scap-security-guide(8)      System Manager's Manual     scap-security-guide(8)


NAME

       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).

DESCRIPTION

       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements in the U.S. government (Federal, Defense, and
       Intelligence Community) as well as of the financial services and health
       care industries. For example, high-level and widely-accepted policies
       such as NIST 800-53 provide prose stating that System Administrators
       must audit "privileged user actions," but do not define what "privileged
       actions" are. The SSG bridges the gap between generalized policy
       requirements and specific implementation guidance, in SCAP formats to
       support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-centos6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.

       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-centos7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload, all of these checks should pass.

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

       Source Datastream:  ssg-centos8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Standard System Security Profile for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 8 system. Regardless of
              your system's workload, all of these checks should pass.

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of Chromium

       Source Datastream:  ssg-chromium-ds.xml

       The Guide to the Secure Configuration of Chromium is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream STIG for Google Chromium

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Google Chromium STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by the
              upstream SCAP Security Guide community on a best-effort basis.
              The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of Debian 8

       Source Datastream:  ssg-debian8-ds.xml

       The Guide to the Secure Configuration of Debian 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from unauthenticated
              or uncontrolled networks.

       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Standard System Security Profile for Debian 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Debian 8 system. Regardless of your system's
              workload, all of these checks should pass.

       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of JBoss EAP 6

       Source Datastream:  ssg-eap6-ds.xml

       The Guide to the Secure Configuration of JBoss EAP 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       STIG for JBoss Enterprise Application Platform 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

Profiles in Guide to the Secure Configuration of Fedora

       Source Datastream:  ssg-fedora-ds.xml

       The Guide to the Secure Configuration of Fedora is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Fedora system. Regardless of your system's
              workload, all of these checks should pass.

       OSPP - Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              As Fedora OS is a moving target, this profile does not guarantee
              to provide the security levels required for US National Security
              Systems. The main goal of the profile is to provide Fedora
              developers with a hardened environment similar to the one
              mandated for US National Security Systems.

       PCI-DSS v3 Control Baseline for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of Firefox

       Source Datastream:  ssg-firefox-ds.xml

       The Guide to the Secure Configuration of Firefox is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream Firefox STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Firefox STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by the
              upstream SCAP Security Guide community on a best-effort basis.
              The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of JBoss Fuse 6

       Source Datastream:  ssg-fuse6-ds.xml

       The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       STIG for JBoss Fuse 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

       STIG for Apache ActiveMQ

              Profile ID:  xccdf_org.ssgproject.content_profile_amq-stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

       Standard System Security Profile for JBoss

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of JBoss Fuse. Regardless of your system's workload,
              all of these checks should pass.

Profiles in Guide to the Secure Configuration of Java Runtime Environment

       Source Datastream:  ssg-jre-ds.xml

       The Guide to the Secure Configuration of Java Runtime Environment is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Java Runtime Environment (JRE) STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              The Java Runtime Environment (JRE) is a bundle developed and
              offered by Oracle Corporation which includes the Java Virtual
              Machine (JVM), class libraries, and other components necessary
              to run Java applications and applets. Certain default settings
              within the JRE pose a security risk, so it is necessary to deploy
              system-wide properties to ensure a higher degree of security
              when utilizing the JRE.

              IBM also develops and bundles a Java Runtime Environment (JRE),
              as does Red Hat with OpenJDK.

Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3

       Source Datastream:  ssg-ocp3-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 3 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       Open Computing Information Security Profile for OpenShift Master Node

              Profile ID:  xccdf_org.ssgproject.content_profile_opencis-master

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

       Open Computing Information Security Profile for OpenShift Node

              Profile ID:  xccdf_org.ssgproject.content_profile_opencis-node

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

Profiles in Guide to the Secure Configuration of Oracle Linux 7

       Source Datastream:  ssg-ol7-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 7 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Security Profile of Oracle Linux 7 for SAP

              Profile ID:  xccdf_org.ssgproject.content_profile_sap

              This profile contains rules for the Oracle Linux 7 operating
              system in compliance with SAP note 2069760 and SAP Security
              Baseline Template version 1.9 Item I-8 and section 4.1.2.2.
              Regardless of your system's workload, all of these checks should
              pass.

       DRAFT - DISA STIG for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG for Oracle Linux 7.

       Standard System Security Profile for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 7 system. Regardless of your
              system's workload, all of these checks should pass.

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of Oracle Linux 8

       Source Datastream:  ssg-ol8-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from FBI's CJIS v5.4 Security Policy. A
              copy of this policy can be found at the CJIS Security Policy
              Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Oracle Linux 8 to the HIPAA Security
              Rule requirements identified for securing electronic protected
              health information.

       Standard System Security Profile for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 8 system. Regardless of your
              system's workload, all of these checks should pass.

       [DRAFT] OSPP - Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              This profile is currently under review. Use of this profile does
              not denote or guarantee NIAP approval or certification until
              this profile has been approved by NIAP.

       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement the
              basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Oracle Linux 8 to the NIST Special
              Publication 800-53 controls identified for securing Controlled
              Unclassified Information (CUI).

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of openSUSE

       Source Datastream:  ssg-opensuse-ds.xml

       The Guide to the Secure Configuration of openSUSE is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for openSUSE

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an openSUSE system. Regardless of your system's
              workload, all of these checks should pass.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-rhel6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       FTP Server Profile (vsftpd)

              Profile ID:  xccdf_org.ssgproject.content_profile_ftp-server

              This is a profile for the vsftpd FTP server.

       CNSSI 1253 Low/Low/Low Control Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

              This profile follows the Committee on National Security Systems
              Instruction (CNSSI) No. 1253, "Security Categorization and
              Control Selection for National Security Systems" on security
              controls to meet low confidentiality, low integrity, and low
              assurance.

       CSCF RHEL6 MLS Core Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

              This profile reflects the Centralized Super Computing Facility
              (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
              has received government ATO through the ICD 503 process,
              utilizing the CNSSI 1253 cross domain overlay. This profile
              should be considered in active development. Additional tailoring
              will be needed, such as the creation of RBAC roles for
              production deployment.

       FISMA Medium for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

              FISMA Medium for Red Hat Enterprise Linux 6.

       DISA STIG for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Red Hat Enterprise Linux 6.

              In addition to being applicable to RHEL6, DISA recognizes this
              configuration baseline as applicable to the operating system
              tier of Red Hat technologies that are based on RHEL6, such as
              RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
              Storage deployments.

       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.

       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.

       United States Government Configuration Baseline (USGCB)

              Profile ID:  xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

              This profile is a working draft for a USGCB submission against
              RHEL6 Server.

       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp

              This is a *draft* SCAP profile for Red Hat Certified Cloud
              Providers.

       C2S for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_C2S

              This profile demonstrates compliance against the U.S. Government
              Commercial Cloud Services (C2S) baseline. This baseline was
              inspired by the Center for Internet Security (CIS) Red Hat
              Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. For the SCAP
              Security Guide project to remain in compliance with CIS' terms
              and conditions, specifically Restrictions(8), note there is no
              representation or claim that the C2S profile will ensure a
              system is in compliance or consistency with the CIS baseline.

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       Example Server Profile

              Profile ID:  xccdf_org.ssgproject.content_profile_CS2

              This profile is an example of a customized server profile.

       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-rhel7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
       (RHELH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-stig

              This *draft* profile contains configuration checks that align to
              the DISA STIG for Red Hat Enterprise Linux Virtualization Host
              (RHELH).

       DISA STIG for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Red Hat Enterprise Linux V1R4.

              In addition to being applicable to RHEL7, DISA recognizes this
              configuration baseline as applicable to the operating system
              tier of Red Hat technologies that are based on RHEL7, such as:

              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage

       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from FBI's CJIS v5.4 Security Policy. A
              copy of this policy can be found at the CJIS Security Policy
              Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Red Hat Enterprise Linux 7 to the HIPAA
              Security Rule requirements identified for securing electronic
              protected health information.

       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
       Enterprise Linux Hypervisor (RHELH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-vpp

              This compliance profile reflects the core set of security
              related configuration settings for deployment of Red Hat
              Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense,
              Intelligence, and Civilian agencies. Development partners and
              sponsors include the U.S. National Institute of Standards and
              Technology (NIST), U.S. Department of Defense, the National
              Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode project, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.

       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security baseline
841              of a Red Hat Enterprise Linux 7 system. Regardless of your  sys‐
842              tem's workload all of these checks should pass.
843
844
845       United States Government Configuration Baseline
846
847              Profile ID:  xccdf_org.ssgproject.content_profile_ospp
848
849              This  compliance  profile  reflects  the  core  set  of security
850              related configuration settings for deployment of Red Hat  Enter‐
851              prise  Linux  7.x  into U.S. Defense, Intelligence, and Civilian
852              agencies.  Development partners and sponsors  include  the  U.S.
853              National  Institute  of  Standards  and  Technology (NIST), U.S.
854              Department of Defense, the National  Security  Agency,  and  Red
855              Hat.
856
857              This  baseline  implements  configuration  requirements from the
858              following sources:
859
860              - Committee on National Security Systems  Instruction  No.  1253
861              (CNSSI  1253)  -  NIST Controlled Unclassified Information (NIST
862              800-171) - NIST 800-53 control selections  for  MODERATE  impact
863              systems  (NIST  800-53) - U.S. Government Configuration Baseline
864              (USGCB) - NIAP Protection Profile for General Purpose  Operating
865              Systems  v4.0  (OSPP  v4.0)  -  DISA  Operating  System Security
866              Requirements Guide (OS SRG)
867
868              For any  differing  configuration  requirements,  e.g.  password
869              lengths,  the  stricter  security  setting  was chosen. Security
870              Requirement Traceability Guides (RTMs) and sample  System  Secu‐
871              rity  Configuration  Guides  are provided via the scap-security-
872              guide-docs package.
873
874              This profile reflects U.S. Government consensus content  and  is
875              developed  through  the OpenSCAP/SCAP Security Guide initiative,
876              championed by the National Security Agency. Except  for  differ‐
877              ences  in  formatting  to accommodate publishing processes, this
878              profile mirrors OpenSCAP/SCAP Security Guide  content  as  minor
879              divergences,  such  as  bugfixes, work through the consensus and
880              release processes.
881
882
883       OSPP - Protection Profile for General Purpose Operating Systems v. 4.2
884
885              Profile ID:  xccdf_org.ssgproject.content_profile_ospp42
886
887              This profile reflects mandatory configuration  controls  identi‐
888              fied  in  the NIAP Configuration Annex to the Protection Profile
889              for General Purpose Operating Systems (Protection  Profile  Ver‐
890              sion 4.2).
891
892              This  Annex  is  consistent  with  CNSSI-1253, which requires US
893              National Security Systems to  adhere  to  certain  configuration
894              parameters. Accordingly, configuration guidance produced accord‐
895              ing to the requirements of this Annex is suitable for use in  US
896              National Security Systems.
897
898
899       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
900
901              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp
902
903              This  profile  contains the minimum security relevant configura‐
904              tion settings recommended by Red Hat, Inc for Red Hat Enterprise
905              Linux 7 instances deployed by Red Hat Certified Cloud Providers.
906
907
908       C2S for Red Hat Enterprise Linux 7
909
910              Profile ID:  xccdf_org.ssgproject.content_profile_C2S
911
912              This profile demonstrates compliance against the U.S. Government
913              Commercial Cloud Services (C2S) baseline.
914
915              This baseline was inspired by the Center for  Internet  Security
916              (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
917
918              For the SCAP Security Guide project to remain in compliance with
919              CIS' terms and conditions,  specifically  Restrictions(8),  note
920              there  is  no  representation or claim that the C2S profile will
921              ensure a system is in compliance or  consistency  with  the  CIS
922              baseline.
923
924
925       Unclassified Information in Non-federal Information Systems and Organi‐
926       zations (NIST 800-171)
927
928              Profile ID:  xccdf_org.ssgproject.content_profile_cui
929
930              From NIST 800-171, Section 2.2: Security requirements  for  pro‐
931              tecting  the  confidentiality  of CUI in non-federal information
932              systems and organizations have  a  well-defined  structure  that
933              consists of:
934
935              (i)  a basic security requirements section; (ii) a derived secu‐
936              rity requirements section.
937
938              The basic security requirements are obtained from FIPS  Publica‐
939              tion 200, which provides the high-level and fundamental security
940              requirements for federal information  and  information  systems.
941              The  derived  security  requirements, which supplement the basic
942              security requirements, are taken from the security  controls  in
943              NIST Special Publication 800-53.
944
945              This  profile  configures Red Hat Enterprise Linux 7 to the NIST
946              Special Publication 800-53 controls identified for securing Con‐
947              trolled Unclassified Information (CUI).
948
949
950       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
951
952              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
953
954              Ensures  PCI-DSS  v3.2.1  security  configuration  settings  are
955              applied.
956
957
958
959
960

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

       Source Datastream:  ssg-rhel8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from the FBI's CJIS v5.4 Security
              Policy. A copy of this policy can be found at the CJIS Security
              Policy Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Red Hat Enterprise Linux 8 to the HIPAA
              Security Rule identified for securing electronic protected
              health information.


       Standard System Security Profile for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 8 system. Regardless of
              your system's workload, all of these checks should pass.


       Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).


       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp

              This profile contains the minimum security relevant
              configuration settings recommended by Red Hat, Inc for Red Hat
              Enterprise Linux 8 instances deployed by Red Hat Certified Cloud
              Providers.


       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement the
              basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 8 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).


       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.


Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 13

       Source Datastream:  ssg-rhosp13-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
       is broken into 'profiles', groupings of security settings that
       correlate to a known policy. Available profiles are:


       RHOSP STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              Sample profile description.


Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4

       Source Datastream:  ssg-rhv4-ds.xml

       The Guide to the Secure Configuration of Red Hat Virtualization 4 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
       Virtualization Hypervisor (RHVH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-vpp

              This compliance profile reflects the core set of security
              related configuration settings for deployment of Red Hat
              Virtualization Hypervisor (RHVH) 4.x into U.S. Defense,
              Intelligence, and Civilian agencies. Development partners and
              sponsors include the U.S. National Institute of Standards and
              Technology (NIST), U.S. Department of Defense, the National
              Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode project, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.


       [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-stig

              This *draft* profile contains configuration checks that align to
              the DISA STIG for Red Hat Virtualization Host (RHVH).


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-sl6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.


       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.


       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.


       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-sl7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload, all of these checks should pass.


       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.


Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 11

       Source Datastream:  ssg-sle11-ds.xml

       The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       Standard System Security Profile for SUSE Linux Enterprise 11

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a SUSE Linux Enterprise 11 system. Regardless of
              your system's workload, all of these checks should pass.


       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for SUSE Enterprise Linux 11 acting as a server.


Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12

       Source Datastream:  ssg-sle12-ds.xml

       The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:


       Standard System Security Profile for SUSE Linux Enterprise 12

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a SUSE Linux Enterprise 12 system. Regardless of
              your system's workload, all of these checks should pass.


Profiles in Guide to the Secure Configuration of Ubuntu 14.04

       Source Datastream:  ssg-ubuntu1404-ds.xml

       The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Standard System Security Profile for Ubuntu 14.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 14.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


Profiles in Guide to the Secure Configuration of Ubuntu 16.04

       Source Datastream:  ssg-ubuntu1604-ds.xml

       The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Standard System Security Profile for Ubuntu 16.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 16.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


Profiles in Guide to the Secure Configuration of Ubuntu 18.04

       Source Datastream:  ssg-ubuntu1804-ds.xml

       The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Standard System Security Profile for Ubuntu 18.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 18.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


Profiles in Guide to the Secure Configuration of WRLinux

       Source Datastream:  ssg-wrlinux-ds.xml

       The Guide to the Secure Configuration of WRLinux is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:


       Basic Profile for Embedded Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_basic-embedded

              This profile contains items common to many embedded Linux
              installations. Regardless of your system's deployment
              objective, all of these checks should pass.


EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the ospp
       profile:

       oscap xccdf eval --profile ospp \
           --results /tmp/`hostname`-ssg-results.xml \
           --report /tmp/`hostname`-ssg-results.html \
           --oval-results \
           /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/OpenSCAP/scap-security-guide/wiki


FILES

       /usr/share/xml/scap/ssg/content
              Houses SCAP content utilizing the following naming conventions:

              SCAP Source Datastreams: ssg-{product}-ds.xml

              CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

              CPE OVAL Content: ssg-{product}-cpe-oval.xml

              OVAL Content: ssg-{product}-oval.xml

              XCCDF Content: ssg-{product}-xccdf.xml

       /usr/share/doc/scap-security-guide/guides/
              HTML versions of SSG profiles.

       /usr/share/scap-security-guide/ansible/
              Contains Ansible Playbooks for SSG profiles.

       /usr/share/scap-security-guide/bash/
              Contains Bash remediation scripts for SSG profiles.

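       The following Python script is an added example, not part of the
       scap-security-guide man page or the project's own tooling. It ties the
       EXAMPLES invocation to the FILES naming convention: build_oscap_command
       assembles the oscap argv for a given product and profile, selecting the
       source datastream ssg-{product}-ds.xml (this assumes, as current oscap
       versions allow, that a source datastream may be passed to "oscap xccdf
       eval" in place of the XCCDF file shown above), and summarize_results
       reads the XCCDF 1.2 TestResult written by --results and lists the
       failing rules by severity, which is the part of a scan a reviewer
       actually acts on. The rule identifiers in SAMPLE_RESULTS are
       constructed placeholders; only the profile ID is taken from this page.

```python
"""Added example: build an oscap scan command and summarize XCCDF results.
Not part of scap-security-guide; the sample results below are constructed."""
import shlex
import socket
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Content location and datastream naming convention from the FILES section.
CONTENT_DIR = "/usr/share/xml/scap/ssg/content"
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}


def build_oscap_command(product, profile, hostname=None, content_dir=CONTENT_DIR):
    """Return the argv for a scan equivalent to the EXAMPLES invocation.

    Assumption: oscap evaluates the source datastream ssg-{product}-ds.xml
    directly, so the same command works for any product shipped in CONTENT_DIR.
    """
    hostname = hostname or socket.gethostname()
    datastream = f"{content_dir}/ssg-{product}-ds.xml"
    return [
        "oscap", "xccdf", "eval",
        "--profile", profile,
        "--results", f"/tmp/{hostname}-ssg-results.xml",
        "--report", f"/tmp/{hostname}-ssg-results.html",
        "--oval-results",
        datastream,
    ]


def summarize_results(xml_text):
    """Parse an XCCDF 1.2 TestResult and return
    (profile_idref, {result: count}, [(failed_rule_idref, severity), ...])."""
    root = ET.fromstring(xml_text)
    # --results may write a bare TestResult or embed it in a Benchmark.
    if root.tag.endswith("}TestResult"):
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")

    profile = test_result.find("x:profile", XCCDF_NS)
    profile_id = profile.get("idref") if profile is not None else None

    counts = Counter()
    failed = []
    for rule_result in test_result.findall("x:rule-result", XCCDF_NS):
        outcome = rule_result.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rule_result.get("idref"), rule_result.get("severity", "unknown")))
    return profile_id, dict(counts), failed


# Constructed sample in the shape oscap writes; rule IDs are placeholders.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
  <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
  <target>host.example.test</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


if __name__ == "__main__":
    # Print the command a practitioner would run, then summarize results
    # from a file given on the command line (or the constructed sample).
    print(shlex.join(build_oscap_command("rhel7", "ospp")))
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    profile_id, counts, failed = summarize_results(text)
    print(f"profile: {profile_id}")
    for outcome, n in sorted(counts.items()):
        print(f"  {outcome}: {n}")
    for rule_id, severity in failed:
        print(f"  FAIL [{severity}] {rule_id}")
    sys.exit(1 if failed else 0)
```

       Run it with the path to a results file produced by --results to get a
       non-zero exit status whenever any rule failed, which makes the scan
       usable as a gate in a provisioning pipeline.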

STATEMENT OF SUPPORT

       The SCAP Security Guide, an open source project jointly maintained by
       Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat
       technologies. As an open source project, community participation
       extends into U.S. Department of Defense agencies, civilian agencies,
       academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended
       Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
       Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and
       Red Hat engineers are involved as maintainers and leaders, there are no
       commercial support contracts or service level agreements provided by
       Red Hat.

       Support, for both users and developers, is provided through the SCAP
       Security Guide community.

       Homepage: https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided
       content. Per guidance from the U.S. National Institute of Standards
       and Technology (NIST), U.S. Government programs are allowed to use
       vendor-produced SCAP content in the absence of "Governmental Authority"
       checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


DEPLOYMENT TO U.S. MILITARY SYSTEMS

       DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
       products incorporated into DoD information systems shall be configured
       in accordance with DoD-approved security configuration guidelines" and
       tasks Defense Information Systems Agency (DISA) to "develop and provide
       security configuration guidance for IA and IA-enabled IT products in
       coordination with Director, NSA." The output of this authority is the
       DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
       the process of moving the STIGs towards the use of the NIST Security
       Content Automation Protocol (SCAP) in order to "automate" compliance
       reporting of the STIGs.

       Through a common, shared vision, the SCAP Security Guide community
       enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
       stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
       Version 1, Release 2, issued on 03-JUNE-2013:

       "The consensus content was developed using an open-source project
       called SCAP Security Guide. The project's website is
       https://www.open-scap.org/security-policies/scap-security-guide.
       Except for differences in formatting to accommodate the DISA STIG
       publishing process, the content of the Red Hat Enterprise Linux 6 STIG
       should mirror the SCAP Security Guide content with only minor
       divergence as updates from multiple sources work through the consensus
       process."

       The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013.
       Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF
       content and is available online:
       http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

       Content published on the iase.disa.mil website is authoritative STIG
       content. The SCAP Security Guide project, as noted in the STIG
       overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content. Individual
       programs and C&A evaluators make program-level determinations on the
       direct usage of the SCAP Security Guide. Currently there is no blanket
       approval.


SEE ALSO

       oscap(8)


AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

version 1                         26 Jan 2013           scap-security-guide(8)