1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice for Red Hat
14 products, and also links it to compliance requirements in order to ease
15 deployment activities, such as certification and accreditation. These
16 include requirements in the U.S. government (Federal, Defense, and
17 Intelligence Community) as well as of the financial services and health
18 care industries. For example, high-level and widely-accepted policies
19 such as NIST 800-53 provides prose stating that System Administrators
20 must audit "privileged user actions," but do not define what "privi‐
21 leged actions" are. The SSG bridges the gap between generalized policy
22 requirements and specific implementation guidance, in SCAP formats to
23 support automation whenever possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-centos6-ds.xml
32 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
40 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
42 This is a *draft* profile for PCI-DSS v3.
44 Desktop Baseline
47 Profile ID: xccdf_org.ssgproject.content_profile_desktop
49 This profile is for a desktop installation of Red Hat Enterprise
51 Linux 6.
52 Server Baseline
55 Profile ID: xccdf_org.ssgproject.content_profile_server
57 This profile is for Red Hat Enterprise Linux 6 acting as a
59 server.
60 Standard System Security Profile for Red Hat Enterprise Linux 6
63 Profile ID: xccdf_org.ssgproject.content_profile_standard
65 This profile contains rules to ensure standard security baseline
67 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
68 tem's workload all of these checks should pass.
69
75 Source Datastream: ssg-centos7-ds.xml
76 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
78 broken into 'profiles', groupings of security settings that correlate
79 to a known policy. Available profiles are:
80 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
84 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
86 Ensures PCI-DSS v3.2.1 security configuration settings are
88 applied.
89 Standard System Security Profile for Red Hat Enterprise Linux 7
92 Profile ID: xccdf_org.ssgproject.content_profile_standard
94 This profile contains rules to ensure standard security baseline
96 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
97 tem's workload all of these checks should pass.
98
104 Source Datastream: ssg-centos8-ds.xml
105 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
107 broken into 'profiles', groupings of security settings that correlate
108 to a known policy. Available profiles are:
109 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
113 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
115 Ensures PCI-DSS v3.2.1 security configuration settings are
117 applied.
118 Standard System Security Profile for Red Hat Enterprise Linux 8
121 Profile ID: xccdf_org.ssgproject.content_profile_standard
123 This profile contains rules to ensure standard security baseline
125 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
126 tem's workload all of these checks should pass.
127
133 Source Datastream: ssg-chromium-ds.xml
134 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
136 files', groupings of security settings that correlate to a known pol‐
137 icy. Available profiles are:
138 Upstream STIG for Google Chromium
142 Profile ID: xccdf_org.ssgproject.content_profile_stig
144 This profile is developed under the DoD consensus model and DISA
146 FSO Vendor STIG process, serving as the upstream development
147 environment for the Google Chromium STIG.
148 As a result of the upstream/downstream relationship between the
150 SCAP Security Guide project and the official DISA FSO STIG base‐
151 line, users should expect variance between SSG and DISA FSO con‐
152 tent. For official DISA FSO STIG content, refer to https://pub‐
153 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
154 rity%2Cbrowser-guidance.
155 While this profile is packaged by Red Hat as part of the SCAP
157 Security Guide package, please note that commercial support of
158 this SCAP content is NOT available. This profile is provided as
159 example SCAP content with no endorsement for suitability or pro‐
160 duction readiness. Support for this profile is provided by the
161 upstream SCAP Security Guide community on a best-effort basis.
162 The upstream project homepage is https://www.open-scap.org/secu‐
163 rity-policies/scap-security-guide/.
164
170 Source Datastream: ssg-debian10-ds.xml
171 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
173 files', groupings of security settings that correlate to a known pol‐
174 icy. Available profiles are:
175 Profile for ANSSI DAT-NT28 Minimal Level
179 Profile ID: xccdf_org.ssgproject.content_pro‐
181 file_anssi_np_nt28_minimal
182 This profile contains items to be applied systematically.
184 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
187 Profile ID: xccdf_org.ssgproject.content_pro‐
189 file_anssi_np_nt28_average
190 This profile contains items for GNU/Linux installations already
192 protected by multiple higher level security stacks.
193 Standard System Security Profile for Debian 10
196 Profile ID: xccdf_org.ssgproject.content_profile_standard
198 This profile contains rules to ensure standard security baseline
200 of a Debian 10 system. Regardless of your system's workload all
201 of these checks should pass.
202 Profile for ANSSI DAT-NT28 Restrictive Level
205 Profile ID: xccdf_org.ssgproject.content_pro‐
207 file_anssi_np_nt28_restrictive
208 This profile contains items for GNU/Linux installations exposed
210 to unauthenticated flows or multiple sources.
