1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice for Red Hat
14 products, and also links it to compliance requirements in order to ease
15 deployment activities, such as certification and accreditation. These
16 include requirements in the U.S. government (Federal, Defense, and
17 Intelligence Community) as well as of the financial services and health
18 care industries. For example, high-level and widely-accepted policies
19 such as NIST 800-53 provides prose stating that System Administrators
20 must audit "privileged user actions," but do not define what "privi‐
21 leged actions" are. The SSG bridges the gap between generalized policy
22 requirements and specific implementation guidance, in SCAP formats to
23 support automation whenever possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-centos6-ds.xml
32 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
40 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
42 This is a *draft* profile for PCI-DSS v3.
44 Server Baseline
47 Profile ID: xccdf_org.ssgproject.content_profile_server
49 This profile is for Red Hat Enterprise Linux 6 acting as a
51 server.
52 Standard System Security Profile for Red Hat Enterprise Linux 6
55 Profile ID: xccdf_org.ssgproject.content_profile_standard
57 This profile contains rules to ensure standard security baseline
59 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
60 tem's workload all of these checks should pass.
61 Desktop Baseline
64 Profile ID: xccdf_org.ssgproject.content_profile_desktop
66 This profile is for a desktop installation of Red Hat Enterprise
68 Linux 6.
69
75 Source Datastream: ssg-centos7-ds.xml
76 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
78 broken into 'profiles', groupings of security settings that correlate
79 to a known policy. Available profiles are:
80 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
84 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
86 Ensures PCI-DSS v3.2.1 security configuration settings are
88 applied.
89 Standard System Security Profile for Red Hat Enterprise Linux 7
92 Profile ID: xccdf_org.ssgproject.content_profile_standard
94 This profile contains rules to ensure standard security baseline
96 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
97 tem's workload all of these checks should pass.
98
104 Source Datastream: ssg-centos8-ds.xml
105 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
107 broken into 'profiles', groupings of security settings that correlate
108 to a known policy. Available profiles are:
109 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
113 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
115 Ensures PCI-DSS v3.2.1 security configuration settings are
117 applied.
118 Standard System Security Profile for Red Hat Enterprise Linux 8
121 Profile ID: xccdf_org.ssgproject.content_profile_standard
123 This profile contains rules to ensure standard security baseline
125 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
126 tem's workload all of these checks should pass.
127
133 Source Datastream: ssg-chromium-ds.xml
134 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
136 files', groupings of security settings that correlate to a known pol‐
137 icy. Available profiles are:
138 Upstream STIG for Google Chromium
142 Profile ID: xccdf_org.ssgproject.content_profile_stig
144 This profile is developed under the DoD consensus model and DISA
146 FSO Vendor STIG process, serving as the upstream development
147 environment for the Google Chromium STIG.
148 As a result of the upstream/downstream relationship between the
150 SCAP Security Guide project and the official DISA FSO STIG base‐
151 line, users should expect variance between SSG and DISA FSO con‐
152 tent. For official DISA FSO STIG content, refer to https://pub‐
153 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
154 rity%2Cbrowser-guidance.
155 While this profile is packaged by Red Hat as part of the SCAP
157 Security Guide package, please note that commercial support of
158 this SCAP content is NOT available. This profile is provided as
159 example SCAP content with no endorsement for suitability or pro‐
160 duction readiness. Support for this profile is provided by the
161 upstream SCAP Security Guide community on a best-effort basis.
162 The upstream project homepage is https://www.open-scap.org/secu‐
163 rity-policies/scap-security-guide/.
164
170 Source Datastream: ssg-debian8-ds.xml
171 The Guide to the Secure Configuration of Debian 8 is broken into 'pro‐
173 files', groupings of security settings that correlate to a known pol‐
174 icy. Available profiles are:
175 Profile for ANSSI DAT-NT28 Minimal Level
179 Profile ID: xccdf_org.ssgproject.content_pro‐
181 file_anssi_np_nt28_minimal
182 This profile contains items to be applied systematically.
184 Standard System Security Profile for Debian 8
187 Profile ID: xccdf_org.ssgproject.content_profile_standard
189 This profile contains rules to ensure standard security baseline
191 of a Debian 8 system. Regardless of your system's workload all
192 of these checks should pass.
193 Profile for ANSSI DAT-NT28 Restrictive Level
196 Profile ID: xccdf_org.ssgproject.content_pro‐
198 file_anssi_np_nt28_restrictive
199 This profile contains items for GNU/Linux installations exposed
201 to unauthenticated flows or multiple sources.
202 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
205 Profile ID: xccdf_org.ssgproject.content_pro‐
207 file_anssi_np_nt28_average
208 This profile contains items for GNU/Linux installations already
210 protected by multiple higher level security stacks.
211 Profile for ANSSI DAT-NT28 High (Enforced) Level
214 Profile ID: xccdf_org.ssgproject.content_pro‐
216 file_anssi_np_nt28_high
217 This profile contains items for GNU/Linux installations storing
219 sensitive informations that can be accessible from unauthenti‐
220 cated or uncontroled networks.
221
227 Source Datastream: ssg-debian9-ds.xml
228 The Guide to the Secure Configuration of Debian 9 is broken into 'pro‐
230 files', groupings of security settings that correlate to a known pol‐
231 icy. Available profiles are:
232 Profile for ANSSI DAT-NT28 Minimal Level
236 Profile ID: xccdf_org.ssgproject.content_pro‐
238 file_anssi_np_nt28_minimal
239 This profile contains items to be applied systematically.
241 Standard System Security Profile for Debian 9
244 Profile ID: xccdf_org.ssgproject.content_profile_standard
246 This profile contains rules to ensure standard security baseline
248 of a Debian 9 system. Regardless of your system's workload all
249 of these checks should pass.
250 Profile for ANSSI DAT-NT28 Restrictive Level
253 Profile ID: xccdf_org.ssgproject.content_pro‐
255 file_anssi_np_nt28_restrictive
256 This profile contains items for GNU/Linux installations exposed
258 to unauthenticated flows or multiple sources.
