Linux: Updated security overview and RHEL 10 commands (#35616)

AttinderPalSingh · AnnaMHuff · web-flow · commit 904746fee89b · 2025-11-24T17:57:57.000-07:00
* Linux: Updated security overview and RHEL 10 commands

* PR review: Fix grammar and phrasing in availability group guide

Acrolinx fixes: Corrected minor grammatical errors and improved consistency in phrasing.

---------

Co-authored-by: Anna Huff &lt;v-annahuff@microsoft.com&gt;
diff --git a/docs/linux/sql-server-linux-availability-group-cluster-pacemaker.md b/docs/linux/sql-server-linux-availability-group-cluster-pacemaker.md
@@ -4,7 +4,7 @@ description: Learn to create a three-node cluster on Red Hat, SUSE, or Ubuntu, a
 author: rwestMSFT
 ms.author: randolphwest
 ms.reviewer: amitkh-msft
-ms.date: 10/20/2025
+ms.date: 11/24/2025
 ms.service: sql
 ms.subservice: linux
 ms.topic: how-to
@@ -75,6 +75,13 @@ Each node in the cluster must have an appropriate subscription for RHEL and the
    sudo subscription-manager list --available
    ```
 
+   > [!NOTE]  
+   > For **RHEL 10**, the list command is as follows:
+   >
+   > ```bash
+   > sudo subscription-manager repos --list
+   > ```
+
    From the list of available pools, note the pool ID for the high availability subscription.
 
 1. Update the following script. Replace `<pool id>` with the pool ID for high availability from the preceding step. Run the script to attach the subscription.
@@ -103,6 +110,12 @@ Each node in the cluster must have an appropriate subscription for RHEL and the
    sudo subscription-manager repos --enable=rhel-9-for-x86_64-highavailability-rpms
    ```
 
+   **RHEL 10**
+
+   ```bash
+   sudo subscription-manager repos --enable=rhel-10-for-x86_64-highavailability-rpms
+   ```
+
 For more information, see [Pacemaker - The Open Source, High Availability Cluster](https://clusterlabs.org/pacemaker/).
 
 After you have configured the subscription, complete the following steps to configure Pacemaker:
@@ -308,13 +321,13 @@ The procedure for creating an availability group for high availability differs b
 
 To complete the following end-to-end scenario, you need three machines to deploy the three nodes cluster. The following steps outline how to configure these servers.
 
-### Setup and configure the operating system on each cluster node
+### Set up and configure the operating system on each cluster node
 
-The first step is to configure the operating system on the cluster nodes. For this walk through, use SLES 12 SP3 with a valid subscription for the HA add-on.
+The first step is to configure the operating system on the cluster nodes. For this walk-through, use SLES 12 SP3 with a valid subscription for the HA add-on.
 
 #### Install and configure SQL Server service on each cluster node
 
-1. Install and setup [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] service on all nodes. For detailed instructions, see [Installation guidance for SQL Server on Linux](sql-server-linux-setup.md).
+1. Install and set up [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] service on all nodes. For detailed instructions, see [Installation guidance for SQL Server on Linux](sql-server-linux-setup.md).
 
 1. Designate one node as primary and other nodes as secondaries. Use these terms throughout this guide.
 
diff --git a/docs/linux/sql-server-linux-security-overview.md b/docs/linux/sql-server-linux-security-overview.md
@@ -1,41 +1,103 @@
 ---
-title: Security Limitations for SQL Server on Linux
-description: Learn about SQL Server on Linux restrictions, including how using keys stored in Azure Key Vault and extensible Key Management aren't supported.
+title: Security Considerations for SQL Server on Linux
+description: Learn about SQL Server on Linux security overview, security best practices, restrictions, including how using keys stored in Azure Key Vault and extensible Key Management aren't supported.
 author: rwestMSFT
 ms.author: randolphwest
-ms.date: 10/14/2025
+ms.date: 11/24/2025
 ms.service: sql
 ms.subservice: linux
-ms.topic: conceptual
+ms.topic: article
 ms.custom:
   - linux-related-content
 ---
-# Security limitations for SQL Server on Linux
+# Security considerations for SQL Server on Linux
 
 [!INCLUDE [SQL Server - Linux](../includes/applies-to-version/sql-linux.md)]
 
-[!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux currently has the following limitations:
+Securing [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux is an ongoing process because Linux is a heterogeneous and continuously evolving operating system. Our goal is to help our customers improve security incrementally, building on what they already have and refining over time. This page serves as an index of key practices and resources for securing [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux.
 