211 Profile for ANSSI DAT-NT28 High (Enforced) Level
214 Profile ID: xccdf_org.ssgproject.content_pro‐
216 file_anssi_np_nt28_high
217 This profile contains items for GNU/Linux installations storing
219 sensitive informations that can be accessible from unauthenti‐
220 cated or uncontroled networks.
221
227 Source Datastream: ssg-debian8-ds.xml
228 The Guide to the Secure Configuration of Debian 8 is broken into 'pro‐
230 files', groupings of security settings that correlate to a known pol‐
231 icy. Available profiles are:
232 Profile for ANSSI DAT-NT28 Minimal Level
236 Profile ID: xccdf_org.ssgproject.content_pro‐
238 file_anssi_np_nt28_minimal
239 This profile contains items to be applied systematically.
241 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
244 Profile ID: xccdf_org.ssgproject.content_pro‐
246 file_anssi_np_nt28_average
247 This profile contains items for GNU/Linux installations already
249 protected by multiple higher level security stacks.
250 Standard System Security Profile for Debian 8
253 Profile ID: xccdf_org.ssgproject.content_profile_standard
255 This profile contains rules to ensure standard security baseline
257 of a Debian 8 system. Regardless of your system's workload all
258 of these checks should pass.
259 Profile for ANSSI DAT-NT28 Restrictive Level
262 Profile ID: xccdf_org.ssgproject.content_pro‐
264 file_anssi_np_nt28_restrictive
265 This profile contains items for GNU/Linux installations exposed
267 to unauthenticated flows or multiple sources.
268 Profile for ANSSI DAT-NT28 High (Enforced) Level
271 Profile ID: xccdf_org.ssgproject.content_pro‐
273 file_anssi_np_nt28_high
274 This profile contains items for GNU/Linux installations storing
276 sensitive informations that can be accessible from unauthenti‐
277 cated or uncontroled networks.
278
284 Source Datastream: ssg-debian9-ds.xml
285 The Guide to the Secure Configuration of Debian 9 is broken into 'pro‐
287 files', groupings of security settings that correlate to a known pol‐
288 icy. Available profiles are:
289 Profile for ANSSI DAT-NT28 Minimal Level
293 Profile ID: xccdf_org.ssgproject.content_pro‐
295 file_anssi_np_nt28_minimal
296 This profile contains items to be applied systematically.
298 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
301 Profile ID: xccdf_org.ssgproject.content_pro‐
303 file_anssi_np_nt28_average
304 This profile contains items for GNU/Linux installations already
306 protected by multiple higher level security stacks.
307 Standard System Security Profile for Debian 9
310 Profile ID: xccdf_org.ssgproject.content_profile_standard
312 This profile contains rules to ensure standard security baseline
314 of a Debian 9 system. Regardless of your system's workload all
315 of these checks should pass.
316 Profile for ANSSI DAT-NT28 Restrictive Level
319 Profile ID: xccdf_org.ssgproject.content_pro‐
321 file_anssi_np_nt28_restrictive
322 This profile contains items for GNU/Linux installations exposed
324 to unauthenticated flows or multiple sources.
325 Profile for ANSSI DAT-NT28 High (Enforced) Level
328 Profile ID: xccdf_org.ssgproject.content_pro‐
330 file_anssi_np_nt28_high
331 This profile contains items for GNU/Linux installations storing
333 sensitive informations that can be accessible from unauthenti‐
334 cated or uncontroled networks.
335
341 Source Datastream: ssg-eap6-ds.xml
342 The Guide to the Secure Configuration of JBoss EAP 6 is broken into
344 'profiles', groupings of security settings that correlate to a known
345 policy. Available profiles are:
346 STIG for JBoss Enterprise Application Platform 6
350 Profile ID: xccdf_org.ssgproject.content_profile_stig
352 This is a *draft* profile for STIG. This profile is being devel‐
354 oped under the DoD consensus model to become a STIG in coordina‐
355 tion with DISA FSO.
356
362 Source Datastream: ssg-fedora-ds.xml
363 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
365 files', groupings of security settings that correlate to a known pol‐
366 icy. Available profiles are:
367 PCI-DSS v3 Control Baseline for Fedora
371 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
373 Ensures PCI-DSS v3 related security configuration settings are
375 applied.
376 Standard System Security Profile for Fedora
379 Profile ID: xccdf_org.ssgproject.content_profile_standard
381 This profile contains rules to ensure standard security baseline
383 of a Fedora system. Regardless of your system's workload all of
384 these checks should pass.