259 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
262 Profile ID: xccdf_org.ssgproject.content_pro‐
264 file_anssi_np_nt28_average
265 This profile contains items for GNU/Linux installations already
267 protected by multiple higher level security stacks.
268 Profile for ANSSI DAT-NT28 High (Enforced) Level
271 Profile ID: xccdf_org.ssgproject.content_pro‐
273 file_anssi_np_nt28_high
274 This profile contains items for GNU/Linux installations storing
276 sensitive informations that can be accessible from unauthenti‐
277 cated or uncontroled networks.
278
284 Source Datastream: ssg-eap6-ds.xml
285 The Guide to the Secure Configuration of JBoss EAP 6 is broken into
287 'profiles', groupings of security settings that correlate to a known
288 policy. Available profiles are:
289 STIG for JBoss Enterprise Application Platform 6
293 Profile ID: xccdf_org.ssgproject.content_profile_stig
295 This is a *draft* profile for STIG. This profile is being devel‐
297 oped under the DoD consensus model to become a STIG in coordina‐
298 tion with DISA FSO.
299
305 Source Datastream: ssg-fedora-ds.xml
306 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
308 files', groupings of security settings that correlate to a known pol‐
309 icy. Available profiles are:
310 PCI-DSS v3 Control Baseline for Fedora
314 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
316 Ensures PCI-DSS v3 related security configuration settings are
318 applied.
319 Standard System Security Profile for Fedora
322 Profile ID: xccdf_org.ssgproject.content_profile_standard
324 This profile contains rules to ensure standard security baseline
326 of a Fedora system. Regardless of your system's workload all of
327 these checks should pass.
328 OSPP - Protection Profile for General Purpose Operating Systems
331 Profile ID: xccdf_org.ssgproject.content_profile_ospp
333 This profile reflects mandatory configuration controls identi‐
335 fied in the NIAP Configuration Annex to the Protection Profile
336 for General Purpose Operating Systems (Protection Profile Ver‐
337 sion 4.2).
338 As Fedora OS is moving target, this profile does not guarantee
340 to provide security levels required from US National Security
341 Systems. Main goal of the profile is to provide Fedora develop‐
342 ers with hardened environment similar to the one mandated by US
343 National Security Systems.
344
350 Source Datastream: ssg-firefox-ds.xml
351 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
353 files', groupings of security settings that correlate to a known pol‐
354 icy. Available profiles are:
355 Upstream Firefox STIG
359 Profile ID: xccdf_org.ssgproject.content_profile_stig
361 This profile is developed under the DoD consensus model and DISA
363 FSO Vendor STIG process, serving as the upstream development
364 environment for the Firefox STIG.
365 As a result of the upstream/downstream relationship between the
367 SCAP Security Guide project and the official DISA FSO STIG base‐
368 line, users should expect variance between SSG and DISA FSO con‐
369 tent. For official DISA FSO STIG content, refer to https://pub‐
370 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
371 rity%2Cbrowser-guidance.
372 While this profile is packaged by Red Hat as part of the SCAP
374 Security Guide package, please note that commercial support of
375 this SCAP content is NOT available. This profile is provided as
376 example SCAP content with no endorsement for suitability or pro‐
377 duction readiness. Support for this profile is provided by the
378 upstream SCAP Security Guide community on a best-effort basis.
379 The upstream project homepage is https://www.open-scap.org/secu‐
380 rity-policies/scap-security-guide/.
381
387 Source Datastream: ssg-fuse6-ds.xml
388 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
390 'profiles', groupings of security settings that correlate to a known
391 policy. Available profiles are:
392 Standard System Security Profile for JBoss
396 Profile ID: xccdf_org.ssgproject.content_profile_standard
398 This profile contains rules to ensure standard security baseline
400 of JBoss Fuse. Regardless of your system's workload all of these
401 checks should pass.
402 STIG for Apache ActiveMQ
405 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
407 This is a *draft* profile for STIG. This profile is being devel‐
409 oped under the DoD consensus model to become a STIG in coordina‐
410 tion with DISA FSO.
411 STIG for JBoss Fuse 6
414 Profile ID: xccdf_org.ssgproject.content_profile_stig
416 This is a *draft* profile for STIG. This profile is being devel‐
418 oped under the DoD consensus model to become a STIG in coordina‐
419 tion with DISA FSO.
420
426 Source Datastream: ssg-jre-ds.xml
427 The Guide to the Secure Configuration of Java Runtime Environment is
429 broken into 'profiles', groupings of security settings that correlate
430 to a known policy. Available profiles are:
431 Java Runtime Environment (JRE) STIG
435 Profile ID: xccdf_org.ssgproject.content_profile_stig
437 The Java Runtime Environment (JRE) is a bundle developed and
439 offered by Oracle Corporation which includes the Java Virtual
440 Machine (JVM), class libraries, and other components necessary
441 to run Java applications and applets. Certain default settings
442 within the JRE pose a security risk so it is necessary to deploy
443 system wide properties to ensure a higher degree of security
444 when utilizing the JRE.
445 The IBM Corporation also develops and bundles the Java Runtime
447 Environment (JRE) as well as Red Hat with OpenJDK.
448
454 Platform 3
455 Source Datastream: ssg-ocp3-ds.xml
456 The Guide to the Secure Configuration of Red Hat OpenShift Container
458 Platform 3 is broken into 'profiles', groupings of security settings
459 that correlate to a known policy. Available profiles are:
