1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP-Security-Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice and also links
14 it to compliance requirements in order to ease deployment activities,
15 such as certification and accreditation. These include requirements in
16 the U.S. government (Federal, Defense, and Intelligence Community) as
17 well as of the financial services and health care industries. For exam‐
18 ple, high-level and widely-accepted policies such as NIST 800-53 pro‐
19 vides prose stating that System Administrators must audit "privileged
20 user actions," but do not define what "privileged actions" are. The SSG
21 bridges the gap between generalized policy requirements and specific
22 implementation guidance, in SCAP formats to support automation whenever
23 possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source data stream: ssg-alinux2-ds.xml
32 The Guide to the Secure Configuration of Alibaba Cloud Linux 2 is bro‐
34 ken into 'profiles', groupings of security settings that correlate to a
35 known policy. Available profiles are:
36 CIS Aliyun Linux 2 Benchmark for Level 2
40 Profile ID: xccdf_org.ssgproject.content_profile_cis
42 This profile defines a baseline that aligns to the "Level 2"
44 configuration from the Center for Internet Security® Aliyun
45 Linux 2 Benchmark™, v1.0.0, released 08-16-2019.
46 This profile includes Center for Internet Security® Aliyun Linux
48 2 CIS Benchmarks™ content.
49 CIS Aliyun Linux 2 Benchmark for Level 1
52 Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
54 This profile defines a baseline that aligns to the "Level 1"
56 configuration from the Center for Internet Security® Aliyun
57 Linux 2 Benchmark™, v1.0.0, released 08-16-2019.
58 This profile includes Center for Internet Security® Aliyun Linux
60 2 CIS Benchmarks™ content.
61 Standard System Security Profile for Alibaba Cloud Linux 2
64 Profile ID: xccdf_org.ssgproject.content_profile_standard
66 This profile contains rules to ensure standard security baseline
68 of a Alibaba Cloud Linux 2 system. Regardless of your system's
69 workload all of these checks should pass.
70
76 Source data stream: ssg-alinux3-ds.xml
77 The Guide to the Secure Configuration of Alibaba Cloud Linux 3 is bro‐
79 ken into 'profiles', groupings of security settings that correlate to a
80 known policy. Available profiles are:
81 CIS Benchmark for Alibaba Cloud Linux 3 for Level 2
85 Profile ID: xccdf_org.ssgproject.content_profile_cis
87 This profile defines a baseline that aligns to the "Level 2"
89 configuration from the Center for Internet Security® Alibaba
90 Cloud Linux 3 Benchmark™, v1.0.0, released 08-16-2019.
91 This profile includes Center for Internet Security® Alibaba
93 Cloud Linux 3 Benchmark™ content.
94 CIS Benchmark for Alibaba Cloud Linux 3 for Level 1
97 Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
99 This profile defines a baseline that aligns to the "Level 1"
101 configuration from the Center for Internet Security® Alibaba
102 Cloud Linux 3 Benchmark™, v1.0.0, released 08-16-2019.
103 This profile includes Center for Internet Security® Alibaba
105 Cloud Linux 3 Benchmark™ content.
106 Standard System Security Profile for Alibaba Cloud Linux 3
109 Profile ID: xccdf_org.ssgproject.content_profile_standard
111 This profile contains rules to ensure standard security baseline
113 of a Alibaba Cloud Linux 3 system. Regardless of your system's
114 workload all of these checks should pass.
115
121 Source data stream: ssg-anolis23-ds.xml
122 The Guide to the Secure Configuration of Anolis OS 23 is broken into
124 'profiles', groupings of security settings that correlate to a known
125 policy. Available profiles are:
126 Standard System Security Profile for Anolis OS 23
130 Profile ID: xccdf_org.ssgproject.content_profile_standard
132 This profile contains rules to ensure standard security baseline
134 of a Anolis OS 23 system.
135
141 Source data stream: ssg-anolis8-ds.xml
142 The Guide to the Secure Configuration of Anolis OS 8 is broken into
144 'profiles', groupings of security settings that correlate to a known
145 policy. Available profiles are:
146 Standard System Security Profile for Anolis OS 8
150 Profile ID: xccdf_org.ssgproject.content_profile_standard
152 This profile contains rules to ensure standard security baseline
154 of a Anolis OS 8 system.
155
161 Source data stream: ssg-centos7-ds.xml
162 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
164 broken into 'profiles', groupings of security settings that correlate
165 to a known policy. Available profiles are:
166 C2S for Red Hat Enterprise Linux 7
170 Profile ID: xccdf_org.ssgproject.content_profile_C2S
172 This profile demonstrates compliance against the U.S. Government
174 Commercial Cloud Services (C2S) baseline.
175 This baseline was inspired by the Center for Internet Security
177 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
178 For the SCAP Security Guide project to remain in compliance with
180 CIS' terms and conditions, specifically Restrictions(8), note
181 there is no representation or claim that the C2S profile will
182 ensure a system is in compliance or consistency with the CIS
183 baseline.
184 ANSSI-BP-028 (enhanced)
187 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
189 hanced
190 This profile contains configurations that align to ANSSI-BP-028
192 v2.0 at the enhanced hardening level.
193 ANSSI is the French National Information Security Agency, and
195 stands for Agence nationale de la sécurité des systèmes d'infor‐
196 mation. ANSSI-BP-028 is a configuration recommendation for
197 GNU/Linux systems.
198 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
200 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
201 securite-relatives-a-un-systeme-gnulinux/
202 ANSSI-BP-028 (high)
205 Profile ID: xccdf_org.ssgproject.content_pro‐
207 file_anssi_nt28_high
208 This profile contains configurations that align to ANSSI-BP-028
210 v2.0 at the high hardening level.
211 ANSSI is the French National Information Security Agency, and
213 stands for Agence nationale de la sécurité des systèmes d'infor‐
214 mation. ANSSI-BP-028 is a configuration recommendation for
215 GNU/Linux systems.
216 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
218 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
219 securite-relatives-a-un-systeme-gnulinux/
220 ANSSI-BP-028 (intermediary)
223 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
225 termediary
226 This profile contains configurations that align to ANSSI-BP-028
228 v2.0 at the intermediary hardening level.
229 ANSSI is the French National Information Security Agency, and
231 stands for Agence nationale de la sécurité des systèmes d'infor‐
232 mation. ANSSI-BP-028 is a configuration recommendation for
233 GNU/Linux systems.
234 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
236 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
237 securite-relatives-a-un-systeme-gnulinux/
238 ANSSI-BP-028 (minimal)
241 Profile ID: xccdf_org.ssgproject.content_pro‐
243 file_anssi_nt28_minimal
244 This profile contains configurations that align to ANSSI-BP-028
246 v2.0 at the minimal hardening level.
247 ANSSI is the French National Information Security Agency, and
249 stands for Agence nationale de la sécurité des systèmes d'infor‐
250 mation. ANSSI-BP-028 is a configuration recommendation for
251 GNU/Linux systems.
252 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
254 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
255 securite-relatives-a-un-systeme-gnulinux/
256 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
259 Profile ID: xccdf_org.ssgproject.content_profile_cis
261 This profile defines a baseline that aligns to the "Level 2 -
263 Server" configuration from the Center for Internet Security® Red
264 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
265 This profile includes Center for Internet Security® Red Hat En‐
267 terprise Linux 7 CIS Benchmarks™ content.
268 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
271 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
273 This profile defines a baseline that aligns to the "Level 1 -
275 Server" configuration from the Center for Internet Security® Red
276 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
277 This profile includes Center for Internet Security® Red Hat En‐
279 terprise Linux 7 CIS Benchmarks™ content.
280 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
283 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
285 tion_l1
286 This profile defines a baseline that aligns to the "Level 1 -
288 Workstation" configuration from the Center for Internet Secu‐
289 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
290 05-21-2021.
291 This profile includes Center for Internet Security® Red Hat En‐
293 terprise Linux 7 CIS Benchmarks™ content.
294 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
297 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
299 tion_l2
300 This profile defines a baseline that aligns to the "Level 2 -
302 Workstation" configuration from the Center for Internet Secu‐
303 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
304 05-21-2021.
305 This profile includes Center for Internet Security® Red Hat En‐
307 terprise Linux 7 CIS Benchmarks™ content.
308 Criminal Justice Information Services (CJIS) Security Policy
311 Profile ID: xccdf_org.ssgproject.content_profile_cjis
313 This profile is derived from FBI's CJIS v5.4 Security Policy. A
315 copy of this policy can be found at the CJIS Security Policy Re‐
316 source Center:
317 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
319 center
320 Unclassified Information in Non-federal Information Systems and Organi‐
323 zations (NIST 800-171)
324 Profile ID: xccdf_org.ssgproject.content_profile_cui
326 From NIST 800-171, Section 2.2: Security requirements for pro‐
328 tecting the confidentiality of CUI in non-federal information
329 systems and organizations have a well-defined structure that
330 consists of:
331 (i) a basic security requirements section; (ii) a derived secu‐
333 rity requirements section.
334 The basic security requirements are obtained from FIPS Publica‐
336 tion 200, which provides the high-level and fundamental security
337 requirements for federal information and information systems.
338 The derived security requirements, which supplement the basic
339 security requirements, are taken from the security controls in
340 NIST Special Publication 800-53.
341 This profile configures Red Hat Enterprise Linux 7 to the NIST
343 Special Publication 800-53 controls identified for securing Con‐
344 trolled Unclassified Information (CUI).
345 Australian Cyber Security Centre (ACSC) Essential Eight
348 Profile ID: xccdf_org.ssgproject.content_profile_e8
350 This profile contains configuration checks for Red Hat Enter‐
352 prise Linux 7 that align to the Australian Cyber Security Centre
353 (ACSC) Essential Eight.
354 A copy of the Essential Eight in Linux Environments guide can be
356 found at the ACSC website:
357 https://www.cyber.gov.au/acsc/view-all-content/publica‐
359 tions/hardening-linux-workstations-and-servers
360 Health Insurance Portability and Accountability Act (HIPAA)
363 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
365 The HIPAA Security Rule establishes U.S. national standards to
367 protect individuals’ electronic personal health information that
368 is created, received, used, or maintained by a covered entity.
369 The Security Rule requires appropriate administrative, physical
370 and technical safeguards to ensure the confidentiality, integ‐
371 rity, and security of electronic protected health information.
372 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
374 Security Rule identified for securing of electronic protected
375 health information. Use of this profile in no way guarantees or
376 makes claims against legal compliance against the HIPAA Security
377 Rule(s).
378 NIST National Checklist Program Security Guide
381 Profile ID: xccdf_org.ssgproject.content_profile_ncp
383 This compliance profile reflects the core set of security re‐
385 lated configuration settings for deployment of Red Hat Enter‐
386 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
387 agencies. Development partners and sponsors include the U.S.
388 National Institute of Standards and Technology (NIST), U.S. De‐
389 partment of Defense, the National Security Agency, and Red Hat.
390 This baseline implements configuration requirements from the
392 following sources:
393 - Committee on National Security Systems Instruction No. 1253
395 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
396 800-171) - NIST 800-53 control selections for MODERATE impact
397 systems (NIST 800-53) - U.S. Government Configuration Baseline
398 (USGCB) - NIAP Protection Profile for General Purpose Operating
399 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
400 Requirements Guide (OS SRG)
401 For any differing configuration requirements, e.g. password
403 lengths, the stricter security setting was chosen. Security Re‐
404 quirement Traceability Guides (RTMs) and sample System Security
405 Configuration Guides are provided via the scap-security-guide-
406 docs package.
407 This profile reflects U.S. Government consensus content and is
409 developed through the OpenSCAP/SCAP Security Guide initiative,
410 championed by the National Security Agency. Except for differ‐
411 ences in formatting to accommodate publishing processes, this
412 profile mirrors OpenSCAP/SCAP Security Guide content as minor
413 divergences, such as bugfixes, work through the consensus and
414 release processes.
415 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
418 Profile ID: xccdf_org.ssgproject.content_profile_ospp
420 This profile reflects mandatory configuration controls identi‐
422 fied in the NIAP Configuration Annex to the Protection Profile
423 for General Purpose Operating Systems (Protection Profile Ver‐
424 sion 4.2.1).
425 This configuration profile is consistent with CNSSI-1253, which
427 requires U.S. National Security Systems to adhere to certain
428 configuration parameters. Accordingly, this configuration pro‐
429 file is suitable for use in U.S. National Security Systems.
430 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
433 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
435 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
437 plied.
438 RHV hardening based on STIG for Red Hat Enterprise Linux 7
441 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
443 This profile contains configuration checks for Red Hat Virtual‐
445 ization based on the the DISA STIG for Red Hat Enterprise Linux
446 7.
447 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
450 ization
451 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
453 This compliance profile reflects the core set of security re‐
455 lated configuration settings for deployment of Red Hat Enter‐
456 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
457 gence, and Civilian agencies. Development partners and sponsors
458 include the U.S. National Institute of Standards and Technology
459 (NIST), U.S. Department of Defense, the National Security
460 Agency, and Red Hat.
461 This baseline implements configuration requirements from the
463 following sources:
464 - Committee on National Security Systems Instruction No. 1253
466 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
467 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
468 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
469 (VPP v1.0)
470 For any differing configuration requirements, e.g. password
472 lengths, the stricter security setting was chosen. Security Re‐
473 quirement Traceability Guides (RTMs) and sample System Security
474 Configuration Guides are provided via the scap-security-guide-
475 docs package.
476 This profile reflects U.S. Government consensus content and is
478 developed through the ComplianceAsCode project, championed by
479 the National Security Agency. Except for differences in format‐
480 ting to accommodate publishing processes, this profile mirrors
481 ComplianceAsCode content as minor divergences, such as bugfixes,
482 work through the consensus and release processes.
483 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
486 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
488 This profile contains the minimum security relevant configura‐
490 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
491 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
492 Standard System Security Profile for Red Hat Enterprise Linux 7
495 Profile ID: xccdf_org.ssgproject.content_profile_standard
497 This profile contains rules to ensure standard security baseline
499 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
500 tem's workload all of these checks should pass.
501 DISA STIG for Red Hat Enterprise Linux 7
504 Profile ID: xccdf_org.ssgproject.content_profile_stig
506 This profile contains configuration checks that align to the
508 DISA STIG for Red Hat Enterprise Linux V3R12.
509 In addition to being applicable to Red Hat Enterprise Linux 7,
511 DISA recognizes this configuration baseline as applicable to the
512 operating system tier of Red Hat technologies that are based on
513 Red Hat Enterprise Linux 7, such as:
514 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
516 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
517 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
518 7 image
519 DISA STIG with GUI for Red Hat Enterprise Linux 7
522 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
524 This profile contains configuration checks that align to the
526 DISA STIG with GUI for Red Hat Enterprise Linux V3R12.
527 In addition to being applicable to Red Hat Enterprise Linux 7,
529 DISA recognizes this configuration baseline as applicable to the
530 operating system tier of Red Hat technologies that are based on
531 Red Hat Enterprise Linux 7, such as:
532 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
534 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
535 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
536 7 image
537 Warning: The installation and use of a Graphical User Interface
539 (GUI) increases your attack vector and decreases your overall
540 security posture. If your Information Systems Security Officer
541 (ISSO) lacks a documented operational requirement for a graphi‐
542 cal user interface, please consider using the standard DISA STIG
543 for Red Hat Enterprise Linux 7 profile.
544
550 Source data stream: ssg-centos8-ds.xml
551 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
553 broken into 'profiles', groupings of security settings that correlate
554 to a known policy. Available profiles are:
555 ANSSI-BP-028 (enhanced)
559 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
561 hanced
562 This profile contains configurations that align to ANSSI-BP-028
564 v2.0 at the enhanced hardening level.
565 ANSSI is the French National Information Security Agency, and
567 stands for Agence nationale de la sécurité des systèmes d'infor‐
568 mation. ANSSI-BP-028 is a configuration recommendation for
569 GNU/Linux systems.
570 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
572 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
573 securite-relatives-a-un-systeme-gnulinux/
574 ANSSI-BP-028 (high)
577 Profile ID: xccdf_org.ssgproject.content_pro‐
579 file_anssi_bp28_high
580 This profile contains configurations that align to ANSSI-BP-028
582 v2.0 at the high hardening level.