385 OSPP - Protection Profile for General Purpose Operating Systems
388 Profile ID: xccdf_org.ssgproject.content_profile_ospp
390 This profile reflects mandatory configuration controls identi‐
392 fied in the NIAP Configuration Annex to the Protection Profile
393 for General Purpose Operating Systems (Protection Profile Ver‐
394 sion 4.2).
395 As Fedora OS is moving target, this profile does not guarantee
397 to provide security levels required from US National Security
398 Systems. Main goal of the profile is to provide Fedora develop‐
399 ers with hardened environment similar to the one mandated by US
400 National Security Systems.
401
407 Source Datastream: ssg-firefox-ds.xml
408 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
410 files', groupings of security settings that correlate to a known pol‐
411 icy. Available profiles are:
412 Upstream Firefox STIG
416 Profile ID: xccdf_org.ssgproject.content_profile_stig
418 This profile is developed under the DoD consensus model and DISA
420 FSO Vendor STIG process, serving as the upstream development
421 environment for the Firefox STIG.
422 As a result of the upstream/downstream relationship between the
424 SCAP Security Guide project and the official DISA FSO STIG base‐
425 line, users should expect variance between SSG and DISA FSO con‐
426 tent. For official DISA FSO STIG content, refer to https://pub‐
427 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
428 rity%2Cbrowser-guidance.
429 While this profile is packaged by Red Hat as part of the SCAP
431 Security Guide package, please note that commercial support of
432 this SCAP content is NOT available. This profile is provided as
433 example SCAP content with no endorsement for suitability or pro‐
434 duction readiness. Support for this profile is provided by the
435 upstream SCAP Security Guide community on a best-effort basis.
436 The upstream project homepage is https://www.open-scap.org/secu‐
437 rity-policies/scap-security-guide/.
438
444 Source Datastream: ssg-fuse6-ds.xml
445 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
447 'profiles', groupings of security settings that correlate to a known
448 policy. Available profiles are:
449 Standard System Security Profile for JBoss
453 Profile ID: xccdf_org.ssgproject.content_profile_standard
455 This profile contains rules to ensure standard security baseline
457 of JBoss Fuse. Regardless of your system's workload all of these
458 checks should pass.
459 STIG for JBoss Fuse 6
462 Profile ID: xccdf_org.ssgproject.content_profile_stig
464 This is a *draft* profile for STIG. This profile is being devel‐
466 oped under the DoD consensus model to become a STIG in coordina‐
467 tion with DISA FSO.
468 STIG for Apache ActiveMQ
471 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
473 This is a *draft* profile for STIG. This profile is being devel‐
475 oped under the DoD consensus model to become a STIG in coordina‐
476 tion with DISA FSO.
477
483 Source Datastream: ssg-jre-ds.xml
484 The Guide to the Secure Configuration of Java Runtime Environment is
486 broken into 'profiles', groupings of security settings that correlate
487 to a known policy. Available profiles are:
488 Java Runtime Environment (JRE) STIG
492 Profile ID: xccdf_org.ssgproject.content_profile_stig
494 The Java Runtime Environment (JRE) is a bundle developed and
496 offered by Oracle Corporation which includes the Java Virtual
497 Machine (JVM), class libraries, and other components necessary
498 to run Java applications and applets. Certain default settings
499 within the JRE pose a security risk so it is necessary to deploy
500 system wide properties to ensure a higher degree of security
501 when utilizing the JRE.
502 The IBM Corporation also develops and bundles the Java Runtime
504 Environment (JRE) as well as Red Hat with OpenJDK.
505
511 Platform 3
512 Source Datastream: ssg-ocp3-ds.xml
513 The Guide to the Secure Configuration of Red Hat OpenShift Container
515 Platform 3 is broken into 'profiles', groupings of security settings
516 that correlate to a known policy. Available profiles are:
517 Open Computing Information Security Profile for OpenShift Node
521 Profile ID: xccdf_org.ssgproject.content_profile_opencis-node
523 This baseline was inspired by the Center for Internet Security
525 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
526 For the ComplianceAsCode project to remain in compliance with
528 CIS' terms and conditions, specifically Restrictions(8), note
529 there is no representation or claim that the OpenCIS profile
530 will ensure a system is in compliance or consistency with the
531 CIS baseline.
532 Open Computing Information Security Profile for OpenShift Master Node
535 Profile ID: xccdf_org.ssgproject.content_profile_opencis-master
537 This baseline was inspired by the Center for Internet Security
539 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
540 For the ComplianceAsCode project to remain in compliance with
542 CIS' terms and conditions, specifically Restrictions(8), note
543 there is no representation or claim that the OpenCIS profile
544 will ensure a system is in compliance or consistency with the
545 CIS baseline.
546
552 Platform 4
553 Source Datastream: ssg-ocp4-ds.xml
554 The Guide to the Secure Configuration of Red Hat OpenShift Container
556 Platform 4 is broken into 'profiles', groupings of security settings
557 that correlate to a known policy. Available profiles are:
558 NIST National Checklist for Red Hat Enterprise Linux CoreOS
562 Profile ID: xccdf_org.ssgproject.content_profile_coreos-ncp
564 This compliance profile reflects the core set of security
566 related configuration settings for deployment of Red Hat Enter‐
567 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
568 agencies. Development partners and sponsors include the U.S.