460 Open Computing Information Security Profile for OpenShift Node
464 Profile ID: xccdf_org.ssgproject.content_profile_opencis-node
466 This baseline was inspired by the Center for Internet Security
468 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
469 For the ComplianceAsCode project to remain in compliance with
471 CIS' terms and conditions, specifically Restrictions(8), note
472 there is no representation or claim that the OpenCIS profile
473 will ensure a system is in compliance or consistency with the
474 CIS baseline.
475 Open Computing Information Security Profile for OpenShift Master Node
478 Profile ID: xccdf_org.ssgproject.content_profile_opencis-master
480 This baseline was inspired by the Center for Internet Security
482 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
483 For the ComplianceAsCode project to remain in compliance with
485 CIS' terms and conditions, specifically Restrictions(8), note
486 there is no representation or claim that the OpenCIS profile
487 will ensure a system is in compliance or consistency with the
488 CIS baseline.
489
495 Platform 4
496 Source Datastream: ssg-ocp4-ds.xml
497 The Guide to the Secure Configuration of Red Hat OpenShift Container
499 Platform 4 is broken into 'profiles', groupings of security settings
500 that correlate to a known policy. Available profiles are:
501 Open Computing Information Security Profile for OpenShift Node
505 Profile ID: xccdf_org.ssgproject.content_profile_opencis-node
507 This baseline was inspired by the Center for Internet Security
509 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
510 For the ComplianceAsCode project to remain in compliance with
512 CIS' terms and conditions, specifically Restrictions(8), note
513 there is no representation or claim that the OpenCIS profile
514 will ensure a system is in compliance or consistency with the
515 CIS baseline.
516
522 Source Datastream: ssg-ol7-ds.xml
523 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
525 'profiles', groupings of security settings that correlate to a known
526 policy. Available profiles are:
527 PCI-DSS v3 Control Baseline Draft for Oracle Linux 7
531 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
533 Ensures PCI-DSS v3 related security configuration settings are
535 applied.
536 Standard System Security Profile for Oracle Linux 7
539 Profile ID: xccdf_org.ssgproject.content_profile_standard
541 This profile contains rules to ensure standard security baseline
543 of Oracle Linux 7 system. Regardless of your system's workload
544 all of these checks should pass.
545 Security Profile of Oracle Linux 7 for SAP
548 Profile ID: xccdf_org.ssgproject.content_profile_sap
550 This profile contains rules for Oracle Linux 7 Operating System
552 in compliance with SAP note 2069760 and SAP Security Baseline
553 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
554 of your system's workload all of these checks should pass.
555 DRAFT - DISA STIG for Oracle Linux 7
558 Profile ID: xccdf_org.ssgproject.content_profile_stig
560 This is a *draft* profile for STIG for Oracle Linux 7.
562
568 Source Datastream: ssg-ol8-ds.xml
569 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
571 'profiles', groupings of security settings that correlate to a known
572 policy. Available profiles are:
573 PCI-DSS v3 Control Baseline Draft for Oracle Linux 8
577 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
579 Ensures PCI-DSS v3 related security configuration settings are
581 applied.
582 Health Insurance Portability and Accountability Act (HIPAA)
585 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
587 The HIPAA Security Rule establishes U.S. national standards to
589 protect individuals’ electronic personal health information that
590 is created, received, used, or maintained by a covered entity.
591 The Security Rule requires appropriate administrative, physical
592 and technical safeguards to ensure the confidentiality,
593 integrity, and security of electronic protected health informa‐
594 tion.
595 This profile configures Oracle Linux 8 to the HIPAA Security
597 Rule identified for securing of electronic protected health
598 information.
599 Standard System Security Profile for Oracle Linux 8
602 Profile ID: xccdf_org.ssgproject.content_profile_standard
604 This profile contains rules to ensure standard security baseline
606 of Oracle Linux 8 system. Regardless of your system's workload
607 all of these checks should pass.
608 Unclassified Information in Non-federal Information Systems and Organi‐
611 zations (NIST 800-171)
612 Profile ID: xccdf_org.ssgproject.content_profile_cui
614 From NIST 800-171, Section 2.2: Security requirements for pro‐
616 tecting the confidentiality of CUI in nonfederal information
617 systems and organizations have a well-defined structure that
618 consists of:
619 (i) a basic security requirements section; (ii) a derived secu‐
621 rity requirements section.
622 The basic security requirements are obtained from FIPS Publica‐
624 tion 200, which provides the high-level and fundamental security
625 requirements for federal information and information systems.
626 The derived security requirements, which supplement the basic
627 security requirements, are taken from the security controls in
628 NIST Special Publication 800-53.
629 This profile configures Oracle Linux 8 to the NIST Special Pub‐
631 lication 800-53 controls identified for securing Controlled
632 Unclassified Information (CUI).
633 Criminal Justice Information Services (CJIS) Security Policy
636 Profile ID: xccdf_org.ssgproject.content_profile_cjis
638 This profile is derived from FBI's CJIS v5.4 Security Policy. A
640 copy of this policy can be found at the CJIS Security Policy
641 Resource Center:
642 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
644 center
645 [DRAFT] OSPP - Protection Profile for General Purpose Operating Systems
648 Profile ID: xccdf_org.ssgproject.content_profile_ospp
650 This profile reflects mandatory configuration controls identi‐
652 fied in the NIAP Configuration Annex to the Protection Profile
653 for General Purpose Operating Systems (Protection Profile Ver‐
654 sion 4.2).
655 This profile is currently under review. Use of this profile does
657 not denote or guarantee NIAP approval or certification until
658 this profile has been approved by NIAP.
659
665 Source Datastream: ssg-opensuse-ds.xml
666 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
668 files', groupings of security settings that correlate to a known pol‐
669 icy. Available profiles are:
670 Standard System Security Profile for openSUSE
674 Profile ID: xccdf_org.ssgproject.content_profile_standard
676 This profile contains rules to ensure standard security baseline
678 of an openSUSE system. Regardless of your system's workload all
679 of these checks should pass.
680
686 Source Datastream: ssg-rhel6-ds.xml
687 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
689 broken into 'profiles', groupings of security settings that correlate
690 to a known policy. Available profiles are:
691 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
695 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
697 This is a *draft* profile for PCI-DSS v3.
699 CNSSI 1253 Low/Low/Low Control Baseline
702 Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL
704 This profile follows the Committee on National Security Systems
706 Instruction (CNSSI) No. 1253, "Security Categorization and Con‐
707 trol Selection for National Security Systems" on security con‐
708 trols to meet low confidentiality, low integrity, and low assur‐
709 ance.
