
Security

SUSE Linux Enterprise


Security Certifications and Features

Security Certifications and Verifications

FIPS 140-2 standard

SUSE has achieved FIPS (Federal Information Processing Standard) 140-2
validation for OpenSSL for SUSE Linux Enterprise Server 11 SP2. The validation
was conducted by atsec and certified by NIST/CSE (CMVP).
We are currently validating several core cryptographic modules for SUSE Linux
Enterprise Server 12. The FIPS publication 140-2, "Security Requirements for
Cryptographic Modules," is a U.S. government computer security standard. Many
other industry standards like DSS and DISA SRG/STIG depend on FIPS 140-2
certified cryptography modules. The tests and requirements of FIPS 140-2 assure
that the validated cryptographic systems comply with the newest standards, use
appropriate key lengths, and create correct ciphertext and keys. The validation
also confirms that the module behaves as defined and documented when it runs in
FIPS mode.
The following modules are/will be certified:

SUSE Linux Enterprise Server 12 GA: openssl, kernel, openssh client, openssh server, strongswan, libgcrypt, mozilla-nss

SUSE Linux Enterprise Server 11 SP2: openssl

Common Criteria Security Certifications

SUSE received Common Criteria Certificates at Evaluation Assurance Level EAL4,
augmented by ALC_FLR.3 (EAL4+), for SUSE Linux Enterprise Server 12
(BSI-DSZ-CC-0962-2016) and SUSE Linux Enterprise Server 11 SP2
(BSI-DSZ-CC-0787-2013 and BSI-DSZ-CC-0852-2013), including KVM virtualization
on x86_64 and IBM System z. To achieve the certifications, the SUSE products
and the processes for developing and maintaining them passed a rigorous
security evaluation performed by atsec information security. The certificates
were issued by the Bundesamt für Sicherheit in der Informationstechnik (BSI),
the German Federal Office for IT Security. The Common Criteria for Information
Technology Security Evaluation is an international standard (ISO/IEC 15408)
recognized by 26 countries worldwide.

FSTEC

The Federal Service for Technical and Export Control (FSTEC) is responsible for
information security and the protection of Russian technology. SUSE Linux
Enterprise Server 11 SP3 is FSTEC certified (POCC RU.0001.0100).

System Hardening

System hardening is the process of securely configuring computer systems to
eliminate as many security risks as possible. Comprehensive system hardening
configurations can be made in the YaST2 Security Center. There are also guides
covering the security and hardening elements and procedures that are best
applied to a server both during and after installation, and that aim to make
the system fit for the purposes administrators require. The following guides
are available:
SUSE Linux Enterprise 12 Security and Hardening Guide

SUSE Linux Enterprise 11 Security and Hardening Guide

SAP HANA Hardening Guide


A DISA STIG for a General Purpose Operating System (GPOS) and for web servers
for SUSE Linux Enterprise 12 will be available soon.

Security Features

UEFI Secure Boot

SUSE Linux Enterprise Server support for UEFI Secure Boot secures the boot
process by preventing the loading of drivers or OS loaders that are not signed
with an acceptable digital signature.

OpenSCAP

OpenSCAP tools and libraries have been included in SUSE Linux Enterprise Server
since SUSE Linux Enterprise Server 11 Service Pack 2. OpenSCAP is a set of open
source libraries providing a path for integration of SCAP (Security Content
Automation Protocol). SCAP is a collection of standards managed by NIST with the
goal of providing a standard language for the expression of Computer Network
Defense-related information. For more information about SCAP,
see http://scap.nist.gov.

Firewall

SUSE Linux products come with a packet filter that is enabled by default and
can be configured with YaST2 or from the command line to adjust to the needs of
a specific deployment.

Audit Subsystem

The Linux Audit Framework allows detailed logging of security-relevant events
and creates an audit trail that allows tracking down the root of a possible
security violation. This audit system is compliant with the requirements of a
Common Criteria Evaluation at EAL4.

Filesystem Encryption
Data at rest should be encrypted when it is "confidential," especially when it is
stored on mobile devices and external storage devices. SUSE Linux Enterprise
supports full disk encryption as well as encrypted containers and partitions.

Transport Layer Security


To encrypt data transmissions over untrusted networks, many services included
in SUSE Linux products can use Transport Layer Security (TLS).

Security Updates

Software will never be free from flaws. SUSE Linux offers online security and
non-security updates that keep your systems secure during their lifetime.
The security features mentioned above have met PCI DSS requirements for
operating systems and will help you in creating an IT environment with SUSE
Linux that is PCI DSS-compliant.

Process Hardening
We build many of our software packages with extra security measures that
protect the running process against many exploitation techniques involving
memory flaws.

AppArmor

This security framework protects your Linux OS and applications from external
and internal threats and zero-day attacks. AppArmor comes with default
policies for quick deployment so you can secure mission-critical applications
quickly. Security profiles completely define what system resources individual
programs can access and with what privileges. AppArmor also includes
learning-based tools and advanced statistical analytics that simplify the
development of
customized policies, even for the most complex applications. Additionally,
changing security policies with AppArmor is dynamic, eliminating the need to
reboot the system.

Security-Enhanced Linux (SELinux)

In addition to AppArmor, SELinux capabilities have been added to SUSE Linux
Enterprise Server. SELinux is a Linux kernel security module that provides a
mechanism for supporting access control security policies, including United
States Department of Defense-style mandatory access controls (MAC). While
these capabilities are not enabled by default, customers can choose to run
SELinux with SUSE Linux Enterprise Server.

SUSE | Why SUSE Linux Is the Leading Linux Platform for SAP

With the SUSE Cloud Service Provider Program, service providers can enable
their customers to get the most out of their SAP HANA and SAP business
application software with reduced downtime, greater operational efficiency and
accelerated innovation. They can use their business data in real time with the
power of SAP and the reliability, availability and serviceability of SUSE Linux
Enterprise Server for SAP Applications. This is the only solution that supports
x86-64 servers and IBM Power Systems.

Better overall performance and time to value

SAP and SUSE jointly validated and certified SUSE Linux Enterprise Server for
SAP Applications to eliminate potential software incompatibilities. As a
result, SUSE Linux Enterprise Server for SAP Applications consistently delivers
exceptional uptime and performance, even under full CPU load and high memory
stress.

Greater service availability

Modern SAP systems running critical workloads must meet the highest
availability standards for their SAP services. SUSE Linux Enterprise Server for
SAP Applications is designed to maximize service availability for SAP HANA
databases and mission-critical SAP applications. Full system rollback reduces
downtime resulting from unexpected application problems after an update. By
adding the SUSE Linux Enterprise Live Patching extension, the Linux kernel can
be updated without downtime for SAP applications.

Reduce deployment time

Reduce SAP deployment time from days to hours with the SUSE installation
wizard. The SUSE Linux Enterprise Server for SAP Applications installation
wizard installs SAP software solutions and their underlying Linux
infrastructure. This process seamlessly integrates and simplifies the
installation of SAP applications.
https://josejuandom.wordpress.com/2012/08/03/sistemas-operativos-suselinux/
https://www.suse.com/support/security/certifications