569 National Institute of Standards and Technology (NIST), U.S.
570 Department of Defense, the National Security Agency, and Red
571 Hat.
572 This baseline implements configuration requirements from the
574 following sources:
575 - Committee on National Security Systems Instruction No. 1253
577 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
578 800-171) - NIST 800-53 control selections for MODERATE impact
579 systems (NIST 800-53) - U.S. Government Configuration Baseline
580 (USGCB) - NIAP Protection Profile for General Purpose Operating
581 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
582 Requirements Guide (OS SRG)
583 For any differing configuration requirements, e.g. password
585 lengths, the stricter security setting was chosen. Security
586 Requirement Traceability Guides (RTMs) and sample System Secu‐
587 rity Configuration Guides are provided via the scap-security-
588 guide-docs package.
589 This profile reflects U.S. Government consensus content and is
591 developed through the OpenSCAP/SCAP Security Guide initiative,
592 championed by the National Security Agency. Except for differ‐
593 ences in formatting to accommodate publishing processes, this
594 profile mirrors OpenSCAP/SCAP Security Guide content as minor
595 divergences, such as bugfixes, work through the consensus and
596 release processes.
597 Open Computing Information Security Profile for OpenShift Node
600 Profile ID: xccdf_org.ssgproject.content_profile_opencis-node
602 This baseline was inspired by the Center for Internet Security
604 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
605 For the ComplianceAsCode project to remain in compliance with
607 CIS' terms and conditions, specifically Restrictions(8), note
608 there is no representation or claim that the OpenCIS profile
609 will ensure a system is in compliance or consistency with the
610 CIS baseline.
611 NIST National Checklist for Red Hat Enterprise Linux CoreOS
614 Profile ID: xccdf_org.ssgproject.content_profile_moderate
616 This compliance profile reflects the core set of security
618 related configuration settings for deployment of Red Hat Enter‐
619 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
620 agencies. Development partners and sponsors include the U.S.
621 National Institute of Standards and Technology (NIST), U.S.
622 Department of Defense, the National Security Agency, and Red
623 Hat.
624 This baseline implements configuration requirements from the
626 following sources:
627 - Committee on National Security Systems Instruction No. 1253
629 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
630 800-171) - NIST 800-53 control selections for MODERATE impact
631 systems (NIST 800-53) - U.S. Government Configuration Baseline
632 (USGCB) - NIAP Protection Profile for General Purpose Operating
633 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
634 Requirements Guide (OS SRG)
635 For any differing configuration requirements, e.g. password
637 lengths, the stricter security setting was chosen. Security
638 Requirement Traceability Guides (RTMs) and sample System Secu‐
639 rity Configuration Guides are provided via the scap-security-
640 guide-docs package.
641 This profile reflects U.S. Government consensus content and is
643 developed through the OpenSCAP/SCAP Security Guide initiative,
644 championed by the National Security Agency. Except for differ‐
645 ences in formatting to accommodate publishing processes, this
646 profile mirrors OpenSCAP/SCAP Security Guide content as minor
647 divergences, such as bugfixes, work through the consensus and
648 release processes.
649 Open Computing Information Security Profile for OpenShift Master Node
652 Profile ID: xccdf_org.ssgproject.content_profile_opencis-master
654 This baseline was inspired by the Center for Internet Security
656 (CIS) Kubernetes Benchmark, v1.5.0 - 10-14-2019.
657 For the ComplianceAsCode project to remain in compliance with
659 CIS' terms and conditions, specifically Restrictions(8), note
660 there is no representation or claim that the OpenCIS profile
661 will ensure a system is in compliance or consistency with the
662 CIS baseline.
663
669 Source Datastream: ssg-ol7-ds.xml
670 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
672 'profiles', groupings of security settings that correlate to a known
673 policy. Available profiles are:
674 PCI-DSS v3 Control Baseline Draft for Oracle Linux 7
678 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
680 Ensures PCI-DSS v3 related security configuration settings are
682 applied.
