diff --git a/package.json b/package.json
index a61fae292e2..c0fdb4b5ceb 100644
--- a/package.json
+++ b/package.json
@@ -121,7 +121,7 @@
 "url-polyfill": "1.1.12",
 "url-search-params-polyfill": "8.2.5",
 "use-query-params": "^2.2.1",
- "vanilla-framework": "4.18.5",
+ "vanilla-framework": "4.20.3",
 "yup": "1.4.0"
 },
 "resolutions": {
diff --git a/requirements.txt b/requirements.txt
index b2150aebe1d..5ee1053ed42 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@ canonicalwebteam.http==1.0.4
 canonicalwebteam.blog==6.4.4
 canonicalwebteam.search==2.1.1
 canonicalwebteam.templatefinder==1.0.0
-canonicalwebteam.image-template==1.3.1
+canonicalwebteam.image-template==1.5.0
 canonicalwebteam.discourse==5.7.3
 python-dateutil==2.8.2
 pytz==2022.7.1
diff --git a/static/sass/styles.scss b/static/sass/styles.scss
index cd76d5bf934..f3c30fe906a 100644
--- a/static/sass/styles.scss
+++ b/static/sass/styles.scss
@@ -1780,3 +1780,11 @@ legend {
 .p-table--mobile-card tr td {
 white-space: normal;
 }
+
+// XXX: Custom styling to remove the full-stop after the counter in 'p-stepped-list'
+ol.p-stepped-list.no-full-stop
+ .p-stepped-list__item
+ .p-stepped-list__title::before {
+ content: counter(p-stepped-list-counter);
+ text-align: left;
+}
diff --git a/templates/security/cc.html b/templates/security/cc.html
index 011e9edb474..5febd8a2483 100644
--- a/templates/security/cc.html
+++ b/templates/security/cc.html
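Review bot: The new `ol.p-stepped-list.no-full-stop … .p-stepped-list__title::before` rule in styles.scss hard-codes `counter(p-stepped-list-counter)`, a counter name that presumably belongs to vanilla-framework's stepped-list component, and this same commit bumps vanilla-framework from 4.18.5 to 4.20.3; if a later framework release renames that counter, the override would silently render an empty step number rather than fail loudly. The comment should record what the rule depends on so the next upgrade knows to re-check it, e.g. `// XXX: Overrides vanilla-framework's .p-stepped-list counter (written against 4.20.3) to drop the trailing full stop`. The existing `XXX:` prefix already flags this as a workaround, which is the right register; the missing piece is the version it was validated against.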
@@ -1,113 +1,159 @@ {% extends "security/base_security.html" %} +{% from "_macros/vf_hero.jinja" import vf_hero %} + {% block title %}Common Criteria{% endblock %} -{% block meta_description %}Technical details on the Common Criteria security certification for Ubuntu Advantage subscribers.{% endblock meta_description %} +{% block meta_description %} + Technical details on the Common Criteria security certification for Ubuntu Advantage subscribers. +{% endblock meta_description %} + +{% block meta_copydoc %} + https://docs.google.com/document/d/1JLnHR9Xuuc1t6ojrnBuMWir5XABgf1L7WVpGGtlLaBo/edit# +{% endblock meta_copydoc %} -{% block meta_copydoc %}https://docs.google.com/document/d/1JLnHR9Xuuc1t6ojrnBuMWir5XABgf1L7WVpGGtlLaBo/edit#{% endblock meta_copydoc %} +{% block body_class %} + is-paper +{% endblock body_class %} {% block content %} -
-
-
-

Common Criteria

-

Run high security workloads on the certified configuration of Ubuntu

-

Developing and deploying open source workloads on regulated and high security environments requires rigid certifications. Ubuntu Pro and Ubuntu Advantage provide access to the necessary artifacts to comply with Common Criteria, an international (ISO/IEC 15408) computer security certification for high security environments.

+ {% call(slot) vf_hero( + title_text='Common Criteria', + subtitle_text='Run high security workloads on the certified configuration of Ubuntu', + layout='50/50' + ) -%} + {%- if slot == 'description' -%}

- Contact us + Developing and running open source workloads on regulated and high security environments requires rigid certifications. Ubuntu Pro provides access to the necessary artifacts to comply with Common Criteria, an international (ISO/IEC 15408) computer security certification for high security environments.

+ {%- endif -%} + {%- if slot == 'cta' -%} + Contact us + {%- endif -%} + {% endcall -%} + +
+
+
+
+

What is Common Criteria?

+
+
+

+ Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC IS 15408) for computer security certification, used by Governments, U.S. Federal agencies, financial institutions and many other organizations dealing with sensitive data. It ensures that products are evaluated by licensed laboratories to verify their security properties and that a common methodology is applied in certification. +

+

+ In brief, it is a common methodology to evaluate products' security controls against a set of security claims. The set of security claims is grouped per product and is called a protection profile. There are different protection profiles that apply to different products. The profile Ubuntu derives its security requirements is the Operating System Protection Profile (OSPP). +

+
-
- {{ image ( - url="https://assets.ubuntu.com/v1/7953a068-security-1.svg", - alt="", - width="224", - height="300", - hi_def=True, - loading="lazy" - ) | safe - }} -
-
-
+ -
-
-
-

What is Common Criteria?

-

Common Criteria (CC) for Information Technology Security Evaluation is an international standard (ISO/IEC IS 15408) for computer security certification, used by Governments, U.S. Federal agencies, financial institutions and many other organizations dealing with sensitive data. It ensures that products are evaluated by licensed laboratories to verify their security properties and that a common methodology is applied in certification.

-

In brief, it is a common methodology to evaluate products' security controls against a set of security claims. The set of security claims is grouped per product and is called a protection profile. There are different protection profiles that apply to different products. The profile Ubuntu derives its security requirements is the Operating System Protection Profile (OSPP).

+
+
+
+
+

+ Where is +
+ Common Criteria accepted? +

+
+
+

+ Internationally a Common Criteria certification is accepted by members of the CCRA agreement and the EU SOGIS members. +

+
-
-
-
-
-
-
-

Where is Common Criteria accepted?

-

Internationally a Common Criteria certification is accepted by members of the CCRA agreement and the EU SOGIS members.

+
+ +
+
+
+
+
+

What gets certified in Ubuntu under Common Criteria?

+
+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/fc857049-csec.png", + alt="Csec logo", + width="1800", + height="1013", + hi_def=True, + loading="lazy") | safe + }} +
+
+

+ Ubuntu 18.04 LTS and 16.04 LTS have both been evaluated to assurance level EAL2 through CSEC — The Swedish Certification Body for IT Security. The evaluation testing was performed by atsec Information Security. The following table provides a summary of the releases and platforms that have been certified. +

+
+
+
- -
-
-
-
-
-

What gets certified in Ubuntu under Common Criteria?

-

Ubuntu 18.04 LTS and 16.04 LTS have both been evaluated to assurance level EAL2 through CSEC – The Swedish Certification Body for IT Security. The evaluation testing was performed by atsec Information Security. The following table provides a summary of the releases and platforms that have been certified.

+
+ + + + + + + + + + + + + + + + + + + + + + + +
Ubuntu versionPlatformCertification reportAdditional information
Ubuntu 16.04 LTSx86_64, IBM Power8 and IBM Z + 16.04.4 + + Installation instructions +
Ubuntu 18.04 LTSx86_64 and IBM Z + 18.04.4 + + Installation instructions +
-
- {{ image ( - url="https://assets.ubuntu.com/v1/961a1ad1-csec-logo-removebg-preview.png", - alt="", - width="180", - height="205", - hi_def=True, - loading="lazy" - ) | safe - }} +
+ +
+ +
+
+

+ Contact us › +

- -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
Ubuntu versionPlatformCertification reportAdditional information
Ubuntu 16.04 LTSx86_64, IBM Power8 and IBM Z16.04.4Installation instructions
Ubuntu 18.04 LTSx86_64 and IBM Z18.04.4Installation instructions
-

- Contact us -

-
-
+ - -
-
+ +
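Review bot: The meta_description reflowed at the top of this hunk still reads `Technical details on the Common Criteria security certification for Ubuntu Advantage subscribers.` while the hero description a few lines below was rewritten to drop Ubuntu Advantage and name only Ubuntu Pro, so the page now describes its audience two different ways; if the product rename is intentional, the meta text should follow, e.g. `Technical details on the Common Criteria security certification for Ubuntu Pro subscribers.` The CSEC image added in the 'What gets certified' section uses `alt="Csec logo"`, whereas the body copy spells the certification body CSEC; `alt="CSEC logo"` keeps the two consistent for screen-reader users. Minor style point: this file closes the hero with `{% endcall -%}` while cis.html in the same commit uses `{%- endcall -%}`; picking one form across the security templates avoids stray whitespace differences in the rendered output.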
{% endblock content %} -{% block footer_extra %}{{ marketo }}{% endblock footer_extra %} + +{% block footer_extra %} + {{ marketo }} +{% endblock footer_extra %} diff --git a/templates/security/cis.html b/templates/security/cis.html index ac43c396764..6173c9674ff 100644 --- a/templates/security/cis.html +++ b/templates/security/cis.html @@ -8,155 +8,289 @@ https://docs.google.com/document/d/1bSv8lV9BJoBYh5yog2eYKtvNMitKZetSSBQ3k2Cu5Cw/edit# {% endblock meta_copydoc %} +{% from "_macros/vf_hero.jinja" import vf_hero %} + +{% block body_class %} + is-paper +{% endblock body_class %} + {% block content %} -
-
-
-

CIS Benchmark on Ubuntu

-

Comply with the most widely accepted Linux baseline

-

- The CIS benchmark has hundreds of configuration recommendations, so hardening and auditing a Linux system or a kubernetes cluster manually can be very tedious. To drastically improve this process for enterprises, Canonical provides Ubuntu Security Guide (USG) for automated audit and compliance with the CIS benchmarks. Available with Ubuntu Pro on-premise or on public clouds. -

-

- Contact us - Get Ubuntu Pro -

+ {% call(slot) vf_hero( + title_text='CIS Benchmark on Ubuntu', + subtitle_text='Comply with the most widely accepted Linux baseline', + layout='25/75' + ) -%} + {%- if slot == 'signpost_image' -%} + {{ image(url="https://assets.ubuntu.com/v1/f98af83d-cis-logo-removebg-preview.png", + alt="", + width="144", + height="144", + hi_def=True, + loading="auto") | safe + }} + {%- endif -%} + {%- if slot == 'description' -%} +

+ The CIS benchmark has hundreds of configuration recommendations, so hardening and auditing a Linux system or a kubernetes cluster manually can be very tedious. To drastically improve this process for enterprises, Canonical provides Ubuntu Security Guide (USG) for automated audit and compliance with the CIS benchmarks. Available with Ubuntu Pro on-premise or on public clouds. +

+ {%- endif -%} + {%- if slot == 'cta' -%} + Contact us + Get Ubuntu Pro › + {%- endif -%} + {%- endcall -%} + +
+
+
+
+

What it includes

-
- {{ image ( - url="https://assets.ubuntu.com/v1/f98af83d-cis-logo-removebg-preview.png", - alt="", - width="300", - height="300", - hi_def=True, - loading="auto" - ) | safe - }} +
+
+
+
+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/cbc7c87d-Harden%20your%20Linux%20workloads.png", + alt="", + width="852", + height="1278", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Harden your Linux workloads

+
+

+ Hardening involves a tradeoff between security and usability. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances between usability, performance and security. However, systems with a dedicated workload are well-positioned to benefit from hardening. Reduce your Linux workload’s attack surface with CIS hardened Ubuntu. +

+
+
+
+
+ + {{ image(url="https://assets.ubuntu.com/v1/e8fb4b4a-Automate%20your%20compliance.png", + alt="", + width="852", + height="1278", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Automate your compliance

+
+

+ Applying a baseline with a large set of instructions manually is not only time consuming but also error-prone. According to Verizon data breach investigations report for 2021, misconfigurations were among the top five reasons for data breaches. Apply more than 250 rules in less than 15 minutes while avoiding misconfigurations using Ubuntu Security Guide that automates your CIS compliance. +

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/04e37b30-Audit%20with%20Ubuntu%20Security%20Guide.png", + alt="", + width="852", + height="1278", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Audit with Ubuntu Security Guide

+
+

+ An important aspect of secure asset configuration for compliance is monitoring. You need to verify that systems comply with the selected baseline and contain operating system software supported by the vendor. Ubuntu Pro makes the Ubuntu Security Guide available to audit and monitor systems with the OpenSCAP tool. +

+
+
+
+
+
+
+
-
-
-
-

Harden your Linux workloads

-

- Hardening involves a tradeoff between security and usability. The default configuration of Ubuntu LTS releases, as provided by Canonical, balances between usability, performance and security. However, systems with a dedicated workload are well-positioned to benefit from hardening. Reduce your Linux workload’s attack surface with CIS hardened Ubuntu. -

-
-
-

Automate your compliance

-

- Applying a baseline with a large set of instructions manually is not only time consuming but also error-prone. According to Verizon data breach investigations report for 2021, misconfigurations were among the top five reasons for data breaches. Apply more than 250 rules in less than 15 minutes while avoiding misconfigurations using Ubuntu Security Guide that automates your CIS compliance. -

+
+
+
+
+
+

Configure and apply CIS hardening rules in minutes

+
+
+

+ The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. +

+
-
-

Audit with Ubuntu Security Guide

-

- An important aspect of secure asset configuration for compliance is monitoring. You need to verify that systems comply with the selected baseline and contain operating system software supported by the vendor. Ubuntu Pro makes the Ubuntu Security Guide available to audit and monitor systems with the OpenSCAP tool. -

+
+
+ +
-

- Get Ubuntu Pro - Learn more about Ubuntu Security Guide -

-
-
-
-

Configure and apply CIS hardening rules in minutes

+
+
+
+
+
+

+ Which versions +
+ of Ubuntu have CIS tooling? +

+
+
+

- The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. + Canonical provides OpenSCAP content for auditing systems for compliance with Center for Internet Security (CIS) benchmarks, as well as tooling to automate audit and compliance with the Ubuntu Security Guide.

+
    +
  • Ubuntu 22.04 LTS
  • +
  • Ubuntu 20.04 LTS
  • +
  • Ubuntu 18.04 LTS
  • +
  • Ubuntu 16.04 LTS
  • +
-
- +
+
+
-
-
-

Which versions of Ubuntu have CIS tooling?

-

- Canonical provides OpenSCAP content for auditing systems for compliance with Center for Internet Security (CIS) benchmarks, as well as tooling to automate audit and compliance with the Ubuntu Security Guide. -

- -
    -
  • Ubuntu 22.04 LTS
  • -
  • Ubuntu 20.04 LTS
  • -
  • Ubuntu 18.04 LTS
  • -
  • Ubuntu 16.04 LTS
  • -
- -
- Get CIS tooling with Ubuntu Pro - Learn more about Ubuntu Security Guide +
+
+
+
+
+
+

How does Charmed Kubernetes comply with CIS benchmarks?

+
+
+

+ Charmed Kubernetes brings not only extensibility and fully automated operations but is designed to comply with the Kubernetes CIS benchmark by default. It further includes tooling to track cluster compliance. +

+
+
+ +
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/ec2c2072-kubernetes-logo.png", + alt="", + width="1800", + height="1013", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
-
-
-
-

How does Charmed Kubernetes comply with CIS benchmarks?

-

- Charmed Kubernetes brings not only extensibility and fully automated operations but is designed to comply with the Kubernetes CIS benchmark by default. It further includes tooling to track cluster compliance. -

+
+
+
+
+

What is CIS?

+
+

- Read more about Kubernetes and CIS + The Center for Internet Security (CIS) is a non-profit organisation with a mission to “make the connected world a safer place by developing, validating, and promoting timely best practice solutions against pervasive cyber threats”. CIS uses a consensus process to release benchmarks to safeguard organisations against cyber attacks. The consensus review process consists of subject matter experts who provide perspective on different backgrounds like audit and compliance, security research, consulting and software development. The benchmarks are considered a necessary complement in the implementation of a cybersecurity framework, and are the most widely accepted Industry benchmarks to harden a system today. Canonical actively participates in the drafting benchmarks of Ubuntu LTS releases.

-
- {{ image ( - url="https://assets.ubuntu.com/v1/990738e2-kubernetes-cloud.svg", - alt="", - width="263", - height="150", - hi_def=True, - loading="lazy" - ) | safe - }} -
-
+
+
+
+
+
+

What are the CIS Controls?

+
+
+

+ CIS controls is a framework of security best practices that harness the collective experience of the CIS subject matter experts from actual attacks and effective defenses. CIS controls are referenced by International and National frameworks such ETSI’s critical security controls, NIST Cybersecurity framework, and others. +

+
+
+
-

What is CIS?

-

- The Center for Internet Security (CIS) is a non-profit organisation with a mission to “make the connected world a safer place by developing, validating, and promoting timely best practice solutions against pervasive cyber threats”. CIS uses a consensus process to release benchmarks to safeguard organisations against cyber attacks. The consensus review process consists of subject matter experts who provide perspective on different backgrounds like audit and compliance, security research, consulting and software development. The benchmarks are considered a necessary complement in the implementation of a cybersecurity framework, and are the most widely accepted Industry benchmarks to harden a system today. Canonical actively participates in the drafting benchmarks of Ubuntu LTS releases. -

+
+ {{ image(url="https://assets.ubuntu.com/v1/b6d62770-What%20are%20the%20CIS%20Controls.png", + alt="", + width="2464", + height="1028", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
-
-
-

What are the CIS Controls?

-

- CIS controls is a framework of security best practices that harness the collective experience of the CIS subject matter experts from actual attacks and effective defenses. CIS controls are referenced by International and National frameworks such ETSI’s critical security controls, NIST Cybersecurity framework, and others. -

+
+
+
+
+

How do benchmarks relate with CIS Controls?

+
+
+

+ The benchmarks map to CIS controls and are designed to additionally reduce the system’s attack surface to mitigate the most common attacks. For that reason, they are considered a necessary complement in the implementation of a cybersecurity framework, and are the most widely accepted Industry benchmark to harden a system today. +

+
-
+
+
-

How do benchmarks relate with CIS Controls?

-

- The benchmarks map to CIS controls and are designed to additionally reduce the system’s attack surface to mitigate the most common attacks. For that reason, they are considered a necessary complement in the implementation of a cybersecurity framework, and are the most widely accepted Industry benchmark to harden a system today. -

- Contact us +

+ Contact us › +

diff --git a/templates/security/disa-stig.html b/templates/security/disa-stig.html index 1fabc008531..2643b25624d 100644 --- a/templates/security/disa-stig.html +++ b/templates/security/disa-stig.html @@ -1,163 +1,194 @@ {% extends "security/base_security.html" %} +{% from "_macros/vf_hero.jinja" import vf_hero %} + {% block title %}Ubuntu DISA-STIG compliance | Security{% endblock %} {% block meta_description %}Technical details on the Ubuntu DISA-STIG guide for Linux.{% endblock %} {% block meta_copydoc %} - https://docs.google.com/document/d/1zJwZzc-cERj9YKNXFtmrXwynJptyT7-D3qCNzBctRfo/edit# + https://docs.google.com/document/d/1zJwZzc-cERj9YKNXFtmrXwynJptyT7-D3qCNzBctRfo/edit?tab=t.0 {% endblock meta_copydoc %} +{% block body_class %} + is-paper +{% endblock body_class %} + {% block content %} -
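Review bot: The `{% from "_macros/vf_hero.jinja" import vf_hero %}` line is inserted after the meta_copydoc block here, whereas cc.html and disa-stig.html in the same commit place it directly under `{% extends %}`; moving it up keeps the three security templates aligned and makes the macro dependency visible at the top of the file. Several of the new image() calls carry `alt=""`, which is right for purely decorative art, but the 'What are the CIS Controls' image appears to illustrate the section's subject, so a short descriptive alt is probably warranted — verify against the asset. Since the 'What is CIS?' and 'What are the CIS Controls?' paragraphs are being moved anyway, two long-standing wording slips could be fixed in passing: `such ETSI’s critical security controls` → `such as ETSI’s critical security controls`, and `participates in the drafting benchmarks of Ubuntu LTS releases` → `participates in drafting the benchmarks for Ubuntu LTS releases`. The old side removes the `Learn more about Ubuntu Security Guide` and `Read more about Kubernetes and CIS` links and the new side's markup is not fully visible here, so please confirm those destinations survived the restructure rather than being dropped.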
-
-
-

DISA-STIG on Ubuntu

-

Comply with the DISA Security Technical Implementation Guide

-

- Security Technical Implementation Guides (STIG) are developed by the Defense Information System Agency (DISA) for the U.S. Department of Defense (DoD). Ubuntu Pro on public cloud and Ubuntu Pro (Infra) have the necessary certifications and controls to comply with DISA-STIG guidelines on Linux. -

- Contact us - Get Ubuntu Pro (Infra) -
-
+ {% call(slot) vf_hero( + title_text='DISA-STIG on Ubuntu', + subtitle_text='Comply with the DISA Security
Technical Implementation Guide', + layout='25/75' + ) -%} + {%- if slot == 'signpost_image' -%} +
{{ image ( - url="https://assets.ubuntu.com/v1/ef01809f-DISA-logo-transparent.png", - alt="DISA-STIG logo", - width="720", - height="264", + url="https://assets.ubuntu.com/v1/92754de5-disa.png", + alt="", + width="852", + height="204", hi_def=True, loading="auto" ) | safe }}
-
-
- -
-
-
+ {%- endif -%} + {%- if slot == 'description' -%} +

+ Security Technical Implementation Guides (STIG) are developed by the Defense Information System Agency (DISA) for the U.S. Department of Defense (DoD). Ubuntu Pro on public cloud and Ubuntu Pro (Infra) have the necessary certifications and controls to comply with DISA-STIG guidelines on Linux. +

+ {%- endif -%} + {%- if slot == 'cta' -%} + Contact us + Get Ubuntu Pro (Infra) › + {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/f759a607-hero.png", + alt="", + width="3696", + height="1540", + hi_def=True, + loading="auto", + fmt="jpg", + attrs={"class": "p-image-container__image"}) | safe + }} +
+ {%- endif -%} + {% endcall -%} -
-
-
-

How does Ubuntu enable your compliance with FIPS, and DISA-STIG?

+
+
+
+
+

+ How does Ubuntu enable your compliance with FIPS, +
+ and DISA-STIG? +

+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/497f33c2-how-ubuntu-enables-webinar.png", + alt="", + width="1800", + height="1013", + hi_def=False, + loading="lazy") | safe + }} +

- Learn about the US government security standards and the common challenges faced by organisations in their implementation. See how the Ubuntu Security Guide can transform systems compliance in a few minutes. Get to know how Ubuntu is a secure platform for government agencies and complying organisations to build, operate and innovate with open source applications and technologies. + Learn about the US government security standards and the common challenges faced by organizations in their implementation. See how the Ubuntu Security Guide can transform systems compliance in a few minutes. Get to know how Ubuntu is a secure platform for government agencies and complying organizations to build, operate and innovate with open source applications and technologies.

- Contact us -
-
-
- - - +
-
+
+
+
+
+

What is DISA-STIG?

+
+
+
+

+ The Defense Information System Agency (DISA) is a US Department of Defense combat support agency. It provides and operates information infrastructure to support military operations and national-level leadership. The Security Technical Implementation Guide (STIG) is a configuration standard consisting of guidelines for hardening systems to improve a system's security posture. It can be seen as a checklist for securing protocols, services, or servers to improve the overall security by reducing the attack surface. +

+
+
+
-

What is DISA-STIG?

-

- The Defense Information System Agency (DISA) is a US Department of Defense combat support agency. It provides and operates information infrastructure to support military operations and national-level leadership. The Security Technical Implementation Guide (STIG) is a configuration standard consisting of guidelines for hardening systems to improve a system’s security posture. It can be seen as a checklist for securing protocols, services, or servers to improve the overall security by reducing the attack surface. -

+
+ {{ image(url="https://assets.ubuntu.com/v1/3c7382e4-what-is-disa.png", + alt="", + width="3696", + height="1541", + hi_def=True, + loading="lazy", + fmt="jpg", + attrs={"class": "p-image-container__image"}) | safe + }} +
-
-
-

DISA-STIG for Ubuntu

-

- Together with Canonical, DISA has developed STIGs for Ubuntu. The U.S. DoD provides the STIG checklist, which can be viewed using STIG viewer, and SCAP content for auditing. The versions of Ubuntu that have STIGs available by DISA are marked on the table below. -

- - - - - - - - - - - - - - - - - -
Ubuntu 16.04 LTSUbuntu 18.04 LTSUbuntu 20.04 LTS
- {{ image ( - url="https://assets.ubuntu.com/v1/ef01809f-DISA-logo-transparent.png", - alt="DISA logo", - width="136", - height="50", - hi_def=True, - attrs={"style": "vertical-align: middle;"}, - loading="lazy" - ) | safe - }} - - Defense Information System Agency Security Technical Implementation Guides (STIGs) and Supplemental Automation Content for Ubuntu - - {{ image(url="https://assets.ubuntu.com/v1/2ccda8d7-tick-orange.svg", alt="Yes: Configuration guide", width="14", height="14", hi_def=True, loading="lazy",) | safe }} - - {{ image(url="https://assets.ubuntu.com/v1/2ccda8d7-tick-orange.svg", alt="Yes: Configuration guide", width="14", height="14", hi_def=True, loading="lazy",) | safe }} - - Yes: Tooling and automation -
-
    -
  • - Yes: Configuration guide - Configuration guide -
  • -
  • - Yes - Tooling and automation -
  • -
- Read more about Ubuntu tooling and automation +
+
+
+
+

DISA-STIG for Ubuntu

+
+
+
+

+ Together with Canonical, DISA has developed STIGs for Ubuntu. The U.S. DoD provides the STIG checklist, which can be viewed using STIG viewer, and SCAP content for auditing. The versions of Ubuntu that have STIGs available by DISA are marked on the table below. +

+ +
+ +
+

+ DISA Security Technical Implementation Guides (STIGs) and Supplemental Automation Content for Ubuntu +

+
+
    +
  • +
    +
    Ubuntu 16.04 LTS
    +
    Configuration guide
    +
    +
  • +
  • +
    +
    Ubuntu 18.04 LTS
    +
    Configuration guide
    +
    +
  • +
  • +
    +
    Ubuntu 20.04 LTS
    +
    Tooling and automation
    +
    +
  • +
  • +
    +
    Ubuntu 22.04 LTS
    +
    Tooling and automation
    +
    +
  • +
+
-
-
-
-

How to audit and comply with DISA-STIG?

-
    +
    +
    +
    +
    +

    + How to audit and comply +
    + with DISA-STIG? +

    +
    +
    +
    1. -

      Auditing

      +

      Auditing

      -

      Using the Ubuntu Security Guide auditing is as simple as:

      +
      +

      Using the Ubuntu Security Guide for auditing is as simple as:

      sudo usg audit disa_stig
      @@ -165,26 +196,102 @@
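Review bot: In the vf_hero call near the top of the hunk, `subtitle_text='Comply with the DISA Security` continues on the next line as `Technical Implementation Guide',`, so the macro argument is a string literal spanning a line break, which looks like a line-break element embedded inside the string; whether vf_hero emits subtitle_text through `|safe` is not visible here, so either that markup renders literally under autoescape or the macro treats every subtitle as trusted markup — please confirm which, and prefer keeping markup out of macro string arguments so the escaping contract stays simple. The webinar image under 'How does Ubuntu enable your compliance' is the only image() call in this commit with `hi_def=False`; if that is deliberate a short comment would help, otherwise `hi_def=True` matches the rest. The description under that heading was changed from `organisations` to `organizations` while cis.html in the same commit keeps `organisation`, and the 'What is DISA-STIG?' paragraph swaps the curly apostrophe in `system’s` for a straight one where cis.html keeps curly ones; settling on one spelling convention and one apostrophe style per commit keeps the copy from drifting across the security pages.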

      Auditing

    2. -

      Compliance

      +
      +

      Compliance

      -

      Using the Ubuntu Security Guide applying the necessary rules for compliance is as simple as:

      +
      +

      Using the Ubuntu Security Guide for applying the necessary rules for compliance is as simple as:

      sudo usg fix disa_stig
      +
      -
    3. -
    -

    - Read more about Ubuntu Security Guide -

    +
    + +
+
+
+ +
+
+
+
+

+ Canonical is offering +
+ Expanded Security Maintenance +

+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/82d84ea0-canonical-is-offering.png", + alt="", + width="1800", + height="1014", + hi_def=True, + loading="lazy") | safe + }} +
+

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

+
- {% with first_item="_security_discussion", second_item="_security_esm", third_item="_security_further_reading" %} - {% include "shared/contextual_footers/_contextual_footer.html" %} - {% endwith %} +
+
+ +
-
-
-

- Ubuntu Security disclosure and embargo policy -

+ + {% call(slot) vf_hero( + title_text='Ubuntu Security disclosure and embargo policy', + layout='50/50-full-width-image' + ) -%} + {%- if slot == 'description' -%}

Valid since: October 2020 Last updated: October 2023 @@ -20,106 +30,201 @@

Canonical and the Ubuntu Security Team participate in responsible disclosure and collaborate with the wider community on security issues. This describes how to contact the Ubuntu Security Team, what you can expect when you contact us, and what we expect from you.

+ {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/13de40ac-hero.png", + alt="", + width="2464", + height="1027", + hi_def=True, + loading="auto", + attrs={"class": "p-image-container__image"}) | safe + }} +
+ {% endif -%} + {% endcall -%} + +
+
+
+
+

About Canonical

+
+
+

+ Canonical publishes the Ubuntu operating system in collaboration with a community of Ubuntu developers. Canonical also publishes other software projects such as LXD, MAAS, Juju, snapd, Snapcraft, Landscape, Launchpad and Mir. +

+

+ Canonical's Ubuntu Security Team tends to the security needs of the Ubuntu operating system and serves as a point of contact for Canonical-authored software, both proprietary and open-source, as well as Canonical-owned and -managed infrastructure. +

+

+ Please contact us if you believe you have found a security issue in Ubuntu, Canonical software or Canonical services. +

+
-

-
+
-
-
-
-

- About Canonical -

-

- Canonical publishes the Ubuntu operating system in collaboration with a community of Ubuntu developers. Canonical also publishes other software projects such as LXD, MAAS, Juju, snapd, Snapcraft, Landscape, Launchpad and Mir. -

-

- Canonical's Ubuntu Security Team tends to the security needs of the Ubuntu operating system and serves as a point of contact for Canonical-authored software, both proprietary and open-source, as well as Canonical-owned and -managed infrastructure. -

-

- Please contact us if you believe you have found a security issue in Ubuntu, Canonical software or Canonical services. -

-

- How to report an issue to us -

-

- You may report issues to the Ubuntu Security Team via the Launchpad.net bug reporting interface (ubuntu-bug <packagename> is the most convenient way to get to the bug reporting form). Please be aware that Launchpad.net will send email in plaintext in response to bug reports. -

-

- You may also send email to security@ubuntu.com. Email may optionally be encrypted to OpenPGP key 4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0 -

-

- If you have a deadline for public disclosure, please let us know. -

-

- Scope -

-

- Ubuntu is built on the contributions of thousands of projects. Usually issues that affect Ubuntu will affect other projects and other Linux distributions. Sometimes we may ask reporters to contact upstream developers. -

-

- The Ubuntu distribution is divided into multiple pockets: main, universe, restricted, and multiverse. Packages in main are supported by the Ubuntu Security Team. Packages in universe and multiverse are supported by the community; the Ubuntu Security Team can sponsor fixes prepared and tested by community members. -

-

- Packages in restricted are supported by Canonical's business partners. The Ubuntu Security Team can coordinate with our partners. -

-

- Software written by Canonical, but delivered outside of Ubuntu, is supported by different teams at Canonical. The Ubuntu Security Team is happy to coordinate communication between external entities (i.e. analysts, reporters) and supporting teams within Canonical, as well as provide guidance and feedback. -

-

- The Canonical Launchpad code hosting service, Canonical Snap Store, and Canonical Juju Charm Store allows anyone to publish software to users. Launchpad, the Snap Store, and the Juju Charm Store provide a way to contact publishers. As per the terms and conditions for these services, publishers are solely responsible for support of their software. If you believe any of these services are being used to host or distribute malicious software, this can be reported either to the Ubuntu Security team or to the relevant platform as appropriate. -

-

- Ubuntu and Canonical software is distributed through many channels: Canonical-operated download sites, public cloud providers, and community-operated mirrors. Sometimes security issues may be due to customizations at specific providers or distributors; in which case we may ask reporters to contact another party for support. -

-

- Out of scope -

-

- We will not issue CVEs or fixes for software that is no longer supported. Please check if found issues affect supported versions of software. -

-

- Not all bugs are vulnerabilities. We use a common understanding of Internet-connected multi-user computers where some of the user accounts may have privileges. Because of this, our idea of what constitutes a vulnerability may not match definitions used by other organizations. We cannot promise every issue reported to us as a security vulnerability will be handled as one; when we differ, we will endeavor to explain our reasoning. -

-

- What to expect from us -

-

- We intend to provide an initial response to reporters within two business days. -

-

- The Ubuntu Security Team can assign CVE numbers for issues in Canonical software, as well as anything shipped in Ubuntu. We may direct the reporter to use cveform.mitre.org for publicly known issues in non-Canonical software to avoid duplicate assignments. -

-

- For issues that are not yet publicly known, we will abide by any embargoes as necessary. We reserve the right to release fixes before an embargo has expired if other parties disclose the issue before the agreed upon embargo date or if there is evidence of abuse. -

-

- We may or may not provide further information to reporters about similar issues. We may or may not ask reporters to collaborate on solutions or work-arounds. We may or may not ask reporters for assistance testing solutions or work-arounds. -

-

- We are not affiliated with any bug bounty programs. We do not ourselves pay for bug reports, in either our software or our infrastructure. -

-

- We are happy to give credit to reporters in our CVE assignments and in our Ubuntu Security Notices. We will use known identities of discoverers, with no affiliations, in our USNs. -

-

- Disclosure timelines -

-

- When we assign a CVE, we intend to publish CVE details within one week after we provide update notifications or release new versions of software. We may publish CVE details before we provide fixes. Reporters are free to prepare whatever content they wish. We would like exploits and proof of concept exploits to be held private for at least one week after fixes are published to allow our users adequate time to test and install updates before exploits are easily available. -

-

- Safe harbour -

-

- Ubuntu is proudly built on the contributions of thousands and our security is no exception. We welcome responsible research into the security of our software to make Ubuntu and Canonical software secure for everyone. -

-

- However, we do not welcome active security probing of Canonical or Ubuntu infrastructure and services. If you believe you have found a security issue in Canonical or Ubuntu infrastructure or services please contact us. -

+
+
+
+
+

How to report an issue to us

+
-
-
+
+
+
    +
  1. +
    +
    +

    Launchpad.net bug reporting interface

    +
    +
    +

    + You may report issues to the Ubuntu Security Team via the Launchpad.net bug reporting interface. This is the most convenient way to get to the bug reporting form. Please be aware that Launchpad.net will send email in plaintext in response to bug reports. +

    +
    ubuntu-bug <packagename>
    +
    +
    +
  2. +
  3. +
    +
    +

    Email

    +
    +
    +

    + You may also send email to security@ubuntu.com. Email may optionally be encrypted to: +

    +
    OpenPGP key 4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0:
    +https://keyserver.ubuntu.com/pks/lookup?
    +op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0
    +
    +
    +
  4. +
+

If you have a deadline for public disclosure, please let us know.

+
+
+
+ +
+
+
+
+

Scope

+
+
+

+ Ubuntu is built on the contributions of thousands of projects. Usually issues that affect Ubuntu will affect other projects and other Linux distributions. Sometimes we may ask reporters to contact upstream developers. +

+

+ The Ubuntu distribution is divided into multiple pockets: main, universe, restricted, and multiverse. Packages in main are supported by the Ubuntu Security Team. Packages in universe and multiverse are supported by the community; the Ubuntu Security Team can sponsor fixes prepared and tested by community members. +

+

+ Packages in restricted are supported by Canonical's business partners. The Ubuntu Security Team can coordinate fixes with our partners. +

+

+ Software written by Canonical, but delivered outside of Ubuntu, is supported by different teams at Canonical. The Ubuntu Security Team is happy to coordinate communication between external entities (i.e. analysts, reporters) and supporting teams within Canonical, as well as provide guidance and feedback. +

+

+ The Canonical Launchpad code hosting service, Canonical Snap Store, and Canonical Juju Charm Store allows anyone to publish software to users. Launchpad, the Snap Store, and the Juju Charm Store provide a way to contact publishers. As per the terms and conditions for these services, publishers are solely responsible for support of their software. If you believe any of these services are being used to host or distribute malicious software, this can be reported either to the Ubuntu Security team or to the relevant platform as appropriate. +

+

+ Ubuntu and Canonical software is distributed through many channels: Canonical-operated download sites, public cloud providers, and community-operated mirrors. Sometimes security issues may be due to customizations at specific providers or distributors; in which case we may ask reporters to contact another party for support. +

+
+
+
+
+
+
+
+

Out of scope

+
+
+

+ We will not issue CVEs or fixes for software that is no longer supported. Please check if found issues affect supported versions of software. +

+

+ Not all bugs are vulnerabilities. We use a common understanding of Internet-connected multi-user computers where some of the user accounts may have privileges. Because of this, our idea of what constitutes a vulnerability may not match definitions used by other organizations. We cannot promise every issue reported to us as a security vulnerability will be handled as one; when we differ, we will endeavor to explain our reasoning. +

+
+
+
+ +
+
+
+
+
+

What to expect from us

+
+
+

We intend to provide an initial response to reporters within two business days.

+

+ The Ubuntu Security Team can assign CVE numbers for issues in Canonical software, as well as anything shipped in Ubuntu. We may direct the reporter to use cveform.mitre.org for publicly known issues in non-Canonical software to avoid duplicate assignments. +

+

+ For issues that are not yet publicly known, we will abide by any embargoes as necessary. We reserve the right to release fixes before an embargo has expired if other parties disclose the issue before the agreed upon embargo date or if there is evidence of abuse. +

+

+ We may or may not provide further information to reporters about similar issues. We may or may not ask reporters to collaborate on solutions or work-arounds. We may or may not ask reporters for assistance testing solutions or work-arounds. +

+

+ We are not affiliated with any bug bounty programs. We do not ourselves pay for bug reports, in either our software or our infrastructure. +

+

+ We are happy to give credit to reporters in our CVE assignments and in our Ubuntu Security Notices. We will use real names of discoverers, with no affiliations, in our USNs. +

+
+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/1af4bfae-What%20to%20expect%20from%20us.png", + alt="", + width="2464", + height="1027", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+ +
+
+
+
+

Disclosure timelines

+
+
+

+ When we assign a CVE, we intend to publish CVE details within one week after we provide update notifications or release new versions of software. We may publish CVE details before we provide fixes. Reporters are free to prepare whatever content they wish. We would like exploits and proof of concept exploits to be held private for at least one week after fixes are published to allow our users adequate time to test and install updates before exploits are easily available. +

+
+
+
+ +
+
+
+
+

Safe harbor

+
+
+

+ Ubuntu is proudly built on the contributions of thousands and our security is no exception. We welcome responsible research into the security of our software to make Ubuntu and Canonical software secure for everyone. +

+

+ However, we do not welcome active security probing of Canonical or Ubuntu infrastructure and services. If you believe you have found a security issue in Canonical or Ubuntu infrastructure or services please contact us. +

+
+
+
- {% endblock content %} +{% endblock content %} diff --git a/templates/security/docker-images.html b/templates/security/docker-images.html index 273af0b276c..23138c57152 100644 --- a/templates/security/docker-images.html +++ b/templates/security/docker-images.html @@ -1,151 +1,266 @@ {% extends "security/base_security.html" %} +{% from "_macros/vf_hero.jinja" import vf_hero %} +{% from "_macros/vf_rich-vertical-list.jinja" import vf_rich_vertical_list %} +{% from "_macros/vf_tiered-list.jinja" import vf_tiered_list %} + {% block title %}LTS Docker Images{% endblock %} -{% block meta_description %}The LTS Docker Image Portfolio on Docker Hub and public cloud container registries provides compliant, secure application images, with a long term maintenance commitment by Canonical.{% endblock meta_description %} +{% block meta_description %} + The LTS Docker Image Portfolio on Docker Hub and public cloud container registries provides compliant, secure application images, with a long term maintenance commitment by Canonical. +{% endblock meta_description %} -{% block meta_copydoc %}https://docs.google.com/document/d/1zZibtjU141e4mBxo_0PtfYxJ6e5fyaaAdFZ6v945XAM/edit{% endblock meta_copydoc %} +{% block meta_copydoc %} + https://docs.google.com/document/d/1zZibtjU141e4mBxo_0PtfYxJ6e5fyaaAdFZ6v945XAM/edit +{% endblock meta_copydoc %} {% block content %} - -
-
-
-

Long Term Supported
OCI Images

-

Hardened container images, with stable tracks from development to production. Up to ten years guaranteed security maintenance from Canonical's trusted repositories.

-

$ docker pull ubuntu/nginx

+ {% call(slot) vf_hero( + title_text='Long Term Supported OCI Images', + layout='50/50-full-width-image' + ) -%} + {%- if slot == 'description' -%}

- Get commercial support - Explore the images › + Hardened container images, with stable tracks from development to production. Up to ten years guaranteed security maintenance from Canonical's trusted repositories.

+ {%- endif -%} + {%- if slot == 'cta' -%} + Get commercial support + Explore the images › + {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/6faa08d1-hero.png", + alt="", + width="2464", + height="1028", + hi_def=True, + loading="auto", + attrs={"class": "p-image-container__image"}) | safe + }} +
+ {% endif -%} + {% endcall -%} + +
+
+
+
+

Critical CVE fixes in 24 hours

+
+
+

+ Scanning container images for vulnerabilities is now widespread, but fixing them requires dedicated skills and infrastructure. Trusted provenance is key. +

+

+ The LTS Docker Image Portfolio provides ready-to-use application base images, free of high and critical CVEs. Images are built on the same secure infrastructure that builds Ubuntu, and updated automatically when apps or dependencies are fixed. +

+ +
-
- {{ - image( - url="https://assets.ubuntu.com/v1/25c42877-simplified-software-management-2.svg", - alt="", - height="220", - width="220", - hi_def=True, - loading="auto", - ) | safe - }} -
-
-
- -
-
-
- {{ - image( - url="https://assets.ubuntu.com/v1/50dea393-fixes+in+24hrs.svg", - alt="", - height="210", - width="210", - hi_def=True, - loading="auto", - ) | safe - }} -
-
-

Critical CVE fixes in 24 hours

-

Scanning container images for vulnerabilities is now widespread, but fixing them requires dedicated skills and infrastructure. Trusted provenance is key.

-

The LTS Docker Image Portfolio provides ready-to-use application base images, free of high and critical CVEs. Images are built on the same secure infrastructure that builds Ubuntu, and updated automatically when apps or dependencies are fixed.

- Explore our CVE-fixing track record › -
-
-
- -
-
-

Our Commitment

-
    -
  • Minimum 5 years of 24/7 security updates from Canonical
  • -
  • Fixes for high and critical Common Vulnerabilities and Exposures (CVEs)
  • -
  • The Ubuntu distribution base image and application layers
  • -
  • All major architectures
  • -
  • Designed for layering - "FROM public.ecr.aws/lts/mysql"
  • -
-

+

+ + {% call(slot) vf_rich_vertical_list( + title_text="Our Commitment", + list_item_tick_style="tick", + is_flipped=true + ) -%} + + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/4dcb1735-our-commitment.png", + alt="", + width="1200", + height="1801", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+ {%- endif -%} + {%- if slot == 'list_item_1' -%} + Minimum 5 years of 24/7 security updates from Canonical + {%- endif -%} + {%- if slot == 'list_item_2' -%} + Fixes for high and critical Common Vulnerabilities and Exposures (CVEs) + {%- endif -%} + {%- if slot == 'list_item_3' -%} + The Ubuntu distribution base image and application layers + {%- endif -%} + {%- if slot == 'list_item_4' -%} + All major architectures + {%- endif -%} + {%- if slot == 'list_item_5' -%} + Designed for layering - "FROM public.ecr.aws/lts/mysql" + {%- endif -%} + {%- if slot == 'cta' -%} Learn more about the Ubuntu release cadence › -

-
-
- -
-
-
- {{ image(url="https://assets.ubuntu.com/v1/8b0a474a-Microsoft_.NET_logo.svg", - alt="Microsft .NET logo", - width="230", - height="230", - hi_def=True, - loading="auto") | safe }} -
-
-

Use case: Building .NET apps on Ubuntu LTS

-

Getting started with .NET on Ubuntu is straightforward and efficient with Canonical-maintained ultra-small container images. Developers now have production-grade container images to ship their .NET apps on Ubuntu. Predictable release cadence aligned with Ubuntu LTS and .NET LTS releases guarantees security and stability, long-term. Security patches and support are available to Ubuntu Ppro customers, including on the Microsoft Azure platform.

- Read about .NET support on Ubuntu › + {%- endif -%} + {% endcall -%} + +
+
+
+
+

+ Use case: +
+ Building .NET apps on Ubuntu LTS +

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/98571792-net.png", + alt="Microsft .NET logo", + width="1200", + height="801", + hi_def=True, + loading="lazy") | safe + }} +
+
+

+ Getting started with .NET on Ubuntu is straightforward and efficient with Canonical-maintained ultra-small container images. +

+

+ Developers now have production-grade container images to ship their .NET apps on Ubuntu. Predictable release cadence aligned with Ubuntu LTS and .NET LTS releases guarantees security and stability, long-term. Security patches and support are available to Ubuntu Ppro customers, including on the Microsoft Azure platform. +

+ +
-
-
- -
-
-

FAQ on the LTS Docker Image Portfolio

-

Where are the images?

-

On Amazon ECR Public and Docker Hub, images are provided in three groups:

-
    -
  • Ubuntu on Docker Hub and ECR Public have development releases with security updates
  • -
  • LTS ("Canonical") on ECR Public has Free LTS images with up to five years fixes
  • -
  • Customer-only content with up to ten years of fixes. Contact us.
  • -
-

All of our Docker Hub repositories are exempted from per-user rate limits.

-

Are these Official Images on Docker Hub?

-

Several images from the Canonical LTS Docker Image Portfolio are free Docker Official Image versions during their five year standard security maintenance period. The Ubuntu base image is available both as an official image on Docker hub and through the LTS and Ubuntu namespaces on Amazon ECR Public.

-

Is the LTS Docker Image Portfolio a free or a commercial offering?

-

Both. Some LTS Docker Images have a free five year maintenance period, based on the underlying Ubuntu LTS free standard security maintenance period. After five years, these LTS images will get five more years of security patches through the Expanded Security Maintenance (ESM) program. The ESM program is available with our Ubuntu Pro subscriptions. Some images don't get the free five initial LTS years, but still are eligible for the 10-year ESM program. On each image's documentation, the support dates and LTS/ESM logos indicate the current support status for every version. As with Ubuntu interim releases, ongoing development images are released regularly and receive free security updates while they are the current version. Read more.

- -

Is there a long-term commitment? How long?

-

ESM Images are security-maintained for the full ten year period of their underlying Ubuntu LTS release. Some applications will have versions on multiple Ubuntu LTS versions. In each case, the image is maintained for the full life of the underlying Ubuntu LTS.

-

Can I use these images to build other applications?

-

Yes. Our hardened images are optimised for the developer experience, layering, and minimality. Each image is engineered to be clean, without layering artefacts, making it an ideal foundation for enterprise continuous integration and golden images. If you are an ISV, Canonical can offer embedded terms for redistribution and specific support. Get in touch.

-

Can I enable FIPS mode on Ubuntu-based container images?

-

Yes, with a valid Ubuntu Pro subscription. Hosts or nodes running the hardened Ubuntu-based container images must be covered with Ubuntu Pro subscriptions. You can read more about how to enable FIPS mode on container images in this blog post.

-
-
- -
-
-
- {{ - image( - url="https://assets.ubuntu.com/v1/407cbd49-canonical-cloud.svg", - alt="", - height="150", - width="230", - hi_def=True, - loading="lazy", - ) | safe +
+ +
+ {%- call(slot) vf_tiered_list(is_description_full_width_on_desktop=true) -%} + {%- if slot == 'title' -%} +

FAQ on the LTS Docker Image Portfolio

+ {%- endif -%} + + {%- if slot == 'list_item_title_1' -%} +

Where are the images?

+ {%- endif -%} + {%- if slot == 'list_item_description_1' -%} +

On Amazon ECR Public and Docker Hub, images are provided in three groups:

+
+
    +
  • + Ubuntu on Docker Hub and ECR Public have development releases with security updates +
  • +
  • + LTS ("Canonical") on ECR Public has Free LTS images with up to five years fixes +
  • +
  • + Customer-only content with up to ten years of fixes. Contact us. +
  • +
+
+

All of our Docker Hub repositories are exempted from per-user rate limits.

+ {%- endif -%} + + {%- if slot == 'list_item_title_2' -%} +

+ Are these Official Images +
+ on Docker Hub? +

+ {%- endif -%} + {%- if slot == 'list_item_description_2' -%} +

+ Several images from the Canonical LTS Docker Image Portfolio are free Docker Official Image versions during their five year standard security maintenance period. The Ubuntu base image is available both as an official image on Docker hub and through the LTS and Ubuntu namespaces on Amazon ECR Public. +

+ {%- endif -%} + + {%- if slot == 'list_item_title_3' -%} +

Is the LTS Docker Image Portfolio
a free or a commercial offering?

+ {%- endif -%} + {%- if slot == 'list_item_description_3' -%} +

+ Both. Some LTS Docker Images have a free five year maintenance period, based on the underlying Ubuntu LTS free standard security maintenance period. After five years, these LTS images will get five more years of security patches through the Expanded Security Maintenance (ESM) program. The ESM program is available with our Ubuntu Pro subscriptions. Some images don't get the free five initial LTS years, + but still are eligible for the 10-year ESM program. On each image's documentation, the support dates and LTS/ESM logos indicate the current support status for every version. As with Ubuntu interim releases, ongoing development images are released regularly and receive free security updates while they are the current version. +

+ + {%- endif -%} + + {%- if slot == 'list_item_title_4' -%} +

Is there a long-term commitment? How long?

+ {%- endif -%} + {%- if slot == 'list_item_description_4' -%} +

+ ESM Images are security-maintained for the full ten year period of their underlying Ubuntu LTS release. Some applications will have versions on multiple Ubuntu LTS versions. In each case, the image is maintained for the full life of the underlying Ubuntu LTS. +

+ + {%- endif -%} + + {%- if slot == 'list_item_title_5' -%} +

Can I use these images
to build other applications?

+ {%- endif -%} + {%- if slot == 'list_item_description_5' -%} +

+ Yes. Our hardened images are optimised for the developer experience, layering, and minimality. Each image is engineered to be clean, without layering artefacts, making it an ideal foundation for enterprise continuous integration and golden images. If you are an ISV, Canonical can offer embedded terms for redistribution and specific support. +

+ + {%- endif -%} + + {%- if slot == 'list_item_title_6' -%} +

Can I enable FIPS mode
on Ubuntu-based container images?

+ {%- endif -%} + {%- if slot == 'list_item_description_6' -%} +

+ Yes, with a valid Ubuntu Pro subscription. Hosts or nodes running the hardened Ubuntu-based container images must be covered with Ubuntu Pro subscriptions. You can read more about how to enable FIPS mode on container images in this blog post. +

+ {%- endif -%} + {% endcall -%} +
+ +
+
+ {{ image(url="https://assets.ubuntu.com/v1/f50399ab-secure-your-cloud.png", + alt="", + width="2464", + height="1028", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe }}
-
-
+ +
+ +
+
+
+

Secure your cloud solutions

-

Would you like to discuss your specific use case with us? Our team is here to help you secure your cloud solutions, starting with secure Docker images.

+
+

- Get in touch + Would you like to discuss your specific use case with us? Our team is here to help you secure your cloud solutions, starting with secure Docker images. +

+
+

+ Get in touch

-
-
+
-{% with first_item="_support_landscape", second_item="_support_contact_us", third_item="_further_reading" %}{% include "shared/contextual_footers/_contextual_footer.html" %}{% endwith %} + {% include "/shared/forms/form-template.html" %} - -
- {% endblock content %} -{% block footer_extra %}{{ marketo }}{% endblock footer_extra %} + +{% block footer_extra %} + {{ marketo }} +{% endblock footer_extra %} diff --git a/templates/security/fips.html b/templates/security/fips.html index 7025e5aab25..3220e79e3ae 100644 --- a/templates/security/fips.html +++ b/templates/security/fips.html @@ -6,360 +6,603 @@ Details on the Ubuntu FIPS security certification for Ubuntu Advantage and Ubuntu Pro subscribers. {% endblock %} +{% from "_macros/vf_hero.jinja" import vf_hero %} +{% from "_macros/vf_tiered-list.jinja" import vf_tiered_list %} + +{% block body_class %} + is-paper +{% endblock body_class %} + {% block meta_copydoc %} https://docs.google.com/document/d/1moTJCAtFXKD7ZXrxB-EB7GPVyZRTSIdkP-0BhPZl69M/edit# {% endblock meta_copydoc %} {% block content %} - -
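Review bot: The rewritten .NET use-case section keeps two misspellings from the old markup in user-facing text: the paragraph line `Security patches and support are available to Ubuntu Ppro customers` should read `Ubuntu Pro customers`, and the image macro's `alt="Microsft .NET logo"` (also read aloud by screen readers) should be `alt="Microsoft .NET logo"`. On the new side of this rendering the old "Explore our CVE-fixing track record ›", "Read about .NET support on Ubuntu ›" and the FAQ's "Read more." / "Get in touch." links no longer appear; if that is a real removal rather than an artifact of the stripped markup, those outbound references should be restored since the surrounding sentences still read as if a link follows. The added `{% include "/shared/forms/form-template.html" %}` uses a leading slash while every other `include`/`extends`/`from` path on this page is relative to the template root; Jinja's filesystem loader appears to tolerate it, but `{% include "shared/forms/form-template.html" %}` keeps the path style consistent.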
-
-
-

FIPS for Ubuntu

-

FIPS 140 validated cryptography for Linux workloads on Ubuntu

-

- Developing and running Linux workloads for U.S. government regulated and high-security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of Ubuntu Pro on-premise or on Public Clouds. -

-

- Contact us - Get Ubuntu Pro -

-
-
- {{ image ( - url="https://assets.ubuntu.com/v1/9f048bd7-NIST_logo.svg", - alt="NIST logo", - width="252", - height="66", - hi_def=True, - loading="auto" - ) | safe + {% call(slot) vf_hero( + title_text='FIPS for Ubuntu', + subtitle_text='FIPS 140 validated cryptography for Linux workloads on Ubuntu', + layout='50/50' + ) -%} + {%- if slot == 'description' -%} +

+ Developing and running Linux workloads for U.S. government regulated and high-security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of Ubuntu Pro on-premise or on Public Clouds. +

+ {%- endif -%} + {%- if slot == 'cta' -%} + Contact us + Get Ubuntu Pro + {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/b3df178b-hero-img.png", + alt="", + width="1800", + height="1200", + hi_def=True, + loading="auto", + attrs={"class": "p-image-container__image"},) | safe }}
-
-
+ {%- endif -%} + {% endcall -%} -
-
-
-

Run regulated workloads

-
-

- U.S Federal agencies and anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. Ubuntu Pro provides FIPS 140 certified cryptographic packages. -

-
-
-

Reduce your compliance costs

-
-

- Developing applications that comply with FIPS 140 can be a challenging task. Validating the used cryptography in-house involves a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The Ubuntu Pro packages are validated on common CPU types and are also available for use on the public cloud. -

-
-
-

Get NIST certified compliance

-
-

- FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a laboratory accredited under the NIST’s Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) in the US and CCCS’s Cryptographic Module Validation Program (CMVP) in Canada. Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory. -

-
-
-
+ {%- call(slot) vf_tiered_list(is_list_full_width_on_tablet=true) -%} + {%- if slot == 'title' -%} +

The benefits of FIPS for Ubuntu

+ {%- endif -%} + + {%- if slot == 'list_item_title_1' -%} +

Run regulated workloads

+ {%- endif -%} + + {%- if slot == 'list_item_description_1' -%}

- Read more about FIPS - Contact us + US federal agencies and anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. Ubuntu Pro provides FIPS 140 certified cryptographic packages.

-
-
+ {%- endif -%} -
-
-

What is FIPS?

+ {%- if slot == 'list_item_title_2' -%} +

Reduce your compliance costs

+ {%- endif -%} + + {%- if slot == 'list_item_description_2' -%}

- FIPS 140 is a U.S. and Canada Government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. The reason for a data protection standard dedicated to cryptography is because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today’s Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's National Voluntary Laboratory Accreditation Program (NVLAP) in the US and CCCS's Cryptographic Module Validation Program (CMVP) in Canada. + Developing applications that comply with FIPS 140 can be a challenging task. Validating the used cryptography in-house involves a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The Ubuntu Pro packages are validated on common CPU types and are also available for use on the public cloud.

+ {%- endif -%} + + {%- if slot == 'list_item_title_3' -%} +

Get NIST certified compliance

+ {%- endif -%} + + {%- if slot == 'list_item_description_3' -%}

- FIPS 140-2 is required under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). + FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a laboratory accredited under the NIST’s Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) in the US and CCCS’s Cryptographic Module Validation Program (CMVP) in Canada. Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory.

+ {%- endif -%} + + {%- if slot == 'cta' -%} + Contact us + Read more about FIPS › + {%- endif -%} + {%- endcall -%} + +
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/273c35bb-fips-140.png", + alt="", + width="3696", + height="1540", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"},) | safe + }} +
+
+
+ +
+
+
+
+

What is FIPS?

+
+
+

+ FIPS 140 is a U.S. and Canada Government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. The reason for a data protection standard dedicated to cryptography is because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today’s Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory, which is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's National Voluntary Laboratory Accreditation Program (NVLAP) in the US and CCCS's Cryptographic Module Validation Program (CMVP) in Canada. +

+

+ FIPS 140-2 is required under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). +

+
-
-
-
-

How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS and DISA-STIG

+
+
+
+
+

How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS, and DISA-STIG

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/4d506669-how-ubuntu-webinar.png", + alt="", + width="1800", + height="1013", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"},) | safe + }} +
+

Learn about the US government security standards and the common challenges faced by organizations in their implementation. See how the Ubuntu Security Guide can transform systems compliance in a few minutes. Get to know how Ubuntu is a secure platform for government agencies and complying organizations to build, operate and innovate with open source applications and technologies.

- Contact us -
-
-
- - - +
-
-
-

Access FIPS images on the public cloud

-

- FIPS can be enabled on Ubuntu Pro cloud images, while Ubuntu Pro FIPS cloud images simplify the experience as they come preconfigured with FIPS 140 certified packages optimised for the cloud. You can quickly navigate the marketplace to find the FIPS-enabled images below. -

-
-
-
-

Ubuntu Pro FIPS 16.04

-
-
- - Microsoft Azure Marketplace - - - AWS marketplace - - - Google Cloud - +
+
+
+
+
+

Access FIPS images on the public cloud

-
-
-

Ubuntu Pro FIPS 18.04

-
-
- - Microsoft Azure Marketplace - - - AWS marketplace - - - Google Cloud - +
+

+ FIPS can be enabled on Ubuntu Pro cloud images, while Ubuntu Pro FIPS cloud images simplify the experience as they come preconfigured with FIPS 140 certified packages optimized for the cloud. You can quickly navigate the marketplace to find the FIPS-enabled images below. +

-
-

Ubuntu Pro FIPS 20.04

-
- +
+
+
+

Ubuntu Pro FIPS 16.04

+ +
+

Ubuntu Pro FIPS 18.04

+ +
+

Ubuntu Pro FIPS 20.04

+
-
-

- Interested in FIPS for container images? Read more on this blog. -

+
+
+
+

+ Interested in FIPS for container images? Read more on this blog. +

+
+
-
-
-

Certified packages under FIPS 140

-

- The following list contains the FIPS 140 validated components that are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Ubuntu 16.04 LTS -
- on x86-64, IBM Power8 and IBM Z -
- Ubuntu 18.04 LTS -
- on x86-64 and IBM Z -
- Ubuntu 20.04 LTS -
- on x86-64 and IBM Z -
Linux Kernel (GA) Crypto API - #2962, - #3724 - - #3647, #4018, #3664 (AWS), -
- #3683 (Azure), #3954 (GCP) -
- #4366, #4132 (AWS), #4126 (Azure), #4127 (GCP) -
OpenSSH client - #2907 - - #3633 - - #4292 -
OpenSSL - #2888, - #3725 - - #3622, - #3980 -
OpenSSH server - #2906 - - #3632 -
libgcrypt - #3748 - - #3902 -
StrongSwan - #2978 - - #3648 - - #4046 -
- Read more about FIPS - Access the FIPS validated modules +
+
+
+
+
+

+ Certified packages +
+ under FIPS 140-2 +

+
+
+

+ The following list contains the FIPS 140-2 validated components that are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory. Certifications under FIPS 140-2 will be moved to the historical list after September 2026 (although these products can still be purchased and used), and new products are expected to be certified under FIPS 140-3. +

+
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + Ubuntu 16.04 LTS +
+ on x86-64, IBM Power8 and IBM Z +
+ Ubuntu 18.04 LTS +
+ on x86-64 and IBM Z +
+ Ubuntu 20.04 LTS +
+ on x86-64 and IBM Z +
Linux Kernel (GA) Crypto API + #2962, + #3724 + + #3647, #4018, #3664 (AWS), +
+ #3683 (Azure), #3954 (GCP) +
+ #4366, #4132 (AWS), #4126 (Azure), #4127 (GCP) +
OpenSSH client + #2907 + + #3633 + + #4292 +
OpenSSL + #2888, + #3725 + + #3622, + #3980 + + #4292 +
OpenSSH server + #2906 + + #3632 + + #4292 +
libgcrypt + #3748 + + #3902 +
StrongSwan + #2978 + + #3648 + + #4046 +
+
+
+
-
-
-

FIPS packages and security updates

-

- Each FIPS 140 certificate is valid for 5 years. However, vulnerabilities happen, and it is our goal to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options. An option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes (called the 'fips-updates' option) when available. Check our documentation pages on how to enable these options. -

-

- We strongly recommend enabling the 'fips-updates' option that includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle including the Expanded Security Maintenance (ESM) phase. -

+
+
+
+
+
+

+ Certified packages +
+ under FIPS 140-3 +

+
+
+

+ FIPS 140-3 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759. The following list contains the FIPS 140-3 validated components that are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory. +

+
+
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + Ubuntu 22.04 LTS +
+ on x86-64, ARM64 and IBM Z +
Linux Kernel (GA) Crypto API + #4894 +
GnuTLS + #4855 +
OpenSSL + #4794 +
libgcrypt + #4793 +
StrongSwan + #4911 +
+
+
+
+
-
+
+
+
+
+
+

+ FIPS packages +
+ and security updates +

+
+
+

+ Each FIPS 140 certificate is valid for 5 years. However, vulnerabilities happen, and it is our goal to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options. An option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes (called the 'fips-updates' option) when available. Check our documentation pages on how to enable these options. +

+

+ We strongly recommend enabling the 'fips-updates' option that includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle including the Expanded Security Maintenance (ESM) phase. +

+
+
+
-

Free for personal use

-

- Canonical provides Ubuntu Pro subscriptions, which include FIPS, free of charge for individuals on up to 5 machines. For our community of Ubuntu members, we will gladly increase that to 50 machines. -

- Get a free subscription +
+
+ {{ image(url="https://assets.ubuntu.com/v1/35204ee3-fips-packages.png", + alt="", + width="3696", + height="1541", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"},) | safe + }} +
+
-
-
-

FIPS 140-3 and Ubuntu

-

- In September 2021, NIST phased out FIPS 140-2. Certifications under FIPS 140-2 will be moved to the historical list after September 2026 (although these products can still be purchased and used), and new products are expected to be certified under FIPS 140-3. FIPS 140-3 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759. Canonical is preparing Ubuntu for the new certification, and will provide FIPS 140-3 certified cryptographic packages on future LTS releases of Ubuntu, starting with 22.04 Jammy Jellyfish. -

+
+
+
+
+

Free for personal use

+
+
+

+ Canonical provides Ubuntu Pro subscriptions, which include FIPS, free of charge for individuals on up to 5 machines. For our community of Ubuntu members, we will gladly increase that to 50 machines. +

+ +
- {% with first_item="_security_discussion", second_item="_security_esm", third_item="_security_further_reading" %} - {% include "shared/contextual_footers/_contextual_footer.html" %} - {% endwith %} - - -
+ {% include "/shared/forms/form-template.html" %} {% endblock content %} diff --git a/templates/security/form-data.json b/templates/security/form-data.json new file mode 100644 index 00000000000..2c127642c59 --- /dev/null +++ b/templates/security/form-data.json 
@@ -0,0 +1,673 @@ +{ + "form": { + "/security": { + "templatePath": "/security/index.html", + "childrenPaths": [ + "/security/fips" + ], + "isModal": true, + "modalId": "contact-modal", + "formData": { + "title": "The Ubuntu experts", + "introText": "Canonical certifies, secures and enables enterprise open source on Ubuntu. Tell us about your project so we bring the right team to the conversation.", + "formId": "1257", + "returnUrl": "/security#contact-form-success", + "lpUrl": "https://ubuntu.com/security/contact-us", + "product": "" + }, + "fieldsets": [ + { + "title": "Tell us about your project", + "id": "about-your-project", + "noCommentsFromLead": true, + "fields": [ + { + "type": "long-text", + "id": "about-your-project", + "label": "About your project" + } + ] + }, + { + "title": "If you use Ubuntu, which version(s) are you using?", + "id": "ubuntu-versions", + "inputType": "checkbox-visibility", + "fields": [ + { + "fieldTitle": "LTS within standard support", + "options": [ + { + "type": "checkbox", + "id": "24-04", + "value": "24.04 LTS", + "label": "24.04 LTS" + }, + { + "type": "checkbox", + "id": "22-04", + "value": "22.04 LTS", + "label": "22.04 LTS" + }, + { + "type": "checkbox", + "id": "20-04", + "value": "20.04 LTS", + "label": "20.04 LTS" + } + ] + }, + { + "fieldTitle": "LTS out of standard support", + "options": [ + { + "type": "checkbox", + "id": "18-04", + "value": "18.04 LTS", + "label": "18.04 LTS" + }, + { + "type": "checkbox", + "id": "16-04", + "value": "16.04 LTS", + "label": "16.04 LTS" + }, + { + "type": "checkbox", + "id": "14-04", + "value": "14.04 LTS", + "label": "14.04 LTS" + } + ] + }, + { + "fieldTitle": "Outdated or non-LTS releases non-LTS release", + "options": [ + { + "type": "checkbox", + "id": "22-10", + "value": "22.10", + "label": "non-LTS release" + }, + { + "type": "checkbox", + "id": "12-04", + "value": "12.04 LTS", + "label": "12.04 LTS" + } + ] + }, + { + "fieldTitle": "Other", + "options": [ + { + "type": 
"checkbox", + "id": "dont-use-ubuntu-today", + "value": "I don't use Ubuntu today", + "label": "I don't use Ubuntu today" + }, + { + "type": "checkbox", + "id": "i-dont'know", + "value": "I don't know", + "label": "I don't know" + } + ] + } + ] + }, + { + "title": "What kind of device are you using?", + "id": "kind-of-device", + "isRequired": true, + "inputType": "checkbox", + "fields": [ + { + "type": "checkbox", + "id": "desktop-workstation", + "value": "desktop/workstation", + "label": "Desktop workstation" + }, + { + "type": "checkbox", + "id": "physical-server", + "value": "physical/server", + "label": "Physical server" + }, + { + "type": "checkbox", + "id": "public-cloud", + "value": "public/cloud", + "label": "Public cloud" + }, + { + "type": "checkbox", + "id": "virtual-machine", + "value": "virtual/machine", + "label": "Virtual machine" + }, + { + "type": "checkbox", + "id": "iot-edge-device", + "value": "iot/edge device", + "label": "IoT/Edge device" + } + ] + }, + { + "title": "How many devices?", + "id": "how-many-machines", + "inputName": "how-many-machines-do-you-have", + "inputType": "radio", + "isRequired": true, + "fields": [ + { + "type": "radio", + "id": "less-5-machines", + "value": "less than 5", + "label": "< 5 machines" + }, + { + "type": "radio", + "id": "5-to-15-machines", + "value": "5 to 15 machines", + "label": "5 - 15 machines" + }, + { + "type": "radio", + "id": "15-to-50-machines", + "value": "15 to 50 machines", + "label": "15 - 50 machines" + }, + { + "type": "radio", + "id": "50-to-100-machines", + "value": "50 to 100 machines", + "label": "50 - 100 machines" + }, + { + "type": "radio", + "id": "greater-than-100", + "value": "greater than 100", + "label": "> 100 machines" + } + ] + }, + { + "title": "How do you consume open source?", + "id": "how-do-you-consume-open-source", + "fields": [ + { + "type": "checkbox", + "id": "ubuntu-repositories", + "value": "Ubuntu repositories", + "label": "Ubuntu repositories" + }, + { + "type": 
"checkbox", + "id": "github-upstream", + "value": "GitHub/Upstream", + "label": "GitHub/Upstream" + }, + { + "type": "checkbox", + "id": "internally-approved-repository", + "value": "Internally approved repository", + "label": "Internally approved repository" + }, + { + "type": "checkbox", + "id": "i-dont-know", + "value": "I don't know", + "label": "I don't know" + } + ] + }, + { + "title": "Do you have specific compliance or hardening requirements?", + "id": "hardening-requirements", + "fields": [ + { + "type": "checkbox", + "id": "pci", + "value": "PCI-DSS", + "label": "PCI-DSS" + }, + { + "type": "checkbox", + "id": "hipaa", + "value": "HIPAA", + "label": "HIPAA" + }, + { + "type": "checkbox", + "id": "fisma", + "value": "FISMA", + "label": "FISMA" + }, + { + "type": "checkbox", + "id": "fips-140", + "value": "FIPS 140", + "label": "FIPS 140" + }, + { + "type": "checkbox", + "id": "ncsc", + "value": "NCSC", + "label": "NCSC" + }, + { + "type": "checkbox", + "id": "disa-stig", + "value": "DISA-STIG", + "label": "DISA-STIG" + }, + { + "type": "checkbox", + "id": "fedramp", + "value": "FedRAMP", + "label": "FedRAMP" + }, + { + "type": "checkbox", + "id": "cis-benchmark", + "value": "CIS Benchmark", + "label": "CIS Benchmark" + } + ] + }, + { + "title": "Who is responsible for tracking, testing and applying CVE patches in a timely manner?", + "id": "responsible-for-tracking", + "fields": [ + { + "type": "checkbox", + "id": "individual-developers", + "value": "Individual developers", + "label": "Individual developers" + }, + { + "type": "checkbox", + "id": "project-team", + "value": "The project team", + "label": "The project team" + }, + { + "type": "checkbox", + "id": "third-party-vendor", + "value": "Third-party vendor", + "label": "Third-party vendor" + }, + { + "type": "checkbox", + "id": "i-dont-know", + "value": "I don't know", + "label": "I don't know" + } + ] + }, + { + "title": "What advice are you looking for?", + "id": "advice", + "noCommentsFromLead": 
true, + "fields": [ + { + "type": "long-text", + "id": "advice", + "label": "Tell us about your challenges and your goals" + } + ] + }, + { + "title": "How should we get in touch?", + "id": "about-you", + "noCommentsFromLead": true, + "fields": [ + { + "type": "text", + "id": "firstName", + "label": "First name", + "isRequired": true + }, + { + "type": "text", + "id": "lastName", + "label": "Last name", + "isRequired": true + }, + { + "type": "text", + "id": "company", + "label": "Company", + "isRequired": false + }, + { + "type": "text", + "id": "jobTitle", + "label": "Job title", + "isRequired": false + }, + { + "type": "email", + "id": "email", + "label": "Email address", + "isRequired": true + }, + { + "type": "tel", + "id": "phone", + "label": "Mobile/cell phone number", + "isRequired": true + }, + { + "type": "country", + "id": "country", + "label": "Country", + "isRequired": false + } + ] + } + ] + }, + "/security/docker-images": { + "templatePath": "/security/docker-images.html", + "isModal": true, + "modalId": "contact-modal", + "formData": { + "title": "Secure and stable OCI images", + "introText": "Canonical supports container images for Ubuntu and many open source applications. We empower developers with a consistent developer experience from hosts to containers. We cover enterprises with up to 10-year security patches. 
This short survey will help us bring the right team to start a meaningful conversation.", + "formId": "3785", + "returnUrl": "/security/docker-images#contact-form-success", + "lpUrl": "https://ubuntu.com/security/contact-us?product=docker", + "product": "" + }, + "fieldsets": [ + { + "title": "What do you value the most in container images?", + "id": "value-container-images", + "inputType": "checkbox", + "fields": [ + { + "type": "checkbox", + "id": "value-minimal-size", + "value": "Minimal size", + "label": "Minimal size" + }, + { + "type": "checkbox", + "id": "value-technical-support", + "value": "Technical support", + "label": "Technical support" + }, + { + "type": "checkbox", + "id": "value-direct-pull-access", + "value": "Direct pull access", + "label": "Direct pull access" + }, + { + "type": "checkbox", + "id": "value-long-term-versions", + "value": "Long-term versions", + "label": "Long-term versions" + }, + { + "type": "checkbox", + "id": "value-developer-experience", + "value": "Developer experience", + "label": "Developer experience" + }, + { + "type": "checkbox", + "id": "value-free-of-vulnerability", + "value": "Free of vulnerability", + "label": "Free of vulnerability" + }, + { + "type": "checkbox", + "id": "value-trusted-provenance", + "value": "Trusted provenance", + "label": "Trusted provenance" + }, + { + "type": "checkbox", + "id": "value-compliance", + "value": "Compliance (FIPS, CIS hardening...)", + "label": "Compliance (FIPS, CIS hardening...)" + } + ] + }, + { + "title": "What applications would you like as prebuilt images?", + "id": "apps-prebuild-images", + "inputType": "checkbox", + "fields": [ + { + "type": "checkbox", + "id": "applications-NGINX", + "value": "NGINX", + "label": "NGINX" + }, + { + "type": "checkbox", + "id": "applications-Apache", + "value": "Apache", + "label": "Apache" + }, + { + "type": "checkbox", + "id": "applications-Redis", + "value": "Redis", + "label": "Redis" + }, + { + "type": "checkbox", + "id": 
"applications-MySQL", + "value": "MySQL", + "label": "MySQL" + }, + { + "type": "checkbox", + "id": "applications-PostgreSQL", + "value": "PostgreSQL", + "label": "PostgreSQL" + }, + { + "type": "checkbox", + "id": "applications-other-databases", + "value": "Other databases", + "label": "Other databases" + }, + { + "type": "checkbox", + "id": "applications-NodeJS", + "value": "NodeJS", + "label": "NodeJS" + }, + { + "type": "checkbox", + "id": "applications-Python", + "value": "Python", + "label": "Python" + }, + { + "type": "checkbox", + "id": "applications-dot-net", + "value": ".NET", + "label": ".NET" + }, + { + "type": "checkbox", + "id": "applications-Java", + "value": "Java (OpenJDK)", + "label": "Java (OpenJDK)" + }, + { + "type": "checkbox", + "id": "applications-distroless-images", + "value": "Distroless images", + "label": "Distroless images" + }, + { + "type": "checkbox", + "id": "applications-other-runtimes", + "value": "Other runtimes", + "label": "Other runtimes" + }, + { + "type": "checkbox", + "id": "applications-Cassandra", + "value": "Cassandra", + "label": "Cassandra" + }, + { + "type": "checkbox", + "id": "applications-Grafana", + "value": "Grafana", + "label": "Grafana" + }, + { + "type": "checkbox", + "id": "applications-Prometheus", + "value": "Prometheus", + "label": "Prometheus" + }, + { + "type": "checkbox", + "id": "applications-Memcached", + "value": "Memcached", + "label": "Memcached" + }, + { + "type": "checkbox", + "id": "applications-other", + "value": "Others", + "label": "Others" + } + ] + }, + { + "title": "What best describes your use case?", + "id": "use-case", + "inputType": "checkbox", + "fields": [ + { + "type": "checkbox", + "id": "use-case-Public-Cloud", + "value": "Public Cloud", + "label": "Public Cloud" + }, + { + "type": "checkbox", + "id": "use-case-Kubernetes", + "value": "Kubernetes", + "label": "Kubernetes" + }, + { + "type": "checkbox", + "id": "use-case-CI-CD", + "value": "CI/CD", + "label": "CI/CD" + }, + { + 
"type": "checkbox", + "id": "use-case-Multi-stage-builds", + "value": "Multi stage builds", + "label": "Multi stage builds" + }, + { + "type": "checkbox", + "id": "use-case-Private-Cloud", + "value": "Private Cloud", + "label": "Private Cloud" + }, + { + "type": "checkbox", + "id": "use-case-Docker-Swarm", + "value": "Docker Swarm", + "label": "Docker Swarm" + }, + { + "type": "checkbox", + "id": "use-case-Custom-Business-Apps", + "value": "Custom Business Apps", + "label": "Custom Business Apps" + }, + { + "type": "checkbox", + "id": "use-case-Edge-computing", + "value": "Edge computing", + "label": "Edge computing" + }, + { + "type": "checkbox", + "id": "use-case-CaaS-PaaS", + "value": "CaaS/PaaS", + "label": "CaaS/PaaS" + }, + { + "type": "checkbox", + "id": "use-case-Other-Kubernetes", + "value": "Other Kubernetes", + "label": "Other Kubernetes" + }, + { + "type": "checkbox", + "id": "use-case-Restricted-Network", + "value": "Restricted Network (Firewall)", + "label": "Restricted Network (Firewall)" + }, + { + "type": "checkbox", + "id": "use-case-AI-ML", + "value": "AI/ML", + "label": "AI/ML" + } + ] + }, + { + "title": "Anything more that would help us bring the right team?", + "id": "summarize-your-applications-ummarize in a few words your applications-u're looking for?", + "fields": [ + { + "type": "long-text", + "id": "summarize-your-applications-ummarize in a few words your applications-u're looking for?", + "label": "summarize-your-applications-ummarize in a few words your applications-u're looking for?" 
+ } + ] + }, + { + "title": "How should we get in touch?", + "id": "about-you", + "noCommentsFromLead": true, + "fields": [ + { + "type": "text", + "id": "firstName", + "label": "First name", + "isRequired": true + }, + { + "type": "text", + "id": "lastName", + "label": "Last name", + "isRequired": true + }, + { + "type": "email", + "id": "email", + "label": "Email address", + "isRequired": true + }, + { + "type": "tel", + "id": "phone", + "label": "Mobile/cell phone number", + "isRequired": true + } + ] + } + ] + } + } + } \ No newline at end of file diff --git a/templates/security/index.html b/templates/security/index.html index 6f3854054b6..f5b1a1e7c7b 100644 --- a/templates/security/index.html +++ b/templates/security/index.html @@ -6,337 +6,388 @@ Companies around the world rely on Ubuntu for secure open source solutions. We work with our customers to meet the highest security standards. {% endblock %} +{% from "_macros/vf_hero.jinja" import vf_hero %} + {% block meta_copydoc %} https://docs.google.com/document/d/1yEocR1WXQvN_B1L1yBYrG_0D7ikS6QhcOz27sYs-teI/edit {% endblock meta_copydoc %} +{% block body_class %} + is-paper +{% endblock body_class %} + {% block content %} -
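Review bot: The long-text field at the end of the "/security/docker-images" form uses the garbled string `summarize-your-applications-ummarize in a few words your applications-u're looking for?` as the fieldset id, the field id and the user-facing label; it contains spaces, an apostrophe and a `?`, so it is not a valid HTML id and reads as a broken sentence in the rendered form. I would change it to `"id": "summarize-your-applications"` for both id keys and `"label": "Summarize in a few words the applications you're looking for"`. The same kind of slip appears in the "/security" form: `"id": "i-dont'know"` in the Ubuntu-versions fieldset where every other such option uses `i-dont-know`, and `"fieldTitle": "Outdated or non-LTS releases non-LTS release"` repeats its last words. Note also that `i-dont-know` is used as a field id in two fieldsets of the same "/security" form (open source consumption and CVE-patch responsibility); if the template emits these as element ids that yields duplicate DOM ids on one page, so consider prefixing them with the fieldset id as the docker-images form already does (`value-…`, `use-case-…`). The file also ends without a trailing newline.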
-
-
-

Dedicated to the security of Ubuntu

-

- Since its inception in 2004, Ubuntu has been built on a foundation of enterprise-grade, industry leading security practices. From our toolchain to the suite of packages we use and from our update process to our industry standard certifications, Canonical never stops working to keep Ubuntu at the forefront of safety and reliability. -

-

- Watch the Ubuntu cybersecurity webinar - Contact us -

-
-
- {{ image(url="https://assets.ubuntu.com/v1/c3814c0a-shields-security-white.svg", + {% call(slot) vf_hero( + title_text='Dedicated to the security of Ubuntu', + layout='50/50-full-width-image' + ) -%} + {%- if slot == 'description' -%} +

+ Since its inception in 2004, Ubuntu has been built on a foundation of enterprise-grade, industry leading security practices. From our toolchain to the suite of packages we use and from our update process to our industry standard certifications, Canonical never stops working to keep Ubuntu at the forefront of safety and reliability. +

+ {%- endif -%} + {%- if slot == 'cta' -%} + Contact us + Watch the Ubuntu cybersecurity webinar › + {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/99a76c31-hero.png", alt="", - height="185", - width="325", + width="2464", + height="1028", hi_def=True, - loading="auto") | safe + loading="auto", + attrs={"class": "p-image-container__image"}) | safe }}
+ {% endif -%} + {% endcall -%} + +
+
+
+
+
+ Need information about the CRA? Canonical is committed to delivering Cyber Resilience Act (CRA) compliant Ubuntu. To learn more, visit our dedicated webpage on the CRA and its requirements, or contact our sales team. +
+
+
- {% include "shared/_cra-banner.html" %} - -
-
-
-

Secure out of the box

-

- All Canonical products are built with unrivalled security in mind — and tested to ensure they deliver it. Your Ubuntu software is secure from the moment you install it, and will remain so as Canonical ensures security updates are always available on Ubuntu first. -

-

- Learn more about Ubuntu’s security features -

+
+
+
+
+

An OS you can trust

-
-

Hardening at scale

-

- The default configuration of Ubuntu LTS releases balances between usability, performance and security. However, non general purpose systems can be further hardened to reduce their attack surface. Canonical provides certified tooling for automated audit and hardening. Comply with widely accepted industry hardening profiles, including CIS and DISA-STIG. -

-

- Learn more about hardening Ubuntu › -

-
-
-

Certified compliance

-

- Canonical offers a range of tools to enable organisations to manage their desktop fleet and cloud with specific compliance requirements. A FIPS (Federal Information Processing Standard) certified version of Ubuntu is also available to comply to US government standards. -

-

- Learn more about Ubuntu with FIPS 140 › -

+
+
+
+
+
+
+
+

Securely designed

+
+

+ All Canonical products are built with unrivaled security in mind — and tested to ensure they deliver it. Your Ubuntu software is secure from the moment you install it, and will remain so as Canonical ensures security updates are always available on Ubuntu first. +

+ +
+ +
+
+
+

Hardening at scale

+
+ +

+ The default configuration of Ubuntu LTS releases balances between usability, performance and security. However, non general purpose systems can be further hardened to reduce their attack surface. Canonical provides certified tooling for automated audit and hardening. Comply with widely accepted industry hardening profiles, including CIS and DISA-STIG. +

+ +
+ +
+
+
+

Certified compliance

+
+

+ Canonical offers a range of tools to enable organizations to manage their desktop fleet and cloud with specific compliance requirements. A FIPS (Federal Information Processing Standard) certified version of Ubuntu is also available to comply to US government standards. +

+ +
+
-
-
-
+
+
+
+

Cybersecurity and Compliance with Ubuntu

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/b1ba7501-webinar.png", + alt="", + width="1200", + height="676", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+

Learn about cybersecurity and zero trust as well as the common challenges faced in the implementation of cybersecurity programs, including challenges in vulnerability management, secure configuration of software and defenses against malware. See how Canonical and Ubuntu can help manage these challenges and lay the software foundation of a successful cybersecurity program.

-

+

-
-
- - - + Watch the Cybersecurity & Compliance with Ubuntu webinar ›
-
-
-

Find out more

-
-
- -
-

- - {{ image ( - url="https://assets.ubuntu.com/v1/5edefef9-Datasheet.svg", - alt="", - width="54", - height="47", - hi_def=True, - loading="lazy" - ) | safe - }} - -

- -

- Cybersecurity with Ubuntu datasheet › -

+
+
-
+
-

Canonical puts security at the heart of Ubuntu

+
+
+

Canonical puts security at the heart of Ubuntu

+
-
-
    -
  • -
    -

    Fast fixes

    -

    - No system is 100% secure and vulnerabilities will always arise. What matters is the speed and success with which they are resolved — and nobody makes fixes available faster than Canonical. -

    -
    -
  • -
  • -
    -

    Automatic updates

    -

    - Security updates are provided for ten years for long term support (LTS) releases. With the default configuration for unattended upgrades (16.04 and after), these updates get applied to your system automatically. -

    -
    -
  • -
  • -
    -

    Livepatch

    -

    - The Ubuntu Livepatch Service enables live automatic security fixes to the kernel without rebooting. This service reduces unplanned downtime while maintaining compliance and security. -

    -
    -
  • -
  • -
    -

    10 years of support

    -

    - A new LTS (Long Term Support) version of Ubuntu is released every two years, for desktop and server. Both versions receive updates and are supported for ten years. -

    -
    -
  • -
  • -
    -

    Expanded security

    -

    - Canonical offers Expanded Security Maintenance (ESM) for infrastructure and applications to provide kernel livepatches and vulnerability fixes through a secure and private archive. -

    -
    -
  • -
  • -
    -

    FIPS

    -

    - Ubuntu provides you with FIPS 140 certified cryptographic packages enabling Linux workloads to run on U.S. government regulated and high security environments. -

    -
    -
  • -
  • -
    -

    Designed to be secure

    -

    - Linux is based on Unix. It inherits Discretionary Access Control and includes Mandatory Access Control via AppArmor. -

    +
    +
    +
    +
    +
    +
    +

    Fast fixes

    +

    + No system is 100% secure and vulnerabilities will always arise. What matters is the speed and success with which they are resolved — and nobody makes fixes available faster than Canonical. +

    +
    +
    +

    Automatic updates

    +

    + Security updates are provided for ten years for long term support (LTS) releases. With the default configuration for unattended upgrades (16.04 and after), these updates get applied to your system automatically. +

    +
    +
    +

    Livepatch

    +

    + The Ubuntu Livepatch Service enables live automatic security fixes to the kernel without rebooting. This service reduces unplanned downtime while maintaining compliance and security. +

    +
    -
  • -
  • -
    -

    Protected VMs

    - +
    +
    +
    +
    +
    +

    10 years of support

    +

    + A new LTS (Long Term Support) version of Ubuntu is released every two years, for desktop and server. Both versions receive updates and are supported for ten years. +

    +
    +
    +

    Expanded security

    +

    + Canonical offers Expanded Security Maintenance (ESM) for infrastructure and applications to provide kernel livepatches and vulnerability fixes through a secure and private archive. +

    +
    +
    +

    FIPS

    +

    + Ubuntu provides you with FIPS 140 certified cryptographic packages enabling Linux workloads to run on U.S. government regulated and high security environments. +

    +
    -
  • -
  • -
    -

    Secure snap packages

    -

    - Software packages delivered as strict-mode snaps are fully confined using AppArmor, device cgroups, and seccomp. -

    +
    +
    +
    +
    +
    +

    Designed to be secure

    +

    + Linux is based on Unix. It inherits Discretionary Access Control and includes Mandatory Access Control via AppArmor. +

    +
    +
    +

    Protected VMs

    +

    + LXD containers, libvirt VMs and OpenStack VMs are protected by AppArmor by default. A rich set of profiles are provided so users can opt-in to protection for other applications. +

    +
    +
    +

    Secure snap packages

    +

    Software packages delivered as strict-mode snaps are fully confined using AppArmor, device cgroups, and seccomp.

    +
    -
  • -
+
+
- {% include "shared/_case-study-itstrategen.html" %} +
+
+
+
+

Learn how ITstrategen keeps their applications secure with Ubuntu

+
+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/d2c94444-it-strategen.png", + alt="", + width="1200", + height="801", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+

+ The security of customer data is of the utmost importance to ITstrategen, which is why Ubuntu is their server operating system of choice. +

+ +
+
+
-
+
+

Ubuntu is trusted by

-
+
- {{ image(url="https://assets.ubuntu.com/v1/b7693339-logo-bloomberg.svg", + {{ image(url="https://assets.ubuntu.com/v1/528b1e1d-Bloomberg-Logo.png", alt="Bloomberg", - height="28", - width="144", + width="313", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/d8f890fb-logo-at%26t.svg", - alt="AT&T", - height="88", - width="88", + {{ image(url="https://assets.ubuntu.com/v1/288bb95d-AT&T-Logo.png", + alt="AT&T", + width="290", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/03a06060-logo-deutschetelekom.svg", - alt="Deutsche Telekom", - height="32", - width="144", + {{ image(url="https://assets.ubuntu.com/v1/799cb482-Walmart-logo.png", + alt="Walmart", + width="355", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/e0f7037f-logo-ebay.svg", + {{ image(url="https://assets.ubuntu.com/v1/86b85fcd-deutsche-telekom.png", + alt="Deutsche Telekom", + width="313", + height="313", + hi_def=True, + loading="auto|lazy", + attrs={"class": "p-logo-section__logo"}) | safe + }} +
+
+ {{ image(url="https://assets.ubuntu.com/v1/14bd7913-ebay-logo.png", alt="Ebay", - height="55", - width="144", + width="232", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/4d6054f9-logo-cisco.svg", + {{ image(url="https://assets.ubuntu.com/v1/2b182a31-cisco-logo.png", alt="Cisco", - height="76", - width="144", + width="189", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/73135672-ntt-logo.svg", + {{ image(url="https://assets.ubuntu.com/v1/207d453e-NTT-logo.png", alt="NTT", - height="53", - width="144", + width="254", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/8393d534-logo-bestbuy.svg", + {{ image(url="https://assets.ubuntu.com/v1/3d62574d-bestbuy-logo.png", alt="Best Buy", - height="84", - width="144", + width="140", + height="313", hi_def=True, - loading="lazy", + loading="auto|lazy", attrs={"class": "p-logo-section__logo"}) | safe }}
- {{ image(url="https://assets.ubuntu.com/v1/0c18b0ae-paypal_logo.svg", - alt="PayPal", - height="36", - width="144", + {{ image(url="https://assets.ubuntu.com/v1/b7cd4edf-paypal-logo.png", + alt="Paypal", + width="280", + height="313", hi_def=True, loading="lazy", attrs={"class": "p-logo-section__logo"}) | safe
@@ -347,91 +398,161 @@

Ubuntu is trusted by

-
-
-
+
+
+
+

Find out why the UK Government puts Ubuntu in first place for security

+
+

- CESG, the security arm of the UK government rated Ubuntu as the most secure operating system of the 11 they tested. -

-

- Read the UK Gov Report Summarycase study + Communications-Electronics Security Group (CESG), the security arm of the UK government rated Ubuntu as the most secure operating system of the 11 they tested.

-
-
- {{ image(url="https://assets.ubuntu.com/v1/7953a068-security-1.svg", - alt="", - height="240", - width="200", - hi_def=True, - loading="lazy", - attrs={"class": "u-hide--small u-hide--medium"}) | safe - }} +
-
-
-
-

Helping you manage security

-

- Every Long Term Support (LTS) release of Ubuntu comes with five years of free security and maintenance updates for the main OS. Canonical also offers a number of additional products and services to help manage the security of your Ubuntu systems. -

+
+
+
+
+
+

Helping you manage security

+
+
+

+ Every Long Term Support (LTS) release of Ubuntu comes with five years of free security and maintenance updates for the main OS. Canonical also offers a number of additional products and services to help manage the security of your Ubuntu systems. +

+
-
-
-

Reduce downtime and unplanned work

-

+

+
+
+
+ {{ image(url="https://assets.ubuntu.com/v1/13fc2636-reduce-downtime.png", + alt="", + width="568", + height="853", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Reduce downtime and unplanned work

+
+

The Ubuntu Livepatch service eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. Reduce fire drills while keeping uninterrupted service with Ubuntu Livepatch service for up to ten years.

-

- Learn more about the Livepatch Service › -

+
-
-

Be compliant and FIPS certified

-

+ +

+
+
+ {{ image(url="https://assets.ubuntu.com/v1/38b96c59-be-compliant.png", + alt="", + width="568", + height="853", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Be compliant and FIPS certified

+
+

Developing and running workloads for high security and government regulated environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 and Common Criteria certifications available with Ubuntu Advantage and Pro.

-

- Learn more about Ubuntu certifications › -

+
-
-
-
-

Manage security updates with Landscape

-

+ +

+
+
+ {{ image(url="https://assets.ubuntu.com/v1/2ef83b71-manage-security.png", + alt="", + width="568", + height="853", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Manage security updates with Landscape

+
+

Landscape is the leading management tool to deploy, monitor and manage your Ubuntu servers and desktops. Landscape gives the ability to centrally view and manage the security updates that have been applied to their systems and, critically, the security updates which have not yet been applied.

-

- Get Landscape -

+
-
-

Expand your Ubuntu security maintenance

-

+ +

+
+
+ {{ image(url="https://assets.ubuntu.com/v1/ec15ce25-expand-your-ubuntu.png", + alt="", + width="568", + height="853", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe + }} +
+
+
+
+

Expand your Ubuntu security maintenance

+
+

Canonical offers Expanded Security Maintenance (ESM), to Ubuntu Pro customers to provide important security fixes for the kernel and essential user space packages, toolchains, and applications. These updates are delivered via a secure, private archive exclusively available to Canonical customers.

-

- Watch our security compliance webinar now › -

+
-
-
-
+
+
+
+

Ubuntu Pro

-

All of our security products are available for a one off fee.

+
+
+

All of our security products are available for a one off fee.

- Ubuntu Pro is the professional package of tools, technology and expertise from Canonical, helping organisations around the world get the most out of their Ubuntu deployments. It includes access to: + Ubuntu Pro is the professional package of tools, technology and expertise from Canonical, helping organizations around the world get the most out of their Ubuntu deployments. It includes access to:

-
    +
    +
    • Livepatch: automatic kernel security hotfixes without rebooting
    • FIPS: certified cryptographic modules available for compliance requirements
    • Landscape: the systems management tool for using Ubuntu at scale
    • @@ -441,53 +562,32 @@
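Review bot: The rewritten CESG sentence is missing the closing comma of its appositive, which makes "the security arm of the UK government rated" read as one clause: `Communications-Electronics Security Group (CESG), the security arm of the UK government, rated Ubuntu as the most secure operating system of the 11 they tested.` The ranking claim also carries no date on the new side, and the old `Read the UK Gov Report Summary` link text is removed in this hunk; if the link was dropped rather than moved, readers have no way to judge how current the assessment is, especially since CESG has since been folded into the NCSC. A short qualifier naming the year of the assessment (year to be confirmed against the source document) and a retained link to the summary would fix that. The `{% block content %}` this hunk edits is opened in the previous hunk and closed in a later one.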

      Ubuntu Pro

    • Knowledge Base: a private archive of expert-written articles and tutorials
    • Optional support: phone and web-based support at multiple service levels
    -

    +

-
-
-
-

Talk to a member of our team

-

We can recommend a security solution that best suits the needs of your organisation.

- -
+
-
- {{ image(url="https://assets.ubuntu.com/v1/c4b290c8-Contact+us.svg", - alt="", - height="178", - width="250", - hi_def=True, - loading="lazy",) | safe - }} -
+
+
+

Find a security solution that best suits the needs of your organization.

+

+ Talk to a member of our team › +

-
-
-
- {{ image(url="https://assets.ubuntu.com/v1/7076ef2d-ubuntu-documents.svg", - alt="", - height="178", - width="145", - hi_def=True, - loading="lazy",) | safe - }} -
-
+
+
+
+

Ubuntu security disclosure policy

+
+

Canonical and the Ubuntu Security Team participate in responsible disclosure and collaborate with the wider community on security issues. For more information on how to contact the Ubuntu Security Team and expectations, please refer to our Ubuntu Security disclosure and embargo policy.
@@ -496,17 +596,88 @@

Ubuntu security disclosure policy

- {% with first_item="_security_discussion", second_item="_security_esm", third_item="_security_further_reading" %} - {% include "shared/contextual_footers/_contextual_footer.html" %} - {% endwith %} - - -
+
+
+
+
+

Resources

+
+
+ +
+
+
+

Canonical is offering Expanded Security Maintenance

+
+
+

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

+ +
+
+
+
+
+ +
+
+
+ +
+
+
+
+ + +
+ + {% include "/shared/forms/form-template.html" %} + + + {# djlint:off #} + + {# djlint:on #} {% endblock content %}
diff --git a/templates/security/oval.html b/templates/security/oval.html
index 63853e7eb61..9ff8bdcb96d 100644
--- a/templates/security/oval.html
+++ b/templates/security/oval.html
@@ -1,265 +1,225 @@
 {% extends "security/base_security.html" %}
+{% from "_macros/vf_hero.jinja" import vf_hero %}
+
 {% block title %}Ubuntu Oval | Security{% endblock %}
-{% block meta_description %}Parameters and methods for consuming Ubuntu OVAL data. OVAL is used by the Ubuntu Security Team for CVE tracking and management.{% endblock %}
+{% block meta_description %}
+ Parameters and methods for consuming Ubuntu OVAL data. OVAL is used by the Ubuntu Security Team for CVE tracking and management.
+ {% endblock %}
-{% block meta_copydoc %}https://docs.google.com/document/d/1hBG6NIfBIrixIV753fsOiEymmeuFIF-KOhiDkV68PRY/edit{% endblock meta_copydoc %}
+{% block meta_copydoc %}
+ https://docs.google.com/document/d/1hBG6NIfBIrixIV753fsOiEymmeuFIF-KOhiDkV68PRY/edit
+{% endblock meta_copydoc %}
 {% block content %}
-
-
-
-

- Ubuntu OVAL data -

+ + {% call(slot) vf_hero( + title_text='Ubuntu OVAL data', + layout='25/75' + ) -%} + {%- if slot == 'description' -%}

Canonical's Security Team produces Ubuntu OVAL, a structured, machine-readable dataset for all supported Ubuntu releases. It can be used to evaluate and manage security risks related to any existing Ubuntu components. It is based on the Open Vulnerability and Assessment Language (OVAL).

-
-
- {{ - image( - url="https://assets.ubuntu.com/v1/eb653b8e-oval_logo.png", - alt="", - width="250", - height="164", - hi_def=True, - loading="auto", - ) | safe + {%- endif -%} + {%- if slot =='signpost_image' -%} + {{ image(url="https://assets.ubuntu.com/v1/97cb005e-oval-logo.png", + alt="Oval logo", + width="858", + height="333", + hi_def=True, + loading="auto", + attrs={"class": "u-hide--small u-hide--medium"}) | safe }} + {%- endif -%} + {%- if slot == 'image' -%} +
+ {{ image(url="https://assets.ubuntu.com/v1/7761320f-hero.png", + alt="", + width="2464", + height="1027", + hi_def=True, + loading="auto", + attrs={"class": "p-image-container__image"}) | safe + }} +
+ {% endif -%} + {% endcall -%} + +
+
+
+
+

How we use Ubuntu OVAL

+
+
+

+ Ubuntu OVAL uses the OVAL vulnerability and patch definitions to enable auditing for Common Vulnerabilities and Exposures (CVEs) and to determine whether a particular patch, via an Ubuntu Security Notice (USN), is appropriate for the local system. +

+

+ Ubuntu OVAL also allows for any third-party Security Content Automation Protocol (SCAP) compliant tools to accurately scan an Ubuntu system or an official Ubuntu cloud image for vulnerabilities. +

+ +
-
-
+
-
-
-
-

- How we use Ubuntu OVAL -

-

- Ubuntu OVAL uses the OVAL vulnerability and patch definitions to enable auditing for Common Vulnerabilities and Exposures (CVEs) and to determine whether a particular patch, via an Ubuntu Security Notice (USN), is appropriate for the local system. -

-

- Ubuntu OVAL also allows for any third-party Security Content Automation Protocol (SCAP) compliant tools to accurately scan an Ubuntu system or an official Ubuntu cloud image for vulnerabilities. -

- See the Ubuntu Security Notices +
+
+
+
+

Using Ubuntu's OVAL data

+
-
- {{ - image( - url="https://assets.ubuntu.com/v1/f880a3bd-Enterprise+support.svg", - alt="", - width="200", - height="200", - hi_def=True, - loading="lazy", - ) | safe - }} +
+
+
+
-
-
- -
-
-

- Using Ubuntu's OVAL data -

-
-
-
-
    -
  1. -

    - Using OpenSCAP -

    -
    -

    - Download the compressed XML: -

    +
      +
    1. +
      +
      +

      Using OpenSCAP

      +
      +
      +

      Download the compressed XML:

      wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
      -

      - Uncompress the data: -

      +
      +

      Uncompress the data:

      bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
      -

      - Use OpenSCAP to evaluate the OVAL and generate an html report: -

      +
      +

      Use OpenSCAP to evaluate the OVAL and generate an html report:

      oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
      +

      - The output is generated in the file report.html, open it using your browser: + The output is generated in the file report.html, open it using your browser:

      xdg-open report.html
      -

      - File naming convention: -

      +
      +

      File naming convention:

      com.ubuntu.<example release name>.usn.oval.xml.bz2
      -
      -
    2. -
    3. -

      - Scanning an Official Cloud Image -

      -
      -

      - To scan an Ubuntu Official Cloud Image for known vulnerabilities, the manifest file and xml data can be used together. Unlike above where we were able to use the lsb_release command, you will need to manually enter the URL for the OVAL data. -

      -

      - Note: In the example below we are using focal/20.04, you would replace 'focal' with the version you are inspecting. -

      -
      wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.usn.oval.xml.bz2
      -bunzip2 oci.com.ubuntu.focal.usn.oval.xml.bz2
      -

      - Download the manifest file for the image -

      -
      wget -O manifest https://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-root.manifest
      -

      - Use OpenSCAP to evaluate the OVAL and generate an html report -

      -
      oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml
      -

      - The output is generated in the file report.html, open it using your browser -

      -
      xdg-open report.html
      -

      - File naming convention: -

      -
      oci.com.ubuntu.<example release name>.usn.oval.xml.bz2
      -
      -
    4. -
    +
-
- {{ - image( - url="https://assets.ubuntu.com/v1/2670bd16-OpenScap-logo.svg", - alt="", - width="210", - height="46", - hi_def=True, - loading="lazy", - ) | safe - }} + +
  • +
    +
    +
    +
    -
  • -
    - -
    -
    -
    -

    - Ubuntu OVAL data parameters -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - Parameter - - Description -
    - CVE_ID - - CVE number as reported by MITRE -
    - USN - - Corresponding Ubuntu Security Notice -
    - Description - - A short description of the security risk addressed -
    - Severity - - CVE or USN severity as defined by the Ubuntu Security team -
    - Affected Platform - - Affected Ubuntu release(s), incl ESM -
    - Title - - CVE number, affected Ubuntu release(s), and Severity -
    - Public date - - The date on which a CVE was publicly announced -
    - Public date of USN - - The date on which a USN was published -
    - Reference - - Links to more information about the issue -
    - BugReport - - Link to bugreport about the issue -
    -

    - - Note: The above parameters are included in the OVAL xml file, but not all are shown in the resulting generated OpenSCAP report. - -

    +
    +
    +

    Scanning an
    Official Cloud Image

    +
    +
    +

    + To scan an Ubuntu Official Cloud Image for known vulnerabilities, the manifest file and xml data can be used together. Unlike above where we were able to use the lsb_release command, you will need to manually enter the URL for the OVAL data. +

    +

    In the example below we are using focal/20.04, you would replace 'focal' with the version you are inspecting.

    +
    wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.usn.oval.xml.bz2
    bunzip2 oci.com.ubuntu.focal.usn.oval.xml.bz2
    +
    +

    Download the manifest file for the image

    +
    wget -O manifest https://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-root.manifest
    +
    +

    Use OpenSCAP to evaluate the OVAL and generate an html report

    +
    oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml
    +
    +

    + The output is generated in the file report.html, open it using your browser +

    +
    xdg-open report.html
    +
    +

    File naming convention:

    +
    oci.com.ubuntu.<example release name>.usn.oval.xml.bz2
    +
    + + +
    + +
    +
    +
    +
    +

    Ubuntu OVAL data parameters

    +
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterDescription
    CVE_IDCVE number as reported by MITRE
    USNCorresponding Ubuntu Security Notice
    DescriptionA short description of the security risk addressed
    SeverityCVE or USN severity as defined by the Ubuntu Security team
    Affected PlatformAffected Ubuntu release(s), incl ESM
    TitleCVE number, affected Ubuntu release(s), and Severity
    Public dateThe date on which a CVE was publicly announced
    Public date of USNThe date on which a USN was published
    ReferenceLinks to more information about the issue
    BugReportLink to bugreport about the issue
    + + Note: The above parameters are included in the OVAL xml file, but not all are shown in the resulting generated OpenSCAP report. + +
    -
    +
    +
    -
    -
    -
    -

    - How Ubuntu OVAL data works -

    +
    +
    +
    +
    +
    +

    How Ubuntu OVAL data works

    +
    +

    As software vulnerabilities are discovered, they are assigned CVE identifiers by MITRE and other organizations. Canonical triages these CVEs to determine whether the vulnerabilities affect software distributed within Ubuntu. The results of this triage are then used to generate the CVE OVAL. The CVE OVAL can be used to assess the local system for vulnerabilities.
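Review bot: The cloud-image walkthrough on the new side hard-codes the release in two different forms, but the reworded note (`In the example below we are using focal/20.04, you would replace 'focal' with the version you are inspecting.`) only tells readers to swap one of them: the `wget -O manifest` line also embeds `ubuntu-20.04-server-cloudimg-amd64-root.manifest`, so following the instruction literally fetches a manifest for the wrong release and the OVAL evaluation is run against the wrong package list. Suggest `In the example below we are using focal/20.04; replace both 'focal' and '20.04' with the release you are inspecting (the manifest path uses the version number).` Since the downloaded OVAL feed drives a vulnerability assessment, it would also help to state whether Canonical publishes a checksum or signature for these files and how to check it before running `oscap`; I cannot confirm from this diff whether such a mechanism exists, so word it only if it does. The `{% block content %}` opened in this hunk is closed in the next one.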

    @@ -268,19 +228,19 @@

    -
    - {{ - image( - url="https://assets.ubuntu.com/v1/ce2c3422-how-OVAL-data-works-diagram.svg", - alt="", - width="682", - height="290", - hi_def=True, - loading="lazy", - - ) | safe +
    +
    +
    + {{ image(url="https://assets.ubuntu.com/v1/4745474d-how-ubuntu-oval.png", + alt="", + width="3696", + height="1541", + hi_def=True, + loading="lazy", + attrs={"class": "p-image-container__image"}) | safe }}
    -
    +
    +
    - {% endblock content %}
+{% endblock content %}
diff --git a/templates/shared/_case-study-itstrategen.html b/templates/shared/_case-study-itstrategen.html
deleted file mode 100644
index 71042289b5f..00000000000
--- a/templates/shared/_case-study-itstrategen.html
+++ /dev/null
@@ -1,22 +0,0 @@
-
    -
    -
    -

    Learn how ITstrategen keeps their applications secure with Ubuntu

    -

    The security of customer data is of the utmost importance to ITstrategen, which is why Ubuntu is their server operating system of choice.

    - Read the case study -
    - -
    - {{ - image( - url="https://assets.ubuntu.com/v1/3e31f0f5-ITstrategen+logo.svg", - alt="", - width="250", - height="56", - hi_def=True, - loading="auto", - ) | safe - }} -
    -
    -
    -
diff --git a/templates/shared/forms/interactive/docker-images.html b/templates/shared/forms/interactive/docker-images.html
deleted file mode 100644
index 19874ba08fc..00000000000
--- a/templates/shared/forms/interactive/docker-images.html
+++ /dev/null
@@ -1,341 +0,0 @@
-
diff --git a/yarn.lock b/yarn.lock
index 9882138636c..7b3fdeae427 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7418,10 +7418,10 @@ v8-to-istanbul@^9.0.1:
 "@types/istanbul-lib-coverage" "^2.0.1"
 convert-source-map "^2.0.0"
-vanilla-framework@4.18.5:
- version "4.18.5"
- resolved "https://registry.yarnpkg.com/vanilla-framework/-/vanilla-framework-4.18.5.tgz#038e3bbeaeca49ae6cf6a074e0ed83901818eae6"
- integrity sha512-UuYI6se/IV/u9YfzYPIs2FNJapgi9ld7F3s9IbjeR0yCvfH1HCjfZdDPD23tkQDBHiT6wNT6wugXDqFnunVJfQ==
+vanilla-framework@4.20.3:
+ version "4.20.3"
+ resolved "https://registry.yarnpkg.com/vanilla-framework/-/vanilla-framework-4.20.3.tgz#a306e80f32f5c6b6f107c02e64cc642c6eb32148"
+ integrity sha512-8nE8BxHRckdjo8VYW0jVLK9JMz1XAoTZcKGweg0jM8cV+/D313pPyomEeODAD1qq66yf/W0RfHTXv/wp0AaYfQ==
 vanilla-framework@4.9.0:
 version "4.9.0"