scap-security-guide(8) System Manager's Manual scap-security-guide(8)


SCAP Security Guide - Delivers security guidance, baselines, and associated
validation mechanisms utilizing the Security Content Automation Protocol
(SCAP).


The project provides practical security hardening advice for Red Hat
products, and also links it to compliance requirements in order to ease
deployment activities, such as certification and accreditation. These
include requirements of the U.S. government (Federal, Defense, and
Intelligence Community) as well as of the financial services and health
care industries. For example, high-level and widely-accepted policies such
as NIST 800-53 provide prose stating that System Administrators must audit
"privileged user actions," but do not define what "privileged actions"
are. The SSG bridges the gap between generalized policy requirements and
specific implementation guidance, in SCAP formats to support automation
whenever possible.

The project's homepage is located at:
https://www.open-scap.org/security-policies/scap-security-guide


Source Datastream: ssg-firefox-ds.xml

The Guide to the Secure Configuration of Firefox is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

Upstream Firefox STIG

    Profile ID: xccdf_org.ssgproject.content_profile_stig-firefox-upstream

    This profile is developed under the DoD consensus model and DISA FSO
    Vendor STIG process, serving as the upstream development environment
    for the Firefox STIG.

    As a result of the upstream/downstream relationship between the SCAP
    Security Guide project and the official DISA FSO STIG baseline, users
    should expect variance between SSG and DISA FSO content. For official
    DISA FSO STIG content, refer to
    http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

    While this profile is packaged by Red Hat as part of the SCAP Security
    Guide package, please note that commercial support of this SCAP
    content is NOT available. This profile is provided as example SCAP
    content with no endorsement for suitability or production readiness.
    Support for this profile is provided by the upstream SCAP Security
    Guide community on a best-effort basis. The upstream project homepage
    is https://www.open-scap.org/security-policies/scap-security-guide/.


Source Datastream: ssg-jre-ds.xml

The Guide to the Secure Configuration of Java Runtime Environment is
broken into 'profiles', groupings of security settings that correlate to
a known policy. Available profiles are:

Java Runtime Environment (JRE) STIG

    Profile ID: xccdf_org.ssgproject.content_profile_stig-java-upstream

    The Java Runtime Environment (JRE) is a bundle developed and offered
    by Oracle Corporation which includes the Java Virtual Machine (JVM),
    class libraries, and other components necessary to run Java
    applications and applets. Certain default settings within the JRE
    pose a security risk, so it is necessary to deploy system-wide
    properties to ensure a higher degree of security when utilizing the
    JRE.

    IBM Corporation also develops and bundles a Java Runtime Environment
    (JRE), as does Red Hat with OpenJDK.


Source Datastream: ssg-rhel6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
broken into 'profiles', groupings of security settings that correlate to
a known policy. Available profiles are:

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

    Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

    This is a *draft* SCAP profile for Red Hat Certified Cloud Providers.

United States Government Configuration Baseline (USGCB)

    Profile ID: xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

    This profile is a working draft for a USGCB submission against RHEL6
    Server.

CNSSI 1253 Low/Low/Low Control Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

    This profile follows the Committee on National Security Systems
    Instruction (CNSSI) No. 1253, "Security Categorization and Control
    Selection for National Security Systems", on security controls to
    meet low confidentiality, low integrity, and low assurance.

Standard System Security Profile for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of
    a Red Hat Enterprise Linux 6 system. Regardless of your system's
    workload, all of these checks should pass.

DISA STIG for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_stig-rhel6-disa

    This profile contains configuration checks that align to the DISA
    STIG for Red Hat Enterprise Linux 6.

    In addition to being applicable to RHEL6, DISA recognizes this
    configuration baseline as applicable to the operating system tier of
    Red Hat technologies that are based off RHEL6, such as RHEL Server,
    RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage
    deployments.

Server Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_server

    This profile is for Red Hat Enterprise Linux 6 acting as a server.

CSCF RHEL6 MLS Core Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

    This profile reflects the Centralized Super Computing Facility (CSCF)
    baseline for Red Hat Enterprise Linux 6. This baseline has received
    government ATO through the ICD 503 process, utilizing the CNSSI 1253
    cross domain overlay. This profile should be considered in active
    development. Additional tailoring will be needed, such as the
    creation of RBAC roles for production deployment.

C2S for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_C2S

    This profile demonstrates compliance against the U.S. Government
    Commercial Cloud Services (C2S) baseline. This baseline was inspired
    by the Center for Internet Security (CIS) Red Hat Enterprise Linux 6
    Benchmark, v1.2.0 - 06-25-2013. For the SCAP Security Guide project
    to remain in compliance with CIS' terms and conditions, specifically
    Restrictions(8), note there is no representation or claim that the
    C2S profile will ensure a system is in compliance or consistency with
    the CIS baseline.

FTP Server Profile (vsftpd)

    Profile ID: xccdf_org.ssgproject.content_profile_ftp-server

    This is a profile for the vsftpd FTP server.

Example Server Profile

    Profile ID: xccdf_org.ssgproject.content_profile_CS2

    This profile is an example of a customized server profile.

Desktop Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_desktop

    This profile is for a desktop installation of Red Hat Enterprise
    Linux 6.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    This is a *draft* profile for PCI-DSS v3.

FISMA Medium for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

    FISMA Medium for Red Hat Enterprise Linux 6.


Source Datastream: ssg-rhel7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
broken into 'profiles', groupings of security settings that correlate to
a known policy. Available profiles are:

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

    Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

    This profile contains the minimum security relevant configuration
    settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux 7
    instances deployed by Red Hat Certified Cloud Providers.

Standard System Security Profile for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of
    a Red Hat Enterprise Linux 7 system. Regardless of your system's
    workload, all of these checks should pass.

Criminal Justice Information Services (CJIS) Security Policy

    Profile ID: xccdf_org.ssgproject.content_profile_cjis

    This profile is derived from the FBI's CJIS v5.4 Security Policy. A
    copy of this policy can be found at the CJIS Security Policy Resource
    Center:

    https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

    Profile ID: xccdf_org.ssgproject.content_profile_nist-800-171-cui

    From NIST 800-171, Section 2.2: Security requirements for protecting
    the confidentiality of CUI in non-federal information systems and
    organizations have a well-defined structure that consists of:

    (i) a basic security requirements section;
    (ii) a derived security requirements section.

    The basic security requirements are obtained from FIPS Publication
    200, which provides the high-level and fundamental security
    requirements for federal information and information systems. The
    derived security requirements, which supplement the basic security
    requirements, are taken from the security controls in NIST Special
    Publication 800-53.

    This profile configures Red Hat Enterprise Linux 7 to the NIST
    Special Publication 800-53 controls identified for securing
    Controlled Unclassified Information (CUI).

United States Government Configuration Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_ospp

    This compliance profile reflects the core set of security related
    configuration settings for deployment of Red Hat Enterprise Linux 7.x
    into U.S. Defense, Intelligence, and Civilian agencies. Development
    partners and sponsors include the U.S. National Institute of
    Standards and Technology (NIST), U.S. Department of Defense, the
    National Security Agency, and Red Hat.

    This baseline implements configuration requirements from the
    following sources:

    - Committee on National Security Systems Instruction No. 1253
      (CNSSI 1253)
    - NIST Controlled Unclassified Information (NIST 800-171)
    - NIST 800-53 control selections for MODERATE impact systems
      (NIST 800-53)
    - U.S. Government Configuration Baseline (USGCB)
    - NIAP Protection Profile for General Purpose Operating Systems v4.0
      (OSPP v4.0)
    - DISA Operating System Security Requirements Guide (OS SRG)

    For any differing configuration requirements, e.g. password lengths,
    the stricter security setting was chosen. Security Requirement
    Traceability Guides (RTMs) and sample System Security Configuration
    Guides are provided via the scap-security-guide-docs package.

    This profile reflects U.S. Government consensus content and is
    developed through the OpenSCAP/SCAP Security Guide initiative,
    championed by the National Security Agency. Except for differences
    in formatting to accommodate publishing processes, this profile
    mirrors OpenSCAP/SCAP Security Guide content as minor divergences,
    such as bugfixes, work through the consensus and release processes.

C2S for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_C2S

    This profile demonstrates compliance against the U.S. Government
    Commercial Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security (CIS)
    Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

    For the SCAP Security Guide project to remain in compliance with
    CIS' terms and conditions, specifically Restrictions(8), note there
    is no representation or claim that the C2S profile will ensure a
    system is in compliance or consistency with the CIS baseline.

DISA STIG for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_stig-rhel7-disa

    This profile contains configuration checks that align to the DISA
    STIG for Red Hat Enterprise Linux V1R4.

    In addition to being applicable to RHEL7, DISA recognizes this
    configuration baseline as applicable to the operating system tier of
    Red Hat technologies that are based off RHEL7, such as:

    - Red Hat Enterprise Linux Server
    - Red Hat Enterprise Linux Workstation and Desktop
    - Red Hat Virtualization Hypervisor (RHV-H)
    - Red Hat Enterprise Linux for HPC
    - Red Hat Storage

OSPP - Protection Profile for General Purpose Operating Systems v. 4.2

    Profile ID: xccdf_org.ssgproject.content_profile_ospp42

    This profile reflects mandatory configuration controls identified in
    the NIAP Configuration Annex to the Protection Profile for General
    Purpose Operating Systems (Protection Profile Version 4.2).

    This Annex is consistent with CNSSI-1253, which requires US National
    Security Systems to adhere to certain configuration parameters.
    Accordingly, configuration guidance produced according to the
    requirements of this Annex is suitable for use in US National
    Security Systems.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3.2.1 related security configuration settings are
    applied.

Health Insurance Portability and Accountability Act (HIPAA)

    Profile ID: xccdf_org.ssgproject.content_profile_hipaa

    The HIPAA Security Rule establishes U.S. national standards to
    protect individuals' electronic personal health information that is
    created, received, used, or maintained by a covered entity. The
    Security Rule requires appropriate administrative, physical and
    technical safeguards to ensure the confidentiality, integrity, and
    security of electronic protected health information.

    This profile configures Red Hat Enterprise Linux 7 to the HIPAA
    Security Rule identified for securing of electronic protected health
    information.


Source Datastream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
broken into 'profiles', groupings of security settings that correlate to
a known policy. Available profiles are:

OSPP - Protection Profile for General Purpose Operating Systems

    Profile ID: xccdf_org.ssgproject.content_profile_ospp

    This profile reflects mandatory configuration controls identified in
    the NIAP Configuration Annex to the Protection Profile for General
    Purpose Operating Systems (Protection Profile Version 4.2).

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3.2.1 related security configuration settings are
    applied.


To scan your system utilizing the OpenSCAP utility against the ospp
profile:

    oscap xccdf eval --profile ospp \
        --results /tmp/`hostname`-ssg-results.xml \
        --report /tmp/`hostname`-ssg-results.html \
        --oval-results \
        /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Additional details can be found on the project's wiki page:
https://www.github.com/OpenSCAP/scap-security-guide/wiki


/usr/share/xml/scap/ssg/content
    Houses SCAP content utilizing the following naming conventions:

    SCAP Source Datastreams: ssg-{product}-ds.xml

    CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

    CPE OVAL Content: ssg-{product}-cpe-oval.xml

    OVAL Content: ssg-{product}-oval.xml

    XCCDF Content: ssg-{product}-xccdf.xml

/usr/share/doc/scap-security-guide/guides/
    HTML versions of SSG profiles.

/usr/share/scap-security-guide/ansible/
    Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/bash/
    Contains Bash roles for SSG profiles.
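
The following Python helper is an added example and is not part of the
scap-security-guide project or this man page. It applies the naming
conventions listed above (ssg-{product}-ds.xml under
/usr/share/xml/scap/ssg/content, and the xccdf_org.ssgproject.content_profile_
prefix shared by every profile ID on this page) to build an oscap xccdf eval
command equivalent to the scan shown earlier, run against the source
datastream rather than the bare XCCDF file, and then summarises the XCCDF
document that --results writes so that failed rules and their severities can
be acted on. The verdict mapping follows the oscap(8) exit-code convention
(0 when every rule passes, 2 when at least one rule fails, 1 on error). The
SAMPLE_RESULTS document and its rule IDs are constructed for the example and
do not correspond to real SSG rules.

```python
"""Helpers for driving oscap against SCAP Security Guide content.

Added example (not part of the scap-security-guide project). Assumes the
content directory and ssg-{product}-ds.xml naming from the FILES listing,
the xccdf_org.ssgproject.content_profile_ prefix used by every profile ID
on this page, and the oscap(8) exit-code convention for `oscap xccdf eval`
(0 = all rules passed, 1 = error, 2 = at least one rule failed).
"""
import socket
import xml.etree.ElementTree as ET
from pathlib import Path

SSG_CONTENT_DIR = Path("/usr/share/xml/scap/ssg/content")
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"
XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace used by the datastreams


def datastream_path(product: str) -> Path:
    """Source datastream for a product, following ssg-{product}-ds.xml."""
    return SSG_CONTENT_DIR / f"ssg-{product}-ds.xml"


def profile_id(short_name: str) -> str:
    """Expand a short profile name such as 'ospp' to its full XCCDF profile ID."""
    if short_name.startswith(PROFILE_PREFIX):
        return short_name
    return PROFILE_PREFIX + short_name


def oscap_eval_argv(product: str, short_profile: str, hostname: str,
                    outdir: str = "/tmp") -> list:
    """argv for a scan equivalent to the man page example, run against the datastream."""
    base = f"{outdir}/{hostname}-ssg-results"
    return [
        "oscap", "xccdf", "eval",
        "--profile", profile_id(short_profile),
        "--results", f"{base}.xml",
        "--report", f"{base}.html",
        "--oval-results",
        str(datastream_path(product)),
    ]


def scan_verdict(exit_code: int) -> str:
    """Translate the oscap xccdf eval exit code into a verdict for a pipeline."""
    return {0: "compliant", 2: "noncompliant"}.get(exit_code, "error")


def summarize_results(xml_text: str) -> dict:
    """Count per-result outcomes and list failed rules from an XCCDF results file.

    Returns {"counts": {"pass": n, "fail": n, ...},
             "failed": [(rule_id, severity), ...]}.
    """
    root = ET.fromstring(xml_text)
    counts: dict = {}
    failed = []
    for rr in root.iter(f"{{{XCCDF}}}rule-result"):
        outcome = rr.findtext(f"{{{XCCDF}}}result")
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failed.append((rr.get("idref"), rr.get("severity")))
    return {"counts": counts, "failed": failed}


# Constructed sample of the document oscap writes with --results; the rule IDs
# are placeholders and do not correspond to real SSG rules.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_one" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_two" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_three" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


if __name__ == "__main__":
    print(" ".join(oscap_eval_argv("rhel7", "ospp", socket.gethostname())))
    summary = summarize_results(SAMPLE_RESULTS)
    print(summary["counts"])
    for rule, severity in summary["failed"]:
        print(f"FAIL [{severity}] {rule}")
    # A results file containing any failed rule corresponds to exit code 2 from oscap.
    print(scan_verdict(2 if summary["failed"] else 0))
```

Run stand-alone, the script prints the command it would execute and the
summary of the embedded sample; in a real pipeline, pass the file named by
--results to summarize_results() and gate on scan_verdict() of the oscap
exit code rather than on the HTML report.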


The SCAP Security Guide, an open source project jointly maintained by Red
Hat and the NSA, provides XCCDF and OVAL content for Red Hat technologies.
As an open source project, community participation extends into U.S.
Department of Defense agencies, civilian agencies, academia, and other
industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended
Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
Guide content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and Red
Hat engineers are involved as maintainers and leaders, there are no
commercial support contracts or service level agreements provided by Red
Hat.

Support, for both users and developers, is provided through the SCAP
Security Guide community.

Homepage: https://www.open-scap.org/security-policies/scap-security-guide

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


SCAP Security Guide content is considered vendor (Red Hat) provided
content. Per guidance from the U.S. National Institute of Standards and
Technology (NIST), U.S. Government programs are allowed to use vendor
produced SCAP content in absence of "Governmental Authority" checklists.
The specific NIST verbiage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
products incorporated into DoD information systems shall be configured in
accordance with DoD-approved security configuration guidelines" and tasks
the Defense Information Systems Agency (DISA) to "develop and provide
security configuration guidance for IA and IA-enabled IT products in
coordination with Director, NSA." The output of this authority is the
DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
the process of moving the STIGs towards the use of the NIST Security
Content Automation Protocol (SCAP) in order to "automate" compliance
reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community enjoys
close collaboration directly with NSA, NIST, and DISA FSO. As stated in
Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1,
Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called
SCAP Security Guide. The project's website is
https://www.open-scap.org/security-policies/scap-security-guide. Except
for differences in formatting to accommodate the DISA STIG publishing
process, the content of the Red Hat Enterprise Linux 6 STIG should mirror
the SCAP Security Guide content with only minor divergence as updates from
multiple sources work through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013.
Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF
content and is available online:
http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

Content published on the iase.disa.mil website is authoritative STIG
content. The SCAP Security Guide project, as noted in the STIG overview,
is considered upstream content. Unlike DISA FSO, the SCAP Security Guide
project does publish OVAL automation content. Individual programs and C&A
evaluators make program-level determinations on the direct usage of the
SCAP Security Guide. Currently there is no blanket approval.


oscap(8)



Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



version 1 26 Jan 2013 scap-security-guide(8)