583 ANSSI is the French National Information Security Agency, and
585 stands for Agence nationale de la sécurité des systèmes d'infor‐
586 mation. ANSSI-BP-028 is a configuration recommendation for
587 GNU/Linux systems.
588 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
590 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
591 securite-relatives-a-un-systeme-gnulinux/
592 ANSSI-BP-028 (intermediary)
595 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
597 termediary
598 This profile contains configurations that align to ANSSI-BP-028
600 v2.0 at the intermediary hardening level.
601 ANSSI is the French National Information Security Agency, and
603 stands for Agence nationale de la sécurité des systèmes d'infor‐
604 mation. ANSSI-BP-028 is a configuration recommendation for
605 GNU/Linux systems.
606 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
608 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
609 securite-relatives-a-un-systeme-gnulinux/
610 ANSSI-BP-028 (minimal)
613 Profile ID: xccdf_org.ssgproject.content_pro‐
615 file_anssi_bp28_minimal
616 This profile contains configurations that align to ANSSI-BP-028
618 v2.0 at the minimal hardening level.
619 ANSSI is the French National Information Security Agency, and
621 stands for Agence nationale de la sécurité des systèmes d'infor‐
622 mation. ANSSI-BP-028 is a configuration recommendation for
623 GNU/Linux systems.
624 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
626 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
627 securite-relatives-a-un-systeme-gnulinux/
628 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
631 Profile ID: xccdf_org.ssgproject.content_profile_cis
633 This profile defines a baseline that aligns to the "Level 2 -
635 Server" configuration from the Center for Internet Security® Red
636 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
637 This profile includes Center for Internet Security® Red Hat En‐
639 terprise Linux 8 CIS Benchmarks™ content.
640 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
643 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
645 This profile defines a baseline that aligns to the "Level 1 -
647 Server" configuration from the Center for Internet Security® Red
648 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
649 This profile includes Center for Internet Security® Red Hat En‐
651 terprise Linux 8 CIS Benchmarks™ content.
652 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
655 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
657 tion_l1
658 This profile defines a baseline that aligns to the "Level 1 -
660 Workstation" configuration from the Center for Internet Secu‐
661 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
662 2022-02-23.
663 This profile includes Center for Internet Security® Red Hat En‐
665 terprise Linux 8 CIS Benchmarks™ content.
666 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
669 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
671 tion_l2
672 This profile defines a baseline that aligns to the "Level 2 -
674 Workstation" configuration from the Center for Internet Secu‐
675 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
676 2022-02-23.
677 This profile includes Center for Internet Security® Red Hat En‐
679 terprise Linux 8 CIS Benchmarks™ content.
680 Criminal Justice Information Services (CJIS) Security Policy
683 Profile ID: xccdf_org.ssgproject.content_profile_cjis
685 This profile is derived from FBI's CJIS v5.4 Security Policy. A
687 copy of this policy can be found at the CJIS Security Policy Re‐
688 source Center:
689 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
691 center
692 Unclassified Information in Non-federal Information Systems and Organi‐
695 zations (NIST 800-171)
696 Profile ID: xccdf_org.ssgproject.content_profile_cui
698 From NIST 800-171, Section 2.2: Security requirements for pro‐
700 tecting the confidentiality of CUI in nonfederal information
701 systems and organizations have a well-defined structure that
702 consists of:
703 (i) a basic security requirements section; (ii) a derived secu‐
705 rity requirements section.
706 The basic security requirements are obtained from FIPS Publica‐
708 tion 200, which provides the high-level and fundamental security
709 requirements for federal information and information systems.
710 The derived security requirements, which supplement the basic
711 security requirements, are taken from the security controls in
712 NIST Special Publication 800-53.
713 This profile configures Red Hat Enterprise Linux 8 to the NIST
715 Special Publication 800-53 controls identified for securing Con‐
716 trolled Unclassified Information (CUI)."
717 Australian Cyber Security Centre (ACSC) Essential Eight
720 Profile ID: xccdf_org.ssgproject.content_profile_e8
722 This profile contains configuration checks for Red Hat Enter‐
724 prise Linux 8 that align to the Australian Cyber Security Centre
725 (ACSC) Essential Eight.
726 A copy of the Essential Eight in Linux Environments guide can be
728 found at the ACSC website:
729 https://www.cyber.gov.au/acsc/view-all-content/publica‐
731 tions/hardening-linux-workstations-and-servers
732 Health Insurance Portability and Accountability Act (HIPAA)
735 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
737 The HIPAA Security Rule establishes U.S. national standards to
739 protect individuals’ electronic personal health information that
740 is created, received, used, or maintained by a covered entity.
741 The Security Rule requires appropriate administrative, physical
742 and technical safeguards to ensure the confidentiality, integ‐
743 rity, and security of electronic protected health information.
744 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
746 Security Rule identified for securing of electronic protected
747 health information. Use of this profile in no way guarantees or
748 makes claims against legal compliance against the HIPAA Security
749 Rule(s).
750 Australian Cyber Security Centre (ACSC) ISM Official
753 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
755 This profile contains configuration checks for Red Hat Enter‐
757 prise Linux 8 that align to the Australian Cyber Security Centre
758 (ACSC) Information Security Manual (ISM) with the applicability
759 marking of OFFICIAL.
760 The ISM uses a risk-based approach to cyber security. This pro‐
762 file provides a guide to aligning Red Hat Enterprise Linux secu‐
763 rity controls with the ISM, which can be used to select controls
764 specific to an organisation's security posture and risk profile.
765 A copy of the ISM can be found at the ACSC website:
767 https://www.cyber.gov.au/ism
769 Protection Profile for General Purpose Operating Systems
772 Profile ID: xccdf_org.ssgproject.content_profile_ospp
774 This profile reflects mandatory configuration controls identi‐
776 fied in the NIAP Configuration Annex to the Protection Profile
777 for General Purpose Operating Systems (Protection Profile Ver‐
778 sion 4.2.1).
779 This configuration profile is consistent with CNSSI-1253, which
781 requires U.S. National Security Systems to adhere to certain
782 configuration parameters. Accordingly, this configuration pro‐
783 file is suitable for use in U.S. National Security Systems.
784 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
787 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
789 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
791 plied.
792 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
795 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
797 This profile contains the minimum security relevant configura‐
799 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
800 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
801 Standard System Security Profile for Red Hat Enterprise Linux 8
804 Profile ID: xccdf_org.ssgproject.content_profile_standard
806 This profile contains rules to ensure standard security baseline
808 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
809 tem's workload all of these checks should pass.
810 DISA STIG for Red Hat Enterprise Linux 8
813 Profile ID: xccdf_org.ssgproject.content_profile_stig
815 This profile contains configuration checks that align to the
817 DISA STIG for Red Hat Enterprise Linux 8 V1R11.
818 In addition to being applicable to Red Hat Enterprise Linux 8,
820 DISA recognizes this configuration baseline as applicable to the
821 operating system tier of Red Hat technologies that are based on
822 Red Hat Enterprise Linux 8, such as:
823 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
825 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
826 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
827 8 image
828 DISA STIG with GUI for Red Hat Enterprise Linux 8
831 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
833 This profile contains configuration checks that align to the
835 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
836 In addition to being applicable to Red Hat Enterprise Linux 8,
838 DISA recognizes this configuration baseline as applicable to the
839 operating system tier of Red Hat technologies that are based on
840 Red Hat Enterprise Linux 8, such as:
841 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
843 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
844 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
845 8 image
846 Warning: The installation and use of a Graphical User Interface
848 (GUI) increases your attack vector and decreases your overall
849 security posture. If your Information Systems Security Officer
850 (ISSO) lacks a documented operational requirement for a graphi‐
851 cal user interface, please consider using the standard DISA STIG
852 for Red Hat Enterprise Linux 8 profile.
853
859 Source data stream: ssg-chromium-ds.xml
860 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
862 files', groupings of security settings that correlate to a known pol‐
863 icy. Available profiles are:
864 Upstream STIG for Google Chromium
868 Profile ID: xccdf_org.ssgproject.content_profile_stig
870 This profile is developed under the DoD consensus model and DISA
872 FSO Vendor STIG process, serving as the upstream development en‐
873 vironment for the Google Chromium STIG.
874 As a result of the upstream/downstream relationship between the
876 SCAP Security Guide project and the official DISA FSO STIG base‐
877 line, users should expect variance between SSG and DISA FSO con‐
878 tent. For official DISA FSO STIG content, refer to https://pub‐
879 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
880 rity%2Cbrowser-guidance.
881 While this profile is packaged by Red Hat as part of the SCAP
883 Security Guide package, please note that commercial support of
884 this SCAP content is NOT available. This profile is provided as
885 example SCAP content with no endorsement for suitability or pro‐
886 duction readiness. Support for this profile is provided by the
887 upstream SCAP Security Guide community on a best-effort basis.
888 The upstream project homepage is https://www.open-scap.org/secu‐
889 rity-policies/scap-security-guide/.
890
896 Source data stream: ssg-cs9-ds.xml
897 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
899 broken into 'profiles', groupings of security settings that correlate
900 to a known policy. Available profiles are:
901 ANSSI-BP-028 (enhanced)
905 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
907 hanced
908 This profile contains configurations that align to ANSSI-BP-028
910 v2.0 at the enhanced hardening level.
911 ANSSI is the French National Information Security Agency, and
913 stands for Agence nationale de la sécurité des systèmes d'infor‐
914 mation. ANSSI-BP-028 is a configuration recommendation for
915 GNU/Linux systems.
916 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
918 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
919 securite-relatives-a-un-systeme-gnulinux/
920 ANSSI-BP-028 (high)
923 Profile ID: xccdf_org.ssgproject.content_pro‐
925 file_anssi_bp28_high
926 This profile contains configurations that align to ANSSI-BP-028
928 v2.0 at the high hardening level.
929 ANSSI is the French National Information Security Agency, and
931 stands for Agence nationale de la sécurité des systèmes d'infor‐
932 mation. ANSSI-BP-028 is a configuration recommendation for
933 GNU/Linux systems.
934 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
936 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
937 securite-relatives-a-un-systeme-gnulinux/
938 ANSSI-BP-028 (intermediary)
941 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
943 termediary
944 This profile contains configurations that align to ANSSI-BP-028
946 v2.0 at the intermediary hardening level.
947 ANSSI is the French National Information Security Agency, and
949 stands for Agence nationale de la sécurité des systèmes d'infor‐
950 mation. ANSSI-BP-028 is a configuration recommendation for
951 GNU/Linux systems.
952 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
954 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
955 securite-relatives-a-un-systeme-gnulinux/
956 ANSSI-BP-028 (minimal)
959 Profile ID: xccdf_org.ssgproject.content_pro‐
961 file_anssi_bp28_minimal
962 This profile contains configurations that align to ANSSI-BP-028
964 v2.0 at the minimal hardening level.
965 ANSSI is the French National Information Security Agency, and
967 stands for Agence nationale de la sécurité des systèmes d'infor‐
968 mation. ANSSI-BP-028 is a configuration recommendation for
969 GNU/Linux systems.
970 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
972 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
973 securite-relatives-a-un-systeme-gnulinux/
974 CCN Red Hat Enterprise Linux 9 - Advanced
977 Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced
979 This profile defines a baseline that aligns with the "Advanced"
981 configuration of the CCN-STIC-610A22 Guide issued by the Na‐
982 tional Cryptological Center of Spain in 2022-10.
983 The CCN-STIC-610A22 guide includes hardening settings for Red
985 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
986 els.
987 CCN Red Hat Enterprise Linux 9 - Basic
990 Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic
992 This profile defines a baseline that aligns with the "Basic"
994 configuration of the CCN-STIC-610A22 Guide issued by the Na‐
995 tional Cryptological Center of Spain in 2022-10.
996 The CCN-STIC-610A22 guide includes hardening settings for Red
998 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
999 els.
1000 CCN Red Hat Enterprise Linux 9 - Intermediate
1003 Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermedi‐
1005 ate
1006 This profile defines a baseline that aligns with the "Intermedi‐
1008 ate" configuration of the CCN-STIC-610A22 Guide issued by the
1009 National Cryptological Center of Spain in 2022-10.
1010 The CCN-STIC-610A22 guide includes hardening settings for Red
1012 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
1013 els.
1014 CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
1017 Profile ID: xccdf_org.ssgproject.content_profile_cis
1019 This profile defines a baseline that aligns to the "Level 2 -
1021 Server" configuration from the Center for Internet Security® Red
1022 Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
1023 This profile includes Center for Internet Security® Red Hat En‐
1025 terprise Linux 9 CIS Benchmarks™ content.
1026 CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
1029 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1031 This profile defines a baseline that aligns to the "Level 1 -
1033 Server" configuration from the Center for Internet Security® Red
1034 Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
1035 This profile includes Center for Internet Security® Red Hat En‐
1037 terprise Linux 9 CIS Benchmarks™ content.
1038 CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
1041 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1043 tion_l1
1044 This profile defines a baseline that aligns to the "Level 1 -
1046 Workstation" configuration from the Center for Internet Secu‐
1047 rity® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released
1048 2022-11-28.
1049 This profile includes Center for Internet Security® Red Hat En‐
1051 terprise Linux 9 CIS Benchmarks™ content.
1052 CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
1055 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1057 tion_l2
1058 This profile defines a baseline that aligns to the "Level 2 -
1060 Workstation" configuration from the Center for Internet Secu‐
1061 rity® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released
1062 2022-11-28.
1063 This profile includes Center for Internet Security® Red Hat En‐
1065 terprise Linux 9 CIS Benchmarks™ content.
1066 DRAFT - Unclassified Information in Non-federal Information Systems and
1069 Organizations (NIST 800-171)
1070 Profile ID: xccdf_org.ssgproject.content_profile_cui
1072 From NIST 800-171, Section 2.2: Security requirements for pro‐
1074 tecting the confidentiality of CUI in nonfederal information
1075 systems and organizations have a well-defined structure that
1076 consists of:
1077 (i) a basic security requirements section; (ii) a derived secu‐
1079 rity requirements section.
1080 The basic security requirements are obtained from FIPS Publica‐
1082 tion 200, which provides the high-level and fundamental security
1083 requirements for federal information and information systems.
1084 The derived security requirements, which supplement the basic
1085 security requirements, are taken from the security controls in
1086 NIST Special Publication 800-53.
1087 This profile configures Red Hat Enterprise Linux 9 to the NIST
1089 Special Publication 800-53 controls identified for securing Con‐
1090 trolled Unclassified Information (CUI)."
1091 Australian Cyber Security Centre (ACSC) Essential Eight
1094 Profile ID: xccdf_org.ssgproject.content_profile_e8
1096 This profile contains configuration checks for Red Hat Enter‐
1098 prise Linux 9 that align to the Australian Cyber Security Centre
1099 (ACSC) Essential Eight.
1100 A copy of the Essential Eight in Linux Environments guide can be
1102 found at the ACSC website:
1103 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1105 tions/hardening-linux-workstations-and-servers
1106 Health Insurance Portability and Accountability Act (HIPAA)
1109 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1111 The HIPAA Security Rule establishes U.S. national standards to
1113 protect individuals’ electronic personal health information that
1114 is created, received, used, or maintained by a covered entity.
1115 The Security Rule requires appropriate administrative, physical
1116 and technical safeguards to ensure the confidentiality, integ‐
1117 rity, and security of electronic protected health information.
1118 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
1120 Security Rule identified for securing of electronic protected
1121 health information. Use of this profile in no way guarantees or
1122 makes claims against legal compliance against the HIPAA Security
1123 Rule(s).
1124 Australian Cyber Security Centre (ACSC) ISM Official
1127 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
1129 This profile contains configuration checks for Red Hat Enter‐
1131 prise Linux 9 that align to the Australian Cyber Security Centre
1132 (ACSC) Information Security Manual (ISM) with the applicability
1133 marking of OFFICIAL.
1134 The ISM uses a risk-based approach to cyber security. This pro‐
1136 file provides a guide to aligning Red Hat Enterprise Linux secu‐
1137 rity controls with the ISM, which can be used to select controls
1138 specific to an organisation's security posture and risk profile.
1139 A copy of the ISM can be found at the ACSC website:
1141 https://www.cyber.gov.au/ism
1143 Protection Profile for General Purpose Operating Systems
1146 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1148 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
1150 ria Guidance documentation for Target of Evaluation based on
1151 Protection Profile for General Purpose Operating Systems (OSPP)
1152 version 4.3 and Functional Package for SSH version 1.0.
1153 Where appropriate, CNSSI 1253 or DoD-specific values are used
1155 for configuration, based on Configuration Annex to the OSPP.