683 Standard System Security Profile for Oracle Linux 7
686 Profile ID: xccdf_org.ssgproject.content_profile_standard
688 This profile contains rules to ensure standard security baseline
690 of Oracle Linux 7 system. Regardless of your system's workload
691 all of these checks should pass.
692 DRAFT - DISA STIG for Oracle Linux 7
695 Profile ID: xccdf_org.ssgproject.content_profile_stig
697 This is a *draft* profile for STIG for Oracle Linux 7.
699 Security Profile of Oracle Linux 7 for SAP
702 Profile ID: xccdf_org.ssgproject.content_profile_sap
704 This profile contains rules for Oracle Linux 7 Operating System
706 in compliance with SAP note 2069760 and SAP Security Baseline
707 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
708 of your system's workload all of these checks should pass.
709
715 Source Datastream: ssg-ol8-ds.xml
716 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
718 'profiles', groupings of security settings that correlate to a known
719 policy. Available profiles are:
720 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
724 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
726 Ensures PCI-DSS v3.2.1 related security configuration settings
728 are applied.
729 Criminal Justice Information Services (CJIS) Security Policy
732 Profile ID: xccdf_org.ssgproject.content_profile_cjis
734 This profile is derived from FBI's CJIS v5.4 Security Policy. A
736 copy of this policy can be found at the CJIS Security Policy
737 Resource Center:
738 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
740 center
741 Standard System Security Profile for Oracle Linux 8
744 Profile ID: xccdf_org.ssgproject.content_profile_standard
746 This profile contains rules to ensure standard security baseline
748 of Oracle Linux 8 system. Regardless of your system's workload
749 all of these checks should pass.
750 [DRAFT] Protection Profile for General Purpose Operating Systems
753 Profile ID: xccdf_org.ssgproject.content_profile_ospp
755 This profile reflects mandatory configuration controls identi‐
757 fied in the NIAP Configuration Annex to the Protection Profile
758 for General Purpose Operating Systems (Protection Profile Ver‐
759 sion 4.2.1).
760 This configuration profile is consistent with CNSSI-1253, which
762 requires U.S. National Security Systems to adhere to certain
763 configuration parameters. Accordingly, this configuration pro‐
764 file is suitable for use in U.S. National Security Systems.
765 Unclassified Information in Non-federal Information Systems and Organi‐
768 zations (NIST 800-171)
769 Profile ID: xccdf_org.ssgproject.content_profile_cui
771 From NIST 800-171, Section 2.2: Security requirements for pro‐
773 tecting the confidentiality of CUI in nonfederal information
774 systems and organizations have a well-defined structure that
775 consists of:
776 (i) a basic security requirements section; (ii) a derived secu‐
778 rity requirements section.
779 The basic security requirements are obtained from FIPS Publica‐
781 tion 200, which provides the high-level and fundamental security
782 requirements for federal information and information systems.
783 The derived security requirements, which supplement the basic
784 security requirements, are taken from the security controls in
785 NIST Special Publication 800-53.
786 This profile configures Oracle Linux 8 to the NIST Special Pub‐
788 lication 800-53 controls identified for securing Controlled
789 Unclassified Information (CUI).
790 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
793 Profile ID: xccdf_org.ssgproject.content_profile_e8
795 This profile contains configuration checks for Oracle Linux 8
797 that align to the Australian Cyber Security Centre (ACSC) Essen‐
798 tial Eight.
799 A copy of the Essential Eight in Linux Environments guide can be
801 found at the ACSC website:
802 https://www.cyber.gov.au/publications/essential-eight-in-linux-
804 environments
805 Health Insurance Portability and Accountability Act (HIPAA)
808 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
810 The HIPAA Security Rule establishes U.S. national standards to
812 protect individuals’ electronic personal health information that
813 is created, received, used, or maintained by a covered entity.
814 The Security Rule requires appropriate administrative, physical
815 and technical safeguards to ensure the confidentiality,
816 integrity, and security of electronic protected health informa‐
817 tion.
818 This profile configures Oracle Linux 8 to the HIPAA Security
820 Rule identified for securing of electronic protected health
821 information.
822
828 Source Datastream: ssg-opensuse-ds.xml
829 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
831 files', groupings of security settings that correlate to a known pol‐
832 icy. Available profiles are:
833 Standard System Security Profile for openSUSE
837 Profile ID: xccdf_org.ssgproject.content_profile_standard
839 This profile contains rules to ensure standard security baseline
841 of an openSUSE system. Regardless of your system's workload all
842 of these checks should pass.
