scap-security-guide(8)        System Manager's Manual        scap-security-guide(8)

NAME
       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).

DESCRIPTION
       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements in the U.S. government (Federal, Defense, and
       Intelligence Community) as well as those of the financial services and
       health care industries. For example, high-level and widely accepted
       policies such as NIST 800-53 provide prose stating that system
       administrators must audit "privileged user actions," but do not define
       what "privileged actions" are. The SSG bridges the gap between
       generalized policy requirements and specific implementation guidance,
       in SCAP formats to support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide
27
28
29
Source Datastream: ssg-centos7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

   PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
       Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

       Ensures PCI-DSS v3.2.1 security configuration settings are applied.

   Standard System Security Profile for Red Hat Enterprise Linux 7
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       a Red Hat Enterprise Linux 7 system. Regardless of your system's
       workload all of these checks should pass.
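To make the 'profile' concept concrete, here is an added Python example (not code from the scap-security-guide project): it parses a constructed, minimal SCAP source datastream, lists the XCCDF profiles it contains, and resolves which rules each profile selects, honouring the `extends` relationship XCCDF allows between profiles. The datastream, the rule ids and the Group are made up for the demonstration; the profile ids follow the ones listed above. It handles only `select` elements (not `refine-value` or `set-value`) and ignores the Benchmark's own `selected` defaults, which is a simplification. On a real system, `oscap info ssg-centos7-ds.xml` lists the profiles of the actual datastream.

```python
"""Enumerate the XCCDF profiles in a SCAP source datastream and work out the
rule set each one selects. Added illustration; not scap-security-guide code."""
import xml.etree.ElementTree as ET

# Namespaces used by SCAP 1.2 source datastreams and XCCDF 1.2 benchmarks.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed, deliberately tiny datastream. Real ssg-*-ds.xml files carry
# hundreds of rules in nested Groups plus the OVAL checks that evaluate them.
# Rule ids are made up; profile ids follow the ones listed in the man page.
SAMPLE_DS = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_demo">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>Standard System Security Profile</xccdf:title>
        <xccdf:select idref="xccdf_org.example_rule_sshd_disable_root_login" selected="true"/>
        <xccdf:select idref="xccdf_org.example_rule_package_telnet_removed" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss"
                     extends="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>PCI-DSS v3.2.1 Control Baseline</xccdf:title>
        <xccdf:select idref="xccdf_org.example_rule_audit_privileged_commands" selected="true"/>
        <xccdf:select idref="xccdf_org.example_rule_package_telnet_removed" selected="false"/>
        <xccdf:select idref="xccdf_org.example_rule_typo_in_id" selected="true"/>
      </xccdf:Profile>
      <xccdf:Group id="xccdf_org.example_group_services">
        <xccdf:Rule id="xccdf_org.example_rule_sshd_disable_root_login" selected="false"/>
        <xccdf:Rule id="xccdf_org.example_rule_package_telnet_removed" selected="false"/>
      </xccdf:Group>
      <xccdf:Rule id="xccdf_org.example_rule_audit_privileged_commands" selected="false"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def parse_benchmark(ds_xml):
    """Return ({profile_id: {...}}, {rule_id, ...}) for the first XCCDF
    Benchmark found in the datastream."""
    root = ET.fromstring(ds_xml)
    bench = root.find(".//xccdf:Benchmark", NS)
    if bench is None:
        raise ValueError("datastream carries no XCCDF Benchmark component")
    profiles = {}
    for prof in bench.iterfind("xccdf:Profile", NS):  # Profiles are Benchmark children
        selects = [(s.get("idref"), s.get("selected", "true") == "true")
                   for s in prof.iterfind("xccdf:select", NS)]  # keep document order
        profiles[prof.get("id")] = {
            "title": prof.findtext("xccdf:title", default="", namespaces=NS),
            "extends": prof.get("extends"),
            "selects": selects,
        }
    # Rules may be nested arbitrarily deep inside Groups, so walk the subtree.
    rules = {r.get("id") for r in bench.iter(f"{{{NS['xccdf']}}}Rule")}
    return profiles, rules


def resolve_selected_rules(profiles, profile_id, _chain=()):
    """Rule ids a profile selects once Profile/@extends is honoured: the
    parent's selections are applied first, then the child's own select
    elements in document order, so a later select for the same rule
    overrides an earlier one. Simplification: the Benchmark's own
    selected="..." defaults are ignored (treated as unselected)."""
    if profile_id in _chain:
        raise ValueError("cyclic extends: " + " -> ".join(_chain + (profile_id,)))
    try:
        prof = profiles[profile_id]
    except KeyError:
        raise ValueError(f"unknown profile {profile_id!r}") from None
    selected = set()
    if prof["extends"]:
        selected = resolve_selected_rules(profiles, prof["extends"], _chain + (profile_id,))
    for rule_id, on in prof["selects"]:
        if on:
            selected.add(rule_id)
        else:
            selected.discard(rule_id)
    return selected


def undefined_rule_refs(profiles, rules, profile_id):
    """Selected rule ids (own or inherited) that the Benchmark never defines.
    Such a select enables nothing, so the control it was meant to turn on is
    silently missing from the profile; worth linting before shipping content."""
    return resolve_selected_rules(profiles, profile_id) - rules


if __name__ == "__main__":
    profiles, rules = parse_benchmark(SAMPLE_DS)
    for pid, prof in profiles.items():
        chosen = resolve_selected_rules(profiles, pid)
        missing = undefined_rule_refs(profiles, rules, pid)
        print(f"{pid}\n  title: {prof['title']}\n  selected rules: {len(chosen)}")
        for rid in sorted(chosen):
            print(f"    {rid}{'   <-- not defined in Benchmark' if rid in missing else ''}")
```

Run as a script it prints each profile with its resolved rule list; the pci-dss profile shows how a child profile inherits the standard baseline, adds an audit rule, drops the telnet rule, and how a mistyped rule id is flagged rather than silently ignored.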
54
55
56
57
58
Source Datastream: ssg-centos8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

   PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
       Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

       Ensures PCI-DSS v3.2.1 security configuration settings are applied.

   Standard System Security Profile for Red Hat Enterprise Linux 8
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       a Red Hat Enterprise Linux 8 system. Regardless of your system's
       workload all of these checks should pass.
83
84
85
86
87
Source Datastream: ssg-chromium-ds.xml

       The Guide to the Secure Configuration of Chromium is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Upstream STIG for Google Chromium
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       This profile is developed under the DoD consensus model and DISA FSO
       Vendor STIG process, serving as the upstream development environment
       for the Google Chromium STIG.

       As a result of the upstream/downstream relationship between the SCAP
       Security Guide project and the official DISA FSO STIG baseline, users
       should expect variance between SSG and DISA FSO content. For official
       DISA FSO STIG content, refer to
       https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance

       While this profile is packaged by Red Hat as part of the SCAP Security
       Guide package, please note that commercial support of this SCAP content
       is NOT available. This profile is provided as example SCAP content with
       no endorsement for suitability or production readiness. Support for
       this profile is provided by the upstream SCAP Security Guide community
       on a best-effort basis. The upstream project homepage is
       https://www.open-scap.org/security-policies/scap-security-guide/
120
121
122
123
124
Source Datastream: ssg-debian10-ds.xml

       The Guide to the Secure Configuration of Debian 10 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Profile for ANSSI DAT-NT28 Average (Intermediate) Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

       This profile contains items for GNU/Linux installations already
       protected by multiple higher-level security stacks.

   Profile for ANSSI DAT-NT28 High (Enforced) Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

       This profile contains items for GNU/Linux installations storing
       sensitive information that may be accessible from unauthenticated or
       uncontrolled networks.

   Profile for ANSSI DAT-NT28 Minimal Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

       This profile contains items to be applied systematically.

   Profile for ANSSI DAT-NT28 Restrictive Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

       This profile contains items for GNU/Linux installations exposed to
       unauthenticated flows or multiple sources.

   Standard System Security Profile for Debian 10
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       a Debian 10 system. Regardless of your system's workload all of these
       checks should pass.
177
178
179
180
181
Source Datastream: ssg-debian9-ds.xml

       The Guide to the Secure Configuration of Debian 9 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Profile for ANSSI DAT-NT28 Average (Intermediate) Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

       This profile contains items for GNU/Linux installations already
       protected by multiple higher-level security stacks.

   Profile for ANSSI DAT-NT28 High (Enforced) Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

       This profile contains items for GNU/Linux installations storing
       sensitive information that may be accessible from unauthenticated or
       uncontrolled networks.

   Profile for ANSSI DAT-NT28 Minimal Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

       This profile contains items to be applied systematically.

   Profile for ANSSI DAT-NT28 Restrictive Level
       Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

       This profile contains items for GNU/Linux installations exposed to
       unauthenticated flows or multiple sources.

   Standard System Security Profile for Debian 9
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       a Debian 9 system. Regardless of your system's workload all of these
       checks should pass.
234
235
236
237
238
Source Datastream: ssg-fedora-ds.xml

       The Guide to the Secure Configuration of Fedora is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   OSPP - Protection Profile for General Purpose Operating Systems
       Profile ID: xccdf_org.ssgproject.content_profile_ospp

       This profile reflects mandatory configuration controls identified in
       the NIAP Configuration Annex to the Protection Profile for General
       Purpose Operating Systems (Protection Profile Version 4.2).

       As Fedora is a moving target, this profile does not guarantee to
       provide the security levels required of US National Security Systems.
       The main goal of the profile is to provide Fedora developers with a
       hardened environment similar to the one mandated for US National
       Security Systems.

   PCI-DSS v3.2.1 Control Baseline for Fedora
       Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

       Ensures PCI-DSS v3.2.1 related security configuration settings are
       applied.

   Standard System Security Profile for Fedora
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       a Fedora system. Regardless of your system's workload all of these
       checks should pass.
279
280
281
282
283
Source Datastream: ssg-firefox-ds.xml

       The Guide to the Secure Configuration of Firefox is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Upstream Firefox STIG
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       This profile is developed under the DoD consensus model and DISA FSO
       Vendor STIG process, serving as the upstream development environment
       for the Firefox STIG.

       As a result of the upstream/downstream relationship between the SCAP
       Security Guide project and the official DISA FSO STIG baseline, users
       should expect variance between SSG and DISA FSO content. For official
       DISA FSO STIG content, refer to
       https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance

       While this profile is packaged by Red Hat as part of the SCAP Security
       Guide package, please note that commercial support of this SCAP content
       is NOT available. This profile is provided as example SCAP content with
       no endorsement for suitability or production readiness. Support for
       this profile is provided by the upstream SCAP Security Guide community
       on a best-effort basis. The upstream project homepage is
       https://www.open-scap.org/security-policies/scap-security-guide/
316
317
318
319
320
Source Datastream: ssg-fuse6-ds.xml

       The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   STIG for Apache ActiveMQ
       Profile ID: xccdf_org.ssgproject.content_profile_amq-stig

       This is a *draft* profile for STIG. This profile is being developed
       under the DoD consensus model to become a STIG in coordination with
       DISA FSO.

   Standard System Security Profile for JBoss
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       JBoss Fuse. Regardless of your system's workload all of these checks
       should pass.

   STIG for JBoss Fuse 6
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       This is a *draft* profile for STIG. This profile is being developed
       under the DoD consensus model to become a STIG in coordination with
       DISA FSO.
355
356
357
358
359
Source Datastream: ssg-jre-ds.xml

       The Guide to the Secure Configuration of Java Runtime Environment is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

   Java Runtime Environment (JRE) STIG
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       The Java Runtime Environment (JRE) is a bundle developed and offered by
       Oracle Corporation which includes the Java Virtual Machine (JVM), class
       libraries, and other components necessary to run Java applications and
       applets. Certain default settings within the JRE pose a security risk,
       so it is necessary to deploy system-wide properties to ensure a higher
       degree of security when utilizing the JRE.

       IBM also develops and bundles a Java Runtime Environment (JRE), as does
       Red Hat with OpenJDK.
383
384
385
386
387
Source Datastream: ssg-macos1015-ds.xml

       The Guide to the Secure Configuration of Apple macOS 10.15 is broken
       into 'profiles', groupings of security settings that correlate to a
       known policy. Available profiles are:

   NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
       Profile ID: xccdf_org.ssgproject.content_profile_moderate

       This compliance profile reflects the core set of Moderate-Impact
       Baseline configuration settings for deployment of Apple macOS 10.15
       Catalina into U.S. Defense, Intelligence, and Civilian agencies.
       Development partners and sponsors include the U.S. National Institute
       of Standards and Technology (NIST), U.S. Department of Defense, and the
       National Security Agency.

       This baseline implements configuration requirements from the following
       sources:

       - NIST 800-53 control selections for Moderate-Impact systems
         (NIST 800-53)

       For any differing configuration requirements, e.g. password lengths,
       the stricter security setting was chosen. Security Requirement
       Traceability Guides (RTMs) and sample System Security Configuration
       Guides are provided via the scap-security-guide-docs package.

       This profile reflects U.S. Government consensus content and is
       developed through the ComplianceAsCode initiative, championed by the
       National Security Agency. Except for differences in formatting to
       accommodate publishing processes, this profile mirrors ComplianceAsCode
       content as minor divergences, such as bugfixes, work through the
       consensus and release processes.
426
427
428
429
430
Red Hat OpenShift Container Platform 4
       Source Datastream: ssg-ocp4-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 4 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

   CIS Red Hat OpenShift Container Platform 4 Benchmark
       Profile ID: xccdf_org.ssgproject.content_profile_cis-node

       This profile defines a baseline that aligns to the Center for Internet
       Security® Red Hat OpenShift Container Platform 4 Benchmark™, V0.3,
       currently unreleased.

       This profile includes Center for Internet Security® Red Hat OpenShift
       Container Platform 4 CIS Benchmarks™ content.

       Note that this part of the profile is meant to run on the Operating
       System that Red Hat OpenShift Container Platform 4 runs on top of.

       This profile is applicable to OpenShift versions 4.6 and greater.

   CIS Red Hat OpenShift Container Platform 4 Benchmark
       Profile ID: xccdf_org.ssgproject.content_profile_cis

       This profile defines a baseline that aligns to the Center for Internet
       Security® Red Hat OpenShift Container Platform 4 Benchmark™, V0.3,
       currently unreleased.

       This profile includes Center for Internet Security® Red Hat OpenShift
       Container Platform 4 CIS Benchmarks™ content.

       Note that this part of the profile is meant to run on the Platform
       that Red Hat OpenShift Container Platform 4 runs on top of.

       This profile is applicable to OpenShift versions 4.6 and greater.

   Australian Cyber Security Centre (ACSC) Essential Eight
       Profile ID: xccdf_org.ssgproject.content_profile_e8

       This profile contains configuration checks for Red Hat OpenShift
       Container Platform that align to the Australian Cyber Security Centre
       (ACSC) Essential Eight.

       A copy of the Essential Eight in Linux Environments guide can be found
       at the ACSC website:
       https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

   NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift
       Profile ID: xccdf_org.ssgproject.content_profile_moderate

       This compliance profile reflects the core set of Moderate-Impact
       Baseline configuration settings for deployment of Red Hat OpenShift
       Container Platform into U.S. Defense, Intelligence, and Civilian
       agencies. Development partners and sponsors include the U.S. National
       Institute of Standards and Technology (NIST), U.S. Department of
       Defense, the National Security Agency, and Red Hat.

       This baseline implements configuration requirements from the following
       sources:

       - NIST 800-53 control selections for Moderate-Impact systems
         (NIST 800-53)

       For any differing configuration requirements, e.g. password lengths,
       the stricter security setting was chosen. Security Requirement
       Traceability Guides (RTMs) and sample System Security Configuration
       Guides are provided via the scap-security-guide-docs package.

       This profile reflects U.S. Government consensus content and is
       developed through the ComplianceAsCode initiative, championed by the
       National Security Agency. Except for differences in formatting to
       accommodate publishing processes, this profile mirrors ComplianceAsCode
       content as minor divergences, such as bugfixes, work through the
       consensus and release processes.

   NIST National Checklist for Red Hat OpenShift Container Platform
       Profile ID: xccdf_org.ssgproject.content_profile_ncp

       This compliance profile reflects the core set of security related
       configuration settings for deployment of Red Hat OpenShift Container
       Platform into U.S. Defense, Intelligence, and Civilian agencies.
       Development partners and sponsors include the U.S. National Institute
       of Standards and Technology (NIST), U.S. Department of Defense, the
       National Security Agency, and Red Hat.

       This baseline implements configuration requirements from the following
       sources:

       - Committee on National Security Systems Instruction No. 1253
         (CNSSI 1253)
       - NIST Controlled Unclassified Information (NIST 800-171)
       - NIST 800-53 control selections for Moderate-Impact systems
         (NIST 800-53)
       - U.S. Government Configuration Baseline (USGCB)
       - NIAP Protection Profile for General Purpose Operating Systems v4.2.1
         (OSPP v4.2.1)
       - DISA Operating System Security Requirements Guide (OS SRG)

       For any differing configuration requirements, e.g. password lengths,
       the stricter security setting was chosen. Security Requirement
       Traceability Guides (RTMs) and sample System Security Configuration
       Guides are provided via the scap-security-guide-docs package.

       This profile reflects U.S. Government consensus content and is
       developed through the ComplianceAsCode initiative, championed by the
       National Security Agency. Except for differences in formatting to
       accommodate publishing processes, this profile mirrors ComplianceAsCode
       content as minor divergences, such as bugfixes, work through the
       consensus and release processes.
560
561
562
563
564
Source Datastream: ssg-ol7-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 7 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
       Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

       Ensures PCI-DSS v3.2.1 related security configuration settings are
       applied.

   Security Profile of Oracle Linux 7 for SAP
       Profile ID: xccdf_org.ssgproject.content_profile_sap

       This profile contains rules for the Oracle Linux 7 Operating System in
       compliance with SAP note 2069760 and SAP Security Baseline Template
       version 1.9 Item I-8 and section 4.1.2.2. Regardless of your system's
       workload all of these checks should pass.

   Standard System Security Profile for Oracle Linux 7
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       an Oracle Linux 7 system. Regardless of your system's workload all of
       these checks should pass.

   DISA STIG for Oracle Linux 7
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       This profile contains configuration checks that align to the DISA STIG
       for Oracle Linux V2R2.
607
608
609
610
611
Source Datastream: ssg-ol8-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Criminal Justice Information Services (CJIS) Security Policy
       Profile ID: xccdf_org.ssgproject.content_profile_cjis

       This profile is derived from the FBI's CJIS v5.4 Security Policy. A
       copy of this policy can be found at the CJIS Security Policy Resource
       Center:
       https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

   Unclassified Information in Non-federal Information Systems and
   Organizations (NIST 800-171)
       Profile ID: xccdf_org.ssgproject.content_profile_cui

       From NIST 800-171, Section 2.2: Security requirements for protecting
       the confidentiality of CUI in nonfederal information systems and
       organizations have a well-defined structure that consists of:

       (i) a basic security requirements section; (ii) a derived security
       requirements section.

       The basic security requirements are obtained from FIPS Publication
       200, which provides the high-level and fundamental security
       requirements for federal information and information systems. The
       derived security requirements, which supplement the basic security
       requirements, are taken from the security controls in NIST Special
       Publication 800-53.

       This profile configures Oracle Linux 8 to the NIST Special Publication
       800-53 controls identified for securing Controlled Unclassified
       Information (CUI).

   [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
       Profile ID: xccdf_org.ssgproject.content_profile_e8

       This profile contains configuration checks for Oracle Linux 8 that
       align to the Australian Cyber Security Centre (ACSC) Essential Eight.

       A copy of the Essential Eight in Linux Environments guide can be found
       at the ACSC website:
       https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

   Health Insurance Portability and Accountability Act (HIPAA)
       Profile ID: xccdf_org.ssgproject.content_profile_hipaa

       The HIPAA Security Rule establishes U.S. national standards to protect
       individuals' electronic personal health information that is created,
       received, used, or maintained by a covered entity. The Security Rule
       requires appropriate administrative, physical and technical safeguards
       to ensure the confidentiality, integrity, and security of electronic
       protected health information.

       This profile configures Oracle Linux 8 to the HIPAA Security Rule
       identified for securing electronic protected health information.

   [DRAFT] Protection Profile for General Purpose Operating Systems
       Profile ID: xccdf_org.ssgproject.content_profile_ospp

       This profile reflects mandatory configuration controls identified in
       the NIAP Configuration Annex to the Protection Profile for General
       Purpose Operating Systems (Protection Profile Version 4.2.1).

       This configuration profile is consistent with CNSSI-1253, which
       requires U.S. National Security Systems to adhere to certain
       configuration parameters. Accordingly, this configuration profile is
       suitable for use in U.S. National Security Systems.

   PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
       Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

       Ensures PCI-DSS v3.2.1 related security configuration settings are
       applied.

   Standard System Security Profile for Oracle Linux 8
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       an Oracle Linux 8 system. Regardless of your system's workload all of
       these checks should pass.
720
721
722
723
724
Source Datastream: ssg-opensuse-ds.xml

       The Guide to the Secure Configuration of openSUSE is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

   Standard System Security Profile for openSUSE
       Profile ID: xccdf_org.ssgproject.content_profile_standard

       This profile contains rules to ensure a standard security baseline of
       an openSUSE system. Regardless of your system's workload all of these
       checks should pass.
741
742
743
744
745
Red Hat Enterprise Linux CoreOS 4
       Source Datastream: ssg-rhcos4-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux
       CoreOS 4 is broken into 'profiles', groupings of security settings that
       correlate to a known policy. Available profiles are:

   Australian Cyber Security Centre (ACSC) Essential Eight
       Profile ID: xccdf_org.ssgproject.content_profile_e8

       This profile contains configuration checks for Red Hat Enterprise Linux
       CoreOS that align to the Australian Cyber Security Centre (ACSC)
       Essential Eight.

       A copy of the Essential Eight in Linux Environments guide can be found
       at the ACSC website:
       https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

   NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
       Profile ID: xccdf_org.ssgproject.content_profile_moderate

       This compliance profile reflects the core set of Moderate-Impact
       Baseline configuration settings for deployment of Red Hat Enterprise
       Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies.
       Development partners and sponsors include the U.S. National Institute
       of Standards and Technology (NIST), U.S. Department of Defense, the
       National Security Agency, and Red Hat.

       This baseline implements configuration requirements from the following
       sources:

       - NIST 800-53 control selections for Moderate-Impact systems
         (NIST 800-53)

       For any differing configuration requirements, e.g. password lengths,
       the stricter security setting was chosen. Security Requirement
       Traceability Guides (RTMs) and sample System Security Configuration
       Guides are provided via the scap-security-guide-docs package.

       This profile reflects U.S. Government consensus content and is
       developed through the ComplianceAsCode initiative, championed by the
       National Security Agency. Except for differences in formatting to
       accommodate publishing processes, this profile mirrors ComplianceAsCode
       content as minor divergences, such as bugfixes, work through the
       consensus and release processes.

   NIST National Checklist for Red Hat Enterprise Linux CoreOS
       Profile ID: xccdf_org.ssgproject.content_profile_ncp

       This compliance profile reflects the core set of security related
       configuration settings for deployment of Red Hat Enterprise Linux
       CoreOS into U.S. Defense, Intelligence, and Civilian agencies.
       Development partners and sponsors include the U.S. National Institute
       of Standards and Technology (NIST), U.S. Department of Defense, the
       National Security Agency, and Red Hat.

       This baseline implements configuration requirements from the following
       sources:

       - Committee on National Security Systems Instruction No. 1253
         (CNSSI 1253)
       - NIST Controlled Unclassified Information (NIST 800-171)
       - NIST 800-53 control selections for Moderate-Impact systems
         (NIST 800-53)
       - U.S. Government Configuration Baseline (USGCB)
       - NIAP Protection Profile for General Purpose Operating Systems v4.2.1
         (OSPP v4.2.1)
       - DISA Operating System Security Requirements Guide (OS SRG)

       For any differing configuration requirements, e.g. password lengths,
       the stricter security setting was chosen. Security Requirement
       Traceability Guides (RTMs) and sample System Security Configuration
       Guides are provided via the scap-security-guide-docs package.

       This profile reflects U.S. Government consensus content and is
       developed through the ComplianceAsCode initiative, championed by the
       National Security Agency. Except for differences in formatting to
       accommodate publishing processes, this profile mirrors ComplianceAsCode
       content as minor divergences, such as bugfixes, work through the
       consensus and release processes.

   Protection Profile for General Purpose Operating Systems
       Profile ID: xccdf_org.ssgproject.content_profile_ospp

       This profile reflects mandatory configuration controls identified in
       the NIAP Configuration Annex to the Protection Profile for General
       Purpose Operating Systems (Protection Profile Version 4.2.1).

       This configuration profile is consistent with CNSSI-1253, which
       requires U.S. National Security Systems to adhere to certain
       configuration parameters. Accordingly, this configuration profile is
       suitable for use in U.S. National Security Systems.

   [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS
       Profile ID: xccdf_org.ssgproject.content_profile_stig

       This profile contains configuration checks that align to the [DRAFT]
       DISA STIG for Red Hat Enterprise Linux CoreOS, which is the operating
       system layer of Red Hat OpenShift Container Platform.
864
865
866
867
868
870 Source Datastream: ssg-rhel7-ds.xml
871
872 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
873 broken into 'profiles', groupings of security settings that correlate
874 to a known policy. Available profiles are:
875
876
877
878 C2S for Red Hat Enterprise Linux 7
879
880 Profile ID: xccdf_org.ssgproject.content_profile_C2S
881
882 This profile demonstrates compliance against the U.S. Government
883 Commercial Cloud Services (C2S) baseline.
884
885 This baseline was inspired by the Center for Internet Security
886 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
887
888 For the SCAP Security Guide project to remain in compliance with
889 CIS' terms and conditions, specifically Restrictions(8), note
890 there is no representation or claim that the C2S profile will
891 ensure a system is in compliance or consistency with the CIS
892 baseline.
893
894
ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

This profile contains configurations that align to ANSSI-BP-028
at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

This profile contains configurations that align to ANSSI-BP-028
at the high hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

This profile contains configurations that align to ANSSI-BP-028
at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

This profile contains configurations that align to ANSSI-BP-028
at the minimal hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


CIS Red Hat Enterprise Linux 7 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for
Internet Security® Red Hat Enterprise Linux 7 Benchmark™,
v2.2.0, released 12-27-2017.

This profile includes Center for Internet Security® Red Hat
Enterprise Linux 7 CIS Benchmarks™ content.


Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from the FBI's CJIS v5.4 Security Policy.
A copy of this policy can be found at the CJIS Security Policy
Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for
protecting the confidentiality of CUI in non-federal information
systems and organizations have a well-defined structure that
consists of:

(i) a basic security requirements section; (ii) a derived
security requirements section.

The basic security requirements are obtained from FIPS Publication
200, which provides the high-level and fundamental security
requirements for federal information and information systems.
The derived security requirements, which supplement the basic
security requirements, are taken from the security controls in
NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 7 to the NIST
Special Publication 800-53 controls identified for securing
Controlled Unclassified Information (CUI).


Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise
Linux 7 that align to the Australian Cyber Security Centre (ACSC)
Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be
found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers


Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to
protect individuals' electronic personal health information that
is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical
and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health
information.

This profile configures Red Hat Enterprise Linux 7 to the HIPAA
Security Rule requirements identified for securing electronic
protected health information. Use of this profile in no way
guarantees or makes claims of legal compliance with the HIPAA
Security Rule(s).


NIST National Checklist Program Security Guide

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security-related
configuration settings for deployment of Red Hat Enterprise Linux
7.x into U.S. Defense, Intelligence, and Civilian agencies.
Development partners and sponsors include the U.S. National
Institute of Standards and Technology (NIST), U.S. Department of
Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems
  v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the OpenSCAP/SCAP Security Guide initiative,
championed by the National Security Agency. Except for
differences in formatting to accommodate publishing processes,
this profile mirrors OpenSCAP/SCAP Security Guide content as minor
divergences, such as bugfixes, work through the consensus and
release processes.


OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified
in the NIAP Configuration Annex to the Protection Profile for
General Purpose Operating Systems (Protection Profile Version
4.2.1).

This configuration profile is consistent with CNSSI-1253, which
requires U.S. National Security Systems to adhere to certain
configuration parameters. Accordingly, this configuration profile
is suitable for use in U.S. National Security Systems.


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are
applied.


[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This *draft* profile contains configuration checks that align to
the DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH).


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security-related
configuration settings for deployment of Red Hat Enterprise Linux
Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode project, championed by the
National Security Agency. Except for differences in formatting to
accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security-relevant configuration
settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux
7 instances deployed by Red Hat Certified Cloud Providers.


Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for a Red Hat Enterprise Linux 7 system. Regardless of your
system's workload, all of these checks should pass.


DISA STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA
STIG for Red Hat Enterprise Linux V3R2.

In addition to being applicable to Red Hat Enterprise Linux 7,
DISA recognizes this configuration baseline as applicable to the
operating system tier of Red Hat technologies that are based on
Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image



Source Datastream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028
at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028
at the high hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028
at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028
at the minimal hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


CIS Red Hat Enterprise Linux 8 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for
Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
v1.0.0, released 09-30-2019.

This profile includes Center for Internet Security® Red Hat
Enterprise Linux 8 CIS Benchmarks™ content.


Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from the FBI's CJIS v5.4 Security Policy.
A copy of this policy can be found at the CJIS Security Policy
Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for
protecting the confidentiality of CUI in non-federal information
systems and organizations have a well-defined structure that
consists of:

(i) a basic security requirements section; (ii) a derived
security requirements section.

The basic security requirements are obtained from FIPS Publication
200, which provides the high-level and fundamental security
requirements for federal information and information systems.
The derived security requirements, which supplement the basic
security requirements, are taken from the security controls in
NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST
Special Publication 800-53 controls identified for securing
Controlled Unclassified Information (CUI).


Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise
Linux 8 that align to the Australian Cyber Security Centre (ACSC)
Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be
found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers


Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to
protect individuals' electronic personal health information that
is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical
and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health
information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA
Security Rule requirements identified for securing electronic
protected health information. Use of this profile in no way
guarantees or makes claims of legal compliance with the HIPAA
Security Rule(s).


Australian Cyber Security Centre (ACSC) Information Security Manual
(ISM) Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise
Linux 8 that align to the Australian Cyber Security Centre (ACSC)
Information Security Manual (ISM) with the Attorney-General's
Department (AGD)'s applicability marking of OFFICIAL.

An overview and list of the cyber security guidelines of the
Information Security Manual can be found at the ACSC website:

https://www.cyber.gov.au/ism


Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified
in the NIAP Configuration Annex to the Protection Profile for
General Purpose Operating Systems (Protection Profile Version
4.2.1).

This configuration profile is consistent with CNSSI-1253, which
requires U.S. National Security Systems to adhere to certain
configuration parameters. Accordingly, this configuration profile
is suitable for use in U.S. National Security Systems.


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are
applied.


[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This *draft* profile contains configuration checks that align to
the DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH).


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security-related
configuration settings for deployment of Red Hat Enterprise Linux
Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode project, championed by the
National Security Agency. Except for differences in formatting to
accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security-relevant configuration
settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux
8 instances deployed by Red Hat Certified Cloud Providers.


Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for a Red Hat Enterprise Linux 8 system. Regardless of your
system's workload, all of these checks should pass.


DISA STIG for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA
STIG for Red Hat Enterprise Linux 8.

In addition to being applicable to Red Hat Enterprise Linux 8,
DISA recognizes this configuration baseline as applicable to the
operating system tier of Red Hat technologies that are based on
Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image



Source Datastream: ssg-rhosp10-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 10
is broken into 'profiles', groupings of security settings that
correlate to a known policy. Available profiles are:


[DRAFT] Controlled Unclassified Information (CUI) Profile for Red Hat
OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_cui

These are the controls for scanning against CUI for rhosp10.


[DRAFT] STIG for Red Hat OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_stig

Controls for scanning against the classified STIG for rhosp10.



Source Datastream: ssg-rhosp13-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
is broken into 'profiles', groupings of security settings that
correlate to a known policy. Available profiles are:


RHOSP STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

Sample profile description.



Source Datastream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to
the DISA STIG for Red Hat Virtualization Host (RHVH).


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security-related
configuration settings for deployment of Red Hat Virtualization
Host (RHVH) 4.x into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S.
National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode project, championed by the
National Security Agency. Except for differences in formatting to
accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.



Source Datastream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are
applied.


Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for a Red Hat Enterprise Linux 7 system. Regardless of your
system's workload, all of these checks should pass.



Source Datastream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for a SUSE Linux Enterprise 12 system. Regardless of your system's
workload, all of these checks should pass.


DISA STIG for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA
STIG for SUSE Linux Enterprise 12 V1R2.



Source Datastream: ssg-sle15-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


CIS SUSE Linux Enterprise 15 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security SUSE
Linux Enterprise 15 Benchmark, v1.0.0, currently in draft.


Standard System Security Profile for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for a SUSE Linux Enterprise 15 system, based on the SUSE Hardening
Guide. Regardless of your system's workload, all of these checks
should pass.



Source Datastream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher-level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.


Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for an Ubuntu 16.04 system. Regardless of your system's workload,
all of these checks should pass.



Source Datastream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher-level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.


CIS Ubuntu 18.04 LTS Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security Ubuntu
18.04 LTS Benchmark, v1.0.0, released 08-13-2018.


Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for an Ubuntu 18.04 system. Regardless of your system's workload,
all of these checks should pass.



Source Datastream: ssg-ubuntu2004-ds.xml

The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Standard System Security Profile for Ubuntu 20.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline
for an Ubuntu 20.04 system. Regardless of your system's workload,
all of these checks should pass.



Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux
Source Datastream: ssg-vsel-ds.xml

The Guide to the Secure Configuration of McAfee VirusScan Enterprise
for Linux is broken into 'profiles', groupings of security settings
that correlate to a known policy. Available profiles are:



McAfee VirusScan Enterprise for Linux (VSEL) STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

The McAfee VirusScan Enterprise for Linux software provides a
real-time virus scanner for Linux systems.




Source Datastream: ssg-wrlinux1019-ds.xml

The Guide to the Secure Configuration of WRLinux 1019 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:



Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux
installations. Regardless of your system's deployment objective, all
of these checks should pass.


DRAFT DISA STIG for Wind River Linux

Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa

This profile contains configuration checks that align to the DISA STIG
for Wind River Linux. This profile is being developed under the DoD
consensus model to become a STIG in coordination with DISA FSO.

What is the status of the Wind River Linux STIG? The Wind River Linux
STIG is in development under the DoD consensus model, and Wind River
has started the process to get approval from DISA. However, in the
absence of an approved SRG or STIG, vendor recommendations may be used
instead. The current contents constitute the vendor recommendations at
the time of the product release containing these contents. Note that
changes are expected before approval is granted, and those changes
will be made available in future Wind River Linux Security Profile
1019 RCPL releases. This status information, and more, is available
from the DISA FAQs at https://public.cyber.mil/stigs/faqs/




Source Datastream: ssg-wrlinux8-ds.xml

The Guide to the Secure Configuration of WRLinux 8 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:



Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux
installations. Regardless of your system's deployment objective, all
of these checks should pass.





To scan your system utilizing the OpenSCAP utility against the ospp
profile:

oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html --oval-results \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Additional details can be found on the project's wiki page:
https://www.github.com/OpenSCAP/scap-security-guide/wiki



/usr/share/xml/scap/ssg/content
Houses SCAP content utilizing the following naming conventions:

SCAP Source Datastreams: ssg-{product}-ds.xml

CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

CPE OVAL Content: ssg-{product}-cpe-oval.xml

OVAL Content: ssg-{product}-oval.xml

XCCDF Content: ssg-{product}-xccdf.xml

/usr/share/doc/scap-security-guide/guides/
HTML versions of SSG profiles.

/usr/share/scap-security-guide/ansible/
Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/bash/
Contains Bash remediation scripts for SSG profiles.

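As an added example, not part of the scap-security-guide project or of this man page: a Python script that enumerates the profiles in a source datastream (located by the FILES naming convention ssg-{product}-ds.xml), resolves a short profile name such as `standard` to its full XCCDF ID, and assembles the `oscap xccdf eval` invocation shown in the USAGE section. The embedded datastream is a constructed minimal sample, not a real SSG file, and the helper names (`list_profiles`, `resolve_profile`, `build_eval_command`, `interpret_exit_code`) are this example's own.

```python
"""Added example: list SSG datastream profiles and build the oscap eval command."""
import socket
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespaces used by SCAP 1.2 source datastreams and XCCDF 1.2 benchmarks.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
CONTENT_DIR = Path("/usr/share/xml/scap/ssg/content")   # from the FILES section
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"  # SSG profile ID convention

# Constructed sample datastream with two profiles; not a real SSG file.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-example-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>Standard System Security Profile for Example OS</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_cis">
        <xccdf:title>CIS Example OS Benchmark</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def datastream_path(product: str) -> Path:
    """Source datastream for a product name such as 'rhel7' or 'ubuntu2004'."""
    return CONTENT_DIR / f"ssg-{product}-ds.xml"


def list_profiles(xml_text: str) -> dict:
    """Map every XCCDF Profile ID found in the datastream to its title."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.iter(f"{{{NS['xccdf']}}}Profile"):
        title = prof.find("xccdf:title", NS)
        profiles[prof.get("id")] = title.text if title is not None else ""
    return profiles


def resolve_profile(name: str, profiles: dict) -> str:
    """Accept a full profile ID or its short suffix (e.g. 'standard') and
    return the full ID; refuse anything the datastream does not define."""
    for cand in (name, PROFILE_PREFIX + name):
        if cand in profiles:
            return cand
    raise ValueError(f"profile {name!r} not found; available: {sorted(profiles)}")


def build_eval_command(datastream: Path, profile_id: str, hostname: str) -> list:
    """Argument list mirroring the USAGE section: XCCDF results, an HTML
    report and OVAL results written under /tmp and named by hostname."""
    return [
        "oscap", "xccdf", "eval",
        "--profile", profile_id,
        "--results", f"/tmp/{hostname}-ssg-results.xml",
        "--report", f"/tmp/{hostname}-ssg-results.html",
        "--oval-results",
        str(datastream),
    ]


def interpret_exit_code(rc: int) -> str:
    """oscap xccdf eval exits 0 when every rule passes, 2 when at least one
    rule fails, and 1 on error (the scan itself failed, not a rule)."""
    return {0: "pass", 1: "error", 2: "fail"}.get(rc, "unknown")


def main(product: str = "rhel7", profile: str = "standard") -> None:
    ds = datastream_path(product)
    if not ds.exists():
        print(f"{ds} not found; install scap-security-guide first")
        return
    profiles = list_profiles(ds.read_text())
    cmd = build_eval_command(ds, resolve_profile(profile, profiles), socket.gethostname())
    print(" ".join(cmd))
    rc = subprocess.run(cmd).returncode
    print("scan result:", interpret_exit_code(rc))


if __name__ == "__main__":
    main()
```

The USAGE section passes the standalone ssg-rhel7-xccdf.xml file; oscap also evaluates a source datastream directly, which is what this script hands it. Treat exit code 1 as a broken scan to investigate rather than as a compliance failure, and keep the results XML, since that is the artifact a C&A evaluator will ask for.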
The SCAP Security Guide, an open source project jointly maintained by
Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat
technologies. As an open source project, community participation
extends into U.S. Department of Defense agencies, civilian agencies,
academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended
Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
Guide content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and
Red Hat engineers are involved as maintainers and leaders, there are no
commercial support contracts or service level agreements provided by
Red Hat.

Support, for both users and developers, is provided through the SCAP
Security Guide community.

Homepage: https://www.open-scap.org/security-policies/scap-security-guide

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


SCAP Security Guide content is considered vendor (Red Hat) provided
content. Per guidance from the U.S. National Institute of Standards
and Technology (NIST), U.S. Government programs are allowed to use
vendor produced SCAP content in the absence of "Governmental
Authority" checklists. The specific NIST verbiage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
products incorporated into DoD information systems shall be configured
in accordance with DoD-approved security configuration guidelines" and
tasks the Defense Information Systems Agency (DISA) to "develop and
provide security configuration guidance for IA and IA-enabled IT
products in coordination with Director, NSA." The output of this
authority is the DISA Security Technical Implementation Guides, or
STIGs. DISA FSO is in the process of moving the STIGs towards the use
of the NIST Security Content Automation Protocol (SCAP) in order to
"automate" compliance reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community
enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project
called SCAP Security Guide. The project's website is
https://www.open-scap.org/security-policies/scap-security-guide.
Except for differences in formatting to accommodate the DISA STIG
publishing process, the content of the Red Hat Enterprise Linux 6 STIG
should mirror the SCAP Security Guide content with only minor
divergence as updates from multiple sources work through the consensus
process."

The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7
STIG contains only XCCDF content and is available online:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Content published on the public.cyber.mil website is authoritative
STIG content. The SCAP Security Guide project, as noted in the STIG
overview, is considered upstream content. Unlike DISA FSO, the SCAP
Security Guide project does publish OVAL automation content.
Individual programs and C&A evaluators make program-level
determinations on the direct usage of the SCAP Security Guide.
Currently there is no blanket approval.


oscap(8)



Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



version 1 26 Jan 2013 scap-security-guide(8)