710 C2S for Red Hat Enterprise Linux 6
713 Profile ID: xccdf_org.ssgproject.content_profile_C2S
715 This profile demonstrates compliance against the U.S. Government
717 Commercial Cloud Services (C2S) baseline. nThis baseline was
718 inspired by the Center for Internet Security (CIS) Red Hat
719 Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. For the SCAP
720 Security Guide project to remain in compliance with CIS' terms
721 and conditions, specifically Restrictions(8), note there is no
722 representation or claim that the C2S profile will ensure a sys‐
723 tem is in compliance or consistency with the CIS baseline.
724 CSCF RHEL6 MLS Core Baseline
727 Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS
729 This profile reflects the Centralized Super Computing Facility
731 (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
732 has received government ATO through the ICD 503 process, utiliz‐
733 ing the CNSSI 1253 cross domain overlay. This profile should be
734 considered in active development. Additional tailoring will be
735 needed, such as the creation of RBAC roles for production
736 deployment.
737 United States Government Configuration Baseline (USGCB)
740 Profile ID: xccdf_org.ssgproject.content_profile_usgcb-
742 rhel6-server
743 This profile is a working draft for a USGCB submission against
745 RHEL6 Server.
746 Server Baseline
749 Profile ID: xccdf_org.ssgproject.content_profile_server
751 This profile is for Red Hat Enterprise Linux 6 acting as a
753 server.
754 Standard System Security Profile for Red Hat Enterprise Linux 6
757 Profile ID: xccdf_org.ssgproject.content_profile_standard
759 This profile contains rules to ensure standard security baseline
761 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
762 tem's workload all of these checks should pass.
763 Desktop Baseline
766 Profile ID: xccdf_org.ssgproject.content_profile_desktop
768 This profile is for a desktop installation of Red Hat Enterprise
770 Linux 6.
771 DISA STIG for Red Hat Enterprise Linux 6
774 Profile ID: xccdf_org.ssgproject.content_profile_stig
776 This profile contains configuration checks that align to the
778 DISA STIG for Red Hat Enterprise Linux 6.
779 In addition to being applicable to RHEL6, DISA recognizes this
781 configuration baseline as applicable to the operating system
782 tier of Red Hat technologies that are based on RHEL6, such as
783 RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
784 Storage deployments.
785 FTP Server Profile (vsftpd)
788 Profile ID: xccdf_org.ssgproject.content_profile_ftp-server
790 This is a profile for the vsftpd FTP server.
792 Example Server Profile
795 Profile ID: xccdf_org.ssgproject.content_profile_CS2
797 This profile is an example of a customized server profile.
799 FISMA Medium for Red Hat Enterprise Linux 6
802 Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-
804 rhel6-server
805 FISMA Medium for Red Hat Enterprise Linux 6.
807 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
810 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
812 This is a *draft* SCAP profile for Red Hat Certified Cloud
814 Providers
815
821 Source Datastream: ssg-rhel7-ds.xml
822 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
824 broken into 'profiles', groupings of security settings that correlate
825 to a known policy. Available profiles are:
826 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
830 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
832 Ensures PCI-DSS v3.2.1 security configuration settings are
834 applied.
835 C2S for Red Hat Enterprise Linux 7
838 Profile ID: xccdf_org.ssgproject.content_profile_C2S
840 This profile demonstrates compliance against the U.S. Government
842 Commercial Cloud Services (C2S) baseline.
843 This baseline was inspired by the Center for Internet Security
845 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
846 For the SCAP Security Guide project to remain in compliance with
848 CIS' terms and conditions, specifically Restrictions(8), note
849 there is no representation or claim that the C2S profile will
850 ensure a system is in compliance or consistency with the CIS
851 baseline.
852 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
855 (RHELH)
856 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
858 This *draft* profile contains configuration checks that align to
860 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
861 (RHELH).
862 DRAFT - ANSSI DAT-NT28 (high)
865 Profile ID: xccdf_org.ssgproject.content_pro‐
867 file_anssi_nt28_high
868 Draft profile for ANSSI compliance at the high level. ANSSI
870 stands for Agence nationale de la sécurité des systèmes d'infor‐
871 mation. Based on https://www.ssi.gouv.fr/.
872 Health Insurance Portability and Accountability Act (HIPAA)
875 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
877 The HIPAA Security Rule establishes U.S. national standards to
879 protect individuals’ electronic personal health information that
880 is created, received, used, or maintained by a covered entity.
881 The Security Rule requires appropriate administrative, physical
882 and technical safeguards to ensure the confidentiality,
883 integrity, and security of electronic protected health informa‐
884 tion.
885 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
887 Security Rule identified for securing of electronic protected
888 health information.
889 Standard System Security Profile for Red Hat Enterprise Linux 7
892 Profile ID: xccdf_org.ssgproject.content_profile_standard
894 This profile contains rules to ensure standard security baseline
896 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
897 tem's workload all of these checks should pass.
898 DRAFT - ANSSI DAT-NT28 (intermediary)
901 Profile ID: xccdf_org.ssgproject.content_pro‐
903 file_anssi_nt28_intermediary
904 Draft profile for ANSSI compliance at the intermediary level.
906 ANSSI stands for Agence nationale de la sécurité des systèmes
907 d'information. Based on https://www.ssi.gouv.fr/.
908 Unclassified Information in Non-federal Information Systems and Organi‐
911 zations (NIST 800-171)
912 Profile ID: xccdf_org.ssgproject.content_profile_cui
914 From NIST 800-171, Section 2.2: Security requirements for pro‐
916 tecting the confidentiality of CUI in non-federal information
917 systems and organizations have a well-defined structure that
918 consists of:
919 (i) a basic security requirements section; (ii) a derived secu‐
921 rity requirements section.
922 The basic security requirements are obtained from FIPS Publica‐
924 tion 200, which provides the high-level and fundamental security
925 requirements for federal information and information systems.