843
849 Source Datastream: ssg-rhel6-ds.xml
850 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
852 broken into 'profiles', groupings of security settings that correlate
853 to a known policy. Available profiles are:
854 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
858 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
860 This is a *draft* profile for PCI-DSS v3.
862 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
865 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
867 This is a *draft* SCAP profile for Red Hat Certified Cloud
869 Providers
870 Desktop Baseline
873 Profile ID: xccdf_org.ssgproject.content_profile_desktop
875 This profile is for a desktop installation of Red Hat Enterprise
877 Linux 6.
878 Server Baseline
881 Profile ID: xccdf_org.ssgproject.content_profile_server
883 This profile is for Red Hat Enterprise Linux 6 acting as a
885 server.
886 CNSSI 1253 Low/Low/Low Control Baseline
889 Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL
891 This profile follows the Committee on National Security Systems
893 Instruction (CNSSI) No. 1253, "Security Categorization and Con‐
894 trol Selection for National Security Systems" on security con‐
895 trols to meet low confidentiality, low integrity, and low assur‐
896 ance.
897 Standard System Security Profile for Red Hat Enterprise Linux 6
900 Profile ID: xccdf_org.ssgproject.content_profile_standard
902 This profile contains rules to ensure standard security baseline
904 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
905 tem's workload all of these checks should pass.
906 Example Server Profile
909 Profile ID: xccdf_org.ssgproject.content_profile_CS2
911 This profile is an example of a customized server profile.
913 DISA STIG for Red Hat Enterprise Linux 6
916 Profile ID: xccdf_org.ssgproject.content_profile_stig
918 This profile contains configuration checks that align to the
920 DISA STIG for Red Hat Enterprise Linux 6.
921 In addition to being applicable to RHEL6, DISA recognizes this
923 configuration baseline as applicable to the operating system
924 tier of Red Hat technologies that are based on RHEL6, such as
925 RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
926 Storage deployments.
927 United States Government Configuration Baseline (USGCB)
930 Profile ID: xccdf_org.ssgproject.content_profile_usgcb-
932 rhel6-server
933 This profile is a working draft for a USGCB submission against
935 RHEL6 Server.
936 FTP Server Profile (vsftpd)
939 Profile ID: xccdf_org.ssgproject.content_profile_ftp-server
941 This is a profile for the vsftpd FTP server.
943 CSCF RHEL6 MLS Core Baseline
946 Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS
948 This profile reflects the Centralized Super Computing Facility
950 (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
951 has received government ATO through the ICD 503 process, utiliz‐
952 ing the CNSSI 1253 cross domain overlay. This profile should be
953 considered in active development. Additional tailoring will be
954 needed, such as the creation of RBAC roles for production
955 deployment.
956 C2S for Red Hat Enterprise Linux 6
959 Profile ID: xccdf_org.ssgproject.content_profile_C2S
961 This profile demonstrates compliance against the U.S. Government
963 Commercial Cloud Services (C2S) baseline. nThis baseline was
964 inspired by the Center for Internet Security (CIS) Red Hat
965 Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. For the SCAP
966 Security Guide project to remain in compliance with CIS' terms
967 and conditions, specifically Restrictions(8), note there is no
968 representation or claim that the C2S profile will ensure a sys‐
969 tem is in compliance or consistency with the CIS baseline.
970 FISMA Medium for Red Hat Enterprise Linux 6
973 Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-
975 rhel6-server
976 FISMA Medium for Red Hat Enterprise Linux 6.
978
984 Source Datastream: ssg-rhel7-ds.xml
985 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
987 broken into 'profiles', groupings of security settings that correlate
988 to a known policy. Available profiles are:
989 DRAFT - ANSSI DAT-NT28 (enhanced)
993 Profile ID: xccdf_org.ssgproject.content_pro‐
995 file_anssi_nt28_enhanced
996 Draft profile for ANSSI compliance at the enhanced level. ANSSI
998 stands for Agence nationale de la sécurité des systèmes d'infor‐
999 mation. Based on https://www.ssi.gouv.fr/.
1000 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1003 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1005 Ensures PCI-DSS v3.2.1 security configuration settings are
1007 applied.
1008 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1011 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1013 This profile contains the minimum security relevant configura‐
1015 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1016 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1017 Criminal Justice Information Services (CJIS) Security Policy
1020 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1022 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1024 copy of this policy can be found at the CJIS Security Policy
1025 Resource Center:
1026 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1028 center
1029 Standard System Security Profile for Red Hat Enterprise Linux 7
1032 Profile ID: xccdf_org.ssgproject.content_profile_standard
1034 This profile contains rules to ensure standard security baseline
1036 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1037 tem's workload all of these checks should pass.
