAP tools and libraries are added in SUSE Linux Enterprise Server 11 Service Pack 2. OpenSCAP is a set of open source libraries providing a path for integration of SCAP (Security Content Automation Protocol). SCAP is a collection of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information. For more information about SCAP, see http://nvd.nist.gov.

SHA-256 Hash Algorithm in opencryptoki CCA Token

SUSE Linux Enterprise Server 11 Service Pack 3 includes opencryptoki 2.4.2. This comes with a CCA token that exploits the SHA-256 hash algorithm provided by System z crypto hardware.

Other security-related features:

Function | SUSE features
System Hardening | YaST2 Security Center
Intrusion Detection (Filesystem) | AIDE (Advanced Intrusion Detection Environment)
Fine-grained access rights | Filesystem POSIX capabilities
Encryption capabilities | Three ways: "Full Disk"—Volume—File System (eCryptFS)