1156 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
1159 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1161 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1163 plied.
1164 DRAFT - DISA STIG for Red Hat Enterprise Linux 9
1167 Profile ID: xccdf_org.ssgproject.content_profile_stig
1169 This is a draft profile based on its RHEL8 version for experi‐
1171 mental purposes. It is not based on the DISA STIG for RHEL9,
1172 because this one was not available at time of the release.
1173 In addition to being applicable to Red Hat Enterprise Linux 9,
1175 DISA recognizes this configuration baseline as applicable to the
1176 operating system tier of Red Hat technologies that are based on
1177 Red Hat Enterprise Linux 9, such as:
1178 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1180 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1181 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1182 9 image
1183 DRAFT - DISA STIG with GUI for Red Hat Enterprise Linux 9
1186 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1188 This is a draft profile based on its RHEL8 version for experi‐
1190 mental purposes. It is not based on the DISA STIG for RHEL9,
1191 because this one was not available at time of the release.
1192 In addition to being applicable to Red Hat Enterprise Linux 9,
1194 DISA recognizes this configuration baseline as applicable to the
1195 operating system tier of Red Hat technologies that are based on
1196 Red Hat Enterprise Linux 9, such as:
1197 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1199 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1200 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1201 9 image
1202 Warning: The installation and use of a Graphical User Interface
1204 (GUI) increases your attack vector and decreases your overall
1205 security posture. If your Information Systems Security Officer
1206 (ISSO) lacks a documented operational requirement for a graphi‐
1207 cal user interface, please consider using the standard DISA STIG
1208 for Red Hat Enterprise Linux 9 profile.
1209
1215 Source data stream: ssg-debian10-ds.xml
1216 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
1218 files', groupings of security settings that correlate to a known pol‐
1219 icy. Available profiles are:
1220 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1224 Profile ID: xccdf_org.ssgproject.content_pro‐
1226 file_anssi_np_nt28_average
1227 This profile contains items for GNU/Linux installations already
1229 protected by multiple higher level security stacks.
1230 Profile for ANSSI DAT-NT28 High (Enforced) Level
1233 Profile ID: xccdf_org.ssgproject.content_pro‐
1235 file_anssi_np_nt28_high
1236 This profile contains items for GNU/Linux installations storing
1238 sensitive information that can be accessible from unauthenti‐
1239 cated or uncontroled networks.
1240 Profile for ANSSI DAT-NT28 Minimal Level
1243 Profile ID: xccdf_org.ssgproject.content_pro‐
1245 file_anssi_np_nt28_minimal
1246 This profile contains items to be applied systematically.
1248 Profile for ANSSI DAT-NT28 Restrictive Level
1251 Profile ID: xccdf_org.ssgproject.content_pro‐
1253 file_anssi_np_nt28_restrictive
1254 This profile contains items for GNU/Linux installations exposed
1256 to unauthenticated flows or multiple sources.
1257 Standard System Security Profile for Debian 10
1260 Profile ID: xccdf_org.ssgproject.content_profile_standard
1262 This profile contains rules to ensure standard security baseline
1264 of a Debian 10 system. Regardless of your system's workload all
1265 of these checks should pass.
1266
1272 Source data stream: ssg-debian11-ds.xml
1273 The Guide to the Secure Configuration of Debian 11 is broken into 'pro‐
1275 files', groupings of security settings that correlate to a known pol‐
1276 icy. Available profiles are:
1277 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1281 Profile ID: xccdf_org.ssgproject.content_pro‐
1283 file_anssi_np_nt28_average
1284 This profile contains items for GNU/Linux installations already
1286 protected by multiple higher level security stacks.
1287 Profile for ANSSI DAT-NT28 High (Enforced) Level
1290 Profile ID: xccdf_org.ssgproject.content_pro‐
1292 file_anssi_np_nt28_high
1293 This profile contains items for GNU/Linux installations storing
1295 sensitive information that can be accessible from unauthenti‐
1296 cated or uncontroled networks.
1297 Profile for ANSSI DAT-NT28 Minimal Level
1300 Profile ID: xccdf_org.ssgproject.content_pro‐
1302 file_anssi_np_nt28_minimal
1303 This profile contains items to be applied systematically.
1305 Profile for ANSSI DAT-NT28 Restrictive Level
1308 Profile ID: xccdf_org.ssgproject.content_pro‐
1310 file_anssi_np_nt28_restrictive
1311 This profile contains items for GNU/Linux installations exposed
1313 to unauthenticated flows or multiple sources.
1314 Standard System Security Profile for Debian 11
1317 Profile ID: xccdf_org.ssgproject.content_profile_standard
1319 This profile contains rules to ensure standard security baseline
1321 of a Debian 11 system. Regardless of your system's workload all
1322 of these checks should pass.
1323
1329 Service
1330 Source data stream: ssg-eks-ds.xml
1331 The Guide to the Secure Configuration of Amazon Elastic Kubernetes Ser‐
1333 vice is broken into 'profiles', groupings of security settings that
1334 correlate to a known policy. Available profiles are:
1335 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node
1339 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
1341 This profile defines a baseline that aligns to the Center for
1343 Internet Security® Amazon Elastic Kubernetes Service (EKS)
1344 Benchmark™, V1.0.1.
1345 This profile includes Center for Internet Security® Amazon Elas‐
1347 tic Kubernetes Service (EKS)™ content.
1348 This profile is applicable to EKS 1.21 and greater.
1350 CIS Amazon Elastic Kubernetes Service Benchmark - Platform
1353 Profile ID: xccdf_org.ssgproject.content_profile_cis
1355 This profile defines a baseline that aligns to the Center for
1357 Internet Security® Amazon Elastic Kubernetes Service (EKS)
1358 Benchmark™, V1.0.1.
1359 This profile includes Center for Internet Security® Amazon Elas‐
1361 tic Kubernetes Service (EKS)™ content.
1362 This profile is applicable to EKS 1.21 and greater.
1364
1370 Source data stream: ssg-fedora-ds.xml
1371 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
1373 files', groupings of security settings that correlate to a known pol‐
1374 icy. Available profiles are:
1375 CUSP - Common User Security Profile for Fedora Workstation
1379 Profile ID: xccdf_org.ssgproject.content_profile_cusp_fedora
1381 This profile contains rules to harden Fedora Linux according to
1383 the Common User Security Guide for Fedora Workstation.
1384 OSPP - Protection Profile for General Purpose Operating Systems
1387 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1389 This profile reflects mandatory configuration controls identi‐
1391 fied in the NIAP Configuration Annex to the Protection Profile
1392 for General Purpose Operating Systems (Protection Profile Ver‐
1393 sion 4.2).
1394 As Fedora OS is moving target, this profile does not guarantee
1396 to provide security levels required from US National Security
1397 Systems. Main goal of the profile is to provide Fedora develop‐
1398 ers with hardened environment similar to the one mandated by US
1399 National Security Systems.
1400 PCI-DSS v3.2.1 Control Baseline for Fedora
1403 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1405 Ensures PCI-DSS v3.2.1 related security configuration settings
1407 are applied.
1408 Standard System Security Profile for Fedora
1411 Profile ID: xccdf_org.ssgproject.content_profile_standard
1413 This profile contains rules to ensure standard security baseline
1415 of a Fedora system. Regardless of your system's workload all of
1416 these checks should pass.
1417
1423 Source data stream: ssg-firefox-ds.xml
1424 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
1426 files', groupings of security settings that correlate to a known pol‐
1427 icy. Available profiles are:
1428 CUSP - Common User Security Profile for Mozilla Firefox
1432 Profile ID: xccdf_org.ssgproject.content_profile_cusp_firefox
1434 This profile contains rules to harden Mozilla Firefox according
1436 to rule 6.1 in the Common User Security Guide for Fedora Work‐
1437 station.
1438 Mozilla Firefox STIG
1441 Profile ID: xccdf_org.ssgproject.content_profile_stig
1443 This profile is developed under the DoD consensus model and DISA
1445 FSO Vendor STIG process, serving as the upstream development en‐
1446 vironment for the Firefox STIG.
1447 As a result of the upstream/downstream relationship between the
1449 SCAP Security Guide project and the official DISA FSO STIG base‐
1450 line, users should expect variance between SSG and DISA FSO con‐
1451 tent. For official DISA FSO STIG content, refer to https://pub‐
1452 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
1453 rity%2Cbrowser-guidance.
1454 While this profile is packaged by Red Hat as part of the SCAP
1456 Security Guide package, please note that commercial support of
1457 this SCAP content is NOT available. This profile is provided as
1458 example SCAP content with no endorsement for suitability or pro‐
1459 duction readiness. Support for this profile is provided by the
1460 upstream SCAP Security Guide community on a best-effort basis.
1461 The upstream project homepage is https://www.open-scap.org/secu‐
1462 rity-policies/scap-security-guide/.
1463
1469 Source data stream: ssg-macos1015-ds.xml
1470 The Guide to the Secure Configuration of Apple macOS 10.15 is broken
1472 into 'profiles', groupings of security settings that correlate to a
1473 known policy. Available profiles are:
1474 NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
1478 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1480 This compliance profile reflects the core set of Moderate-Impact
1482 Baseline configuration settings for deployment of Apple macOS
1483 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
1484 agencies. Development partners and sponsors include the U.S.
1485 National Institute of Standards and Technology (NIST), U.S. De‐
1486 partment of Defense, and the the National Security Agency.
1487 This baseline implements configuration requirements from the
1489 following sources:
1490 - NIST 800-53 control selections for Moderate-Impact systems
1492 (NIST 800-53)
1493 For any differing configuration requirements, e.g. password
1495 lengths, the stricter security setting was chosen. Security Re‐
1496 quirement Traceability Guides (RTMs) and sample System Security
1497 Configuration Guides are provided via the scap-security-guide-
1498 docs package.
1499 This profile reflects U.S. Government consensus content and is
1501 developed through the ComplianceAsCode initiative, championed by
1502 the National Security Agency. Except for differences in format‐
1503 ting to accommodate publishing processes, this profile mirrors
1504 ComplianceAsCode content as minor divergences, such as bugfixes,
1505 work through the consensus and release processes.
1506
1512 Platform 4
1513 Source data stream: ssg-ocp4-ds.xml
1514 The Guide to the Secure Configuration of Red Hat OpenShift Container
1516 Platform 4 is broken into 'profiles', groupings of security settings
1517 that correlate to a known policy. Available profiles are:
1518 CIS Red Hat OpenShift Container Platform 4 Benchmark
1522 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
1524 This profile defines a baseline that aligns to the Center for
1526 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
1527 mark™, V1.4.
1528 This profile includes Center for Internet Security® Red Hat
1530 OpenShift Container Platform 4 CIS Benchmarks™ content.
1531 Note that this part of the profile is meant to run on the Oper‐
1533 ating System that Red Hat OpenShift Container Platform 4 runs on
1534 top of.
1535 This profile is applicable to OpenShift versions 4.10 and
1537 greater.
1538 CIS Red Hat OpenShift Container Platform 4 Benchmark
1541 Profile ID: xccdf_org.ssgproject.content_profile_cis
1543 This profile defines a baseline that aligns to the Center for
1545 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
1546 mark™, V1.4.
1547 This profile includes Center for Internet Security® Red Hat
1549 OpenShift Container Platform 4 CIS Benchmarks™ content.
1550 Note that this part of the profile is meant to run on the Plat‐
1552 form that Red Hat OpenShift Container Platform 4 runs on top of.
1553 This profile is applicable to OpenShift versions 4.10 and
1555 greater.
1556 Australian Cyber Security Centre (ACSC) Essential Eight
1559 Profile ID: xccdf_org.ssgproject.content_profile_e8
1561 This profile contains configuration checks for Red Hat OpenShift
1563 Container Platform that align to the Australian Cyber Security
1564 Centre (ACSC) Essential Eight.
1565 A copy of the Essential Eight in Linux Environments guide can be
1567 found at the ACSC website:
1568 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1570 tions/hardening-linux-workstations-and-servers
1571 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
1574 Profile ID: xccdf_org.ssgproject.content_profile_high-node
1576 This compliance profile reflects the core set of High-Impact
1578 Baseline configuration settings for deployment of Red Hat Open‐
1579 Shift Container Platform into U.S. Defense, Intelligence, and
1580 Civilian agencies. Development partners and sponsors include
1581 the U.S. National Institute of Standards and Technology (NIST),
1582 U.S. Department of Defense, the National Security Agency, and
1583 Red Hat.
1584 This baseline implements configuration requirements from the
1586 following sources:
1587 - NIST 800-53 control selections for High-Impact systems (NIST
1589 800-53)
1590 For any differing configuration requirements, e.g. password
1592 lengths, the stricter security setting was chosen. Security Re‐
1593 quirement Traceability Guides (RTMs) and sample System Security
1594 Configuration Guides are provided via the scap-security-guide-
1595 docs package.
1596 This profile reflects U.S. Government consensus content and is
1598 developed through the ComplianceAsCode initiative, championed by
1599 the National Security Agency. Except for differences in format‐
1600 ting to accommodate publishing processes, this profile mirrors
1601 ComplianceAsCode content as minor divergences, such as bugfixes,
1602 work through the consensus and release processes.
1603 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
1606 Profile ID: xccdf_org.ssgproject.content_profile_high
1608 This compliance profile reflects the core set of High-Impact
1610 Baseline configuration settings for deployment of Red Hat Open‐
1611 Shift Container Platform into U.S. Defense, Intelligence, and
1612 Civilian agencies. Development partners and sponsors include
1613 the U.S. National Institute of Standards and Technology (NIST),
1614 U.S. Department of Defense, the National Security Agency, and
1615 Red Hat.
1616 This baseline implements configuration requirements from the
1618 following sources:
1619 - NIST 800-53 control selections for High-Impact systems (NIST
1621 800-53)
1622 For any differing configuration requirements, e.g. password
1624 lengths, the stricter security setting was chosen. Security Re‐
1625 quirement Traceability Guides (RTMs) and sample System Security
1626 Configuration Guides are provided via the scap-security-guide-
1627 docs package.
1628 This profile reflects U.S. Government consensus content and is
1630 developed through the ComplianceAsCode initiative, championed by
1631 the National Security Agency. Except for differences in format‐
1632 ting to accommodate publishing processes, this profile mirrors
1633 ComplianceAsCode content as minor divergences, such as bugfixes,
1634 work through the consensus and release processes.
1635 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
1638 Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
1640 This compliance profile reflects the core set of Moderate-Impact
1642 Baseline configuration settings for deployment of Red Hat Open‐
1643 Shift Container Platform into U.S. Defense, Intelligence, and
1644 Civilian agencies. Development partners and sponsors include
1645 the U.S. National Institute of Standards and Technology (NIST),
1646 U.S. Department of Defense, the National Security Agency, and
1647 Red Hat.
1648 This baseline implements configuration requirements from the
1650 following sources:
1651 - NIST 800-53 control selections for Moderate-Impact systems
1653 (NIST 800-53)
1654 For any differing configuration requirements, e.g. password
1656 lengths, the stricter security setting was chosen. Security Re‐
1657 quirement Traceability Guides (RTMs) and sample System Security
1658 Configuration Guides are provided via the scap-security-guide-
1659 docs package.
1660 This profile reflects U.S. Government consensus content and is
1662 developed through the ComplianceAsCode initiative, championed by
1663 the National Security Agency. Except for differences in format‐
1664 ting to accommodate publishing processes, this profile mirrors
1665 ComplianceAsCode content as minor divergences, such as bugfixes,
1666 work through the consensus and release processes.
1667 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
1670 level
1671 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1673 This compliance profile reflects the core set of Moderate-Impact
1675 Baseline configuration settings for deployment of Red Hat Open‐
1676 Shift Container Platform into U.S. Defense, Intelligence, and
1677 Civilian agencies. Development partners and sponsors include
1678 the U.S. National Institute of Standards and Technology (NIST),
1679 U.S. Department of Defense, the National Security Agency, and
1680 Red Hat.
1681 This baseline implements configuration requirements from the
1683 following sources:
1684 - NIST 800-53 control selections for Moderate-Impact systems
1686 (NIST 800-53)
1687 For any differing configuration requirements, e.g. password
1689 lengths, the stricter security setting was chosen. Security Re‐
1690 quirement Traceability Guides (RTMs) and sample System Security
1691 Configuration Guides are provided via the scap-security-guide-
1692 docs package.