1038 DISA STIG for Red Hat Enterprise Linux 7
1041 Profile ID: xccdf_org.ssgproject.content_profile_stig
1043 This profile contains configuration checks that align to the
1045 DISA STIG for Red Hat Enterprise Linux V1R4.
1046 In addition to being applicable to Red Hat Enterprise Linux 7,
1048 DISA recognizes this configuration baseline as applicable to the
1049 operating system tier of Red Hat technologies that are based on
1050 Red Hat Enterprise Linux 7, such as:
1051 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1053 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1054 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1055 7 image
1056 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enter‐
1059 prise Linux Hypervisor (RHELH)
1060 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1062 This compliance profile reflects the core set of security
1064 related configuration settings for deployment of Red Hat Enter‐
1065 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1066 gence, and Civilian agencies. Development partners and sponsors
1067 include the U.S. National Institute of Standards and Technology
1068 (NIST), U.S. Department of Defense, the National Security
1069 Agency, and Red Hat.
1070 This baseline implements configuration requirements from the
1072 following sources:
1073 - Committee on National Security Systems Instruction No. 1253
1075 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1076 impact systems (NIST 800-53) - U.S. Government Configuration
1077 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1078 v1.0 (VPP v1.0)
1079 For any differing configuration requirements, e.g. password
1081 lengths, the stricter security setting was chosen. Security
1082 Requirement Traceability Guides (RTMs) and sample System Secu‐
1083 rity Configuration Guides are provided via the scap-security-
1084 guide-docs package.
1085 This profile reflects U.S. Government consensus content and is
1087 developed through the ComplianceAsCode project, championed by
1088 the National Security Agency. Except for differences in format‐
1089 ting to accommodate publishing processes, this profile mirrors
1090 ComplianceAsCode content as minor divergences, such as bugfixes,
1091 work through the consensus and release processes.
1092 NIST National Checklist Program Security Guide
1095 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1097 This compliance profile reflects the core set of security
1099 related configuration settings for deployment of Red Hat Enter‐
1100 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
1101 agencies. Development partners and sponsors include the U.S.
1102 National Institute of Standards and Technology (NIST), U.S.
1103 Department of Defense, the National Security Agency, and Red
1104 Hat.
1105 This baseline implements configuration requirements from the
1107 following sources:
1108 - Committee on National Security Systems Instruction No. 1253
1110 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1111 800-171) - NIST 800-53 control selections for MODERATE impact
1112 systems (NIST 800-53) - U.S. Government Configuration Baseline
1113 (USGCB) - NIAP Protection Profile for General Purpose Operating
1114 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1115 Requirements Guide (OS SRG)
1116 For any differing configuration requirements, e.g. password
1118 lengths, the stricter security setting was chosen. Security
1119 Requirement Traceability Guides (RTMs) and sample System Secu‐
1120 rity Configuration Guides are provided via the scap-security-
1121 guide-docs package.
1122 This profile reflects U.S. Government consensus content and is
1124 developed through the OpenSCAP/SCAP Security Guide initiative,
1125 championed by the National Security Agency. Except for differ‐
1126 ences in formatting to accommodate publishing processes, this
1127 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1128 divergences, such as bugfixes, work through the consensus and
1129 release processes.
1130 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1133 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1135 This profile reflects mandatory configuration controls identi‐
1137 fied in the NIAP Configuration Annex to the Protection Profile
1138 for General Purpose Operating Systems (Protection Profile Ver‐
1139 sion 4.2.1).
1140 This configuration profile is consistent with CNSSI-1253, which
1142 requires U.S. National Security Systems to adhere to certain
1143 configuration parameters. Accordingly, this configuration pro‐
1144 file is suitable for use in U.S. National Security Systems.
1145 Unclassified Information in Non-federal Information Systems and Organi‐
1148 zations (NIST 800-171)
1149 Profile ID: xccdf_org.ssgproject.content_profile_cui
1151 From NIST 800-171, Section 2.2: Security requirements for pro‐
1153 tecting the confidentiality of CUI in non-federal information
1154 systems and organizations have a well-defined structure that
1155 consists of:
1156 (i) a basic security requirements section; (ii) a derived secu‐
1158 rity requirements section.
1159 The basic security requirements are obtained from FIPS Publica‐
1161 tion 200, which provides the high-level and fundamental security
1162 requirements for federal information and information systems.
1163 The derived security requirements, which supplement the basic
1164 security requirements, are taken from the security controls in
1165 NIST Special Publication 800-53.
1166 This profile configures Red Hat Enterprise Linux 7 to the NIST
1168 Special Publication 800-53 controls identified for securing Con‐
1169 trolled Unclassified Information (CUI).
1170 DRAFT - ANSSI DAT-NT28 (high)
1173 Profile ID: xccdf_org.ssgproject.content_pro‐
1175 file_anssi_nt28_high
1176 Draft profile for ANSSI compliance at the high level. ANSSI
1178 stands for Agence nationale de la sécurité des systèmes d'infor‐
1179 mation. Based on https://www.ssi.gouv.fr/.