-- A standard password policy is provided. `MUST_CHANGE` is the only option you can configure. When the `CHECK_POLICY` option is enabled, it enforces only the default policy provided by [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)], and doesn't apply the Windows password policies defined in the Active Directory group policies.
-- Extensible Key Management isn't supported in [!INCLUDE [sssql22-md](../includes/sssql22-md.md)] CU 11 and earlier versions. Extensible Key Management is only supported through Azure Key Vault (AKV).
-- [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] authentication mode can't be disabled.
-- Password expiration is hard-coded to 90 days if you use [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] authentication.
-- Using keys stored in the Azure Key Vault isn't supported in [!INCLUDE [sssql22-md](../includes/sssql22-md.md)] CU 11 and earlier versions.
-- [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] generates its own self-signed certificate for encrypting connections. [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] can be configured to use a user provided certificate for TLS.
-- SQL Server on Linux deployments aren't FIPS compliant. 
+## Begin with a secure Linux system
+
+This article assumes that you deployed [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on a hardened and secured Linux system. Security measures vary by Linux distribution. For more information, see [Get started with SQL Server on SELinux](sql-server-linux-security-selinux.md).
+
+Security practices vary based on the Linux distribution you're using. For detailed guidance, contact your distribution provider and review their recommended best practices. You can also refer to documentation such as:
+
+- [Red Hat Enterprise Linux security hardening](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/index)
+- [Ubuntu: Security suggestions](https://documentation.ubuntu.com/server/explanation/security/security_suggestions/)
+
+Always validate your chosen platform and configuration in a controlled test environment before deploying to production.
+
+## Apply SQL Server security guidance
+
+[!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux offers a robust security framework combining multiple layers of protection.
+
+- Create accounts and database users under the principle of least privilege.
+
+- Use advanced features like row-level security and dynamic data masking for granular access control.
+
+- File system security is enforced through strict ownership and permissions under `/var/opt/mssql`, ensuring only the `mssql` user and group have appropriate access.
+
+- For enterprise integration, Active Directory authentication enables Kerberos-based single sign-on (SSO), centralized password policies, and group-based access management.
+
+- Encrypted connections safeguard data in transit using TLS, with options for server or client-initiated encryption, and support for certificates that meet industry standards.
+
+Together, these capabilities deliver a comprehensive approach to securing [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] deployments on Linux. Review and implement recommendations from these key resources:
+
+- [Walkthrough for the security features of SQL Server on Linux](sql-server-linux-security-get-started.md)
+- [SQL Server on Linux - Security and permissions guide](sql-server-linux-security-permissions-guide.md)
+- [Active Directory authentication for SQL Server on Linux](sql-server-linux-active-directory-auth-overview.md)
+- [Tutorial: Use adutil to configure Active Directory authentication with SQL Server on Linux](sql-server-linux-ad-auth-adutil-tutorial.md)
+- [Encrypt connections to SQL Server on Linux](sql-server-linux-encrypted-connections.md)
+
+## SQL Server auditing on Linux
 
-> [!NOTE]  
-> If you don't plan to connect your [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] containers to Windows Active Directory, the password expiration is hard-coded to 90 days, if you use [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] authentication only. To work around this issue, consider changing the [CHECK_EXPIRATION policy](../t-sql/statements/alter-login-transact-sql.md).
+[!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux supports the built-in [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] Audit feature, enabling you to track and log server-level and database-level events for compliance and security monitoring.
 
-For more information about security features available in [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)], see the [Security for SQL Server Database Engine and Azure SQL Database](../relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database.md).
+- [Create a Server Audit and Server Audit Specification](../relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification.md)
+
+## Common best practices
+
+- Regularly update the Linux operating system and [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)].
+- Dedicate production servers exclusively to [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] workloads.
+- Apply the [principle of least privilege](https://techcommunity.microsoft.com/blog/azuresqlblog/security-the-principle-of-least-privilege-polp/2067390) for accounts and services.
+- [Disable the SA account as a best practice](#disable-the-sa-account-as-a-best-practice).
+
+For common security best practices on Windows and Linux, refer to [SQL Server security best practices](../relational-databases/security/sql-server-security-best-practices.md)
 
 ## Disable the SA account as a best practice
 
 [!INCLUDE [connect-with-sa](includes/connect-with-sa.md)]
 
+## Security limitations for SQL Server on Linux
+
+[!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux currently has the following limitations:
+
+- Starting with [!INCLUDE [sssql25-md](../includes/sssql25-md.md)] on Linux, you can enforce custom password policy. For more information, see [Set custom password policy for SQL logins in SQL Server on Linux](sql-server-linux-custom-password-policy.md).
+
+  In [!INCLUDE [sssql22-md](../includes/sssql22-md.md)] on Linux and earlier versions, we provide a standard password policy:
+
+  - `MUST_CHANGE` is the only option you can configure.
+
+  - With the `CHECK_POLICY` option enabled, only the default policy provided by [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] is enforced, and doesn't apply the Windows password policies defined in the Active Directory group policies.
+
+  - Password expiration is hard-coded to 90 days if you use [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] authentication. To work around this issue, consider changing the [ALTER LOGIN](../t-sql/statements/alter-login-transact-sql.md).
+
+- Extensible Key Management (EKM) is only supported through Azure Key Vault (AKV) in [!INCLUDE [sssql22-md](../includes/sssql22-md.md)] CU12 onward, and isn't available in earlier versions. Third party EKM providers aren't supported for [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux operating systems.
+
+- [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] authentication mode can't be disabled.
+
+- [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] generates its own self-signed certificate for encrypting connections. You can configure [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] to use a user-provided certificate for TLS.
+
+- [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] on Linux deployments aren't FIPS compliant.
+
+## Secure SQL Server on Linux Container Deployments
+
+For information about securing [!INCLUDE [ssnoversion-md](../includes/ssnoversion-md.md)] containers, see [Secure SQL Server Linux containers](sql-server-linux-docker-container-security.md).
+
 ## Related content
 
 - [Walkthrough for the security features of SQL Server on Linux](sql-server-linux-security-get-started.md)
 - [SQL Server on Linux - Security and permissions guide](sql-server-linux-security-permissions-guide.md)
 - [Configure SQL Server on Linux with the mssql-conf tool](sql-server-linux-configure-mssql-conf.md)
 - [Editions and supported features of SQL Server 2022 on Linux](sql-server-linux-editions-and-components-2022.md)
+- [Security for SQL Server Database Engine and Azure SQL Database](../relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database.md)