1693 This profile reflects U.S. Government consensus content and is
1695 developed through the ComplianceAsCode initiative, championed by
1696 the National Security Agency. Except for differences in format‐
1697 ting to accommodate publishing processes, this profile mirrors
1698 ComplianceAsCode content as minor divergences, such as bugfixes,
1699 work through the consensus and release processes.
1700 North American Electric Reliability Corporation (NERC) Critical Infra‐
1703 structure Protection (CIP) cybersecurity standards profile for the Red
1704 Hat OpenShift Container Platform - Node level
1705 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node
1707 This compliance profile reflects a set of security recommenda‐
1709 tions for the usage of Red Hat OpenShift Container Platform in
1710 critical infrastructure in the energy sector. This follows the
1711 recommendations coming from the following CIP standards:
1712 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1714 CIP-007-6 - CIP-009-6
1715 North American Electric Reliability Corporation (NERC) Critical Infra‐
1718 structure Protection (CIP) cybersecurity standards profile for the Red
1719 Hat OpenShift Container Platform - Platform level
1720 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
1722 This compliance profile reflects a set of security recommenda‐
1724 tions for the usage of Red Hat OpenShift Container Platform in
1725 critical infrastructure in the energy sector. This follows the
1726 recommendations coming from the following CIP standards:
1727 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1729 CIP-007-6 - CIP-009-6
1730 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1733 form 4
1734 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node
1736 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1738 plied.
1739 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1742 form 4
1743 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1745 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1747 plied.
1748 DISA STIG for Red Hat OpenShift Container Platform 4 - Node level
1751 Profile ID: xccdf_org.ssgproject.content_profile_stig-node
1753 This profile contains configuration checks that align to the
1755 DISA STIG for Red Hat OpenShift Container Platform 4.
1756 DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level
1759 Profile ID: xccdf_org.ssgproject.content_profile_stig
1761 This profile contains configuration checks that align to the
1763 DISA STIG for Red Hat OpenShift Container Platform 4.
1764
1770 Source data stream: ssg-ol7-ds.xml
1771 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
1773 'profiles', groupings of security settings that correlate to a known
1774 policy. Available profiles are:
1775 ANSSI-BP-028 (enhanced)
1779 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1781 hanced
1782 This profile contains configurations that align to ANSSI-BP-028
1784 at the enhanced hardening level.
1785 ANSSI is the French National Information Security Agency, and
1787 stands for Agence nationale de la sécurité des systèmes d'infor‐
1788 mation. ANSSI-BP-028 is a configuration recommendation for
1789 GNU/Linux systems.
1790 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1792 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1793 securite-relatives-a-un-systeme-gnulinux/
1794 DRAFT - ANSSI-BP-028 (high)
1797 Profile ID: xccdf_org.ssgproject.content_pro‐
1799 file_anssi_nt28_high
1800 This profile contains configurations that align to ANSSI-BP-028
1802 at the high hardening level.
1803 ANSSI is the French National Information Security Agency, and
1805 stands for Agence nationale de la sécurité des systèmes d'infor‐
1806 mation. ANSSI-BP-028 is a configuration recommendation for
1807 GNU/Linux systems.
1808 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1810 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1811 securite-relatives-a-un-systeme-gnulinux/
1812 ANSSI-BP-028 (intermediary)
1815 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1817 termediary
1818 This profile contains configurations that align to ANSSI-BP-028
1820 at the intermediary hardening level.
1821 ANSSI is the French National Information Security Agency, and
1823 stands for Agence nationale de la sécurité des systèmes d'infor‐
1824 mation. ANSSI-BP-028 is a configuration recommendation for
1825 GNU/Linux systems.
1826 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1828 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1829 securite-relatives-a-un-systeme-gnulinux/
1830 ANSSI-BP-028 (minimal)
1833 Profile ID: xccdf_org.ssgproject.content_pro‐
1835 file_anssi_nt28_minimal
1836 This profile contains configurations that align to ANSSI-BP-028
1838 at the minimal hardening level.
1839 ANSSI is the French National Information Security Agency, and
1841 stands for Agence nationale de la sécurité des systèmes d'infor‐
1842 mation. ANSSI-BP-028 is a configuration recommendation for
1843 GNU/Linux systems.
1844 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1846 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1847 securite-relatives-a-un-systeme-gnulinux/
1848 Criminal Justice Information Services (CJIS) Security Policy
1851 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1853 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1855 copy of this policy can be found at the CJIS Security Policy Re‐
1856 source Center:
1857 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1859 center
1860 Unclassified Information in Non-federal Information Systems and Organi‐
1863 zations (NIST 800-171)
1864 Profile ID: xccdf_org.ssgproject.content_profile_cui
1866 From NIST 800-171, Section 2.2: Security requirements for pro‐
1868 tecting the confidentiality of CUI in non-federal information
1869 systems and organizations have a well-defined structure that
1870 consists of:
1871 (i) a basic security requirements section; (ii) a derived secu‐
1873 rity requirements section.
1874 The basic security requirements are obtained from FIPS Publica‐
1876 tion 200, which provides the high-level and fundamental security
1877 requirements for federal information and information systems.
1878 The derived security requirements, which supplement the basic
1879 security requirements, are taken from the security controls in
1880 NIST Special Publication 800-53.
1881 This profile configures Oracle Linux 7 to the NIST Special Pub‐
1883 lication 800-53 controls identified for securing Controlled Un‐
1884 classified Information (CUI).
1885 DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
1888 Profile ID: xccdf_org.ssgproject.content_profile_e8
1890 This profile contains configuration checks for Oracle Linux 7
1892 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1893 tial Eight.
1894 A copy of the Essential Eight in Linux Environments guide can be
1896 found at the ACSC website:
1897 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1899 tions/hardening-linux-workstations-and-servers
1900 Health Insurance Portability and Accountability Act (HIPAA)
1903 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1905 The HIPAA Security Rule establishes U.S. national standards to
1907 protect individuals’ electronic personal health information that
1908 is created, received, used, or maintained by a covered entity.
1909 The Security Rule requires appropriate administrative, physical
1910 and technical safeguards to ensure the confidentiality, integ‐
1911 rity, and security of electronic protected health information.
1912 This profile configures Oracle Linux 7 to the HIPAA Security
1914 Rule identified for securing of electronic protected health in‐
1915 formation. Use of this profile in no way guarantees or makes
1916 claims against legal compliance against the HIPAA Security
1917 Rule(s).
1918 NIST National Checklist Program Security Guide
1921 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1923 This compliance profile reflects the core set of security re‐
1925 lated configuration settings for deployment of Oracle Linux 7
1926 into U.S. Defense, Intelligence, and Civilian agencies. Devel‐
1927 opment partners and sponsors include the U.S. National Institute
1928 of Standards and Technology (NIST), U.S. Department of Defense,
1929 the National Security Agency, and Red Hat.
1930 This baseline implements configuration requirements from the
1932 following sources:
1933 - Committee on National Security Systems Instruction No. 1253
1935 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1936 800-171) - NIST 800-53 control selections for MODERATE impact
1937 systems (NIST 800-53) - U.S. Government Configuration Baseline
1938 (USGCB) - NIAP Protection Profile for General Purpose Operating
1939 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1940 Requirements Guide (OS SRG)
1941 For any differing configuration requirements, e.g. password
1943 lengths, the stricter security setting was chosen. Security Re‐
1944 quirement Traceability Guides (RTMs) and sample System Security
1945 Configuration Guides are provided via the scap-security-guide-
1946 docs package.
1947 This profile reflects U.S. Government consensus content and is
1949 developed through the OpenSCAP/SCAP Security Guide initiative,
1950 championed by the National Security Agency. Except for differ‐
1951 ences in formatting to accommodate publishing processes, this
1952 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1953 divergences, such as bugfixes, work through the consensus and
1954 release processes.
1955 DRAFT - Protection Profile for General Purpose Operating Systems
1958 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1960 This profile reflects mandatory configuration controls identi‐
1962 fied in the NIAP Configuration Annex to the Protection Profile
1963 for General Purpose Operating Systems (Protection Profile Ver‐
1964 sion 4.2.1).
1965 This configuration profile is consistent with CNSSI-1253, which
1967 requires U.S. National Security Systems to adhere to certain
1968 configuration parameters. Accordingly, this configuration pro‐
1969 file is suitable for use in U.S. National Security Systems.
1970 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
1973 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1975 Ensures PCI-DSS v3.2.1 related security configuration settings
1977 are applied.
1978 Security Profile of Oracle Linux 7 for SAP
1981 Profile ID: xccdf_org.ssgproject.content_profile_sap
1983 This profile contains rules for Oracle Linux 7 Operating System
1985 in compliance with SAP note 2069760 and SAP Security Baseline
1986 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
1987 of your system's workload all of these checks should pass.
1988 Standard System Security Profile for Oracle Linux 7
1991 Profile ID: xccdf_org.ssgproject.content_profile_standard
1993 This profile contains rules to ensure standard security baseline
1995 of Oracle Linux 7 system. Regardless of your system's workload
1996 all of these checks should pass.
1997 DISA STIG for Oracle Linux 7
2000 Profile ID: xccdf_org.ssgproject.content_profile_stig
2002 This profile contains configuration checks that align to the
2004 DISA STIG for Oracle Linux V2R12.
2005 DISA STIG with GUI for Oracle Linux 7
2008 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2010 This profile contains configuration checks that align to the
2012 DISA STIG with GUI for Oracle Linux V2R12.
2013 Warning: The installation and use of a Graphical User Interface
2015 (GUI) increases your attack vector and decreases your overall
2016 security posture. If your Information Systems Security Officer
2017 (ISSO) lacks a documented operational requirement for a graphi‐
2018 cal user interface, please consider using the standard DISA STIG
2019 for Oracle Linux 7 profile.
2020
2026 Source data stream: ssg-ol8-ds.xml
2027 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
2029 'profiles', groupings of security settings that correlate to a known
2030 policy. Available profiles are:
2031 ANSSI-BP-028 (enhanced)
2035 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2037 hanced
2038 This profile contains configurations that align to ANSSI-BP-028
2040 v2.0 at the enhanced hardening level.
2041 ANSSI is the French National Information Security Agency, and
2043 stands for Agence nationale de la sécurité des systèmes d'infor‐
2044 mation. ANSSI-BP-028 is a configuration recommendation for
2045 GNU/Linux systems.
2046 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2048 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2049 securite-relatives-a-un-systeme-gnulinux/
2050 ANSSI-BP-028 (high)
2053 Profile ID: xccdf_org.ssgproject.content_pro‐
2055 file_anssi_bp28_high
2056 This profile contains configurations that align to ANSSI-BP-028
2058 v2.0 at the high hardening level.
2059 ANSSI is the French National Information Security Agency, and
2061 stands for Agence nationale de la sécurité des systèmes d'infor‐
2062 mation. ANSSI-BP-028 is a configuration recommendation for
2063 GNU/Linux systems.
2064 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2066 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2067 securite-relatives-a-un-systeme-gnulinux/
2068 ANSSI-BP-028 (intermediary)
2071 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2073 termediary
2074 This profile contains configurations that align to ANSSI-BP-028
2076 v2.0 at the intermediary hardening level.
2077 ANSSI is the French National Information Security Agency, and
2079 stands for Agence nationale de la sécurité des systèmes d'infor‐
2080 mation. ANSSI-BP-028 is a configuration recommendation for
2081 GNU/Linux systems.
2082 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2084 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2085 securite-relatives-a-un-systeme-gnulinux/
2086 ANSSI-BP-028 (minimal)
2089 Profile ID: xccdf_org.ssgproject.content_pro‐
2091 file_anssi_bp28_minimal
2092 This profile contains configurations that align to ANSSI-BP-028
2094 v2.0 at the minimal hardening level.
2095 ANSSI is the French National Information Security Agency, and
2097 stands for Agence nationale de la sécurité des systèmes d'infor‐
2098 mation. ANSSI-BP-028 is a configuration recommendation for
2099 GNU/Linux systems.
2100 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2102 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2103 securite-relatives-a-un-systeme-gnulinux/
2104 Criminal Justice Information Services (CJIS) Security Policy
2107 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2109 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2111 copy of this policy can be found at the CJIS Security Policy Re‐
2112 source Center:
2113 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2115 center
2116 Unclassified Information in Non-federal Information Systems and Organi‐
2119 zations (NIST 800-171)
2120 Profile ID: xccdf_org.ssgproject.content_profile_cui
2122 From NIST 800-171, Section 2.2: Security requirements for pro‐
2124 tecting the confidentiality of CUI in non-federal information
2125 systems and organizations have a well-defined structure that
2126 consists of:
2127 (i) a basic security requirements section; (ii) a derived secu‐
2129 rity requirements section.
2130 The basic security requirements are obtained from FIPS Publica‐
2132 tion 200, which provides the high-level and fundamental security
2133 requirements for federal information and information systems.
2134 The derived security requirements, which supplement the basic
2135 security requirements, are taken from the security controls in
2136 NIST Special Publication 800-53.
2137 This profile configures Oracle Linux 8 to the NIST Special Pub‐
2139 lication 800-53 controls identified for securing Controlled Un‐
2140 classified Information (CUI).
2141 DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
2144 Profile ID: xccdf_org.ssgproject.content_profile_e8
2146 This profile contains configuration checks for Oracle Linux 8
2148 that align to the Australian Cyber Security Centre (ACSC) Essen‐
2149 tial Eight.
2150 A copy of the Essential Eight in Linux Environments guide can be
2152 found at the ACSC website:
2153 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2155 tions/hardening-linux-workstations-and-servers
2156 Health Insurance Portability and Accountability Act (HIPAA)
2159 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2161 The HIPAA Security Rule establishes U.S. national standards to
2163 protect individuals’ electronic personal health information that
2164 is created, received, used, or maintained by a covered entity.
2165 The Security Rule requires appropriate administrative, physical
2166 and technical safeguards to ensure the confidentiality, integ‐
2167 rity, and security of electronic protected health information.
2168 This profile configures Oracle Linux 8 to the HIPAA Security
2170 Rule identified for securing of electronic protected health in‐
2171 formation. Use of this profile in no way guarantees or makes
2172 claims against legal compliance against the HIPAA Security
2173 Rule(s).
2174 DRAFT - Protection Profile for General Purpose Operating Systems
2177 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2179 This profile reflects mandatory configuration controls identi‐
2181 fied in the NIAP Configuration Annex to the Protection Profile
2182 for General Purpose Operating Systems (Protection Profile Ver‐
2183 sion 4.2.1).
2184 This configuration profile is consistent with CNSSI-1253, which
2186 requires U.S. National Security Systems to adhere to certain
2187 configuration parameters. Accordingly, this configuration pro‐
2188 file is suitable for use in U.S. National Security Systems.
2189 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
2192 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2194 Ensures PCI-DSS v3.2.1 related security configuration settings
2196 are applied.
2197 Standard System Security Profile for Oracle Linux 8
2200 Profile ID: xccdf_org.ssgproject.content_profile_standard
2202 This profile contains rules to ensure standard security baseline
2204 of Oracle Linux 8 system. Regardless of your system's workload
2205 all of these checks should pass.
2206 DISA STIG for Oracle Linux 8
2209 Profile ID: xccdf_org.ssgproject.content_profile_stig
2211 This profile contains configuration checks that align to the
2213 DISA STIG for Oracle Linux 8 V1R7.
2214 DISA STIG with GUI for Oracle Linux 8
2217 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2219 This profile contains configuration checks that align to the
2221 DISA STIG with GUI for Oracle Linux V1R7.
2222 Warning: The installation and use of a Graphical User Interface
2224 (GUI) increases your attack vector and decreases your overall
2225 security posture. If your Information Systems Security Officer
2226 (ISSO) lacks a documented operational requirement for a graphi‐
2227 cal user interface, please consider using the standard DISA STIG
2228 for Oracle Linux 8 profile.
2229
2235 Source data stream: ssg-ol9-ds.xml
2236 The Guide to the Secure Configuration of Oracle Linux 9 is broken into
2238 'profiles', groupings of security settings that correlate to a known
2239 policy. Available profiles are:
2240 ANSSI-BP-028 (enhanced)
2244 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2246 hanced
2247 This profile contains configurations that align to ANSSI-BP-028
2249 at the enhanced hardening level. ANSSI is the French National
2250 Information Security Agency, and stands for Agence nationale de
2251 la sécurité des systèmes d'information. ANSSI-BP-028 is a con‐
2252 figuration recommendation for GNU/Linux systems.
