scap-security-guide(8)       System Manager's Manual       scap-security-guide(8)

NAME
       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).

DESCRIPTION
       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements of the U.S. government (Federal, Defense, and
       Intelligence Community) as well as of the financial services and health
       care industries. For example, high-level and widely-accepted policies
       such as NIST 800-53 provide prose stating that System Administrators
       must audit "privileged user actions," but do not define what
       "privileged actions" are. The SSG bridges the gap between generalized
       policy requirements and specific implementation guidance, in SCAP
       formats to support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide

       Source Datastream: ssg-centos6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       Server Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

       Standard System Security Profile for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.

       Desktop Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.
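
       The datastream files and profile IDs listed on this page are the
       inputs to oscap(8): `oscap info <datastream>` prints the profiles a
       datastream carries, and `oscap xccdf eval --profile <profile-id>
       --results results.xml --report report.html <datastream>` evaluates
       the running system against one of them (the datastreams are normally
       installed under /usr/share/xml/scap/ssg/content/). The script below
       is an added example, not code from the SCAP Security Guide project.
       It parses a constructed, minimal source datastream, lists each XCCDF
       profile with the rules it selects, resolves the `extends` inheritance
       that lets one profile build on another, and assembles the oscap
       command line for a chosen profile. The benchmark, the
       `..._profile_hardened` profile and the rule identifiers in the sample
       are invented for the example; the namespaces and element names are
       those of real SCAP 1.2 / XCCDF 1.2 content.

```python
"""List the XCCDF profiles of a SCAP source datastream and build the oscap
command that evaluates one of them.  Added example, not code from the SCAP
Security Guide project; SAMPLE_DS is a constructed stand-in for a real
ssg-*-ds.xml with invented profile and rule identifiers."""
import shlex
import xml.etree.ElementTree as ET

# Namespaces of a SCAP 1.2 source datastream and of the XCCDF 1.2 benchmark
# component it embeds (the xccdf_org.ssgproject.content_profile_* IDs on
# this page are XCCDF 1.2 Profile IDs).
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed sample.  A real datastream also carries checklist references,
# OVAL and CPE components and hundreds of rules.  'hardened' extends
# 'standard', adds one rule and deselects one it would otherwise inherit.
SAMPLE_DS = """\
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.open-scap_collection_from_xccdf_ssg-example-xccdf-1.2.xml">
  <ds:component id="scap_org.open-scap_comp_ssg-example-xccdf-1.2.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>Standard System Security Profile</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_privileged_commands" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_hardened"
                     extends="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>Hardened (hypothetical)</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_privileged_commands" selected="false"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml):
    """Map profile ID -> {"title", "extends", "selects"} for every Profile in
    every benchmark component.  "selects" keeps each <select> as idref -> bool
    in document order, so a later select for the same rule wins."""
    profiles = {}
    for bench in ET.fromstring(ds_xml).iterfind(".//xccdf:Benchmark", NS):
        for prof in bench.iterfind("xccdf:Profile", NS):
            selects = {}
            for sel in prof.iterfind("xccdf:select", NS):
                selects[sel.get("idref")] = sel.get("selected", "true").lower() == "true"
            profiles[prof.get("id")] = {
                "title": prof.findtext("xccdf:title", default="", namespaces=NS).strip(),
                "extends": prof.get("extends"),
                "selects": selects,
            }
    return profiles


def selected_rules(profiles, profile_id):
    """Effective rule set of a profile: walk its 'extends' chain base-first so
    a child's own select/deselect overrides what it inherits.  A missing parent
    or a cycle is a broken datastream; fail instead of evaluating fewer rules
    than the policy intends."""
    chain, cur, seen = [], profile_id, set()
    while cur is not None:
        if cur not in profiles or cur in seen:
            raise ValueError(f"broken extends chain at {cur!r}")
        seen.add(cur)
        chain.append(cur)
        cur = profiles[cur]["extends"]
    effective = set()
    for pid in reversed(chain):
        for rule, on in profiles[pid]["selects"].items():
            if on:
                effective.add(rule)
            else:
                effective.discard(rule)
    return effective


def oscap_eval_command(ds_path, profile_id, results="results.xml", report="report.html"):
    """oscap(8) invocation that evaluates the running system against one
    profile.  oscap exits 0 if every rule passes, 2 if at least one fails and
    1 on error, so automation must not treat exit status 2 as a tool crash."""
    argv = ["oscap", "xccdf", "eval", "--profile", profile_id,
            "--results", results, "--report", report, ds_path]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    profiles = list_profiles(SAMPLE_DS)
    for pid, info in profiles.items():   # roughly what `oscap info` prints
        print(f"{pid}\n    Title: {info['title']}")
        for rule in sorted(selected_rules(profiles, pid)):
            print(f"    {rule}")
    print(oscap_eval_command("/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml",
                             "xccdf_org.ssgproject.content_profile_standard"))
```

       Resolving `extends` explicitly matters when auditing what a profile
       actually checks: a child profile can silently drop a rule its parent
       selects, and a truncated or hand-edited datastream whose parent
       profile is missing should be rejected rather than evaluated as a
       smaller rule set. Run the real thing with the datastream paths from
       the sections below; the script only prepares the command.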

       Source Datastream: ssg-centos7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 7
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload, all of these checks should pass.

       Source Datastream: ssg-centos8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 8
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 8 system. Regardless of
              your system's workload, all of these checks should pass.

       Source Datastream: ssg-chromium-ds.xml

       The Guide to the Secure Configuration of Chromium is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream STIG for Google Chromium
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and the
              DISA FSO Vendor STIG process, serving as the upstream
              development environment for the Google Chromium STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/

       Source Datastream: ssg-debian8-ds.xml

       The Guide to the Secure Configuration of Debian 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Minimal Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Standard System Security Profile for Debian 8
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Debian 8 system. Regardless of your system's
              workload, all of these checks should pass.

       Profile for ANSSI DAT-NT28 Restrictive Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher-level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that may be accessible from
              unauthenticated or uncontrolled networks.

       Source Datastream: ssg-debian9-ds.xml

       The Guide to the Secure Configuration of Debian 9 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Minimal Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Standard System Security Profile for Debian 9
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Debian 9 system. Regardless of your system's
              workload, all of these checks should pass.

       Profile for ANSSI DAT-NT28 Restrictive Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher-level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level
              Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that may be accessible from
              unauthenticated or uncontrolled networks.

       Source Datastream: ssg-eap6-ds.xml

       The Guide to the Secure Configuration of JBoss EAP 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       STIG for JBoss Enterprise Application Platform 6
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for a STIG. It is being developed
              under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       Source Datastream: ssg-fedora-ds.xml

       The Guide to the Secure Configuration of Fedora is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Fedora
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Standard System Security Profile for Fedora
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Fedora system. Regardless of your system's
              workload, all of these checks should pass.

       OSPP - Protection Profile for General Purpose Operating Systems
              Profile ID: xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              As Fedora is a moving target, this profile does not guarantee
              to provide the security levels required of US National Security
              Systems. The main goal of the profile is to provide Fedora
              developers with a hardened environment similar to the one
              mandated for US National Security Systems.

       Source Datastream: ssg-firefox-ds.xml

       The Guide to the Secure Configuration of Firefox is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream Firefox STIG
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and the
              DISA FSO Vendor STIG process, serving as the upstream
              development environment for the Firefox STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/

       Source Datastream: ssg-fuse6-ds.xml

       The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for JBoss
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of JBoss Fuse. Regardless of your system's workload,
              all of these checks should pass.

       STIG for Apache ActiveMQ
              Profile ID: xccdf_org.ssgproject.content_profile_amq-stig

              This is a *draft* profile for a STIG. It is being developed
              under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       STIG for JBoss Fuse 6
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for a STIG. It is being developed
              under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       Source Datastream: ssg-jre-ds.xml

       The Guide to the Secure Configuration of the Java Runtime Environment
       is broken into 'profiles', groupings of security settings that
       correlate to a known policy. Available profiles are:

       Java Runtime Environment (JRE) STIG
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              The Java Runtime Environment (JRE) is a bundle developed and
              offered by Oracle Corporation which includes the Java Virtual
              Machine (JVM), class libraries, and other components necessary
              to run Java applications and applets. Certain default settings
              within the JRE pose a security risk, so it is necessary to
              deploy system-wide properties to ensure a higher degree of
              security when utilizing the JRE.

              IBM also develops and bundles a Java Runtime Environment (JRE),
              as does Red Hat with OpenJDK.

Red Hat OpenShift Container Platform 3
       Source Datastream: ssg-ocp3-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 3 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       Open Computing Information Security Profile for OpenShift Node
              Profile ID: xccdf_org.ssgproject.content_profile_opencis-node

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

       Open Computing Information Security Profile for OpenShift Master Node
              Profile ID: xccdf_org.ssgproject.content_profile_opencis-master

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

Red Hat OpenShift Container Platform 4
       Source Datastream: ssg-ocp4-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 4 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       Open Computing Information Security Profile for OpenShift Node
              Profile ID: xccdf_org.ssgproject.content_profile_opencis-node

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

       Source Datastream: ssg-ol7-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 7 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 7
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Standard System Security Profile for Oracle Linux 7
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 7 system. Regardless of your
              system's workload, all of these checks should pass.

       Security Profile of Oracle Linux 7 for SAP
              Profile ID: xccdf_org.ssgproject.content_profile_sap

              This profile contains rules for the Oracle Linux 7 operating
              system in compliance with SAP note 2069760 and SAP Security
              Baseline Template version 1.9, Item I-8 and section 4.1.2.2.
              Regardless of your system's workload, all of these checks
              should pass.

       DRAFT - DISA STIG for Oracle Linux 7
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for the DISA STIG for Oracle Linux 7.

       Source Datastream: ssg-ol8-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 8
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Health Insurance Portability and Accountability Act (HIPAA)
              Profile ID: xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals’ electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Oracle Linux 8 according to the HIPAA
              Security Rule requirements identified for securing electronic
              protected health information.

       Standard System Security Profile for Oracle Linux 8
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 8 system. Regardless of your
              system's workload, all of these checks should pass.

       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)
              Profile ID: xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of:

              (i)  a basic security requirements section;
              (ii) a derived security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement the
              basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Oracle Linux 8 to the NIST Special
              Publication 800-53 controls identified for securing Controlled
              Unclassified Information (CUI).

       Criminal Justice Information Services (CJIS) Security Policy
              Profile ID: xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from the FBI's CJIS v5.4 Security
              Policy. A copy of this policy can be found at the CJIS Security
              Policy Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

       [DRAFT] OSPP - Protection Profile for General Purpose Operating Systems
              Profile ID: xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              This profile is currently under review. Use of this profile does
              not denote or guarantee NIAP approval or certification until
              this profile has been approved by NIAP.

       Source Datastream: ssg-opensuse-ds.xml

       The Guide to the Secure Configuration of openSUSE is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for openSUSE
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an openSUSE system. Regardless of your system's
              workload, all of these checks should pass.

       Source Datastream: ssg-rhel6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       CNSSI 1253 Low/Low/Low Control Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

              This profile follows the Committee on National Security Systems
              Instruction (CNSSI) No. 1253, "Security Categorization and
              Control Selection for National Security Systems", on security
              controls to meet low confidentiality, low integrity, and low
              availability.

       C2S for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_C2S

              This profile demonstrates compliance against the U.S. Government
              Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013.

              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       CSCF RHEL6 MLS Core Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

              This profile reflects the Centralized Super Computing Facility
              (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
              has received government ATO through the ICD 503 process,
              utilizing the CNSSI 1253 cross domain overlay. This profile
              should be considered in active development. Additional
              tailoring will be needed, such as the creation of RBAC roles
              for production deployment.

       United States Government Configuration Baseline (USGCB)
              Profile ID: xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

              This profile is a working draft for a USGCB submission against
              RHEL6 Server.

       Server Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

       Standard System Security Profile for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.

       Desktop Baseline
              Profile ID: xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.

       DISA STIG for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Red Hat Enterprise Linux 6.

              In addition to being applicable to RHEL6, DISA recognizes this
              configuration baseline as applicable to the operating system
              tier of Red Hat technologies that are based on RHEL6, such as
              RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
              Storage deployments.

       FTP Server Profile (vsftpd)
              Profile ID: xccdf_org.ssgproject.content_profile_ftp-server

              This is a profile for the vsftpd FTP server.

       Example Server Profile
              Profile ID: xccdf_org.ssgproject.content_profile_CS2

              This profile is an example of a customized server profile.

       FISMA Medium for Red Hat Enterprise Linux 6
              Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

              FISMA Medium for Red Hat Enterprise Linux 6.

       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
              Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

              This is a *draft* SCAP profile for Red Hat Certified Cloud
              Providers.
821 Source Datastream: ssg-rhel7-ds.xml
822
823 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
824 broken into 'profiles', groupings of security settings that correlate
825 to a known policy. Available profiles are:
826
827
828
829 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
830
831 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
832
833 Ensures PCI-DSS v3.2.1 security configuration settings are
834 applied.
835
836
837 C2S for Red Hat Enterprise Linux 7
838
839 Profile ID: xccdf_org.ssgproject.content_profile_C2S
840
841 This profile demonstrates compliance against the U.S. Government
842 Commercial Cloud Services (C2S) baseline.
843
844 This baseline was inspired by the Center for Internet Security
845 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
846
847 For the SCAP Security Guide project to remain in compliance with
848 CIS' terms and conditions, specifically Restrictions(8), note
849 there is no representation or claim that the C2S profile will
850 ensure a system is in compliance or consistency with the CIS
851 baseline.
852
853
854 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
855 (RHELH)
856
857 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
858
859 This *draft* profile contains configuration checks that align to
860 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
861 (RHELH).
862
863
864 DRAFT - ANSSI DAT-NT28 (high)
865
866 Profile ID: xccdf_org.ssgproject.content_pro‐
867 file_anssi_nt28_high
868
869 Draft profile for ANSSI compliance at the high level. ANSSI
870 stands for Agence nationale de la sécurité des systèmes d'infor‐
871 mation. Based on https://www.ssi.gouv.fr/.
872
873
874 Health Insurance Portability and Accountability Act (HIPAA)
875
876 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
877
878 The HIPAA Security Rule establishes U.S. national standards to
879 protect individuals’ electronic personal health information that
880 is created, received, used, or maintained by a covered entity.
881 The Security Rule requires appropriate administrative, physical
882 and technical safeguards to ensure the confidentiality,
883 integrity, and security of electronic protected health informa‐
884 tion.
885
886 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
887 Security Rule identified for securing of electronic protected
888 health information.
889
890
891 Standard System Security Profile for Red Hat Enterprise Linux 7
892
893 Profile ID: xccdf_org.ssgproject.content_profile_standard
894
895 This profile contains rules to ensure standard security baseline
896 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
897 tem's workload all of these checks should pass.
898
899
900 DRAFT - ANSSI DAT-NT28 (intermediary)
901
902 Profile ID: xccdf_org.ssgproject.content_pro‐
903 file_anssi_nt28_intermediary
904
905 Draft profile for ANSSI compliance at the intermediary level.
906 ANSSI stands for Agence nationale de la sécurité des systèmes
907 d'information. Based on https://www.ssi.gouv.fr/.
908
909
910 Unclassified Information in Non-federal Information Systems and Organi‐
911 zations (NIST 800-171)
912
913 Profile ID: xccdf_org.ssgproject.content_profile_cui
914
915 From NIST 800-171, Section 2.2: Security requirements for pro‐
916 tecting the confidentiality of CUI in non-federal information
917 systems and organizations have a well-defined structure that
918 consists of:
919
920 (i) a basic security requirements section; (ii) a derived secu‐
921 rity requirements section.
922
923 The basic security requirements are obtained from FIPS Publica‐
924 tion 200, which provides the high-level and fundamental security
925 requirements for federal information and information systems.
926 The derived security requirements, which supplement the basic
927 security requirements, are taken from the security controls in
928 NIST Special Publication 800-53.
929
930 This profile configures Red Hat Enterprise Linux 7 to the NIST
931 Special Publication 800-53 controls identified for securing Con‐
932 trolled Unclassified Information (CUI).
933
934
935 NIST National Checklist Program Security Guide
936
937 Profile ID: xccdf_org.ssgproject.content_profile_ncp
938
939 This compliance profile reflects the core set of security
940 related configuration settings for deployment of Red Hat Enter‐
941 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
942 agencies. Development partners and sponsors include the U.S.
943 National Institute of Standards and Technology (NIST), U.S.
944 Department of Defense, the National Security Agency, and Red
945 Hat.
946
947 This baseline implements configuration requirements from the
948 following sources:
949
950 - Committee on National Security Systems Instruction No. 1253
951 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
952 800-171) - NIST 800-53 control selections for MODERATE impact
953 systems (NIST 800-53) - U.S. Government Configuration Baseline
954 (USGCB) - NIAP Protection Profile for General Purpose Operating
955 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
956 Requirements Guide (OS SRG)
957
958 For any differing configuration requirements, e.g. password
959 lengths, the stricter security setting was chosen. Security
960 Requirement Traceability Guides (RTMs) and sample System Secu‐
961 rity Configuration Guides are provided via the scap-security-
962 guide-docs package.
963
964 This profile reflects U.S. Government consensus content and is
965 developed through the OpenSCAP/SCAP Security Guide initiative,
966 championed by the National Security Agency. Except for differ‐
967 ences in formatting to accommodate publishing processes, this
968 profile mirrors OpenSCAP/SCAP Security Guide content as minor
969 divergences, such as bugfixes, work through the consensus and
970 release processes.
971
972

DRAFT - ANSSI DAT-NT28 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.


Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


DISA STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R4.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.


DRAFT - ANSSI DAT-NT28 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.


OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.


Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 7 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.



Source Datastream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information.


Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload all of these checks should pass.


Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).


Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.


Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers.



Source Datastream: ssg-rhosp13-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 13 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


RHOSP STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

Sample profile description.



Source Datastream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Virtualization Host (RHVH) 4.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.


[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Virtualization Host (RHVH).



Source Datastream: ssg-sl6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

This is a *draft* profile for PCI-DSS v3.


Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for Red Hat Enterprise Linux 6 acting as a server.


Standard System Security Profile for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload all of these checks should pass.


Desktop Baseline

Profile ID: xccdf_org.ssgproject.content_profile_desktop

This profile is for a desktop installation of Red Hat Enterprise Linux 6.



Source Datastream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass.



Source Datastream: ssg-sle11-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for SUSE Linux Enterprise 11 acting as a server.


Standard System Security Profile for SUSE Linux Enterprise 11

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 11 system. Regardless of your system's workload all of these checks should pass.



Source Datastream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 12 system. Regardless of your system's workload all of these checks should pass.



Source Datastream: ssg-ubuntu1404-ds.xml

The Guide to the Secure Configuration of Ubuntu 14.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Standard System Security Profile for Ubuntu 14.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 14.04 system. Regardless of your system's workload all of these checks should pass.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontrolled networks.



Source Datastream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 16.04 system. Regardless of your system's workload all of these checks should pass.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontrolled networks.



Source Datastream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontrolled networks.



Source Datastream: ssg-wrlinux1019-ds.xml

The Guide to the Secure Configuration of WRLinux 1019 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


DRAFT DISA STIG for Wind River Linux

Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa

This profile contains configuration checks that align to the DISA STIG for Wind River Linux. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. What is the status of the Wind River Linux STIG? The Wind River Linux STIG is in development under the DoD consensus model and Wind River has started the process to get approval from DISA. However, in the absence of an approved SRG or STIG, vendor recommendations may be used instead. The current contents constitute the vendor recommendations at the time of the product release containing these contents. Note that changes are expected before approval is granted, and those changes will be made available in future Wind River Linux Security Profile 1019 RCPL releases. More information, including the following, is available from the DISA FAQs at https://public.cyber.mil/stigs/faqs/


Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.


Source Datastream: ssg-wrlinux8-ds.xml

The Guide to the Secure Configuration of WRLinux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:


Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.



To scan your system utilizing the OpenSCAP utility against the ospp profile:

oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Additional details can be found on the project's wiki page: https://www.github.com/OpenSCAP/scap-security-guide/wiki



/usr/share/xml/scap/ssg/content
    Houses SCAP content utilizing the following naming conventions:

    SCAP Source Datastreams: ssg-{product}-ds.xml
    CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
    CPE OVAL Content: ssg-{product}-cpe-oval.xml
    OVAL Content: ssg-{product}-oval.xml
    XCCDF Content: ssg-{product}-xccdf.xml

/usr/share/doc/scap-security-guide/guides/
    HTML versions of SSG profiles.

/usr/share/scap-security-guide/ansible/
    Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/bash/
    Contains Bash remediation scripts for SSG profiles.


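The scan command and the file naming conventions above, worked through as an added example that is not part of scap-security-guide: it builds the oscap argv for a product/profile pair from the ssg-{product}-ds.xml convention and the xccdf_org.ssgproject.content_profile_ prefix, then summarises the XCCDF results file that --results writes. The results document is a constructed sample with placeholder rule ids, not real SSG rule names.

```python
"""Added example (not part of scap-security-guide): build the oscap command
for a product/profile pair from the naming conventions in FILES, and
summarise the XCCDF results file that --results writes."""
import shlex
import socket
import xml.etree.ElementTree as ET
from collections import Counter

CONTENT_DIR = "/usr/share/xml/scap/ssg/content"      # from the FILES section
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def build_scan_command(product, profile, hostname=None):
    """Return argv for 'oscap xccdf eval' against the source datastream
    ssg-{product}-ds.xml, expanding a short profile name such as 'ospp'
    to its full XCCDF profile id.  Mirrors the man page's example command
    but targets the datastream rather than the bare XCCDF file."""
    hostname = hostname or socket.gethostname()
    return [
        "oscap", "xccdf", "eval",
        "--profile", PROFILE_PREFIX + profile,
        "--results", f"/tmp/{hostname}-ssg-results.xml",
        "--report", f"/tmp/{hostname}-ssg-results.html",
        "--oval-results",
        f"{CONTENT_DIR}/ssg-{product}-ds.xml",
    ]


def summarise_results(xml_text):
    """Parse an XCCDF 1.2 results document and return
    (counts per result value, list of rule ids that failed or errored).
    'notapplicable', 'notchecked' and 'notselected' are counted but are
    not findings, so a scan with only those still reports zero failures."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    findings = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF_NS}}}result")
        counts[result] += 1
        if result in ("fail", "error"):
            findings.append(rr.get("idref"))
    return counts, findings


# Constructed sample of what --results produces; rule ids are placeholders,
# not real SSG rule names.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_1" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_2" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_3" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_4" severity="medium">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    # Print the command an operator would run, then the summary of the sample.
    print(shlex.join(build_scan_command("rhel8", "ospp")))
    counts, findings = summarise_results(SAMPLE_RESULTS)
    print(dict(counts))
    for rule_id in findings:
        print("FINDING:", rule_id)
```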

The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an open source project, community participation extends into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as maintainers and leaders, there are no commercial support contracts or service level agreements provided by Red Hat.

Support, for both users and developers, is provided through the SCAP Security Guide community.

Homepage: https://www.open-scap.org/security-policies/scap-security-guide

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use vendor produced SCAP content in absence of "Governmental Authority" checklists. The specific NIST verbiage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority



DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA." The output of this authority is the DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to "automate" compliance reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community enjoys close collaboration directly with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called SCAP Security Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-guide. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as updates from multiple sources work through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7 STIG contains only XCCDF content and is available online: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Content published against the public.cyber.mil website is authoritative STIG content. The SCAP Security Guide project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators make program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no blanket approval.



oscap(8)


Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


version 1                        26 Jan 2013                    scap-security-guide(8)