926 The derived security requirements, which supplement the basic
927 security requirements, are taken from the security controls in
928 NIST Special Publication 800-53.
929 This profile configures Red Hat Enterprise Linux 7 to the NIST
931 Special Publication 800-53 controls identified for securing Con‐
932 trolled Unclassified Information (CUI).
933 NIST National Checklist Program Security Guide
936 Profile ID: xccdf_org.ssgproject.content_profile_ncp
938 This compliance profile reflects the core set of security
940 related configuration settings for deployment of Red Hat Enter‐
941 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
942 agencies. Development partners and sponsors include the U.S.
943 National Institute of Standards and Technology (NIST), U.S.
944 Department of Defense, the National Security Agency, and Red
945 Hat.
946 This baseline implements configuration requirements from the
948 following sources:
949 - Committee on National Security Systems Instruction No. 1253
951 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
952 800-171) - NIST 800-53 control selections for MODERATE impact
953 systems (NIST 800-53) - U.S. Government Configuration Baseline
954 (USGCB) - NIAP Protection Profile for General Purpose Operating
955 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
956 Requirements Guide (OS SRG)
957 For any differing configuration requirements, e.g. password
959 lengths, the stricter security setting was chosen. Security
960 Requirement Traceability Guides (RTMs) and sample System Secu‐
961 rity Configuration Guides are provided via the scap-security-
962 guide-docs package.
963 This profile reflects U.S. Government consensus content and is
965 developed through the OpenSCAP/SCAP Security Guide initiative,
966 championed by the National Security Agency. Except for differ‐
967 ences in formatting to accommodate publishing processes, this
968 profile mirrors OpenSCAP/SCAP Security Guide content as minor
969 divergences, such as bugfixes, work through the consensus and
970 release processes.
971 DRAFT - ANSSI DAT-NT28 (enhanced)
974 Profile ID: xccdf_org.ssgproject.content_pro‐
976 file_anssi_nt28_enhanced
977 Draft profile for ANSSI compliance at the enhanced level. ANSSI
979 stands for Agence nationale de la sécurité des systèmes d'infor‐
980 mation. Based on https://www.ssi.gouv.fr/.
981 Criminal Justice Information Services (CJIS) Security Policy
984 Profile ID: xccdf_org.ssgproject.content_profile_cjis
986 This profile is derived from FBI's CJIS v5.4 Security Policy. A
988 copy of this policy can be found at the CJIS Security Policy
989 Resource Center:
990 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
992 center
993 DISA STIG for Red Hat Enterprise Linux 7
996 Profile ID: xccdf_org.ssgproject.content_profile_stig
998 This profile contains configuration checks that align to the
1000 DISA STIG for Red Hat Enterprise Linux V1R4.
1001 In addition to being applicable to Red Hat Enterprise Linux 7,
1003 DISA recognizes this configuration baseline as applicable to the
1004 operating system tier of Red Hat technologies that are based on
1005 Red Hat Enterprise Linux 7, such as:
1006 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1008 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1009 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1010 7 image
1011 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enter‐
1014 prise Linux Hypervisor (RHELH)
1015 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1017 This compliance profile reflects the core set of security
1019 related configuration settings for deployment of Red Hat Enter‐
1020 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1021 gence, and Civilian agencies. Development partners and sponsors
1022 include the U.S. National Institute of Standards and Technology
1023 (NIST), U.S. Department of Defense, the National Security
1024 Agency, and Red Hat.
1025 This baseline implements configuration requirements from the
1027 following sources:
1028 - Committee on National Security Systems Instruction No. 1253
1030 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1031 impact systems (NIST 800-53) - U.S. Government Configuration
1032 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1033 v1.0 (VPP v1.0)
1034 For any differing configuration requirements, e.g. password
1036 lengths, the stricter security setting was chosen. Security
1037 Requirement Traceability Guides (RTMs) and sample System Secu‐
1038 rity Configuration Guides are provided via the scap-security-
1039 guide-docs package.
1040 This profile reflects U.S. Government consensus content and is
1042 developed through the ComplianceAsCode project, championed by
1043 the National Security Agency. Except for differences in format‐
1044 ting to accommodate publishing processes, this profile mirrors
1045 ComplianceAsCode content as minor divergences, such as bugfixes,
1046 work through the consensus and release processes.
1047 DRAFT - ANSSI DAT-NT28 (minimal)
1050 Profile ID: xccdf_org.ssgproject.content_pro‐
1052 file_anssi_nt28_minimal
1053 Draft profile for ANSSI compliance at the minimal level. ANSSI
1055 stands for Agence nationale de la sécurité des systèmes d'infor‐
1056 mation. Based on https://www.ssi.gouv.fr/.
1057 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1060 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1062 This profile reflects mandatory configuration controls identi‐
1064 fied in the NIAP Configuration Annex to the Protection Profile
1065 for General Purpose Operating Systems (Protection Profile Ver‐
1066 sion 4.2.1).
1067 This configuration profile is consistent with CNSSI-1253, which
1069 requires U.S. National Security Systems to adhere to certain
1070 configuration parameters. Accordingly, this configuration pro‐
1071 file is suitable for use in U.S. National Security Systems.
1072 Australian Cyber Security Centre (ACSC) Essential Eight
1075 Profile ID: xccdf_org.ssgproject.content_profile_e8
1077 This profile contains configuration checks for Red Hat Enter‐
1079 prise Linux 7 that align to the Australian Cyber Security Centre
1080 (ACSC) Essential Eight.
1081 A copy of the Essential Eight in Linux Environments guide can be
1083 found at the ACSC website:
1084 https://www.cyber.gov.au/publications/essential-eight-in-linux-
1086 environments
1087 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1090 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1092 This profile contains the minimum security relevant configura‐
1094 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1095 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1096
1102 Source Datastream: ssg-rhel8-ds.xml
1103 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
1105 broken into 'profiles', groupings of security settings that correlate
1106 to a known policy. Available profiles are:
1107 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1111 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1113 Ensures PCI-DSS v3.2.1 security configuration settings are
1115 applied.