2253 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2255 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2256 securite-relatives-a-un-systeme-gnulinux/
2257 ANSSI-BP-028 (high)
2260 Profile ID: xccdf_org.ssgproject.content_pro‐
2262 file_anssi_bp28_high
2263 This profile contains configurations that align to ANSSI-BP-028
2265 at the high hardening level. ANSSI is the French National Infor‐
2266 mation Security Agency, and stands for Agence nationale de la
2267 sécurité des systèmes d'information. ANSSI-BP-028 is a configu‐
2268 ration recommendation for GNU/Linux systems.
2269 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2271 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2272 securite-relatives-a-un-systeme-gnulinux/
2273 ANSSI-BP-028 (intermediary)
2276 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2278 termediary
2279 This profile contains configurations that align to ANSSI-BP-028
2281 at the intermediary hardening level. ANSSI is the French Na‐
2282 tional Information Security Agency, and stands for Agence na‐
2283 tionale de la sécurité des systèmes d'information. ANSSI-BP-028
2284 is a configuration recommendation for GNU/Linux systems.
2285 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2287 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2288 securite-relatives-a-un-systeme-gnulinux/
2289 ANSSI-BP-028 (minimal)
2292 Profile ID: xccdf_org.ssgproject.content_pro‐
2294 file_anssi_bp28_minimal
2295 This profile contains configurations that align to ANSSI-BP-028
2297 at the minimal hardening level. ANSSI is the French National In‐
2298 formation Security Agency, and stands for Agence nationale de la
2299 sécurité des systèmes d'information. ANSSI-BP-028 is a configu‐
2300 ration recommendation for GNU/Linux systems.
2301 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2303 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2304 securite-relatives-a-un-systeme-gnulinux/
2305 DRAFT - Unclassified Information in Non-federal Information Systems and
2308 Organizations (NIST 800-171)
2309 Profile ID: xccdf_org.ssgproject.content_profile_cui
2311 From NIST 800-171, Section 2.2: Security requirements for pro‐
2313 tecting the confidentiality of CUI in nonfederal information
2314 systems and organizations have a well-defined structure that
2315 consists of:
2316 (i) a basic security requirements section; (ii) a derived secu‐
2318 rity requirements section.
2319 The basic security requirements are obtained from FIPS Publica‐
2321 tion 200, which provides the high-level and fundamental security
2322 requirements for federal information and information systems.
2323 The derived security requirements, which supplement the basic
2324 security requirements, are taken from the security controls in
2325 NIST Special Publication 800-53.
2326 This profile configures Oracle Linux 9 to the NIST Special Pub‐
2328 lication 800-53 controls identified for securing Controlled Un‐
2329 classified Information (CUI)."
2330 Australian Cyber Security Centre (ACSC) Essential Eight
2333 Profile ID: xccdf_org.ssgproject.content_profile_e8
2335 This profile contains configuration checks for Oracle Linux 9
2337 that align to the Australian Cyber Security Centre (ACSC) Essen‐
2338 tial Eight.
2339 A copy of the Essential Eight in Linux Environments guide can be
2341 found at the ACSC website:
2342 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2344 tions/hardening-linux-workstations-and-servers
2345 Health Insurance Portability and Accountability Act (HIPAA)
2348 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2350 The HIPAA Security Rule establishes U.S. national standards to
2352 protect individuals’ electronic personal health information that
2353 is created, received, used, or maintained by a covered entity.
2354 The Security Rule requires appropriate administrative, physical
2355 and technical safeguards to ensure the confidentiality, integ‐
2356 rity, and security of electronic protected health information.
2357 This profile configures Oracle Linux 9 to the HIPAA Security
2359 Rule identified for securing of electronic protected health in‐
2360 formation. Use of this profile in no way guarantees or makes
2361 claims against legal compliance against the HIPAA Security
2362 Rule(s).
2363 DRAFT - Protection Profile for General Purpose Operating Systems
2366 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2368 This profile is part of Oracle Linux 9 Common Criteria Guidance
2370 documentation for Target of Evaluation based on Protection Pro‐
2371 file for General Purpose Operating Systems (OSPP) version 4.2.1
2372 and Functional Package for SSH version 1.0.
2373 Where appropriate, CNSSI 1253 or DoD-specific values are used
2375 for configuration, based on Configuration Annex to the OSPP.
2376 PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9
2379 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2381 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2383 plied.
2384 Standard System Security Profile for Oracle Linux 9
2387 Profile ID: xccdf_org.ssgproject.content_profile_standard
2389 This profile contains rules to ensure standard security baseline
2391 of Oracle Linux 9 system. Regardless of your system's workload
2392 all of these checks should pass.
2393 DRAFT - DISA STIG for Oracle Linux 9
2396 Profile ID: xccdf_org.ssgproject.content_profile_stig
2398 This is a draft profile based on its OL8 version for experimen‐
2400 tal purposes. It is not based on the DISA STIG for OL9, because
2401 this one was not available at time of the release.
2402 DRAFT - DISA STIG with GUI for Oracle Linux 9
2405 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2407 This is a draft profile based on its OL8 version for experimen‐
2409 tal purposes. It is not based on the DISA STIG for OL9, because
2410 this one was not available at time of the release.
2411 Warning: The installation and use of a Graphical User Interface
2413 (GUI) increases your attack vector and decreases your overall
2414 security posture. If your Information Systems Security Officer
2415 (ISSO) lacks a documented operational requirement for a graphi‐
2416 cal user interface, please consider using the standard DISA STIG
2417 for Oracle Linux 9 profile.
2418
2424 Source data stream: ssg-openembedded-ds.xml
2425 The Guide to the Secure Configuration of OpemEmbedded is broken into
2427 'profiles', groupings of security settings that correlate to a known
2428 policy. Available profiles are:
2429 Sample Security Profile for OpenEmbedded Distros
2433 Profile ID: xccdf_org.ssgproject.content_profile_standard
2435 This profile is an sample for use in documentation and example
2437 content. The selected rules are standard and should pass
2438 quickly on most systems.
2439
2445 Source data stream: ssg-opensuse-ds.xml
2446 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
2448 files', groupings of security settings that correlate to a known pol‐
2449 icy. Available profiles are:
2450 Standard System Security Profile for openSUSE
2454 Profile ID: xccdf_org.ssgproject.content_profile_standard
2456 This profile contains rules to ensure standard security baseline
2458 of an openSUSE system. Regardless of your system's workload all
2459 of these checks should pass.
2460
2466 CoreOS 4
2467 Source data stream: ssg-rhcos4-ds.xml
2468 The Guide to the Secure Configuration of Red Hat Enterprise Linux
2470 CoreOS 4 is broken into 'profiles', groupings of security settings that
2471 correlate to a known policy. Available profiles are:
2472 DRAFT - ANSSI-BP-028 (enhanced)
2476 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2478 hanced
2479 This profile contains configurations that align to ANSSI-BP-028
2481 at the enhanced hardening level.
2482 ANSSI is the French National Information Security Agency, and
2484 stands for Agence nationale de la sécurité des systèmes d'infor‐
2485 mation. ANSSI-BP-028 is a configuration recommendation for
2486 GNU/Linux systems.
2487 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2489 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2490 securite-relatives-a-un-systeme-gnulinux/
2491 DRAFT - ANSSI-BP-028 (high)
2494 Profile ID: xccdf_org.ssgproject.content_pro‐
2496 file_anssi_bp28_high
2497 This profile contains configurations that align to ANSSI-BP-028
2499 at the high hardening level.
2500 ANSSI is the French National Information Security Agency, and
2502 stands for Agence nationale de la sécurité des systèmes d'infor‐
2503 mation. ANSSI-BP-028 is a configuration recommendation for
2504 GNU/Linux systems.
2505 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2507 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2508 securite-relatives-a-un-systeme-gnulinux/
2509 DRAFT - ANSSI-BP-028 (intermediary)
2512 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2514 termediary
2515 This profile contains configurations that align to ANSSI-BP-028
2517 at the intermediary hardening level.
2518 ANSSI is the French National Information Security Agency, and
2520 stands for Agence nationale de la sécurité des systèmes d'infor‐
2521 mation. ANSSI-BP-028 is a configuration recommendation for
2522 GNU/Linux systems.
2523 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2525 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2526 securite-relatives-a-un-systeme-gnulinux/
2527 DRAFT - ANSSI-BP-028 (minimal)
2530 Profile ID: xccdf_org.ssgproject.content_pro‐
2532 file_anssi_bp28_minimal
2533 This profile contains configurations that align to ANSSI-BP-028
2535 at the minimal hardening level.
2536 ANSSI is the French National Information Security Agency, and
2538 stands for Agence nationale de la sécurité des systèmes d'infor‐
2539 mation. ANSSI-BP-028 is a configuration recommendation for
2540 GNU/Linux systems.
2541 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2543 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2544 securite-relatives-a-un-systeme-gnulinux/
2545 Australian Cyber Security Centre (ACSC) Essential Eight
2548 Profile ID: xccdf_org.ssgproject.content_profile_e8
2550 This profile contains configuration checks for Red Hat Enter‐
2552 prise Linux CoreOS that align to the Australian Cyber Security
2553 Centre (ACSC) Essential Eight.
2554 A copy of the Essential Eight in Linux Environments guide can be
2556 found at the ACSC website:
2557 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2559 tions/hardening-linux-workstations-and-servers
2560 NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
2563 Profile ID: xccdf_org.ssgproject.content_profile_high
2565 This compliance profile reflects the core set of High-Impact
2567 Baseline configuration settings for deployment of Red Hat Enter‐
2568 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
2569 agencies. Development partners and sponsors include the U.S.
2570 National Institute of Standards and Technology (NIST), U.S. De‐
2571 partment of Defense, the National Security Agency, and Red Hat.
2572 This baseline implements configuration requirements from the
2574 following sources:
2575 - NIST 800-53 control selections for High-Impact systems (NIST
2577 800-53)
2578 For any differing configuration requirements, e.g. password
2580 lengths, the stricter security setting was chosen. Security Re‐
2581 quirement Traceability Guides (RTMs) and sample System Security
2582 Configuration Guides are provided via the scap-security-guide-
2583 docs package.
2584 This profile reflects U.S. Government consensus content and is
2586 developed through the ComplianceAsCode initiative, championed by
2587 the National Security Agency. Except for differences in format‐
2588 ting to accommodate publishing processes, this profile mirrors
2589 ComplianceAsCode content as minor divergences, such as bugfixes,
2590 work through the consensus and release processes.
2591 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
2594 CoreOS
2595 Profile ID: xccdf_org.ssgproject.content_profile_moderate
2597 This compliance profile reflects the core set of Moderate-Impact
2599 Baseline configuration settings for deployment of Red Hat Enter‐
2600 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
2601 agencies. Development partners and sponsors include the U.S.
2602 National Institute of Standards and Technology (NIST), U.S. De‐
2603 partment of Defense, the National Security Agency, and Red Hat.
2604 This baseline implements configuration requirements from the
2606 following sources:
2607 - NIST 800-53 control selections for Moderate-Impact systems
2609 (NIST 800-53)
2610 For any differing configuration requirements, e.g. password
2612 lengths, the stricter security setting was chosen. Security Re‐
2613 quirement Traceability Guides (RTMs) and sample System Security
2614 Configuration Guides are provided via the scap-security-guide-
2615 docs package.
2616 This profile reflects U.S. Government consensus content and is
2618 developed through the ComplianceAsCode initiative, championed by
2619 the National Security Agency. Except for differences in format‐
2620 ting to accommodate publishing processes, this profile mirrors
2621 ComplianceAsCode content as minor divergences, such as bugfixes,
2622 work through the consensus and release processes.
2623 North American Electric Reliability Corporation (NERC) Critical Infra‐
2626 structure Protection (CIP) cybersecurity standards profile for Red Hat
2627 Enterprise Linux CoreOS
2628 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
2630 This compliance profile reflects a set of security recommenda‐
2632 tions for the usage of Red Hat Enterprise Linux CoreOS in criti‐
2633 cal infrastructure in the energy sector. This follows the recom‐
2634 mendations coming from the following CIP standards:
2635 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
2637 CIP-007-6 - CIP-009-6
2638 DISA STIG for Red Hat Enterprise Linux CoreOS
2641 Profile ID: xccdf_org.ssgproject.content_profile_stig
2643 This profile contains configuration checks that align to the
2645 DISA STIG for Red Hat Enterprise Linux CoreOS 4.
2646
2652 Source data stream: ssg-rhel7-ds.xml
2653 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
2655 broken into 'profiles', groupings of security settings that correlate
2656 to a known policy. Available profiles are:
2657 C2S for Red Hat Enterprise Linux 7
2661 Profile ID: xccdf_org.ssgproject.content_profile_C2S
2663 This profile demonstrates compliance against the U.S. Government
2665 Commercial Cloud Services (C2S) baseline.
2666 This baseline was inspired by the Center for Internet Security
2668 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
2669 For the SCAP Security Guide project to remain in compliance with
2671 CIS' terms and conditions, specifically Restrictions(8), note
2672 there is no representation or claim that the C2S profile will
2673 ensure a system is in compliance or consistency with the CIS
2674 baseline.
2675 ANSSI-BP-028 (enhanced)
2678 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
2680 hanced
2681 This profile contains configurations that align to ANSSI-BP-028
2683 v2.0 at the enhanced hardening level.
2684 ANSSI is the French National Information Security Agency, and
2686 stands for Agence nationale de la sécurité des systèmes d'infor‐
2687 mation. ANSSI-BP-028 is a configuration recommendation for
2688 GNU/Linux systems.
2689 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2691 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2692 securite-relatives-a-un-systeme-gnulinux/
2693 ANSSI-BP-028 (high)
2696 Profile ID: xccdf_org.ssgproject.content_pro‐
2698 file_anssi_nt28_high
2699 This profile contains configurations that align to ANSSI-BP-028
2701 v2.0 at the high hardening level.
2702 ANSSI is the French National Information Security Agency, and
2704 stands for Agence nationale de la sécurité des systèmes d'infor‐
2705 mation. ANSSI-BP-028 is a configuration recommendation for
2706 GNU/Linux systems.
2707 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2709 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2710 securite-relatives-a-un-systeme-gnulinux/
2711 ANSSI-BP-028 (intermediary)
2714 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
2716 termediary
2717 This profile contains configurations that align to ANSSI-BP-028
2719 v2.0 at the intermediary hardening level.
2720 ANSSI is the French National Information Security Agency, and
2722 stands for Agence nationale de la sécurité des systèmes d'infor‐
2723 mation. ANSSI-BP-028 is a configuration recommendation for
2724 GNU/Linux systems.
2725 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2727 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2728 securite-relatives-a-un-systeme-gnulinux/
2729 ANSSI-BP-028 (minimal)
2732 Profile ID: xccdf_org.ssgproject.content_pro‐
2734 file_anssi_nt28_minimal
2735 This profile contains configurations that align to ANSSI-BP-028
2737 v2.0 at the minimal hardening level.
2738 ANSSI is the French National Information Security Agency, and
2740 stands for Agence nationale de la sécurité des systèmes d'infor‐
2741 mation. ANSSI-BP-028 is a configuration recommendation for
2742 GNU/Linux systems.
2743 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2745 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2746 securite-relatives-a-un-systeme-gnulinux/
2747 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
2750 Profile ID: xccdf_org.ssgproject.content_profile_cis
2752 This profile defines a baseline that aligns to the "Level 2 -
2754 Server" configuration from the Center for Internet Security® Red
2755 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
2756 This profile includes Center for Internet Security® Red Hat En‐
2758 terprise Linux 7 CIS Benchmarks™ content.
2759 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
2762 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2764 This profile defines a baseline that aligns to the "Level 1 -
2766 Server" configuration from the Center for Internet Security® Red
2767 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
2768 This profile includes Center for Internet Security® Red Hat En‐
2770 terprise Linux 7 CIS Benchmarks™ content.
2771 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
2774 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2776 tion_l1
2777 This profile defines a baseline that aligns to the "Level 1 -
2779 Workstation" configuration from the Center for Internet Secu‐
2780 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
2781 05-21-2021.
2782 This profile includes Center for Internet Security® Red Hat En‐
2784 terprise Linux 7 CIS Benchmarks™ content.
2785 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
2788 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2790 tion_l2
2791 This profile defines a baseline that aligns to the "Level 2 -
2793 Workstation" configuration from the Center for Internet Secu‐
2794 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
2795 05-21-2021.
