scap-security-guide(8)      System Manager's Manual     scap-security-guide(8)


NAME

       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).


DESCRIPTION

       The project provides practical security hardening advice for Red Hat
       products, and also links it to compliance requirements in order to ease
       deployment activities, such as certification and accreditation. These
       include requirements of the U.S. government (Federal, Defense, and
       Intelligence Community) as well as of the financial services and health
       care industries. For example, high-level and widely-accepted policies
       such as NIST 800-53 provide prose stating that System Administrators
       must audit "privileged user actions," but do not define what
       "privileged actions" are. The SSG bridges the gap between generalized
       policy requirements and specific implementation guidance, in SCAP
       formats to support automation whenever possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-centos6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload all of these checks should pass.

       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.

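       Each Source Datastream listed in this page bundles an XCCDF benchmark
       whose Profile elements carry the Profile IDs shown under each heading.
       The Python script below is an added example, not code from
       scap-security-guide or OpenSCAP: it parses a constructed miniature
       datastream that mirrors the element layout of the ssg-*-ds.xml files,
       lists each profile with the rules it selects, shows which rules one
       profile adds over another, and builds the oscap command line that
       evaluates a chosen profile. The profile titles, rule IDs and file
       names inside the sample are constructed for the example.

```python
"""List profiles in a SCAP source datastream and build the oscap command
that evaluates one of them.

Added example; not code from scap-security-guide or OpenSCAP.  The sample
datastream below is constructed to mirror the element layout of the
ssg-*-ds.xml files (ds:data-stream-collection > ds:component >
xccdf:Benchmark > xccdf:Profile); its titles and rule IDs are illustrative.
"""
import shlex
import xml.etree.ElementTree as ET

# XML namespaces used by SCAP 1.2 source datastreams and XCCDF 1.2.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
# All SSG profile IDs share this prefix (see the Profile ID lines above).
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# Constructed sample: two profiles sharing one rule; pci-dss adds a second
# rule and explicitly de-selects a third.
SAMPLE_DS = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.open-scap_collection_from_xccdf_sample-xccdf-1.2.xml">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_sample-xccdf-1.2.xml"/>
  <ds:component id="scap_org.open-scap_comp_sample-xccdf-1.2.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard">
        <xccdf:title>Standard System Security Profile for Sample OS</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS Control Baseline for Sample OS</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml: str) -> dict:
    """Map each profile ID to its title and the rule IDs it selects.

    Only <select selected="true"> entries count; an explicit selected="false"
    is how a profile drops a rule that the benchmark enables by default.
    """
    root = ET.fromstring(ds_xml)
    profiles = {}
    for prof in root.iterfind(".//xccdf:Benchmark/xccdf:Profile", NS):
        rules = [
            sel.get("idref")
            for sel in prof.iterfind("xccdf:select", NS)
            if sel.get("selected") == "true"
        ]
        profiles[prof.get("id")] = {
            "title": prof.findtext("xccdf:title", default="", namespaces=NS),
            "rules": rules,
        }
    return profiles


def full_profile_id(name: str) -> str:
    """Accept either a short name (pci-dss) or the full XCCDF profile ID and
    return the full ID that the datastream uses."""
    return name if name.startswith(PROFILE_PREFIX) else PROFILE_PREFIX + name


def rules_added_by(profiles: dict, profile: str, baseline: str) -> list:
    """Rules selected by `profile` that `baseline` does not select."""
    base = set(profiles[full_profile_id(baseline)]["rules"])
    return [r for r in profiles[full_profile_id(profile)]["rules"] if r not in base]


def oscap_eval_command(datastream: str, profile: str, results: str) -> list:
    """argv for `oscap xccdf eval` against one profile of a datastream;
    --results keeps the XCCDF result file so the scan can be reviewed later."""
    return [
        "oscap", "xccdf", "eval",
        "--profile", full_profile_id(profile),
        "--results", results,
        datastream,
    ]


if __name__ == "__main__":
    found = list_profiles(SAMPLE_DS)
    for pid, info in found.items():
        print(f"{pid}\n    {info['title']} ({len(info['rules'])} rules selected)")
    print("pci-dss adds:", rules_added_by(found, "pci-dss", "standard"))
    print(shlex.join(oscap_eval_command("ssg-rhel7-ds.xml", "pci-dss", "results.xml")))
```

       Pointing list_profiles at a real ssg-*-ds.xml from this package
       reproduces the Profile ID lists on this page from the file itself,
       which is a useful check that the installed content matches the
       documented profiles before a scan is scheduled.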

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-centos7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload all of these checks should pass.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

       Source Datastream:  ssg-centos8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 8 system. Regardless of
              your system's workload all of these checks should pass.


Profiles in Guide to the Secure Configuration of Chromium

       Source Datastream:  ssg-chromium-ds.xml

       The Guide to the Secure Configuration of Chromium is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream STIG for Google Chromium

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Google Chromium STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.


Profiles in Guide to the Secure Configuration of Debian 8

       Source Datastream:  ssg-debian8-ds.xml

       The Guide to the Secure Configuration of Debian 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Standard System Security Profile for Debian 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Debian 8 system. Regardless of your system's
              workload all of these checks should pass.

       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


Profiles in Guide to the Secure Configuration of Debian 9

       Source Datastream:  ssg-debian9-ds.xml

       The Guide to the Secure Configuration of Debian 9 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Standard System Security Profile for Debian 9

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Debian 9 system. Regardless of your system's
              workload all of these checks should pass.

       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


Profiles in Guide to the Secure Configuration of JBoss EAP 6

       Source Datastream:  ssg-eap6-ds.xml

       The Guide to the Secure Configuration of JBoss EAP 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       STIG for JBoss Enterprise Application Platform 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.


Profiles in Guide to the Secure Configuration of Fedora

       Source Datastream:  ssg-fedora-ds.xml

       The Guide to the Secure Configuration of Fedora is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Standard System Security Profile for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Fedora system. Regardless of your system's
              workload all of these checks should pass.

       OSPP - Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              As Fedora is a moving target, this profile does not guarantee
              to provide the security levels required of US National Security
              Systems. The main goal of the profile is to provide Fedora
              developers with a hardened environment similar to the one
              mandated for US National Security Systems.


Profiles in Guide to the Secure Configuration of Firefox

       Source Datastream:  ssg-firefox-ds.xml

       The Guide to the Secure Configuration of Firefox is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream Firefox STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Firefox STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.


Profiles in Guide to the Secure Configuration of JBoss Fuse 6

       Source Datastream:  ssg-fuse6-ds.xml

       The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for JBoss

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of JBoss Fuse. Regardless of your system's workload all
              of these checks should pass.

       STIG for Apache ActiveMQ

              Profile ID:  xccdf_org.ssgproject.content_profile_amq-stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

       STIG for JBoss Fuse 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.


Profiles in Guide to the Secure Configuration of Java Runtime Environment

       Source Datastream:  ssg-jre-ds.xml

       The Guide to the Secure Configuration of Java Runtime Environment is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Java Runtime Environment (JRE) STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              The Java Runtime Environment (JRE) is a bundle developed and
              offered by Oracle Corporation which includes the Java Virtual
              Machine (JVM), class libraries, and other components necessary
              to run Java applications and applets. Certain default settings
              within the JRE pose a security risk, so it is necessary to
              deploy system-wide properties to ensure a higher degree of
              security when utilizing the JRE.

              The IBM Corporation also develops and bundles the Java Runtime
              Environment (JRE), as does Red Hat with OpenJDK.


Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3

       Source Datastream:  ssg-ocp3-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 3 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       Open Computing Information Security Profile for OpenShift Node

              Profile ID:  xccdf_org.ssgproject.content_profile_opencis-node

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.

       Open Computing Information Security Profile for OpenShift Master Node

              Profile ID:  xccdf_org.ssgproject.content_profile_opencis-master

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.


Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

       Source Datastream:  ssg-ocp4-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 4 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       Open Computing Information Security Profile for OpenShift Node

              Profile ID:  xccdf_org.ssgproject.content_profile_opencis-node

              This baseline was inspired by the Center for Internet Security
              (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

              For the ComplianceAsCode project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the OpenCIS profile
              will ensure a system is in compliance or consistency with the
              CIS baseline.


Profiles in Guide to the Secure Configuration of Oracle Linux 7

       Source Datastream:  ssg-ol7-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 7 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Standard System Security Profile for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 7 system. Regardless of your
              system's workload all of these checks should pass.

       Security Profile of Oracle Linux 7 for SAP

              Profile ID:  xccdf_org.ssgproject.content_profile_sap

              This profile contains rules for the Oracle Linux 7 Operating
              System in compliance with SAP note 2069760 and SAP Security
              Baseline Template version 1.9 Item I-8 and section 4.1.2.2.
              Regardless of your system's workload all of these checks should
              pass.

       DRAFT - DISA STIG for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for the STIG for Oracle Linux 7.


Profiles in Guide to the Secure Configuration of Oracle Linux 8

       Source Datastream:  ssg-ol8-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       PCI-DSS v3 Control Baseline Draft for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3 related security configuration settings are
              applied.

       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Oracle Linux 8 to the HIPAA Security
              Rule identified for securing electronic protected health
              information.

       Standard System Security Profile for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Oracle Linux 8 system. Regardless of your
              system's workload all of these checks should pass.

       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement
              the basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Oracle Linux 8 to the NIST Special
              Publication 800-53 controls identified for securing Controlled
              Unclassified Information (CUI).

       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from the FBI's CJIS v5.4 Security
              Policy. A copy of this policy can be found at the CJIS Security
              Policy Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

       [DRAFT] OSPP - Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              This profile is currently under review. Use of this profile does
              not denote or guarantee NIAP approval or certification until
              this profile has been approved by NIAP.


Profiles in Guide to the Secure Configuration of openSUSE

       Source Datastream:  ssg-opensuse-ds.xml

       The Guide to the Secure Configuration of openSUSE is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Standard System Security Profile for openSUSE

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an openSUSE system. Regardless of your system's
              workload all of these checks should pass.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-rhel6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.

       CNSSI 1253 Low/Low/Low Control Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

              This profile follows the Committee on National Security Systems
              Instruction (CNSSI) No. 1253, "Security Categorization and
              Control Selection for National Security Systems" on security
              controls to meet low confidentiality, low integrity, and low
              assurance.

       C2S for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_C2S

              This profile demonstrates compliance against the U.S. Government
              Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013.

              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.

       CSCF RHEL6 MLS Core Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

              This profile reflects the Centralized Super Computing Facility
              (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
              has received government ATO through the ICD 503 process,
              utilizing the CNSSI 1253 cross domain overlay. This profile
              should be considered in active development. Additional
              tailoring will be needed, such as the creation of RBAC roles
              for production deployment.

       United States Government Configuration Baseline (USGCB)

              Profile ID:  xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

              This profile is a working draft for a USGCB submission against
              RHEL6 Server.

       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.

       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload all of these checks should pass.

       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.

       DISA STIG for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Red Hat Enterprise Linux 6.

              In addition to being applicable to RHEL6, DISA recognizes this
              configuration baseline as applicable to the operating system
              tier of Red Hat technologies that are based on RHEL6, such as
              RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
              Storage deployments.

       FTP Server Profile (vsftpd)

              Profile ID:  xccdf_org.ssgproject.content_profile_ftp-server

              This is a profile for the vsftpd FTP server.

       Example Server Profile

              Profile ID:  xccdf_org.ssgproject.content_profile_CS2

              This profile is an example of a customized server profile.

       FISMA Medium for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

              FISMA Medium for Red Hat Enterprise Linux 6.

       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp

              This is a *draft* SCAP profile for Red Hat Certified Cloud
              Providers.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-rhel7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.


       C2S for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_C2S

              This profile demonstrates compliance against the U.S. Government
              Commercial Cloud Services (C2S) baseline.

              This baseline was inspired by the Center for Internet Security
              (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

              For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note
              there is no representation or claim that the C2S profile will
              ensure a system is in compliance or consistency with the CIS
              baseline.


       [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
       (RHELH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-stig

              This *draft* profile contains configuration checks that align to
              the DISA STIG for Red Hat Enterprise Linux Virtualization Host
              (RHELH).


       DRAFT - ANSSI DAT-NT28 (high)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_high

              Draft profile for ANSSI compliance at the high level. ANSSI
              stands for Agence nationale de la sécurité des systèmes
              d'information. Based on https://www.ssi.gouv.fr/.


       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Red Hat Enterprise Linux 7 to the HIPAA
              Security Rule identified for securing electronic protected
              health information.


       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload, all of these checks should pass.


       DRAFT - ANSSI DAT-NT28 (intermediary)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

              Draft profile for ANSSI compliance at the intermediary level.
              ANSSI stands for Agence nationale de la sécurité des systèmes
              d'information. Based on https://www.ssi.gouv.fr/.


       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in non-federal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement
              the basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 7 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).


       NIST National Checklist Program Security Guide

              Profile ID:  xccdf_org.ssgproject.content_profile_ncp

              This compliance profile reflects the core set of
              security-related configuration settings for deployment of Red
              Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and
              Civilian agencies. Development partners and sponsors include
              the U.S. National Institute of Standards and Technology (NIST),
              U.S. Department of Defense, the National Security Agency, and
              Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST Controlled Unclassified Information (NIST 800-171)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for General Purpose Operating Systems
                v4.2.1 (OSPP v4.2.1)
              - DISA Operating System Security Requirements Guide (OS SRG)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the OpenSCAP/SCAP Security Guide initiative,
              championed by the National Security Agency. Except for
              differences in formatting to accommodate publishing processes,
              this profile mirrors OpenSCAP/SCAP Security Guide content as
              minor divergences, such as bugfixes, work through the consensus
              and release processes.


       DRAFT - ANSSI DAT-NT28 (enhanced)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

              Draft profile for ANSSI compliance at the enhanced level. ANSSI
              stands for Agence nationale de la sécurité des systèmes
              d'information. Based on https://www.ssi.gouv.fr/.


       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from the FBI's CJIS v5.4 Security
              Policy. A copy of this policy can be found at the CJIS Security
              Policy Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


       DISA STIG for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Red Hat Enterprise Linux V1R4.

              In addition to being applicable to Red Hat Enterprise Linux 7,
              DISA recognizes this configuration baseline as applicable to the
              operating system tier of Red Hat technologies that are based on
              Red Hat Enterprise Linux 7, such as:

              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 7 image


       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
       Enterprise Linux Hypervisor (RHELH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-vpp

              This compliance profile reflects the core set of
              security-related configuration settings for deployment of Red
              Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense,
              Intelligence, and Civilian agencies. Development partners and
              sponsors include the U.S. National Institute of Standards and
              Technology (NIST), U.S. Department of Defense, the National
              Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode project, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.


       DRAFT - ANSSI DAT-NT28 (minimal)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

              Draft profile for ANSSI compliance at the minimal level. ANSSI
              stands for Agence nationale de la sécurité des systèmes
              d'information. Based on https://www.ssi.gouv.fr/.


       OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2.1).

              This configuration profile is consistent with CNSSI-1253, which
              requires U.S. National Security Systems to adhere to certain
              configuration parameters. Accordingly, this configuration
              profile is suitable for use in U.S. National Security Systems.


       Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Red Hat
              Enterprise Linux 7 that align to the Australian Cyber Security
              Centre (ACSC) Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/publications/essential-eight-in-linux-environments


       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp

              This profile contains the minimum security-relevant
              configuration settings recommended by Red Hat, Inc. for Red Hat
              Enterprise Linux 7 instances deployed by Red Hat Certified Cloud
              Providers.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

       Source Datastream:  ssg-rhel8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.


       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals' electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Red Hat Enterprise Linux 8 to the HIPAA
              Security Rule identified for securing electronic protected
              health information.


       Standard System Security Profile for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 8 system. Regardless of
              your system's workload, all of these checks should pass.


       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in nonfederal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement
              the basic security requirements, are taken from the security
              controls in NIST Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 8 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).


       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from the FBI's CJIS v5.4 Security
              Policy. A copy of this policy can be found at the CJIS Security
              Policy Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


       Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2.1).

              This configuration profile is consistent with CNSSI-1253, which
              requires U.S. National Security Systems to adhere to certain
              configuration parameters. Accordingly, this configuration
              profile is suitable for use in U.S. National Security Systems.


       Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Red Hat
              Enterprise Linux 8 that align to the Australian Cyber Security
              Centre (ACSC) Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/publications/essential-eight-in-linux-environments


       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp

              This profile contains the minimum security-relevant
              configuration settings recommended by Red Hat, Inc. for Red Hat
              Enterprise Linux 8 instances deployed by Red Hat Certified Cloud
              Providers.


Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 13

       Source Datastream:  ssg-rhosp13-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
       is broken into 'profiles', groupings of security settings that
       correlate to a known policy. Available profiles are:



       RHOSP STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              Sample profile description.


Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4

       Source Datastream:  ssg-rhv4-ds.xml

       The Guide to the Secure Configuration of Red Hat Virtualization 4 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
       Virtualization Host (RHVH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-vpp

              This compliance profile reflects the core set of
              security-related configuration settings for deployment of Red
              Hat Virtualization Host (RHVH) 4.x into U.S. Defense,
              Intelligence, and Civilian agencies. Development partners and
              sponsors include the U.S. National Institute of Standards and
              Technology (NIST), U.S. Department of Defense, the National
              Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode project, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.


       [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-stig

              This *draft* profile contains configuration checks that align to
              the DISA STIG for Red Hat Virtualization Host (RHVH).


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

       Source Datastream:  ssg-sl6-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              This is a *draft* profile for PCI-DSS v3.


       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for Red Hat Enterprise Linux 6 acting as a
              server.


       Standard System Security Profile for Red Hat Enterprise Linux 6

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 6 system. Regardless of
              your system's workload, all of these checks should pass.


       Desktop Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_desktop

              This profile is for a desktop installation of Red Hat Enterprise
              Linux 6.


Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-sl7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.


       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a Red Hat Enterprise Linux 7 system. Regardless of
              your system's workload, all of these checks should pass.


Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 11

       Source Datastream:  ssg-sle11-ds.xml

       The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       Server Baseline

              Profile ID:  xccdf_org.ssgproject.content_profile_server

              This profile is for SUSE Linux Enterprise 11 acting as a server.


       Standard System Security Profile for SUSE Linux Enterprise 11

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a SUSE Linux Enterprise 11 system. Regardless of
              your system's workload, all of these checks should pass.


Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12

       Source Datastream:  ssg-sle12-ds.xml

       The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:



       Standard System Security Profile for SUSE Linux Enterprise 12

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of a SUSE Linux Enterprise 12 system. Regardless of
              your system's workload, all of these checks should pass.


Profiles in Guide to the Secure Configuration of Ubuntu 14.04

       Source Datastream:  ssg-ubuntu1404-ds.xml

       The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


       Standard System Security Profile for Ubuntu 14.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 14.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher-level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


Profiles in Guide to the Secure Configuration of Ubuntu 16.04

       Source Datastream:  ssg-ubuntu1604-ds.xml

       The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


       Standard System Security Profile for Ubuntu 16.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 16.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher-level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


Profiles in Guide to the Secure Configuration of Ubuntu 18.04

       Source Datastream:  ssg-ubuntu1804-ds.xml

       The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.


       Standard System Security Profile for Ubuntu 18.04

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline of an Ubuntu 18.04 system. Regardless of your system's
              workload, all of these checks should pass.


       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.


       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher-level security stacks.


       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.


Profiles in Guide to the Secure Configuration of WRLinux 1019

       Source Datastream:  ssg-wrlinux1019-ds.xml

       The Guide to the Secure Configuration of WRLinux 1019 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       DRAFT DISA STIG for Wind River Linux

              Profile ID:  xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa

              This profile contains configuration checks that align to the
              DISA STIG for Wind River Linux. This profile is being developed
              under the DoD consensus model to become a STIG in coordination
              with DISA FSO. The Wind River Linux STIG is in development
              under the DoD consensus model and Wind River has started the
              process to get approval from DISA. However, in the absence of
              an approved SRG or STIG, vendor recommendations may be used
              instead. The current contents constitute the vendor
              recommendations at the time of the product release containing
              these contents. Note that changes are expected before approval
              is granted, and those changes will be made available in future
              Wind River Linux Security Profile 1019 RCPL releases. More
              information is available from the DISA FAQs at
              https://public.cyber.mil/stigs/faqs/


       Basic Profile for Embedded Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_basic-embedded

              This profile contains items common to many embedded Linux
              installations. Regardless of your system's deployment
              objective, all of these checks should pass.





Profiles in Guide to the Secure Configuration of WRLinux 8

       Source Datastream:  ssg-wrlinux8-ds.xml

       The Guide to the Secure Configuration of WRLinux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       Basic Profile for Embedded Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_basic-embedded

              This profile contains items common to many embedded Linux
              installations. Regardless of your system's deployment
              objective, all of these checks should pass.






EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the ospp
       profile:

       oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/OpenSCAP/scap-security-guide/wiki




FILES

       /usr/share/xml/scap/ssg/content
              Houses SCAP content utilizing the following naming conventions:

              SCAP Source Datastreams: ssg-{product}-ds.xml

              CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

              CPE OVAL Content: ssg-{product}-cpe-oval.xml

              OVAL Content: ssg-{product}-oval.xml

              XCCDF Content: ssg-{product}-xccdf.xml

       /usr/share/doc/scap-security-guide/guides/
              HTML versions of SSG profiles.

       /usr/share/scap-security-guide/ansible/
              Contains Ansible Playbooks for SSG profiles.

       /usr/share/scap-security-guide/bash/
              Contains Bash remediation scripts for SSG profiles.


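       The following Python is an added example, not code from the
       scap-security-guide project, tying together the EXAMPLES scan and the
       FILES naming conventions: it lists the XCCDF profiles of a datastream
       (what `oscap info` shows), resolves a short profile name such as
       "ospp" to its full xccdf_org.ssgproject.content_profile_ id, builds
       the oscap command line against the ssg-{product}-ds.xml datastream,
       and maps the oscap exit status. The XML is a constructed, trimmed
       stand-in for a real datastream; "myhost" and /tmp are assumed values.

```python
"""Inspect SSG datastream profiles and build the oscap invocation (added example)."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF}
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# Constructed sample. A real ssg-{product}-ds.xml wraps this Benchmark in a
# ds:data-stream-collection, but the Profile structure is the same.
SAMPLE_DS = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Profile id="{PROFILE_PREFIX}ospp">
    <title>Protection Profile for General Purpose Operating Systems</title>
    <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/>
  </Profile>
  <Profile id="{PROFILE_PREFIX}pci-dss">
    <title>PCI-DSS v3 Control Baseline</title>
  </Profile>
</Benchmark>"""


def list_profiles(xml_text):
    """Return {profile_id: title} for every XCCDF Profile in the document."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): (p.findtext("xccdf:title", default="", namespaces=NS) or "").strip()
            for p in root.iter(f"{{{XCCDF}}}Profile")}


def resolve_profile(xml_text, name):
    """Accept either the full id or the short suffix ('ospp') used in EXAMPLES."""
    ids = list_profiles(xml_text)
    for pid in ids:
        if pid == name or pid == PROFILE_PREFIX + name:
            return pid
    raise KeyError(f"no profile named {name!r}; available: {sorted(ids)}")


def oscap_command(product, profile, out_dir="/tmp", host="myhost"):
    """argv for the EXAMPLES scan, but fed the ssg-{product}-ds.xml source datastream."""
    ds = f"/usr/share/xml/scap/ssg/content/ssg-{product}-ds.xml"
    return ["oscap", "xccdf", "eval", "--profile", profile,
            "--results", f"{out_dir}/{host}-ssg-results.xml",
            "--report", f"{out_dir}/{host}-ssg-results.html",
            "--oval-results", ds]


def interpret_exit(code):
    """oscap xccdf eval: 0 = all selected rules pass, 2 = at least one rule failed, 1 = error."""
    return {0: "pass", 2: "fail", 1: "error"}.get(code, "unknown")
```

       Run the returned argv with subprocess.run and pass its returncode to
       interpret_exit; a "fail" is a compliance finding, an "error" means the
       scan itself did not complete and the results must not be trusted.
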

STATEMENT OF SUPPORT

       The SCAP Security Guide, an open source project jointly maintained by
       Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat
       technologies. As an open source project, community participation
       extends into U.S. Department of Defense agencies, civilian agencies,
       academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended
       Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
       Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and
       Red Hat engineers are involved as maintainers and leaders, there are no
       commercial support contracts or service level agreements provided by
       Red Hat.

       Support, for both users and developers, is provided through the SCAP
       Security Guide community.

       Homepage:  https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List:  https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide




DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided
       content. Per guidance from the U.S. National Institute of Standards
       and Technology (NIST), U.S. Government programs are allowed to use
       vendor produced SCAP content in the absence of "Governmental Authority"
       checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority




DEPLOYMENT TO U.S. MILITARY SYSTEMS

       DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
       products incorporated into DoD information systems shall be configured
       in accordance with DoD-approved security configuration guidelines" and
       tasks the Defense Information Systems Agency (DISA) to "develop and
       provide security configuration guidance for IA and IA-enabled IT
       products in coordination with Director, NSA." The output of this
       authority is the DISA Security Technical Implementation Guides, or
       STIGs. DISA FSO is in the process of moving the STIGs towards the use
       of the NIST Security Content Automation Protocol (SCAP) in order to
       "automate" compliance reporting of the STIGs.

       Through a common, shared vision, the SCAP Security Guide community
       enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
       stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
       Version 1, Release 2, issued on 03-JUNE-2013:

       "The consensus content was developed using an open-source project
       called SCAP Security Guide. The project's website is
       https://www.open-scap.org/security-policies/scap-security-guide.
       Except for differences in formatting to accommodate the DISA STIG
       publishing process, the content of the Red Hat Enterprise Linux 6 STIG
       should mirror the SCAP Security Guide content with only minor
       divergence as updates from multiple sources work through the consensus
       process."

       The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
       released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7
       STIG contains only XCCDF content and is available online:
       https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

       Content published on the public.cyber.mil website is authoritative
       STIG content. The SCAP Security Guide project, as noted in the STIG
       overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content.
       Individual programs and C&A evaluators make program-level
       determinations on the direct usage of the SCAP Security Guide.
       Currently there is no blanket approval.




SEE ALSO

       oscap(8)




AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



version 1                         26 Jan 2013           scap-security-guide(8)