1116 Health Insurance Portability and Accountability Act (HIPAA)
1119 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1121 The HIPAA Security Rule establishes U.S. national standards to
1123 protect individuals’ electronic personal health information that
1124 is created, received, used, or maintained by a covered entity.
1125 The Security Rule requires appropriate administrative, physical
1126 and technical safeguards to ensure the confidentiality,
1127 integrity, and security of electronic protected health informa‐
1128 tion.
1129 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
1131 Security Rule identified for securing of electronic protected
1132 health information.
1133 Standard System Security Profile for Red Hat Enterprise Linux 8
1136 Profile ID: xccdf_org.ssgproject.content_profile_standard
1138 This profile contains rules to ensure standard security baseline
1140 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
1141 tem's workload all of these checks should pass.
1142 Unclassified Information in Non-federal Information Systems and Organi‐
1145 zations (NIST 800-171)
1146 Profile ID: xccdf_org.ssgproject.content_profile_cui
1148 From NIST 800-171, Section 2.2: Security requirements for pro‐
1150 tecting the confidentiality of CUI in nonfederal information
1151 systems and organizations have a well-defined structure that
1152 consists of:
1153 (i) a basic security requirements section; (ii) a derived secu‐
1155 rity requirements section.
1156 The basic security requirements are obtained from FIPS Publica‐
1158 tion 200, which provides the high-level and fundamental security
1159 requirements for federal information and information systems.
1160 The derived security requirements, which supplement the basic
1161 security requirements, are taken from the security controls in
1162 NIST Special Publication 800-53.
1163 This profile configures Red Hat Enterprise Linux 8 to the NIST
1165 Special Publication 800-53 controls identified for securing Con‐
1166 trolled Unclassified Information (CUI)."
1167 Criminal Justice Information Services (CJIS) Security Policy
1170 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1172 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1174 copy of this policy can be found at the CJIS Security Policy
1175 Resource Center:
1176 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1178 center
1179 Protection Profile for General Purpose Operating Systems
1182 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1184 This profile reflects mandatory configuration controls identi‐
1186 fied in the NIAP Configuration Annex to the Protection Profile
1187 for General Purpose Operating Systems (Protection Profile Ver‐
1188 sion 4.2.1).
1189 This configuration profile is consistent with CNSSI-1253, which
1191 requires U.S. National Security Systems to adhere to certain
1192 configuration parameters. Accordingly, this configuration pro‐
1193 file is suitable for use in U.S. National Security Systems.
1194 Australian Cyber Security Centre (ACSC) Essential Eight
1197 Profile ID: xccdf_org.ssgproject.content_profile_e8
1199 This profile contains configuration checks for Red Hat Enter‐
1201 prise Linux 8 that align to the Australian Cyber Security Centre
1202 (ACSC) Essential Eight.
1203 A copy of the Essential Eight in Linux Environments guide can be
1205 found at the ACSC website:
1206 https://www.cyber.gov.au/publications/essential-eight-in-linux-
1208 environments
1209 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1212 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1214 This profile contains the minimum security relevant configura‐
1216 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1217 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1218
1224 Source Datastream: ssg-rhosp13-ds.xml
1226 The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
1228 is broken into 'profiles', groupings of security settings that corre‐
1229 late to a known policy. Available profiles are:
1230 RHOSP STIG
1234 Profile ID: xccdf_org.ssgproject.content_profile_stig
1236 Sample profile description.
1238
1244 Source Datastream: ssg-rhv4-ds.xml
1245 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
1247 broken into 'profiles', groupings of security settings that correlate
1248 to a known policy. Available profiles are:
1249 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1253 ization Host (RHVH)
1254 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
1256 This compliance profile reflects the core set of security
1258 related configuration settings for deployment of Red Hat Virtu‐
1259 alization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
1260 Civilian agencies. Development partners and sponsors include
1261 the U.S. National Institute of Standards and Technology (NIST),
1262 U.S. Department of Defense, the National Security Agency, and
1263 Red Hat.
1264 This baseline implements configuration requirements from the
1266 following sources:
1267 - Committee on National Security Systems Instruction No. 1253
1269 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1270 impact systems (NIST 800-53) - U.S. Government Configuration
1271 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1272 v1.0 (VPP v1.0)
1273 For any differing configuration requirements, e.g. password
1275 lengths, the stricter security setting was chosen. Security
1276 Requirement Traceability Guides (RTMs) and sample System Secu‐
1277 rity Configuration Guides are provided via the scap-security-
1278 guide-docs package.
1279 This profile reflects U.S. Government consensus content and is
1281 developed through the ComplianceAsCode project, championed by
1282 the National Security Agency. Except for differences in format‐
1283 ting to accommodate publishing processes, this profile mirrors
1284 ComplianceAsCode content as minor divergences, such as bugfixes,
1285 work through the consensus and release processes.
1286 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
1289 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
1291 This *draft* profile contains configuration checks that align to
1293 the DISA STIG for Red Hat Virtualization Host (RHVH).
1294
1300 Source Datastream: ssg-sl6-ds.xml
1301 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
1303 broken into 'profiles', groupings of security settings that correlate
1304 to a known policy. Available profiles are:
1305 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
1309 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1311 This is a *draft* profile for PCI-DSS v3.
1313 Server Baseline
1316 Profile ID: xccdf_org.ssgproject.content_profile_server
1318 This profile is for Red Hat Enterprise Linux 6 acting as a
1320 server.
1321 Standard System Security Profile for Red Hat Enterprise Linux 6
1324 Profile ID: xccdf_org.ssgproject.content_profile_standard
1326 This profile contains rules to ensure standard security baseline
1328 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
1329 tem's workload all of these checks should pass.
1330 Desktop Baseline
1333 Profile ID: xccdf_org.ssgproject.content_profile_desktop
1335 This profile is for a desktop installation of Red Hat Enterprise
1337 Linux 6.
1338
1344 Source Datastream: ssg-sl7-ds.xml
1345 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1347 broken into 'profiles', groupings of security settings that correlate
1348 to a known policy. Available profiles are:
1349 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1353 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1355 Ensures PCI-DSS v3.2.1 security configuration settings are
1357 applied.
