scap-security-guide(8)          System Manager's Manual          scap-security-guide(8)

NAME
       SCAP Security Guide - Delivers security guidance, baselines, and associated
       validation mechanisms utilizing the Security Content Automation Protocol
       (SCAP).

DESCRIPTION
       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements of the U.S. government (Federal, Defense, and
       Intelligence Community) as well as of the financial services and health
       care industries. For example, high-level and widely-accepted policies
       such as NIST 800-53 provide prose stating that System Administrators
       must audit "privileged user actions," but do not define what "privileged
       actions" are. The SSG bridges the gap between generalized policy
       requirements and specific implementation guidance, in SCAP formats to
       support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide


       The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,'
       groupings of security settings that correlate to a known policy.
       Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the U.S.
              Government Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       CS2
              CS2 is an example of a customized server profile.

       CSCF-RHEL6-MLS
              The CSCF RHEL6 MLS Core Baseline profile reflects the
              Centralized Super Computing Facility (CSCF) baseline for Red Hat
              Enterprise Linux 6. This baseline has received government ATO
              through the ICD 503 process, utilizing the CNSSI 1253 cross
              domain overlay. This profile should be considered in active
              development. Additional tailoring will be needed, such as the
              creation of RBAC roles for production deployment.

       desktop
              The Desktop Baseline profile is for a desktop installation of
              Red Hat Enterprise Linux 6.

       fisma-medium-rhel6-server
              A FISMA Medium profile for Red Hat Enterprise Linux 6.

       ftp
              A profile for FTP servers.

       nist-cl-il-al
              The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat
              Enterprise Linux 6 Profile follows the Committee on National
              Security Systems Instruction (CNSSI) No. 1253, "Security
              Categorization and Control Selection for National Security
              Systems," on security controls to meet low confidentiality, low
              integrity, and low assurance.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise
              Linux 6 is a *draft* profile for PCI-DSS v3.

       rht-ccp
              The Red Hat Corporate Profile for Certified Cloud Providers (RH
              CCP) profile is a *draft* SCAP profile for Red Hat Certified
              Cloud Providers.

       server
              The Server Baseline profile is for Red Hat Enterprise Linux 6
              acting as a server.

       standard
              The Standard System Security Profile contains rules to ensure a
              standard security baseline for a Red Hat Enterprise Linux 6
              system. Regardless of your system's workload, all of these
              checks should pass.

       stig-rhel6-disa
              The Security Technical Implementation Guides (STIGs) and the NSA
              Guides are the configuration standards for DOD IA and IA-enabled
              devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security posture
              of DoD's security systems by providing the Security Technical
              Implementation Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA
              FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please
              refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is being developed under the DoD consensus model to
              become a STIG in coordination with DISA FSO.

       usgcb-rhel6-server
              The purpose of the United States Government Configuration
              Baseline (USGCB) initiative is to create security configuration
              baselines for Information Technology products widely deployed
              across the federal agencies. The USGCB baseline evolved from the
              Federal Desktop Core Configuration mandate. The USGCB is a
              Federal government-wide initiative that provides guidance to
              agencies on what should be done to improve and maintain
              effective configuration settings, focusing primarily on
              security.

              NOTE: While the current content maps to USGCB requirements, it
              has NOT been validated by NIST as of yet. This content should be
              considered draft; we are highly interested in feedback.

              For additional information relating to USGCB, please refer to
              the NIST webpage at http://usgcb.nist.gov/usgcb_content.html.


       The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,'
       groupings of security settings that correlate to a known policy.
       Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the U.S.
              Government Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       cjis-rhel7-server
              The Criminal Justice Information Services Security Policy is a
              *draft* profile for CJIS v5.4. The scope of this profile is to
              configure Red Hat Enterprise Linux 7 against the U.S. Department
              of Justice, FBI CJIS Security Policy.

       common
              The common profile is intended to be used as a base, universal
              profile for scanning of general-purpose Red Hat Enterprise Linux
              systems.

       docker-host
              The Standard Docker Host Security Profile contains rules to
              ensure a standard security baseline for a Red Hat Enterprise
              Linux 7 system running the docker daemon. This discussion is
              currently being held on open-scap-list@redhat.com and
              scap-security-guide@lists.fedorahosted.org.