2796 This profile includes Center for Internet Security® Red Hat En‐
2798 terprise Linux 7 CIS Benchmarks™ content.
2799 Criminal Justice Information Services (CJIS) Security Policy
2802 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2804 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2806 copy of this policy can be found at the CJIS Security Policy Re‐
2807 source Center:
2808 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2810 center
2811 Unclassified Information in Non-federal Information Systems and Organi‐
2814 zations (NIST 800-171)
2815 Profile ID: xccdf_org.ssgproject.content_profile_cui
2817 From NIST 800-171, Section 2.2: Security requirements for pro‐
2819 tecting the confidentiality of CUI in non-federal information
2820 systems and organizations have a well-defined structure that
2821 consists of:
2822 (i) a basic security requirements section; (ii) a derived secu‐
2824 rity requirements section.
2825 The basic security requirements are obtained from FIPS Publica‐
2827 tion 200, which provides the high-level and fundamental security
2828 requirements for federal information and information systems.
2829 The derived security requirements, which supplement the basic
2830 security requirements, are taken from the security controls in
2831 NIST Special Publication 800-53.
2832 This profile configures Red Hat Enterprise Linux 7 to the NIST
2834 Special Publication 800-53 controls identified for securing Con‐
2835 trolled Unclassified Information (CUI).
2836 Australian Cyber Security Centre (ACSC) Essential Eight
2839 Profile ID: xccdf_org.ssgproject.content_profile_e8
2841 This profile contains configuration checks for Red Hat Enter‐
2843 prise Linux 7 that align to the Australian Cyber Security Centre
2844 (ACSC) Essential Eight.
2845 A copy of the Essential Eight in Linux Environments guide can be
2847 found at the ACSC website:
2848 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2850 tions/hardening-linux-workstations-and-servers
2851 Health Insurance Portability and Accountability Act (HIPAA)
2854 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2856 The HIPAA Security Rule establishes U.S. national standards to
2858 protect individuals’ electronic personal health information that
2859 is created, received, used, or maintained by a covered entity.
2860 The Security Rule requires appropriate administrative, physical
2861 and technical safeguards to ensure the confidentiality, integ‐
2862 rity, and security of electronic protected health information.
2863 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
2865 Security Rule identified for securing of electronic protected
2866 health information. Use of this profile in no way guarantees or
2867 makes claims against legal compliance against the HIPAA Security
2868 Rule(s).
2869 NIST National Checklist Program Security Guide
2872 Profile ID: xccdf_org.ssgproject.content_profile_ncp
2874 This compliance profile reflects the core set of security re‐
2876 lated configuration settings for deployment of Red Hat Enter‐
2877 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
2878 agencies. Development partners and sponsors include the U.S.
2879 National Institute of Standards and Technology (NIST), U.S. De‐
2880 partment of Defense, the National Security Agency, and Red Hat.
2881 This baseline implements configuration requirements from the
2883 following sources:
2884 - Committee on National Security Systems Instruction No. 1253
2886 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
2887 800-171) - NIST 800-53 control selections for MODERATE impact
2888 systems (NIST 800-53) - U.S. Government Configuration Baseline
2889 (USGCB) - NIAP Protection Profile for General Purpose Operating
2890 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
2891 Requirements Guide (OS SRG)
2892 For any differing configuration requirements, e.g. password
2894 lengths, the stricter security setting was chosen. Security Re‐
2895 quirement Traceability Guides (RTMs) and sample System Security
2896 Configuration Guides are provided via the scap-security-guide-
2897 docs package.
2898 This profile reflects U.S. Government consensus content and is
2900 developed through the OpenSCAP/SCAP Security Guide initiative,
2901 championed by the National Security Agency. Except for differ‐
2902 ences in formatting to accommodate publishing processes, this
2903 profile mirrors OpenSCAP/SCAP Security Guide content as minor
2904 divergences, such as bugfixes, work through the consensus and
2905 release processes.
2906 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
2909 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2911 This profile reflects mandatory configuration controls identi‐
2913 fied in the NIAP Configuration Annex to the Protection Profile
2914 for General Purpose Operating Systems (Protection Profile Ver‐
2915 sion 4.2.1).
2916 This configuration profile is consistent with CNSSI-1253, which
2918 requires U.S. National Security Systems to adhere to certain
2919 configuration parameters. Accordingly, this configuration pro‐
2920 file is suitable for use in U.S. National Security Systems.
2921 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2924 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2926 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2928 plied.
2929 RHV hardening based on STIG for Red Hat Enterprise Linux 7
2932 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
2934 This profile contains configuration checks for Red Hat Virtual‐
2936 ization based on the the DISA STIG for Red Hat Enterprise Linux
2937 7.
2938 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2941 ization
2942 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
2944 This compliance profile reflects the core set of security re‐
2946 lated configuration settings for deployment of Red Hat Enter‐
2947 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
2948 gence, and Civilian agencies. Development partners and sponsors
2949 include the U.S. National Institute of Standards and Technology
2950 (NIST), U.S. Department of Defense, the National Security
2951 Agency, and Red Hat.
2952 This baseline implements configuration requirements from the
2954 following sources:
2955 - Committee on National Security Systems Instruction No. 1253
2957 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2958 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2959 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2960 (VPP v1.0)
2961 For any differing configuration requirements, e.g. password
2963 lengths, the stricter security setting was chosen. Security Re‐
2964 quirement Traceability Guides (RTMs) and sample System Security
2965 Configuration Guides are provided via the scap-security-guide-
2966 docs package.
2967 This profile reflects U.S. Government consensus content and is
2969 developed through the ComplianceAsCode project, championed by
2970 the National Security Agency. Except for differences in format‐
2971 ting to accommodate publishing processes, this profile mirrors
2972 ComplianceAsCode content as minor divergences, such as bugfixes,
2973 work through the consensus and release processes.
2974 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
2977 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2979 This profile contains the minimum security relevant configura‐
2981 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2982 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
2983 Standard System Security Profile for Red Hat Enterprise Linux 7
2986 Profile ID: xccdf_org.ssgproject.content_profile_standard
2988 This profile contains rules to ensure standard security baseline
2990 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2991 tem's workload all of these checks should pass.
2992 DISA STIG for Red Hat Enterprise Linux 7
2995 Profile ID: xccdf_org.ssgproject.content_profile_stig
2997 This profile contains configuration checks that align to the
2999 DISA STIG for Red Hat Enterprise Linux V3R12.
3000 In addition to being applicable to Red Hat Enterprise Linux 7,
3002 DISA recognizes this configuration baseline as applicable to the
3003 operating system tier of Red Hat technologies that are based on
3004 Red Hat Enterprise Linux 7, such as:
3005 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3007 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3008 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3009 7 image
3010 DISA STIG with GUI for Red Hat Enterprise Linux 7
3013 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
3015 This profile contains configuration checks that align to the
3017 DISA STIG with GUI for Red Hat Enterprise Linux V3R12.
3018 In addition to being applicable to Red Hat Enterprise Linux 7,
3020 DISA recognizes this configuration baseline as applicable to the
3021 operating system tier of Red Hat technologies that are based on
3022 Red Hat Enterprise Linux 7, such as:
3023 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3025 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3026 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3027 7 image
3028 Warning: The installation and use of a Graphical User Interface
3030 (GUI) increases your attack vector and decreases your overall
3031 security posture. If your Information Systems Security Officer
3032 (ISSO) lacks a documented operational requirement for a graphi‐
3033 cal user interface, please consider using the standard DISA STIG
3034 for Red Hat Enterprise Linux 7 profile.
3035
3041 Source data stream: ssg-rhel8-ds.xml
3042 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
3044 broken into 'profiles', groupings of security settings that correlate
3045 to a known policy. Available profiles are:
3046 ANSSI-BP-028 (enhanced)
3050 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3052 hanced
3053 This profile contains configurations that align to ANSSI-BP-028
3055 v2.0 at the enhanced hardening level.
3056 ANSSI is the French National Information Security Agency, and
3058 stands for Agence nationale de la sécurité des systèmes d'infor‐
3059 mation. ANSSI-BP-028 is a configuration recommendation for
3060 GNU/Linux systems.
3061 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3063 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3064 securite-relatives-a-un-systeme-gnulinux/
3065 ANSSI-BP-028 (high)
3068 Profile ID: xccdf_org.ssgproject.content_pro‐
3070 file_anssi_bp28_high
3071 This profile contains configurations that align to ANSSI-BP-028
3073 v2.0 at the high hardening level.
3074 ANSSI is the French National Information Security Agency, and
3076 stands for Agence nationale de la sécurité des systèmes d'infor‐
3077 mation. ANSSI-BP-028 is a configuration recommendation for
3078 GNU/Linux systems.
3079 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3081 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3082 securite-relatives-a-un-systeme-gnulinux/
3083 ANSSI-BP-028 (intermediary)
3086 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
3088 termediary
3089 This profile contains configurations that align to ANSSI-BP-028
3091 v2.0 at the intermediary hardening level.
3092 ANSSI is the French National Information Security Agency, and
3094 stands for Agence nationale de la sécurité des systèmes d'infor‐
3095 mation. ANSSI-BP-028 is a configuration recommendation for
3096 GNU/Linux systems.
3097 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3099 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3100 securite-relatives-a-un-systeme-gnulinux/
3101 ANSSI-BP-028 (minimal)
3104 Profile ID: xccdf_org.ssgproject.content_pro‐
3106 file_anssi_bp28_minimal
3107 This profile contains configurations that align to ANSSI-BP-028
3109 v2.0 at the minimal hardening level.
3110 ANSSI is the French National Information Security Agency, and
3112 stands for Agence nationale de la sécurité des systèmes d'infor‐
3113 mation. ANSSI-BP-028 is a configuration recommendation for
3114 GNU/Linux systems.
3115 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3117 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3118 securite-relatives-a-un-systeme-gnulinux/
3119 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
3122 Profile ID: xccdf_org.ssgproject.content_profile_cis
3124 This profile defines a baseline that aligns to the "Level 2 -
3126 Server" configuration from the Center for Internet Security® Red
3127 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
3128 This profile includes Center for Internet Security® Red Hat En‐
3130 terprise Linux 8 CIS Benchmarks™ content.
3131 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
3134 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
3136 This profile defines a baseline that aligns to the "Level 1 -
3138 Server" configuration from the Center for Internet Security® Red
3139 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
3140 This profile includes Center for Internet Security® Red Hat En‐
3142 terprise Linux 8 CIS Benchmarks™ content.
3143 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
3146 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3148 tion_l1
3149 This profile defines a baseline that aligns to the "Level 1 -
3151 Workstation" configuration from the Center for Internet Secu‐
3152 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
3153 2022-02-23.
3154 This profile includes Center for Internet Security® Red Hat En‐
3156 terprise Linux 8 CIS Benchmarks™ content.
3157 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
3160 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3162 tion_l2
3163 This profile defines a baseline that aligns to the "Level 2 -
3165 Workstation" configuration from the Center for Internet Secu‐
3166 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
3167 2022-02-23.
3168 This profile includes Center for Internet Security® Red Hat En‐
3170 terprise Linux 8 CIS Benchmarks™ content.
3171 Criminal Justice Information Services (CJIS) Security Policy
3174 Profile ID: xccdf_org.ssgproject.content_profile_cjis
3176 This profile is derived from FBI's CJIS v5.4 Security Policy. A
3178 copy of this policy can be found at the CJIS Security Policy Re‐
3179 source Center:
3180 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
3182 center
3183 Unclassified Information in Non-federal Information Systems and Organi‐
3186 zations (NIST 800-171)
3187 Profile ID: xccdf_org.ssgproject.content_profile_cui
3189 From NIST 800-171, Section 2.2: Security requirements for pro‐
3191 tecting the confidentiality of CUI in nonfederal information
3192 systems and organizations have a well-defined structure that
3193 consists of:
3194 (i) a basic security requirements section; (ii) a derived secu‐
3196 rity requirements section.
3197 The basic security requirements are obtained from FIPS Publica‐
3199 tion 200, which provides the high-level and fundamental security
3200 requirements for federal information and information systems.
3201 The derived security requirements, which supplement the basic
3202 security requirements, are taken from the security controls in
3203 NIST Special Publication 800-53.
3204 This profile configures Red Hat Enterprise Linux 8 to the NIST
3206 Special Publication 800-53 controls identified for securing Con‐
3207 trolled Unclassified Information (CUI)."
3208 Australian Cyber Security Centre (ACSC) Essential Eight
3211 Profile ID: xccdf_org.ssgproject.content_profile_e8
3213 This profile contains configuration checks for Red Hat Enter‐
3215 prise Linux 8 that align to the Australian Cyber Security Centre
3216 (ACSC) Essential Eight.
3217 A copy of the Essential Eight in Linux Environments guide can be
3219 found at the ACSC website:
3220 https://www.cyber.gov.au/acsc/view-all-content/publica‐
3222 tions/hardening-linux-workstations-and-servers
3223 Health Insurance Portability and Accountability Act (HIPAA)
3226 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
3228 The HIPAA Security Rule establishes U.S. national standards to
3230 protect individuals’ electronic personal health information that
3231 is created, received, used, or maintained by a covered entity.
3232 The Security Rule requires appropriate administrative, physical
3233 and technical safeguards to ensure the confidentiality, integ‐
3234 rity, and security of electronic protected health information.
3235 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
3237 Security Rule identified for securing of electronic protected
3238 health information. Use of this profile in no way guarantees or
3239 makes claims against legal compliance against the HIPAA Security
3240 Rule(s).
3241 Australian Cyber Security Centre (ACSC) ISM Official
3244 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
3246 This profile contains configuration checks for Red Hat Enter‐
3248 prise Linux 8 that align to the Australian Cyber Security Centre
3249 (ACSC) Information Security Manual (ISM) with the applicability
3250 marking of OFFICIAL.
3251 The ISM uses a risk-based approach to cyber security. This pro‐
3253 file provides a guide to aligning Red Hat Enterprise Linux secu‐
3254 rity controls with the ISM, which can be used to select controls
3255 specific to an organisation's security posture and risk profile.
3256 A copy of the ISM can be found at the ACSC website:
3258 https://www.cyber.gov.au/ism
3260 Protection Profile for General Purpose Operating Systems
3263 Profile ID: xccdf_org.ssgproject.content_profile_ospp
3265 This profile reflects mandatory configuration controls identi‐
3267 fied in the NIAP Configuration Annex to the Protection Profile
3268 for General Purpose Operating Systems (Protection Profile Ver‐
3269 sion 4.2.1).
3270 This configuration profile is consistent with CNSSI-1253, which
3272 requires U.S. National Security Systems to adhere to certain
3273 configuration parameters. Accordingly, this configuration pro‐
3274 file is suitable for use in U.S. National Security Systems.
3275 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
3278 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3280 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3282 plied.
3283 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
3286 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
3288 This profile contains the minimum security relevant configura‐
3290 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
3291 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
3292 Standard System Security Profile for Red Hat Enterprise Linux 8
3295 Profile ID: xccdf_org.ssgproject.content_profile_standard
3297 This profile contains rules to ensure standard security baseline
3299 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
3300 tem's workload all of these checks should pass.
3301 DISA STIG for Red Hat Enterprise Linux 8
3304 Profile ID: xccdf_org.ssgproject.content_profile_stig
3306 This profile contains configuration checks that align to the
3308 DISA STIG for Red Hat Enterprise Linux 8 V1R11.
3309 In addition to being applicable to Red Hat Enterprise Linux 8,
3311 DISA recognizes this configuration baseline as applicable to the
3312 operating system tier of Red Hat technologies that are based on
3313 Red Hat Enterprise Linux 8, such as:
3314 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3316 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3317 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3318 8 image
3319 DISA STIG with GUI for Red Hat Enterprise Linux 8
3322 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
3324 This profile contains configuration checks that align to the
3326 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
3327 In addition to being applicable to Red Hat Enterprise Linux 8,
3329 DISA recognizes this configuration baseline as applicable to the
3330 operating system tier of Red Hat technologies that are based on
3331 Red Hat Enterprise Linux 8, such as:
3332 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3334 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3335 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3336 8 image
3337 Warning: The installation and use of a Graphical User Interface
3339 (GUI) increases your attack vector and decreases your overall
3340 security posture. If your Information Systems Security Officer
3341 (ISSO) lacks a documented operational requirement for a graphi‐
3342 cal user interface, please consider using the standard DISA STIG
3343 for Red Hat Enterprise Linux 8 profile.