1358 Standard System Security Profile for Red Hat Enterprise Linux 7
1361 Profile ID: xccdf_org.ssgproject.content_profile_standard
1363 This profile contains rules to ensure standard security baseline
1365 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1366 tem's workload all of these checks should pass.
1367
1373 Source Datastream: ssg-sle11-ds.xml
1374 The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is
1376 broken into 'profiles', groupings of security settings that correlate
1377 to a known policy. Available profiles are:
1378 Server Baseline
1382 Profile ID: xccdf_org.ssgproject.content_profile_server
1384 This profile is for SUSE Enterprise Linux 11 acting as a server.
1386 Standard System Security Profile for SUSE Linux Enterprise 11
1389 Profile ID: xccdf_org.ssgproject.content_profile_standard
1391 This profile contains rules to ensure standard security baseline
1393 of a SUSE Linux Enterprise 11 system. Regardless of your sys‐
1394 tem's workload all of these checks should pass.
1395
1401 Source Datastream: ssg-sle12-ds.xml
1402 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
1404 broken into 'profiles', groupings of security settings that correlate
1405 to a known policy. Available profiles are:
1406 Standard System Security Profile for SUSE Linux Enterprise 12
1410 Profile ID: xccdf_org.ssgproject.content_profile_standard
1412 This profile contains rules to ensure standard security baseline
1414 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
1415 tem's workload all of these checks should pass.
1416
1422 Source Datastream: ssg-ubuntu1404-ds.xml
1423 The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
1425 'profiles', groupings of security settings that correlate to a known
1426 policy. Available profiles are:
1427 Profile for ANSSI DAT-NT28 Minimal Level
1431 Profile ID: xccdf_org.ssgproject.content_pro‐
1433 file_anssi_np_nt28_minimal
1434 This profile contains items to be applied systematically.
1436 Standard System Security Profile for Ubuntu 14.04
1439 Profile ID: xccdf_org.ssgproject.content_profile_standard
1441 This profile contains rules to ensure standard security baseline
1443 of an Ubuntu 14.04 system. Regardless of your system's workload
1444 all of these checks should pass.
1445 Profile for ANSSI DAT-NT28 Restrictive Level
1448 Profile ID: xccdf_org.ssgproject.content_pro‐
1450 file_anssi_np_nt28_restrictive
1451 This profile contains items for GNU/Linux installations exposed
1453 to unauthenticated flows or multiple sources.
1454 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1457 Profile ID: xccdf_org.ssgproject.content_pro‐
1459 file_anssi_np_nt28_average
1460 This profile contains items for GNU/Linux installations already
1462 protected by multiple higher level security stacks.
1463 Profile for ANSSI DAT-NT28 High (Enforced) Level
1466 Profile ID: xccdf_org.ssgproject.content_pro‐
1468 file_anssi_np_nt28_high
1469 This profile contains items for GNU/Linux installations storing
1471 sensitive informations that can be accessible from unauthenti‐
1472 cated or uncontroled networks.
1473
1479 Source Datastream: ssg-ubuntu1604-ds.xml
1480 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
1482 'profiles', groupings of security settings that correlate to a known
1483 policy. Available profiles are:
1484 Profile for ANSSI DAT-NT28 Minimal Level
1488 Profile ID: xccdf_org.ssgproject.content_pro‐
1490 file_anssi_np_nt28_minimal
1491 This profile contains items to be applied systematically.
1493 Standard System Security Profile for Ubuntu 16.04
1496 Profile ID: xccdf_org.ssgproject.content_profile_standard
1498 This profile contains rules to ensure standard security baseline
1500 of an Ubuntu 16.04 system. Regardless of your system's workload
1501 all of these checks should pass.
1502 Profile for ANSSI DAT-NT28 Restrictive Level
1505 Profile ID: xccdf_org.ssgproject.content_pro‐
1507 file_anssi_np_nt28_restrictive
1508 This profile contains items for GNU/Linux installations exposed
1510 to unauthenticated flows or multiple sources.
1511 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1514 Profile ID: xccdf_org.ssgproject.content_pro‐
1516 file_anssi_np_nt28_average
1517 This profile contains items for GNU/Linux installations already
1519 protected by multiple higher level security stacks.
1520 Profile for ANSSI DAT-NT28 High (Enforced) Level
1523 Profile ID: xccdf_org.ssgproject.content_pro‐
1525 file_anssi_np_nt28_high
1526 This profile contains items for GNU/Linux installations storing
1528 sensitive informations that can be accessible from unauthenti‐
1529 cated or uncontroled networks.
1530
1536 Source Datastream: ssg-ubuntu1804-ds.xml
1537 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
1539 'profiles', groupings of security settings that correlate to a known
1540 policy. Available profiles are:
1541 Profile for ANSSI DAT-NT28 Minimal Level
1545 Profile ID: xccdf_org.ssgproject.content_pro‐
1547 file_anssi_np_nt28_minimal
1548 This profile contains items to be applied systematically.
1550 Standard System Security Profile for Ubuntu 18.04
1553 Profile ID: xccdf_org.ssgproject.content_profile_standard
1555 This profile contains rules to ensure standard security baseline
1557 of an Ubuntu 18.04 system. Regardless of your system's workload
1558 all of these checks should pass.
1559 Profile for ANSSI DAT-NT28 Restrictive Level
1562 Profile ID: xccdf_org.ssgproject.content_pro‐
1564 file_anssi_np_nt28_restrictive
1565 This profile contains items for GNU/Linux installations exposed
1567 to unauthenticated flows or multiple sources.
1568 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1571 Profile ID: xccdf_org.ssgproject.content_pro‐
1573 file_anssi_np_nt28_average
1574 This profile contains items for GNU/Linux installations already
1576 protected by multiple higher level security stacks.
1577 Profile for ANSSI DAT-NT28 High (Enforced) Level
1580 Profile ID: xccdf_org.ssgproject.content_pro‐
1582 file_anssi_np_nt28_high
1583 This profile contains items for GNU/Linux installations storing
1585 sensitive informations that can be accessible from unauthenti‐
1586 cated or uncontroled networks.