       ospp
              This profile is developed in partnership with the U.S. National
              Institute of Science and Technology (NIST), U.S. Department of
              Defense, the National Security Agency, and Red Hat. The USGCB is
              intended to be the core set of security-related configuration
              settings with which all federal agencies should comply.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise
              Linux 7 is a *draft* profile for PCI-DSS v3.

       rht-ccp
              The Red Hat Corporate Profile for Certified Cloud Providers (RH
              CCP) profile is a *draft* SCAP profile for Red Hat Certified
              Cloud Providers.

       standard
              The Standard System Security Profile contains rules to ensure a
              standard security baseline for a Red Hat Enterprise Linux 7
              system. Regardless of your system's workload, all of these
              checks should pass.

       stig-rhel7-disa
              The DISA STIG for Red Hat Enterprise Linux 7 Server V1R4.

              The Security Technical Implementation Guides (STIGs) and the NSA
              Guides are the configuration standards for DOD IA and IA-enabled
              devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security posture
              of DoD's security systems by providing the Security Technical
              Implementation Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA
              FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please
              refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is developed under the DoD consensus model to
              become a STIG in coordination with DISA FSO.

       nist-800-171-cui
              Unclassified Information in Non-federal Information Systems and
              Organizations (NIST 800-171)

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of: (i) a basic security requirements section; and (ii)
              a derived security requirements section. The basic security
              requirements are obtained from FIPS Publication 200, which
              provides the high-level and fundamental security requirements
              for federal information and information systems. The derived
              security requirements, which supplement the basic security
              requirements, are taken from the security controls in NIST
              Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 7 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).


EXAMPLES
       To scan your system utilizing the OpenSCAP utility against the ospp
       profile:

              oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/OpenSCAP/scap-security-guide/wiki


264
266 /usr/share/xml/scap/ssg/content
267 Houses SCAP content utilizing the following naming conventions:
268
269 CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml
270
271 CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml
272
273 OVAL_Content: ssg-{profile}-oval.xml
274
275 XCCDF_Content: ssg-{profile}-xccdf.xml
276
277 /usr/share/doc/scap-security-guide/guides/
278 HTML versions of SSG profiles.
279
280
281
       The SCAP Security Guide, an open source project jointly maintained by
       Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat
       technologies. As an open source project, community participation
       extends into U.S. Department of Defense agencies, civilian agencies,
       academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended
       Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
       Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and
       Red Hat engineers are involved as maintainers and leaders, there are no
       commercial support contracts or service level agreements provided by
       Red Hat.

       Support, for both users and developers, is provided through the SCAP
       Security Guide community.

       Homepage: https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


       SCAP Security Guide content is considered vendor (Red Hat) provided
       content. Per guidance from the U.S. National Institute of Standards
       and Technology (NIST), U.S. Government programs are allowed to use
       vendor-produced SCAP content in the absence of "Governmental Authority"
       checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


       DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
       products incorporated into DoD information systems shall be configured
       in accordance with DoD-approved security configuration guidelines" and
       tasks the Defense Information Systems Agency (DISA) to "develop and
       provide security configuration guidance for IA and IA-enabled IT
       products in coordination with Director, NSA." The output of this
       authority is the DISA Security Technical Implementation Guides, or
       STIGs. DISA FSO is in the process of moving the STIGs towards the use of
       the NIST Security Content Automation Protocol (SCAP) in order to
       "automate" compliance reporting of the STIGs.

       Through a common, shared vision, the SCAP Security Guide community
       enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
       stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
       Version 1, Release 2, issued on 03-JUNE-2013:

       "The consensus content was developed using an open-source project
       called SCAP Security Guide. The project's website is
       https://www.open-scap.org/security-policies/scap-security-guide. Except
       for differences in formatting to accommodate the DISA STIG publishing
       process, the content of the Red Hat Enterprise Linux 6 STIG should
       mirror the SCAP Security Guide content with only minor divergence as
       updates from multiple sources work through the consensus process."

       The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013.
       Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF
       content and is available online:
       http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

       Content published on the iase.disa.mil website is authoritative STIG
       content. The SCAP Security Guide project, as noted in the STIG
       overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content.
       Individual programs and C&A evaluators make program-level
       determinations on the direct usage of the SCAP Security Guide.
       Currently there is no blanket approval.


SEE ALSO
       oscap(8)


       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



version 1                        26 Jan 2013                 scap-security-guide(8)