3344
3350 Source data stream: ssg-rhel9-ds.xml
3351 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
3353 broken into 'profiles', groupings of security settings that correlate
3354 to a known policy. Available profiles are:
3355 ANSSI-BP-028 (enhanced)
3359 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3361 hanced
3362 This profile contains configurations that align to ANSSI-BP-028
3364 v2.0 at the enhanced hardening level.
3365 ANSSI is the French National Information Security Agency, and
3367 stands for Agence nationale de la sécurité des systèmes d'infor‐
3368 mation. ANSSI-BP-028 is a configuration recommendation for
3369 GNU/Linux systems.
3370 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3372 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3373 securite-relatives-a-un-systeme-gnulinux/
3374 ANSSI-BP-028 (high)
3377 Profile ID: xccdf_org.ssgproject.content_pro‐
3379 file_anssi_bp28_high
3380 This profile contains configurations that align to ANSSI-BP-028
3382 v2.0 at the high hardening level.
3383 ANSSI is the French National Information Security Agency, and
3385 stands for Agence nationale de la sécurité des systèmes d'infor‐
3386 mation. ANSSI-BP-028 is a configuration recommendation for
3387 GNU/Linux systems.
3388 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3390 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3391 securite-relatives-a-un-systeme-gnulinux/
3392 ANSSI-BP-028 (intermediary)
3395 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
3397 termediary
3398 This profile contains configurations that align to ANSSI-BP-028
3400 v2.0 at the intermediary hardening level.
3401 ANSSI is the French National Information Security Agency, and
3403 stands for Agence nationale de la sécurité des systèmes d'infor‐
3404 mation. ANSSI-BP-028 is a configuration recommendation for
3405 GNU/Linux systems.
3406 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3408 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3409 securite-relatives-a-un-systeme-gnulinux/
3410 ANSSI-BP-028 (minimal)
3413 Profile ID: xccdf_org.ssgproject.content_pro‐
3415 file_anssi_bp28_minimal
3416 This profile contains configurations that align to ANSSI-BP-028
3418 v2.0 at the minimal hardening level.
3419 ANSSI is the French National Information Security Agency, and
3421 stands for Agence nationale de la sécurité des systèmes d'infor‐
3422 mation. ANSSI-BP-028 is a configuration recommendation for
3423 GNU/Linux systems.
3424 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3426 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3427 securite-relatives-a-un-systeme-gnulinux/
3428 CCN Red Hat Enterprise Linux 9 - Advanced
3431 Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced
3433 This profile defines a baseline that aligns with the "Advanced"
3435 configuration of the CCN-STIC-610A22 Guide issued by the Na‐
3436 tional Cryptological Center of Spain in 2022-10.
3437 The CCN-STIC-610A22 guide includes hardening settings for Red
3439 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
3440 els.
3441 CCN Red Hat Enterprise Linux 9 - Basic
3444 Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic
3446 This profile defines a baseline that aligns with the "Basic"
3448 configuration of the CCN-STIC-610A22 Guide issued by the Na‐
3449 tional Cryptological Center of Spain in 2022-10.
3450 The CCN-STIC-610A22 guide includes hardening settings for Red
3452 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
3453 els.
3454 CCN Red Hat Enterprise Linux 9 - Intermediate
3457 Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermedi‐
3459 ate
3460 This profile defines a baseline that aligns with the "Intermedi‐
3462 ate" configuration of the CCN-STIC-610A22 Guide issued by the
3463 National Cryptological Center of Spain in 2022-10.
3464 The CCN-STIC-610A22 guide includes hardening settings for Red
3466 Hat Enterprise Linux 9 at basic, intermediate, and advanced lev‐
3467 els.
3468 CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
3471 Profile ID: xccdf_org.ssgproject.content_profile_cis
3473 This profile defines a baseline that aligns to the "Level 2 -
3475 Server" configuration from the Center for Internet Security® Red
3476 Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
3477 This profile includes Center for Internet Security® Red Hat En‐
3479 terprise Linux 9 CIS Benchmarks™ content.
3480 CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
3483 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
3485 This profile defines a baseline that aligns to the "Level 1 -
3487 Server" configuration from the Center for Internet Security® Red
3488 Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
3489 This profile includes Center for Internet Security® Red Hat En‐
3491 terprise Linux 9 CIS Benchmarks™ content.
3492 CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
3495 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3497 tion_l1
3498 This profile defines a baseline that aligns to the "Level 1 -
3500 Workstation" configuration from the Center for Internet Secu‐
3501 rity® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released
3502 2022-11-28.
3503 This profile includes Center for Internet Security® Red Hat En‐
3505 terprise Linux 9 CIS Benchmarks™ content.
3506 CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
3509 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3511 tion_l2
3512 This profile defines a baseline that aligns to the "Level 2 -
3514 Workstation" configuration from the Center for Internet Secu‐
3515 rity® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released
3516 2022-11-28.
3517 This profile includes Center for Internet Security® Red Hat En‐
3519 terprise Linux 9 CIS Benchmarks™ content.
3520 DRAFT - Unclassified Information in Non-federal Information Systems and
3523 Organizations (NIST 800-171)
3524 Profile ID: xccdf_org.ssgproject.content_profile_cui
3526 From NIST 800-171, Section 2.2: Security requirements for pro‐
3528 tecting the confidentiality of CUI in nonfederal information
3529 systems and organizations have a well-defined structure that
3530 consists of:
3531 (i) a basic security requirements section; (ii) a derived secu‐
3533 rity requirements section.
3534 The basic security requirements are obtained from FIPS Publica‐
3536 tion 200, which provides the high-level and fundamental security
3537 requirements for federal information and information systems.
3538 The derived security requirements, which supplement the basic
3539 security requirements, are taken from the security controls in
3540 NIST Special Publication 800-53.
3541 This profile configures Red Hat Enterprise Linux 9 to the NIST
3543 Special Publication 800-53 controls identified for securing Con‐
3544 trolled Unclassified Information (CUI)."
3545 Australian Cyber Security Centre (ACSC) Essential Eight
3548 Profile ID: xccdf_org.ssgproject.content_profile_e8
3550 This profile contains configuration checks for Red Hat Enter‐
3552 prise Linux 9 that align to the Australian Cyber Security Centre
3553 (ACSC) Essential Eight.
3554 A copy of the Essential Eight in Linux Environments guide can be
3556 found at the ACSC website:
3557 https://www.cyber.gov.au/acsc/view-all-content/publica‐
3559 tions/hardening-linux-workstations-and-servers
3560 Health Insurance Portability and Accountability Act (HIPAA)
3563 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
3565 The HIPAA Security Rule establishes U.S. national standards to
3567 protect individuals’ electronic personal health information that
3568 is created, received, used, or maintained by a covered entity.
3569 The Security Rule requires appropriate administrative, physical
3570 and technical safeguards to ensure the confidentiality, integ‐
3571 rity, and security of electronic protected health information.
3572 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
3574 Security Rule identified for securing of electronic protected
3575 health information. Use of this profile in no way guarantees or
3576 makes claims against legal compliance against the HIPAA Security
3577 Rule(s).
3578 Australian Cyber Security Centre (ACSC) ISM Official
3581 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
3583 This profile contains configuration checks for Red Hat Enter‐
3585 prise Linux 9 that align to the Australian Cyber Security Centre
3586 (ACSC) Information Security Manual (ISM) with the applicability
3587 marking of OFFICIAL.
3588 The ISM uses a risk-based approach to cyber security. This pro‐
3590 file provides a guide to aligning Red Hat Enterprise Linux secu‐
3591 rity controls with the ISM, which can be used to select controls
3592 specific to an organisation's security posture and risk profile.
3593 A copy of the ISM can be found at the ACSC website:
3595 https://www.cyber.gov.au/ism
3597 Protection Profile for General Purpose Operating Systems
3600 Profile ID: xccdf_org.ssgproject.content_profile_ospp
3602 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
3604 ria Guidance documentation for Target of Evaluation based on
3605 Protection Profile for General Purpose Operating Systems (OSPP)
3606 version 4.3 and Functional Package for SSH version 1.0.
3607 Where appropriate, CNSSI 1253 or DoD-specific values are used
3609 for configuration, based on Configuration Annex to the OSPP.
3610 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
3613 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3615 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3617 plied.
3618 DRAFT - DISA STIG for Red Hat Enterprise Linux 9
3621 Profile ID: xccdf_org.ssgproject.content_profile_stig
3623 This is a draft profile based on its RHEL8 version for experi‐
3625 mental purposes. It is not based on the DISA STIG for RHEL9,
3626 because this one was not available at time of the release.
3627 In addition to being applicable to Red Hat Enterprise Linux 9,
3629 DISA recognizes this configuration baseline as applicable to the
3630 operating system tier of Red Hat technologies that are based on
3631 Red Hat Enterprise Linux 9, such as:
3632 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3634 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3635 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3636 9 image
3637 DRAFT - DISA STIG with GUI for Red Hat Enterprise Linux 9
3640 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
3642 This is a draft profile based on its RHEL8 version for experi‐
3644 mental purposes. It is not based on the DISA STIG for RHEL9,
3645 because this one was not available at time of the release.
3646 In addition to being applicable to Red Hat Enterprise Linux 9,
3648 DISA recognizes this configuration baseline as applicable to the
3649 operating system tier of Red Hat technologies that are based on
3650 Red Hat Enterprise Linux 9, such as:
3651 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3653 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3654 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3655 9 image
3656 Warning: The installation and use of a Graphical User Interface
3658 (GUI) increases your attack vector and decreases your overall
3659 security posture. If your Information Systems Security Officer
3660 (ISSO) lacks a documented operational requirement for a graphi‐
3661 cal user interface, please consider using the standard DISA STIG
3662 for Red Hat Enterprise Linux 9 profile.
3663
3669 Source data stream: ssg-rhv4-ds.xml
3670 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
3672 broken into 'profiles', groupings of security settings that correlate
3673 to a known policy. Available profiles are:
3674 PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
3678 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3680 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3682 plied.
3683 DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)
3686 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
3688 This *draft* profile contains configuration checks that align to
3690 the DISA STIG for Red Hat Virtualization Host (RHVH).
3691 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
3694 ization Host (RHVH)
3695 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
3697 This compliance profile reflects the core set of security re‐
3699 lated configuration settings for deployment of Red Hat Virtual‐
3700 ization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
3701 Civilian agencies. Development partners and sponsors include
3702 the U.S. National Institute of Standards and Technology (NIST),
3703 U.S. Department of Defense, the National Security Agency, and
3704 Red Hat.
3705 This baseline implements configuration requirements from the
3707 following sources:
3708 - Committee on National Security Systems Instruction No. 1253
3710 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
3711 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
3712 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
3713 (VPP v1.0)
3714 For any differing configuration requirements, e.g. password
3716 lengths, the stricter security setting was chosen. Security Re‐
3717 quirement Traceability Guides (RTMs) and sample System Security
3718 Configuration Guides are provided via the scap-security-guide-
3719 docs package.
3720 This profile reflects U.S. Government consensus content and is
3722 developed through the ComplianceAsCode project, championed by
3723 the National Security Agency. Except for differences in format‐
3724 ting to accommodate publishing processes, this profile mirrors
3725 ComplianceAsCode content as minor divergences, such as bugfixes,
3726 work through the consensus and release processes.
3727
3733 Source data stream: ssg-sl7-ds.xml
3734 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
3736 broken into 'profiles', groupings of security settings that correlate
3737 to a known policy. Available profiles are:
3738 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
3742 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3744 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3746 plied.
3747 Standard System Security Profile for Red Hat Enterprise Linux 7
3750 Profile ID: xccdf_org.ssgproject.content_profile_standard
3752 This profile contains rules to ensure standard security baseline
3754 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
3755 tem's workload all of these checks should pass.
3756
3762 Source data stream: ssg-sle12-ds.xml
3763 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
3765 broken into 'profiles', groupings of security settings that correlate
3766 to a known policy. Available profiles are:
3767 ANSSI-BP-028 (enhanced)
3771 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3773 hanced
3774 This profile contains configurations that align to ANSSI-BP-028
3776 v2.0 at the enhanced hardening level.
3777 ANSSI is the French National Information Security Agency, and
3779 stands for Agence nationale de la sécurité des systèmes d'infor‐
3780 mation. ANSSI-BP-028 is a configuration recommendation for
3781 GNU/Linux systems.
3782 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3784 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3785 securite-relatives-a-un-systeme-gnulinux/
3786 Only the components strictly necessary to the service provided
3788 by the system should be installed. Those whose presence can not
3789 be justified should be disabled, removed or deleted. Performing
3790 a minimal install is a good starting point, but doesn't provide
3791 any assurance over any package installed later. Manual review
3792 is required to assess if the installed services are minimal.
3793 ANSSI-BP-028 (high)
3796 Profile ID: xccdf_org.ssgproject.content_pro‐
3798 file_anssi_bp28_high
3799 This profile contains configurations that align to ANSSI-BP-028
3801 v2.0 at the high hardening level.
3802 ANSSI is the French National Information Security Agency, and
3804 stands for Agence nationale de la sécurité des systèmes d'infor‐
3805 mation. ANSSI-BP-028 is a configuration recommendation for
3806 GNU/Linux systems.
3807 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3809 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3810 securite-relatives-a-un-systeme-gnulinux/
3811 Only the components strictly necessary to the service provided
3813 by the system should be installed. Those whose presence can not
3814 be justified should be disabled, removed or deleted. Performing
3815 a minimal install is a good starting point, but doesn't provide
3816 any assurance over any package installed later. Manual review
3817 is required to assess if the installed services are minimal.
3818 ANSSI-BP-028 (intermediary)
3821 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
3823 termediary
3824 This profile contains configurations that align to ANSSI-BP-028
3826 v2.0 at the intermediary hardening level.
3827 ANSSI is the French National Information Security Agency, and
3829 stands for Agence nationale de la sécurité des systèmes d'infor‐
3830 mation. ANSSI-BP-028 is a configuration recommendation for
3831 GNU/Linux systems.
3832 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3834 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3835 securite-relatives-a-un-systeme-gnulinux/
3836 Only the components strictly necessary to the service provided
3838 by the system should be installed. Those whose presence can not
3839 be justified should be disabled, removed or deleted. Performing
3840 a minimal install is a good starting point, but doesn't provide
3841 any assurance over any package installed later. Manual review
3842 is required to assess if the installed services are minimal.
3843 ANSSI-BP-028 (minimal)
3846 Profile ID: xccdf_org.ssgproject.content_pro‐
3848 file_anssi_bp28_minimal
3849 This profile contains configurations that align to ANSSI-BP-028
3851 v2.0 at the minimal hardening level.
3852 ANSSI is the French National Information Security Agency, and
3854 stands for Agence nationale de la sécurité des systèmes d'infor‐
3855 mation. ANSSI-BP-028 is a configuration recommendation for
3856 GNU/Linux systems.
3857 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3859 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3860 securite-relatives-a-un-systeme-gnulinux/
3861 Only the components strictly necessary to the service provided
3863 by the system should be installed. Those whose presence can not
3864 be justified should be disabled, removed or deleted. Performing
3865 a minimal install is a good starting point, but doesn't provide
3866 any assurance over any package installed later. Manual review
3867 is required to assess if the installed services are minimal.
3868 CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
3871 Profile ID: xccdf_org.ssgproject.content_profile_cis
3873 This profile defines a baseline that aligns to the "Level 2 -
3875 Server" configuration from the Center for Internet Security®
3876 SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released
3877 01-24-2022.
3878 This profile includes Center for Internet Security® SUSE Linux
3880 Enterprise 12 CIS Benchmarks™ content.
3881 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
3884 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
3886 This profile defines a baseline that aligns to the "Level 1 -
3888 Server" configuration from the Center for Internet Security®
3889 SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released
3890 01-24-2022.
3891 This profile includes Center for Internet Security® SUSE Linux
3893 Enterprise 12 CIS Benchmarks™ content.
3894 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
3897 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3899 tion_l1
3900 This profile defines a baseline that aligns to the "Level 1 -
3902 Workstation" configuration from the Center for Internet Secu‐
3903 rity® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released
3904 01-24-2022.
3905 This profile includes Center for Internet Security® SUSE Linux
3907 Enterprise 12 CIS Benchmarks™ content.
3908 CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
3911 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3913 tion_l2
3914 This profile defines a baseline that aligns to the "Level 2 -
3916 Workstation" configuration from the Center for Internet Secu‐
3917 rity® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released
3918 01-24-2022.