1587
1593 Source Datastream: ssg-wrlinux1019-ds.xml
1594 The Guide to the Secure Configuration of WRLinux 1019 is broken into
1596 'profiles', groupings of security settings that correlate to a known
1597 policy. Available profiles are:
1598 DRAFT DISA STIG for Wind River Linux
1602 Profile ID: xccdf_org.ssgproject.content_pro‐
1604 file_draft_stig_wrlinux_disa
1605 This profile contains configuration checks that align to the
1607 DISA STIG for Wind River Linux. This profile is being developed
1608 under the DoD consensus model to become a STIG in coordination
1609 with DISA FSO. What is the status of the Wind River Linux STIG?
1610 The Wind River Linux STIG is in development under the DoD con‐
1611 sensus model and Wind River has started the process to get
1612 approval from DISA. However, in the absence of an approved SRG
1613 or STIG, vendor recommendations may be used instead. The current
1614 contents constitute the vendor recommendations at the time of
1615 the product release containing these contents. Note that
1616 changes are expected before approval is granted, and those
1617 changes will be made available in future Wind River Linux Secu‐
1618 rity Profile 1019 RCPL releases. More information, including
1619 the following, is available from the DISA FAQs at https://pub‐
1620 lic.cyber.mil/stigs/faqs/
1621 Basic Profile for Embedded Systems
1624 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
1626 This profile contains items common to many embedded Linux
1628 installations. Regardless of your system's deployment objec‐
1629 tive, all of these checks should pass.
1630
1636 Source Datastream: ssg-wrlinux8-ds.xml
1637 The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
1639 files', groupings of security settings that correlate to a known pol‐
1640 icy. Available profiles are:
1641 Basic Profile for Embedded Systems
1645 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
1647 This profile contains items common to many embedded Linux
1649 installations. Regardless of your system's deployment objec‐
1650 tive, all of these checks should pass.
1651
1658 To scan your system utilizing the OpenSCAP utility against the ospp
1659 profile:
1660 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-
1662 results.xml --report /tmp/`hostname`-ssg-results.html --oval-results
1663 /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
1664 Additional details can be found on the projects wiki page:
1666 https://www.github.com/OpenSCAP/scap-security-guide/wiki
1667
1671 /usr/share/xml/scap/ssg/content
1672 Houses SCAP content utilizing the following naming conventions:
1673 SCAP Source Datastreams: ssg-{product}-ds.xml
1675 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
1677 CPE OVAL Content: ssg-{product}-cpe-oval.xml
1679 OVAL Content: ssg-{product}-oval.xml
1681 XCCDF Content: ssg-{product}-xccdf.xml
1683 /usr/share/doc/scap-security-guide/guides/
1685 HTML versions of SSG profiles.
1686 /usr/share/scap-security-guide/ansible/
1688 Contains Ansible Playbooks for SSG profiles.
1689 /usr/share/scap-security-guide/bash/
1691 Contains Bash remediation scripts for SSG profiles.
1692
1695 The SCAP Security Guide, an open source project jointly maintained by
1696 Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat tech‐
1697 nologies. As an open source project, community participation extends
1698 into U.S. Department of Defense agencies, civilian agencies, academia,
1699 and other industrial partners.
1700 SCAP Security Guide is provided to consumers through Red Hat's Extended
1702 Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
1703 Guide content is considered "vendor provided."
1704 Note that while Red Hat hosts the infrastructure for this project and
1706 Red Hat engineers are involved as maintainers and leaders, there is no
1707 commercial support contracts or service level agreements provided by
1708 Red Hat.
1709 Support, for both users and developers, is provided through the SCAP
1711 Security Guide community.
1712 Homepage: https://www.open-scap.org/security-policies/scap-security-
1714 guide
1715 Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-
1717 security-guide
1718
1722 SCAP Security Guide content is considered vendor (Red Hat) provided
1723 content. Per guidance from the U.S. National Institute of Standards
1724 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
1725 dor produced SCAP content in absence of "Governmental Authority" check‐
1726 lists. The specific NIST verbage:
1727 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
1728
1732 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
1733 products incorporated into DoD information systems shall be configured
1734 in accordance with DoD-approved security configuration guidelines" and
1735 tasks Defense Information Systems Agency (DISA) to "develop and provide
1736 security configuration guidance for IA and IA-enabled IT products in
1737 coordination with Director, NSA." The output of this authority is the
1738 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
1739 the process of moving the STIGs towards the use of the NIST Security
1740 Content Automation Protocol (SCAP) in order to "automate" compliance
1741 reporting of the STIGs.
1742 Through a common, shared vision, the SCAP Security Guide community
1744 enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
1745 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
1746 Version 1, Release 2, issued on 03-JUNE-2013:
1747 "The consensus content was developed using an open-source project
1749 called SCAP Security Guide. The project's website is https://www.open-
1750 scap.org/security-policies/scap-security-guide. Except for differences
1751 in formatting to accomodate the DISA STIG publishing process, the con‐
1752 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP
1753 Security Guide content with only minor divergence as updates from mul‐
1754 tiple sources work through the consensus process."
1755 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
1757 released in July 2019 Currently, the DoD Red Hat Enterprise Linux 7
1758 STIG contains only XCCDF content and is available online: https://pub‐
1759 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-sys‐
1760 tems%2Cunix-linux
1761 Content published against the public.cyber.mil website is authoritative
1763 STIG content. The SCAP Security Guide project, as noted in the STIG
1764 overview, is considered upstream content. Unlike DISA FSO, the SCAP
1765 Security Guide project does publish OVAL automation content. Individual
1766 programs and C&A evaluators make program-level determinations on the
1767 direct usage of the SCAP Security Guide. Currently there is no blanket
1768 approval.
1769
1773 oscap(8)
1774
1778 Please direct all questions to the SSG mailing list:
1779 https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
1780version 1 26 Jan 2013 scap-security-guide(8)