scap-security-guide(8)        System Manager's Manual        scap-security-guide(8)

NAME
SCAP Security Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).

DESCRIPTION
The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements of the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide

Guide to the Secure Configuration of Red Hat Enterprise Linux 6
Source Datastream: ssg-centos6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Desktop Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_desktop

    This profile is for a desktop installation of Red Hat Enterprise Linux 6.

Standard System Security Profile for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    This is a *draft* profile for PCI-DSS v3.

Server Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_server

    This profile is for Red Hat Enterprise Linux 6 acting as a server.

Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Source Datastream: ssg-centos7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Source Datastream: ssg-centos8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 8

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Guide to the Secure Configuration of Chromium
Source Datastream: ssg-chromium-ds.xml

The Guide to the Secure Configuration of Chromium is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Upstream STIG for Google Chromium

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG.

    As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

    While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Guide to the Secure Configuration of Debian 8
Source Datastream: ssg-debian8-ds.xml

The Guide to the Secure Configuration of Debian 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

    Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

    This profile contains items for GNU/Linux installations already protected by multiple higher-level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

    Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

    This profile contains items for GNU/Linux installations storing sensitive information that can be accessed from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Restrictive Level

    Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

    This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 8

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Debian 8 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Minimal Level

    Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

    This profile contains items to be applied systematically.

Guide to the Secure Configuration of JBoss EAP 6
Source Datastream: ssg-eap6-ds.xml

The Guide to the Secure Configuration of JBoss EAP 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

STIG for JBoss Enterprise Application Platform 6

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

Guide to the Secure Configuration of Fedora
Source Datastream: ssg-fedora-ds.xml

The Guide to the Secure Configuration of Fedora is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Fedora

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Fedora system. Regardless of your system's workload, all of these checks should pass.

OSPP - Protection Profile for General Purpose Operating Systems

    Profile ID: xccdf_org.ssgproject.content_profile_ospp

    This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).

    As Fedora is a moving target, this profile does not guarantee to provide the security levels required of US National Security Systems. The main goal of the profile is to provide Fedora developers with a hardened environment similar to the one mandated for US National Security Systems.

PCI-DSS v3 Control Baseline for Fedora

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3 related security configuration settings are applied.

Guide to the Secure Configuration of Firefox
Source Datastream: ssg-firefox-ds.xml

The Guide to the Secure Configuration of Firefox is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Upstream Firefox STIG

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Firefox STIG.

    As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

    While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Guide to the Secure Configuration of JBoss Fuse 6
Source Datastream: ssg-fuse6-ds.xml

The Guide to the Secure Configuration of JBoss Fuse 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

STIG for JBoss Fuse 6

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

STIG for Apache ActiveMQ

    Profile ID: xccdf_org.ssgproject.content_profile_amq-stig

    This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

Standard System Security Profile for JBoss

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of JBoss Fuse. Regardless of your system's workload, all of these checks should pass.

Guide to the Secure Configuration of Java Runtime Environment
Source Datastream: ssg-jre-ds.xml

The Guide to the Secure Configuration of Java Runtime Environment is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Java Runtime Environment (JRE) STIG

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk, so it is necessary to deploy system-wide properties to ensure a higher degree of security when utilizing the JRE.

    The IBM Corporation also develops and bundles a Java Runtime Environment (JRE), as does Red Hat with OpenJDK.

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3
Source Datastream: ssg-ocp3-ds.xml

The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Open Computing Information Security Profile for OpenShift Master Node

    Profile ID: xccdf_org.ssgproject.content_profile_opencis-master

    This baseline was inspired by the Center for Internet Security (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

    For the ComplianceAsCode project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the OpenCIS profile will ensure a system is in compliance or consistency with the CIS baseline.

Open Computing Information Security Profile for OpenShift Node

    Profile ID: xccdf_org.ssgproject.content_profile_opencis-node

    This baseline was inspired by the Center for Internet Security (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

    For the ComplianceAsCode project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the OpenCIS profile will ensure a system is in compliance or consistency with the CIS baseline.

Guide to the Secure Configuration of Oracle Linux 7
Source Datastream: ssg-ol7-ds.xml

The Guide to the Secure Configuration of Oracle Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Security Profile of Oracle Linux 7 for SAP

    Profile ID: xccdf_org.ssgproject.content_profile_sap

    This profile contains rules for the Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2. Regardless of your system's workload, all of these checks should pass.

DRAFT - DISA STIG for Oracle Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This is a *draft* profile for the STIG for Oracle Linux 7.

Standard System Security Profile for Oracle Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of an Oracle Linux 7 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3 Control Baseline Draft for Oracle Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3 related security configuration settings are applied.

Guide to the Secure Configuration of Oracle Linux 8
Source Datastream: ssg-ol8-ds.xml

The Guide to the Secure Configuration of Oracle Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Criminal Justice Information Services (CJIS) Security Policy

    Profile ID: xccdf_org.ssgproject.content_profile_cjis

    This profile is derived from the FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

    https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Health Insurance Portability and Accountability Act (HIPAA)

    Profile ID: xccdf_org.ssgproject.content_profile_hipaa

    The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

    This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for securing electronic protected health information.

Standard System Security Profile for Oracle Linux 8

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. Regardless of your system's workload, all of these checks should pass.

[DRAFT] OSPP - Protection Profile for General Purpose Operating Systems

    Profile ID: xccdf_org.ssgproject.content_profile_ospp

    This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).

    This profile is currently under review. Use of this profile does not denote or guarantee NIAP approval or certification until this profile has been approved by NIAP.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

    Profile ID: xccdf_org.ssgproject.content_profile_cui

    From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

    (i) a basic security requirements section; (ii) a derived security requirements section.

    The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

    This profile configures Oracle Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

PCI-DSS v3 Control Baseline Draft for Oracle Linux 8

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3 related security configuration settings are applied.

Guide to the Secure Configuration of openSUSE
Source Datastream: ssg-opensuse-ds.xml

The Guide to the Secure Configuration of openSUSE is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for openSUSE

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of an openSUSE system. Regardless of your system's workload, all of these checks should pass.

Guide to the Secure Configuration of Red Hat Enterprise Linux 6
Source Datastream: ssg-rhel6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

FTP Server Profile (vsftpd)

    Profile ID: xccdf_org.ssgproject.content_profile_ftp-server

    This is a profile for the vsftpd FTP server.

CNSSI 1253 Low/Low/Low Control Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

    This profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security Systems", on security controls to meet low confidentiality, low integrity, and low assurance.

CSCF RHEL6 MLS Core Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

    This profile reflects the Centralized Super Computing Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be considered in active development. Additional tailoring will be needed, such as the creation of RBAC roles for production deployment.

FISMA Medium for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

    FISMA Medium for Red Hat Enterprise Linux 6.

DISA STIG for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 6.

    In addition to being applicable to RHEL6, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on RHEL6, such as RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.

Desktop Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_desktop

    This profile is for a desktop installation of Red Hat Enterprise Linux 6.

Standard System Security Profile for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should pass.

United States Government Configuration Baseline (USGCB)

    Profile ID: xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

    This profile is a working draft for a USGCB submission against RHEL6 Server.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

    Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

    This is a *draft* SCAP profile for Red Hat Certified Cloud Providers.

C2S for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_C2S

    This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013.

    For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    This is a *draft* profile for PCI-DSS v3.

Example Server Profile

    Profile ID: xccdf_org.ssgproject.content_profile_CS2

    This profile is an example of a customized server profile.

Server Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_server

    This profile is for Red Hat Enterprise Linux 6 acting as a server.

Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Source Datastream: ssg-rhel7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)

    Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

    This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).

DISA STIG for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_stig

    This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R4.

    In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on RHEL7, such as:

    - Red Hat Enterprise Linux Server
    - Red Hat Enterprise Linux Workstation and Desktop
    - Red Hat Enterprise Linux for HPC
    - Red Hat Storage

Criminal Justice Information Services (CJIS) Security Policy

    Profile ID: xccdf_org.ssgproject.content_profile_cjis

    This profile is derived from the FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

    https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Health Insurance Portability and Accountability Act (HIPAA)

    Profile ID: xccdf_org.ssgproject.content_profile_hipaa

    The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

    This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule identified for securing electronic protected health information.

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

    Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

    This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

    This baseline implements configuration requirements from the following sources:

    - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
    - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
    - U.S. Government Configuration Baseline (USGCB)
    - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

    For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

    This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Standard System Security Profile for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_standard

    This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should pass.

United States Government Configuration Baseline

    Profile ID: xccdf_org.ssgproject.content_profile_ospp

    This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

    This baseline implements configuration requirements from the following sources:

    - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
    - NIST Controlled Unclassified Information (NIST 800-171)
    - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
    - U.S. Government Configuration Baseline (USGCB)
    - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
    - DISA Operating System Security Requirements Guide (OS SRG)

    For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

    This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

OSPP - Protection Profile for General Purpose Operating Systems v. 4.2

    Profile ID: xccdf_org.ssgproject.content_profile_ospp42

    This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).

    This Annex is consistent with CNSSI-1253, which requires US National Security Systems to adhere to certain configuration parameters. Accordingly, configuration guidance produced according to the requirements of this Annex is suitable for use in US National Security Systems.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

    Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

    This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.

C2S for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_C2S

    This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

    For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

    Profile ID: xccdf_org.ssgproject.content_profile_cui

    From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

    (i) a basic security requirements section; (ii) a derived security requirements section.

    The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

    This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

    Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

    Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Source Datastream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
broken into 'profiles', groupings of security settings that correlate to a
known policy. Available profiles are:


Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this
policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect
individuals' electronic personal health information that is created,
received, used, or maintained by a covered entity. The Security Rule requires
appropriate administrative, physical and technical safeguards to ensure the
confidentiality, integrity, and security of electronic protected health
information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule
identified for securing electronic protected health information.


Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red
Hat Enterprise Linux 8 system. Regardless of your system's workload, all of
these checks should pass.


Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the
NIAP Configuration Annex to the Protection Profile for General Purpose
Operating Systems (Protection Profile Version 4.2).


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings
recommended by Red Hat, Inc. for Red Hat Enterprise Linux 8 instances
deployed by Red Hat Certified Cloud Providers.


Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations
have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security
requirements section.

The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security
controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST Special
Publication 800-53 controls identified for securing Controlled Unclassified
Information (CUI).


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


Source Datastream: ssg-rhosp13-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 13 is
broken into 'profiles', groupings of security settings that correlate to a
known policy. Available profiles are:


RHOSP STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

Sample profile description.


Source Datastream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken
into 'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization
Hypervisor (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security related
configuration settings for deployment of Red Hat Virtualization Hypervisor
(RHVH) 4.x into U.S. Defense, Intelligence, and Civilian agencies.
Development partners and sponsors include the U.S. National Institute of
Standards and Technology (NIST), U.S. Department of Defense, the National
Security Agency, and Red Hat.

This baseline implements configuration requirements from the following
sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the
stricter security setting was chosen. Security Requirement Traceability
Guides (RTMs) and sample System Security Configuration Guides are provided
via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed
through the ComplianceAsCode project, championed by the National Security
Agency. Except for differences in formatting to accommodate publishing
processes, this profile mirrors ComplianceAsCode content, with only minor
divergences, such as bugfixes, as they work through the consensus and release
processes.


[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to the DISA
STIG for Red Hat Virtualization Host (RHVH).


Source Datastream: ssg-sl6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken
into 'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Desktop Baseline

Profile ID: xccdf_org.ssgproject.content_profile_desktop

This profile is for a desktop installation of Red Hat Enterprise Linux 6.


Standard System Security Profile for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red
Hat Enterprise Linux 6 system. Regardless of your system's workload, all of
these checks should pass.


PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

This is a *draft* profile for PCI-DSS v3.


Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for Red Hat Enterprise Linux 6 acting as a server.


Source Datastream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken
into 'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red
Hat Enterprise Linux 7 system. Regardless of your system's workload, all of
these checks should pass.


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


Source Datastream: ssg-sle11-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is broken
into 'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Standard System Security Profile for SUSE Linux Enterprise 11

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a SUSE
Linux Enterprise 11 system. Regardless of your system's workload, all of
these checks should pass.


Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for SUSE Linux Enterprise 11 acting as a server.


Source Datastream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken
into 'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a SUSE
Linux Enterprise 12 system. Regardless of your system's workload, all of
these checks should pass.


Source Datastream: ssg-ubuntu1404-ds.xml

The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
'profiles', groupings of security settings that correlate to a known policy.
Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive
information that can be accessed from unauthenticated or uncontrolled
networks.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to
unauthenticated flows or multiple sources.


Standard System Security Profile for Ubuntu 14.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an
Ubuntu 14.04 system. Regardless of your system's workload, all of these
checks should pass.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Source Datastream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
'profiles', groupings of security settings that correlate to a known policy.
Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive
information that can be accessed from unauthenticated or uncontrolled
networks.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to
unauthenticated flows or multiple sources.


Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an
Ubuntu 16.04 system. Regardless of your system's workload, all of these
checks should pass.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Source Datastream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
'profiles', groupings of security settings that correlate to a known policy.
Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive
information that can be accessed from unauthenticated or uncontrolled
networks.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to
unauthenticated flows or multiple sources.


Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an
Ubuntu 18.04 system. Regardless of your system's workload, all of these
checks should pass.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Source Datastream: ssg-wrlinux-ds.xml

The Guide to the Secure Configuration of WRLinux is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available
profiles are:


Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux installations.
Regardless of your system's deployment objective, all of these checks should
pass.


To scan your system utilizing the OpenSCAP utility against the ospp profile:

oscap xccdf eval --profile ospp \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --oval-results \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Additional details can be found on the project's wiki page:
https://www.github.com/OpenSCAP/scap-security-guide/wiki
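As an added example that is not from the man page or the SSG project, the following Python script builds the same oscap invocation from the ssg-{product}-ds.xml naming and the full profile IDs listed on this page, then reduces the XCCDF results file to per-outcome counts and the list of rule IDs that need attention, which a script cannot get from the HTML report. It assumes the /usr/share/xml/scap/ssg/content layout from FILES and the oscap(8) exit codes (0 all rules passed, 1 error, 2 at least one rule failed); the sample results document and its rule IDs are constructed.

```python
# Added example (not SSG project code): wraps the USAGE scan and summarizes
# its XCCDF results. Assumes the content layout from the FILES section.
import socket
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter

CONTENT_DIR = "/usr/share/xml/scap/ssg/content"
XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
FAILING = {"fail", "error", "unknown"}  # selected rules that did not verify


def build_scan_command(product, profile, results_dir="/tmp", hostname=None):
    """argv for the `oscap xccdf eval` call from USAGE, using the source
    datastream ssg-{product}-ds.xml and the full profile ID for `profile`."""
    host = hostname or socket.gethostname()
    return [
        "oscap", "xccdf", "eval",
        "--profile", f"xccdf_org.ssgproject.content_profile_{profile}",
        "--results", f"{results_dir}/{host}-ssg-results.xml",
        "--report", f"{results_dir}/{host}-ssg-results.html",
        "--oval-results",
        f"{CONTENT_DIR}/ssg-{product}-ds.xml",
    ]


def summarize_results(results_xml):
    """Count per-result outcomes in an XCCDF 1.2 results document (a string)
    and collect the idrefs of rules whose result is in FAILING."""
    counts, failed = Counter(), []
    for rr in ET.fromstring(results_xml).iter(XCCDF_NS + "rule-result"):
        result = rr.findtext(XCCDF_NS + "result")
        counts[result] += 1
        if result in FAILING:
            failed.append(rr.get("idref"))
    return dict(counts), failed


def run_scan(product, profile):
    """Run the scan; oscap(8) exits 0 when all rules passed, 2 when at least
    one failed, and 1 on error (then there is no results file to read)."""
    cmd = build_scan_command(product, profile)
    status = subprocess.run(cmd, check=False).returncode
    if status == 1:
        raise RuntimeError("oscap reported an error; nothing to summarize")
    with open(cmd[cmd.index("--results") + 1], encoding="utf-8") as fh:
        counts, failed = summarize_results(fh.read())
    return status, counts, failed


# Constructed results document; the rule idrefs are placeholders, not SSG rules.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
  id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_EXAMPLE">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="rule_example_a"><result>pass</result></rule-result>
    <rule-result idref="rule_example_b"><result>fail</result></rule-result>
    <rule-result idref="rule_example_c"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_example_d"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    product = sys.argv[1] if len(sys.argv) > 1 else "rhel7"
    status, counts, failed = run_scan(product, "ospp")
    print(f"oscap exit {status}; outcomes {counts}; needs attention: {failed}")
```

Run as `python3 scan.py rhel8` on a host with oscap and the scap-security-guide content installed; the rules listed under "needs attention" are the ones to remediate or formally accept.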
1464
1465
1466
1468 /usr/share/xml/scap/ssg/content
1469 Houses SCAP content utilizing the following naming conventions:
1470
1471 SCAP Source Datastreams: ssg-{product}-ds.xml
1472
1473 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
1474
1475 CPE OVAL Content: ssg-{product}-cpe-oval.xml
1476
1477 OVAL Content: ssg-{product}-oval.xml
1478
1479 XCCDF Content: ssg-{product}-xccdf.xml
1480
1481 /usr/share/doc/scap-security-guide/guides/
1482 HTML versions of SSG profiles.
1483
1484 /usr/share/scap-security-guide/ansible/
1485 Contains Ansible Playbooks for SSG profiles.
1486
1487 /usr/share/scap-security-guide/bash/
1488 Contains Bash remediation scripts for SSG profiles.
1489
1490
The SCAP Security Guide, an open source project jointly maintained by Red Hat
and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an
open source project, community participation extends into U.S. Department of
Defense agencies, civilian agencies, academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended
Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide
content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and Red Hat
engineers are involved as maintainers and leaders, there are no commercial
support contracts or service level agreements provided by Red Hat.

Support, for both users and developers, is provided through the SCAP Security
Guide community.

Homepage: https://www.open-scap.org/security-policies/scap-security-guide

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


SCAP Security Guide content is considered vendor (Red Hat) provided content.
Per guidance from the U.S. National Institute of Standards and Technology
(NIST), U.S. Government programs are allowed to use vendor produced SCAP
content in the absence of "Governmental Authority" checklists. The specific
NIST verbiage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority


DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products
incorporated into DoD information systems shall be configured in accordance
with DoD-approved security configuration guidelines" and tasks the Defense
Information Systems Agency (DISA) to "develop and provide security
configuration guidance for IA and IA-enabled IT products in coordination with
Director, NSA." The output of this authority is the DISA Security Technical
Implementation Guides, or STIGs. DISA FSO is in the process of moving the
STIGs towards the use of the NIST Security Content Automation Protocol (SCAP)
in order to "automate" compliance reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community enjoys
close collaboration directly with NSA, NIST, and DISA FSO. As stated in
Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1,
Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called SCAP
Security Guide. The project's website is
https://www.open-scap.org/security-policies/scap-security-guide. Except for
differences in formatting to accommodate the DISA STIG publishing process, the
content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Security
Guide content with only minor divergence as updates from multiple sources work
through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently,
the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF content and is
available online: http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

Content published on the iase.disa.mil website is authoritative STIG content.
The SCAP Security Guide project, as noted in the STIG overview, is considered
upstream content. Unlike DISA FSO, the SCAP Security Guide project does
publish OVAL automation content. Individual programs and C&A evaluators make
program-level determinations on the direct usage of the SCAP Security Guide.
Currently there is no blanket approval.


oscap(8)


Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


version 1                        26 Jan 2013              scap-security-guide(8)