SUSE Linux Enterprise 11 Security Certifications and Features
Security Certifications and Verifications
Carrier Grade Linux (CGL) Registration
SUSE supports the Linux Foundation's Carrier Grade Linux (CGL) specification. SUSE Linux Enterprise 11 also meets the latest CGL 4.0 standard and is CGL registered.
Linux Foundation's Carrier Grade Linux web page
FIPS 140-2 standard
SUSE has achieved FIPS (Federal Information Processing Standard) 140-2 validation for OpenSSL. The validation was conducted by atsec and certified by NIST (CMVP).
The FIPS 140-2 standard, "Security Requirements for cryptographic modules", is one of the fundamental security libraries in the Linux and Open Source world. To be certified, a security module is described, tested, and validated against the standard’s eleven requirement areas. The tests also confirm that the module behaves as defined and documented if it runs in FIPS mode.
As a result, with a FIPS-validated version of OpenSSL, U.S. and global users are assured the library behaves in a well-defined way if it runs in FIPS mode.
See more details here.
For Registration Documents, See:
Common Criteria Security Certifications
SUSE received Common Criteria Certificates at Evaluation Assurance Level EAL4, augmented by ALC_FLR.3 (EAL4+) for SUSE Linux Enterprise Server 11 SP2 including KVM virtualization and for SUSE Linux Enterprise Server for System z 11 SP2. To achieve the certifications, SUSE’s products and processes for developing and maintaining its products passed a rigorous security evaluation performed by atsec information security. The certificates were issued by Bundesamt für Sicherheit in der Informationstechnik(BSI), the German Federal Office for IT Security, at the CeBIT expo in Hannover.
The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408). The current applicable version of CC is V3.1R3 and is available at www.commoncriteriaportal.org.
See press release here.
This security framework protects your Linux OS and applications from external and internal threats and zero-day attacks. AppArmor® comes with default policies for quick deployment so you can secure mission-critical applications quickly. Security profiles completely define what system resources individual programs can access and with what privileges. AppArmor also includes learning-based tools and advanced statistical analytics that simplify the development of customized policies, even for the most complex applications. Additionally, changing security policies with AppArmor is dynamic, eliminating the need to reboot the system.
Trusted Platform Module (TPM) support
SUSE Linux Enterprise Server includes support for the TPM standard, which facilitates the authentication of common hardware devices.
UEFI Secure Boot
SUSE Linux Enterprise Server support for UEFI Secure Boot secures the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature. See the details here.
Security-Enhanced Linux (SELinux)
In addition to AppArmor, SELinux capabilities have been added to SUSE Linux Enterprise Server. While these capabilities are not enabled by default, customers can choose to run SELinux with SUSE Linux Enterprise Server.
OpenSCAP tools and libraries are added in SUSE Linux Enterprise Server 11 Service Pack 2. OpenSCAP is a set of open source libraries providing a path for integration of SCAP (Security Content Automation Protocol). SCAP is a collection of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information. For more information about SCAP, see http://nvd.nist.gov.
SHA-256 Hash Algorithm in opencryptoki CCA Token
SUSE Linux Enterprise Server 11 Service Pack 3 includes opencryptoki 2.4.2. This comes with a CCA token that exploits the SHA-256 hash algorithm provided by System z crypto hardware.
Other security-related features:
|System Hardening||YaST2 Security Center|
|Intrusion Detection (Filesystem)||AIDE (Advanced Intrusion Detection Environment)|
|Fine-grained access rights||Filesystem POSIX capabilities|
|Encryption capabilities||Three ways: "Full Disk"—Volume—File System (eCryptFS)|