scap-security-guide(8)      System Manager's Manual     scap-security-guide(8)


NAME

       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).


DESCRIPTION

       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements of the U.S. government (Federal, Defense, and
       Intelligence Community) as well as of the financial services and health
       care industries. For example, high-level and widely accepted policies
       such as NIST 800-53 provide prose stating that System Administrators
       must audit "privileged user actions," but do not define what
       "privileged actions" are. The SSG bridges the gap between generalized
       policy requirements and specific implementation guidance, in SCAP
       formats to support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide


Red Hat Enterprise Linux 6 PROFILES

       The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,'
       groupings of security settings that correlate to a known policy.
       Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the U.S.
              Government Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       CS2
              The CS2 profile is an example of a customized server profile.

       CSCF-RHEL6-MLS
              The CSCF RHEL6 MLS Core Baseline profile reflects the
              Centralized Super Computing Facility (CSCF) baseline for Red Hat
              Enterprise Linux 6. This baseline has received government ATO
              through the ICD 503 process, utilizing the CNSSI 1253 cross
              domain overlay. This profile should be considered in active
              development. Additional tailoring will be needed, such as the
              creation of RBAC roles for production deployment.

       desktop
              The Desktop Baseline profile is for a desktop installation of
              Red Hat Enterprise Linux 6.

       fisma-medium-rhel6-server
              A FISMA Medium profile for Red Hat Enterprise Linux 6.

       ftp
              A profile for FTP servers.

       nist-cl-il-al
              The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat
              Enterprise Linux 6 Profile follows the Committee on National
              Security Systems Instruction (CNSSI) No. 1253, "Security
              Categorization and Control Selection for National Security
              Systems" on security controls to meet low confidentiality, low
              integrity, and low assurance.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise
              Linux 6 is a *draft* profile for PCI-DSS v3.

       rht-ccp
              The Red Hat Corporate Profile for Certified Cloud Providers (RH
              CCP) profile is a *draft* SCAP profile for Red Hat Certified
              Cloud Providers.

       server
              The Server Baseline profile is for Red Hat Enterprise Linux 6
              acting as a server.

       standard
              The Standard System Security Profile contains rules to ensure a
              standard security baseline of a Red Hat Enterprise Linux 6
              system. Regardless of your system's workload, all of these
              checks should pass.

       stig-rhel6-disa
              The Security Technical Implementation Guides (STIGs) and the NSA
              Guides are the configuration standards for DOD IA and IA-enabled
              devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security posture
              of DoD's security systems by providing the Security Technical
              Implementation Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA
              FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please
              refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is being developed under the DoD consensus model to
              become a STIG in coordination with DISA FSO.

       usgcb-rhel6-server
              The purpose of the United States Government Configuration
              Baseline (USGCB) initiative is to create security configuration
              baselines for Information Technology products widely deployed
              across the federal agencies. The USGCB baseline evolved from the
              Federal Desktop Core Configuration mandate. The USGCB is a
              Federal government-wide initiative that provides guidance to
              agencies on what should be done to improve and maintain
              effective configuration settings, focusing primarily on
              security.

              NOTE: While the current content maps to USGCB requirements, it
              has NOT been validated by NIST as of yet. This content should be
              considered draft; we are highly interested in feedback.

              For additional information relating to USGCB, please refer to
              the NIST webpage at http://usgcb.nist.gov/usgcb_content.html.


Red Hat Enterprise Linux 7 PROFILES

       The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,'
       groupings of security settings that correlate to a known policy.
       Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the U.S.
              Government Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       cjis-rhel7-server
              The Criminal Justice Information Services Security Policy is a
              *draft* profile for CJIS v5.4. The scope of this profile is to
              configure Red Hat Enterprise Linux 7 against the U.S. Department
              of Justice, FBI CJIS Security Policy.

       common
              The common profile is intended to be used as a base, universal
              profile for scanning of general-purpose Red Hat Enterprise Linux
              systems.

       docker-host
              The Standard Docker Host Security Profile contains rules to
              ensure a standard security baseline of a Red Hat Enterprise
              Linux 7 system running the docker daemon. This discussion is
              currently being held on open-scap-list@redhat.com and
              scap-security-guide@lists.fedorahosted.org.

       ospp
              This profile is developed in partnership with the U.S. National
              Institute of Science and Technology (NIST), U.S. Department of
              Defense, the National Security Agency, and Red Hat. The USGCB is
              intended to be the core set of security related configuration
              settings with which all federal agencies should comply.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise
              Linux 7 is a *draft* profile for PCI-DSS v3.

       rht-ccp
              The Red Hat Corporate Profile for Certified Cloud Providers (RH
              CCP) profile is a *draft* SCAP profile for Red Hat Certified
              Cloud Providers.

       standard
              The Standard System Security Profile contains rules to ensure a
              standard security baseline of a Red Hat Enterprise Linux 7
              system. Regardless of your system's workload, all of these
              checks should pass.

       stig-rhel7-disa
              The DISA STIG for Red Hat Enterprise Linux 7 Server V1R4.

              The Security Technical Implementation Guides (STIGs) and the NSA
              Guides are the configuration standards for DOD IA and IA-enabled
              devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security posture
              of DoD's security systems by providing the Security Technical
              Implementation Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA
              FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please
              refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is developed under the DoD consensus model to
              become a STIG in coordination with DISA FSO.

       nist-800-171-cui
              Unclassified Information in Non-federal Information Systems and
              Organizations (NIST 800-171)

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of: (i) a basic security requirements section; and (ii)
              a derived security requirements section. The basic security
              requirements are obtained from FIPS Publication 200, which
              provides the high-level and fundamental security requirements
              for federal information and information systems. The derived
              security requirements, which supplement the basic security
              requirements, are taken from the security controls in NIST
              Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 7 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).


EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the ospp
       profile:

       oscap xccdf eval --profile ospp \
           --results /tmp/`hostname`-ssg-results.xml \
           --report /tmp/`hostname`-ssg-results.html \
           --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/OpenSCAP/scap-security-guide/wiki

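       The --results file written by the command above is an XCCDF document in
       which a TestResult element holds one rule-result per evaluated rule,
       each carrying the rule's idref, its severity, and a result child (pass,
       fail, notapplicable, and so on). The following Python script is an added
       example, not part of scap-security-guide or OpenSCAP: it reads such a
       file, counts outcomes, and lists failing rules ordered by severity so
       that a "fail" on a high-severity rule is the first thing a reviewer
       sees. The rule ids, hostname and result values in the embedded sample
       are constructed for the example and are not taken from a real scan.

```python
"""Summarize an XCCDF results file written by `oscap xccdf eval --results`.

Added example; not part of scap-security-guide or OpenSCAP.  It assumes the
layout oscap writes: a <TestResult> holding <rule-result idref=... severity=...>
elements, each with a <result> child.  XCCDF 1.1 and 1.2 namespaces are both
accepted because the parser compares local element names only.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not a real scan): a trimmed results document with the
# elements this parser reads.  Real files also carry target facts, scores,
# and check references, which are ignored here.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <target>host.example.test</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_high" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_low" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Order used to rank failures; anything unlisted sorts last.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Outcomes that a reviewer must act on; "error" and "unknown" mean the check
# did not produce a verdict and should not be counted as compliant.
ACTIONABLE = {"fail", "error", "unknown"}


def _local(tag):
    """Strip the namespace prefix so XCCDF 1.1 and 1.2 documents parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_rule_results(xml_text):
    """Return [(rule_id, severity, result)] for every <rule-result> element."""
    root = ET.fromstring(xml_text)
    rows = []
    for elem in root.iter():
        if _local(elem.tag) != "rule-result":
            continue
        result = next(
            (c.text.strip() for c in elem if _local(c.tag) == "result" and c.text),
            "unknown",
        )
        rows.append((elem.get("idref", ""), elem.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Return (Counter of result values, failures sorted by severity)."""
    counts = Counter(result for _, _, result in rows)
    failures = [(rid, sev) for rid, sev, res in rows if res in ACTIONABLE]
    failures.sort(key=lambda f: SEVERITY_ORDER.get(f[1], len(SEVERITY_ORDER)))
    return counts, failures


def main(argv):
    # With a path argument, read a real results file; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS
    counts, failures = summarize(parse_rule_results(xml_text))
    for result, n in sorted(counts.items()):
        print(f"{result:>14}: {n}")
    for rule_id, severity in failures:
        print(f"FAIL [{severity}] {rule_id}")
    # Non-zero exit lets a cron job or CI step notice a failing baseline.
    return 2 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Run it as `python3 ssg-summary.py /tmp/$(hostname)-ssg-results.xml`
       against the file produced by the oscap command above; with no argument
       it summarizes the embedded sample. The script exits with status 2 when
       any rule failed or produced no verdict, so it can gate an automated
       compliance check.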

FILES

       /usr/share/xml/scap/ssg/content
              Houses SCAP content utilizing the following naming conventions:

              CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml

              CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml

              OVAL_Content: ssg-{profile}-oval.xml

              XCCDF_Content: ssg-{profile}-xccdf.xml

       /usr/share/doc/scap-security-guide/guides/
              HTML versions of SSG profiles.


STATEMENT OF SUPPORT

       The SCAP Security Guide, an open source project jointly maintained by
       Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat
       technologies. As an open source project, community participation
       extends into U.S. Department of Defense agencies, civilian agencies,
       academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended
       Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
       Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and
       Red Hat engineers are involved as maintainers and leaders, there are no
       commercial support contracts or service level agreements provided by
       Red Hat.

       Support, for both users and developers, is provided through the SCAP
       Security Guide community.

       Homepage: https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided
       content. Per guidance from the U.S. National Institute of Standards
       and Technology (NIST), U.S. Government programs are allowed to use
       vendor produced SCAP content in absence of "Governmental Authority"
       checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


DEPLOYMENT TO U.S. MILITARY SYSTEMS

       DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
       products incorporated into DoD information systems shall be configured
       in accordance with DoD-approved security configuration guidelines" and
       tasks the Defense Information Systems Agency (DISA) to "develop and
       provide security configuration guidance for IA and IA-enabled IT
       products in coordination with Director, NSA." The output of this
       authority is the DISA Security Technical Implementation Guides, or
       STIGs. DISA FSO is in the process of moving the STIGs towards the use
       of the NIST Security Content Automation Protocol (SCAP) in order to
       "automate" compliance reporting of the STIGs.

       Through a common, shared vision, the SCAP Security Guide community
       enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
       stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
       Version 1, Release 2, issued on 03-JUNE-2013:

       "The consensus content was developed using an open-source project
       called SCAP Security Guide. The project's website is
       https://www.open-scap.org/security-policies/scap-security-guide.
       Except for differences in formatting to accommodate the DISA STIG
       publishing process, the content of the Red Hat Enterprise Linux 6 STIG
       should mirror the SCAP Security Guide content with only minor
       divergence as updates from multiple sources work through the consensus
       process."

       The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013.
       Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF
       content and is available online:
       http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

       Content published against the iase.disa.mil website is authoritative
       STIG content. The SCAP Security Guide project, as noted in the STIG
       overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content. Individual
       programs and C&A evaluators make program-level determinations on the
       direct usage of the SCAP Security Guide. Currently there is no blanket
       approval.


SEE ALSO

       oscap(8)


AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

version 1                         26 Jan 2013           scap-security-guide(8)