3919 This profile includes Center for Internet Security® SUSE Linux
3921 Enterprise 12 CIS Benchmarks™ content.
3922 PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
3925 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
3927 Ensures PCI-DSS v4 security configuration settings are applied.
3929 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
3932 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3934 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3936 plied.
3937 Standard System Security Profile for SUSE Linux Enterprise 12
3940 Profile ID: xccdf_org.ssgproject.content_profile_standard
3942 This profile contains rules to ensure standard security baseline
3944 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
3945 tem's workload all of these checks should pass.
3946 DISA STIG for SUSE Linux Enterprise 12
3949 Profile ID: xccdf_org.ssgproject.content_profile_stig
3951 This profile contains configuration checks that align to the
3953 DISA STIG for SUSE Linux Enterprise 12 V2R5.
3954
3960 Source data stream: ssg-sle15-ds.xml
3961 The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
3963 broken into 'profiles', groupings of security settings that correlate
3964 to a known policy. Available profiles are:
3965 ANSSI-BP-028 (enhanced)
3969 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3971 hanced
3972 This profile contains configurations that align to ANSSI-BP-028
3974 v2.0 at the enhanced hardening level.
3975 ANSSI is the French National Information Security Agency, and
3977 stands for Agence nationale de la sécurité des systèmes d'infor‐
3978 mation. ANSSI-BP-028 is a configuration recommendation for
3979 GNU/Linux systems.
3980 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3982 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3983 securite-relatives-a-un-systeme-gnulinux/
3984 Only the components strictly necessary to the service provided
3986 by the system should be installed. Those whose presence can not
3987 be justified should be disabled, removed or deleted. Performing
3988 a minimal install is a good starting point, but doesn't provide
3989 any assurance over any package installed later. Manual review
3990 is required to assess if the installed services are minimal.
3991 ANSSI-BP-028 (high)
3994 Profile ID: xccdf_org.ssgproject.content_pro‐
3996 file_anssi_bp28_high
3997 This profile contains configurations that align to ANSSI-BP-028
3999 v2.0 at the high hardening level.
4000 ANSSI is the French National Information Security Agency, and
4002 stands for Agence nationale de la sécurité des systèmes d'infor‐
4003 mation. ANSSI-BP-028 is a configuration recommendation for
4004 GNU/Linux systems.
4005 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
4007 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
4008 securite-relatives-a-un-systeme-gnulinux/
4009 Only the components strictly necessary to the service provided
4011 by the system should be installed. Those whose presence can not
4012 be justified should be disabled, removed or deleted. Performing
4013 a minimal install is a good starting point, but doesn't provide
4014 any assurance over any package installed later. Manual review
4015 is required to assess if the installed services are minimal.
4016 ANSSI-BP-028 (intermediary)
4019 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
4021 termediary
4022 This profile contains configurations that align to ANSSI-BP-028
4024 v2.0 at the intermediary hardening level.
4025 ANSSI is the French National Information Security Agency, and
4027 stands for Agence nationale de la sécurité des systèmes d'infor‐
4028 mation. ANSSI-BP-028 is a configuration recommendation for
4029 GNU/Linux systems.
4030 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
4032 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
4033 securite-relatives-a-un-systeme-gnulinux/
4034 Only the components strictly necessary to the service provided
4036 by the system should be installed. Those whose presence can not
4037 be justified should be disabled, removed or deleted. Performing
4038 a minimal install is a good starting point, but doesn't provide
4039 any assurance over any package installed later. Manual review
4040 is required to assess if the installed services are minimal.
4041 ANSSI-BP-028 (minimal)
4044 Profile ID: xccdf_org.ssgproject.content_pro‐
4046 file_anssi_bp28_minimal
4047 This profile contains configurations that align to ANSSI-BP-028
4049 v2.0 at the minimal hardening level.
4050 ANSSI is the French National Information Security Agency, and
4052 stands for Agence nationale de la sécurité des systèmes d'infor‐
4053 mation. ANSSI-BP-028 is a configuration recommendation for
4054 GNU/Linux systems.
4055 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
4057 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
4058 securite-relatives-a-un-systeme-gnulinux/
4059 Only the components strictly necessary to the service provided
4061 by the system should be installed. Those whose presence can not
4062 be justified should be disabled, removed or deleted. Performing
4063 a minimal install is a good starting point, but doesn't provide
4064 any assurance over any package installed later. Manual review
4065 is required to assess if the installed services are minimal.
4066 CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
4069 Profile ID: xccdf_org.ssgproject.content_profile_cis
4071 This profile defines a baseline that aligns to the "Level 2 -
4073 Server" configuration from the Center for Internet Security®
4074 SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released
4075 01-24-2022.
4076 This profile includes Center for Internet Security® SUSE Linux
4078 Enterprise 15 CIS Benchmarks™ content.
4079 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
4082 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
4084 This profile defines a baseline that aligns to the "Level 1 -
4086 Server" configuration from the Center for Internet Security®
4087 SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released
4088 01-24-2022.
4089 This profile includes Center for Internet Security® SUSE Linux
4091 Enterprise 15 CIS Benchmarks™ content.
4092 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
4095 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
4097 tion_l1
4098 This profile defines a baseline that aligns to the "Level 1 -
4100 Workstation" configuration from the Center for Internet Secu‐
4101 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released
4102 01-24-2022.
4103 This profile includes Center for Internet Security® SUSE Linux
4105 Enterprise 15 CIS Benchmarks™ content.
4106 CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
4109 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
4111 tion_l2
4112 This profile defines a baseline that aligns to the "Level 2 -
4114 Workstation" configuration from the Center for Internet Secu‐
4115 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released
4116 01-24-2022.
4117 This profile includes Center for Internet Security® SUSE Linux
4119 Enterprise 15 CIS Benchmarks™ content.
4120 Health Insurance Portability and Accountability Act (HIPAA)
4123 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
4125 The HIPAA Security Rule establishes U.S. national standards to
4127 protect individuals’ electronic personal health information that
4128 is created, received, used, or maintained by a covered entity.
4129 The Security Rule requires appropriate administrative, physical
4130 and technical safeguards to ensure the confidentiality, integ‐
4131 rity, and security of electronic protected health information.
4132 This profile contains configuration checks that align to the
4134 HIPPA Security Rule for SUSE Linux Enterprise 15 V1R3.
4135 PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
4138 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
4140 Ensures PCI-DSS v4 security configuration settings are applied.
4142 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
4145 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
4147 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
4149 plied.
4150 Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES)
4153 for SAP Applications 15
4154 Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening-
4156 sap
4157 This profile contains configuration rules to be used to harden
4159 the images of SUSE Linux Enterprise Server (SLES) for SAP Appli‐
4160 cations 15 including all Service Packs, for Public Cloud
4161 providers, currently AWS, Microsoft Azure, and Google Cloud.
4162 Public Cloud Hardening for SUSE Linux Enterprise 15
4165 Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening
4167 This profile contains configuration checks to be used to harden
4169 SUSE Linux Enterprise 15 for use with public cloud providers.
4170 Standard System Security Profile for SUSE Linux Enterprise 15
4173 Profile ID: xccdf_org.ssgproject.content_profile_standard
4175 This profile contains rules to ensure standard security baseline
4177 of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
4178 ening Guide. Regardless of your system's workload all of these
4179 checks should pass.
4180 DISA STIG for SUSE Linux Enterprise 15
4183 Profile ID: xccdf_org.ssgproject.content_profile_stig
4185 This profile contains configuration checks that align to the
4187 DISA STIG for SUSE Linux Enterprise 15 V1R4.
4188
4194 Source data stream: ssg-ubuntu1604-ds.xml
4195 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
4197 'profiles', groupings of security settings that correlate to a known
4198 policy. Available profiles are:
4199 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
4203 Profile ID: xccdf_org.ssgproject.content_pro‐
4205 file_anssi_np_nt28_average
4206 This profile contains items for GNU/Linux installations already
4208 protected by multiple higher level security stacks.
4209 Profile for ANSSI DAT-NT28 High (Enforced) Level
4212 Profile ID: xccdf_org.ssgproject.content_pro‐
4214 file_anssi_np_nt28_high
4215 This profile contains items for GNU/Linux installations storing
4217 sensitive information that can be accessible from unauthenti‐
4218 cated or uncontroled networks.
4219 Profile for ANSSI DAT-NT28 Minimal Level
4222 Profile ID: xccdf_org.ssgproject.content_pro‐
4224 file_anssi_np_nt28_minimal
4225 This profile contains items to be applied systematically.
4227 Profile for ANSSI DAT-NT28 Restrictive Level
4230 Profile ID: xccdf_org.ssgproject.content_pro‐
4232 file_anssi_np_nt28_restrictive
4233 This profile contains items for GNU/Linux installations exposed
4235 to unauthenticated flows or multiple sources.
4236 Standard System Security Profile for Ubuntu 16.04
4239 Profile ID: xccdf_org.ssgproject.content_profile_standard
4241 This profile contains rules to ensure standard security baseline
4243 of an Ubuntu 16.04 system. Regardless of your system's workload
4244 all of these checks should pass.
4245
4251 Source data stream: ssg-ubuntu1804-ds.xml
4252 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
4254 'profiles', groupings of security settings that correlate to a known
4255 policy. Available profiles are:
4256 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
4260 Profile ID: xccdf_org.ssgproject.content_pro‐
4262 file_anssi_np_nt28_average
4263 This profile contains items for GNU/Linux installations already
4265 protected by multiple higher level security stacks.
4266 Profile for ANSSI DAT-NT28 High (Enforced) Level
4269 Profile ID: xccdf_org.ssgproject.content_pro‐
4271 file_anssi_np_nt28_high
4272 This profile contains items for GNU/Linux installations storing
4274 sensitive information that can be accessible from unauthenti‐
4275 cated or uncontroled networks.
4276 Profile for ANSSI DAT-NT28 Minimal Level
4279 Profile ID: xccdf_org.ssgproject.content_pro‐
4281 file_anssi_np_nt28_minimal
4282 This profile contains items to be applied systematically.
4284 Profile for ANSSI DAT-NT28 Restrictive Level
4287 Profile ID: xccdf_org.ssgproject.content_pro‐
4289 file_anssi_np_nt28_restrictive
4290 This profile contains items for GNU/Linux installations exposed
4292 to unauthenticated flows or multiple sources.
4293 CIS Ubuntu 18.04 LTS Benchmark
4296 Profile ID: xccdf_org.ssgproject.content_profile_cis
4298 This baseline aligns to the Center for Internet Security Ubuntu
4300 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
4301 Standard System Security Profile for Ubuntu 18.04
4304 Profile ID: xccdf_org.ssgproject.content_profile_standard
4306 This profile contains rules to ensure standard security baseline
4308 of an Ubuntu 18.04 system. Regardless of your system's workload
4309 all of these checks should pass.
4310
4316 Source data stream: ssg-ubuntu2004-ds.xml
4317 The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
4319 'profiles', groupings of security settings that correlate to a known
4320 policy. Available profiles are:
4321 CIS Ubuntu 20.04 Level 1 Server Benchmark
4325 Profile ID: xccdf_org.ssgproject.content_pro‐
4327 file_cis_level1_server
4328 This baseline aligns to the Center for Internet Security Ubuntu
4330 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
4331 CIS Ubuntu 20.04 Level 1 Workstation Benchmark
4334 Profile ID: xccdf_org.ssgproject.content_pro‐
4336 file_cis_level1_workstation
4337 This baseline aligns to the Center for Internet Security Ubuntu
4339 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
4340 CIS Ubuntu 20.04 Level 2 Server Benchmark
4343 Profile ID: xccdf_org.ssgproject.content_pro‐
4345 file_cis_level2_server
4346 This baseline aligns to the Center for Internet Security Ubuntu
4348 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
4349 CIS Ubuntu 20.04 Level 2 Workstation Benchmark
4352 Profile ID: xccdf_org.ssgproject.content_pro‐
4354 file_cis_level2_workstation
4355 This baseline aligns to the Center for Internet Security Ubuntu
4357 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
4358 Standard System Security Profile for Ubuntu 20.04
4361 Profile ID: xccdf_org.ssgproject.content_profile_standard
4363 This profile contains rules to ensure standard security baseline
4365 of an Ubuntu 20.04 system. Regardless of your system's workload
4366 all of these checks should pass.
4367 Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
4370 (STIG) V1R9
4371 Profile ID: xccdf_org.ssgproject.content_profile_stig
4373 This Security Technical Implementation Guide is published as a
4375 tool to improve the security of Department of Defense (DoD) in‐
4376 formation systems. The requirements are derived from the Na‐
4377 tional Institute of Standards and Technology (NIST) 800-53 and
4378 related documents.
4379
4385 Source data stream: ssg-ubuntu2204-ds.xml
4386 The Guide to the Secure Configuration of Ubuntu 22.04 is broken into
4388 'profiles', groupings of security settings that correlate to a known
4389 policy. Available profiles are:
4390 CIS Ubuntu 22.04 Level 1 Server Benchmark
4394 Profile ID: xccdf_org.ssgproject.content_pro‐
4396 file_cis_level1_server
4397 This baseline aligns to the Center for Internet Security Ubuntu
4399 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.
4400 CIS Ubuntu 22.04 Level 1 Workstation Benchmark
4403 Profile ID: xccdf_org.ssgproject.content_pro‐
4405 file_cis_level1_workstation
4406 This baseline aligns to the Center for Internet Security Ubuntu
4408 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.
4409 CIS Ubuntu 22.04 Level 2 Server Benchmark
4412 Profile ID: xccdf_org.ssgproject.content_pro‐
4414 file_cis_level2_server
4415 This baseline aligns to the Center for Internet Security Ubuntu
4417 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.
4418 CIS Ubuntu 22.04 Level 2 Workstation Benchmark
4421 Profile ID: xccdf_org.ssgproject.content_pro‐
4423 file_cis_level2_workstation
4424 This baseline aligns to the Center for Internet Security Ubuntu
4426 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.
4427 Standard System Security Profile for Ubuntu 22.04
4430 Profile ID: xccdf_org.ssgproject.content_profile_standard
4432 This profile contains rules to ensure standard security baseline
4434 of an Ubuntu 22.04 system. Regardless of your system's workload
4435 all of these checks should pass.
4436
4442 Source data stream: ssg-uos20-ds.xml
4443 The Guide to the Secure Configuration of UnionTech OS Server 20 is bro‐
4445 ken into 'profiles', groupings of security settings that correlate to a
4446 known policy. Available profiles are:
4447 Standard System Security Profile for UnionTech OS Server 20
4451 Profile ID: xccdf_org.ssgproject.content_profile_standard
4453 This profile contains rules to ensure standard security baseline
4455 of a UnionTech OS Server 20 system. Regardless of your system's
4456 workload all of these checks should pass.
4457
4464 To scan your system utilizing the OpenSCAP utility against the ospp
4465 profile:
4466 oscap xccdf eval --profile ospp --results-arf /tmp/`hostname`-ssg-re‐
4468 sults.xml --report /tmp/`hostname`-ssg-results.html
4469 /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
4470 Additional details can be found on the following websites:
4472 https://www.github.com/ComplianceAsCode/content
4474 The project's Github page.
4475 https://complianceascode.readthedocs.io
4477 The project's ReadTheDocs page.
4478 https://app.gitter.im/#/room/#Compliance-As-Code-The_content:gitter.im
4480 The project's Gitter IM space
4481
4484 /usr/share/xml/scap/ssg/content
4485 Houses SCAP content utilizing the following naming conventions:
4486 SCAP Source data streams: ssg-{product}-ds.xml
4488 /usr/share/scap-security-guide/ansible/
4494 Contains Ansible Playbooks for SSG profiles.
4495 /usr/share/scap-security-guide/kickstart/
4504 Contains example kickstarts that install systems hardened
4505 against a particular profile.
4506 /usr/share/scap-security-guide/tailoring/
4509 Contains tailoring files that enable rules that are not covered
4510 by third-party SCAP content and disables rules that are covered
4511 by the content shipped in scap-security-guide.
4512
4516 oscap(8)
4517
4521 Please direct all questions to the SSG mailing list: https://lists.fe‐
4522 dorahosted.org/mailman/listinfo/scap-security-guide
4523version 1 26 Jan 2013 scap-security-guide(8)