1180 DRAFT - ANSSI DAT-NT28 (minimal)
1183 Profile ID: xccdf_org.ssgproject.content_pro‐
1185 file_anssi_nt28_minimal
1186 Draft profile for ANSSI compliance at the minimal level. ANSSI
1188 stands for Agence nationale de la sécurité des systèmes d'infor‐
1189 mation. Based on https://www.ssi.gouv.fr/.
1190 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
1193 (RHELH)
1194 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1196 This *draft* profile contains configuration checks that align to
1198 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
1199 (RHELH).
1200 Australian Cyber Security Centre (ACSC) Essential Eight
1203 Profile ID: xccdf_org.ssgproject.content_profile_e8
1205 This profile contains configuration checks for Red Hat Enter‐
1207 prise Linux 7 that align to the Australian Cyber Security Centre
1208 (ACSC) Essential Eight.
1209 A copy of the Essential Eight in Linux Environments guide can be
1211 found at the ACSC website:
1212 https://www.cyber.gov.au/publications/essential-eight-in-linux-
1214 environments
1215 DRAFT - ANSSI DAT-NT28 (intermediary)
1218 Profile ID: xccdf_org.ssgproject.content_pro‐
1220 file_anssi_nt28_intermediary
1221 Draft profile for ANSSI compliance at the intermediary level.
1223 ANSSI stands for Agence nationale de la sécurité des systèmes
1224 d'information. Based on https://www.ssi.gouv.fr/.
1225 C2S for Red Hat Enterprise Linux 7
1228 Profile ID: xccdf_org.ssgproject.content_profile_C2S
1230 This profile demonstrates compliance against the U.S. Government
1232 Commercial Cloud Services (C2S) baseline.
1233 This baseline was inspired by the Center for Internet Security
1235 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1236 For the SCAP Security Guide project to remain in compliance with
1238 CIS' terms and conditions, specifically Restrictions(8), note
1239 there is no representation or claim that the C2S profile will
1240 ensure a system is in compliance or consistency with the CIS
1241 baseline.
1242 Health Insurance Portability and Accountability Act (HIPAA)
1245 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1247 The HIPAA Security Rule establishes U.S. national standards to
1249 protect individuals’ electronic personal health information that
1250 is created, received, used, or maintained by a covered entity.
1251 The Security Rule requires appropriate administrative, physical
1252 and technical safeguards to ensure the confidentiality,
1253 integrity, and security of electronic protected health informa‐
1254 tion.
1255 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
1257 Security Rule identified for securing of electronic protected
1258 health information.
1259
1265 Source Datastream: ssg-rhel8-ds.xml
1266 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
1268 broken into 'profiles', groupings of security settings that correlate
1269 to a known policy. Available profiles are:
1270 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1274 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1276 Ensures PCI-DSS v3.2.1 security configuration settings are
1278 applied.
1279 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1282 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1284 This profile contains the minimum security relevant configura‐
1286 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1287 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1288 Criminal Justice Information Services (CJIS) Security Policy
1291 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1293 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1295 copy of this policy can be found at the CJIS Security Policy
1296 Resource Center:
1297 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1299 center
1300 Standard System Security Profile for Red Hat Enterprise Linux 8
1303 Profile ID: xccdf_org.ssgproject.content_profile_standard
1305 This profile contains rules to ensure standard security baseline
1307 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
1308 tem's workload all of these checks should pass.
1309 [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
1312 Profile ID: xccdf_org.ssgproject.content_profile_stig
1314 This profile contains configuration checks that align to the
1316 [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.
1317 In addition to being applicable to Red Hat Enterprise Linux 8,
1319 DISA recognizes this configuration baseline as applicable to the
1320 operating system tier of Red Hat technologies that are based on
1321 Red Hat Enterprise Linux 8, such as:
1322 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1324 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1325 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1326 8 image
1327 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enter‐
1330 prise Linux Hypervisor (RHELH)
1331 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1333 This compliance profile reflects the core set of security
1335 related configuration settings for deployment of Red Hat Enter‐
1336 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1337 gence, and Civilian agencies. Development partners and sponsors
1338 include the U.S. National Institute of Standards and Technology
1339 (NIST), U.S. Department of Defense, the National Security
1340 Agency, and Red Hat.
1341 This baseline implements configuration requirements from the
1343 following sources:
1344 - Committee on National Security Systems Instruction No. 1253
1346 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1347 impact systems (NIST 800-53) - U.S. Government Configuration
1348 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1349 v1.0 (VPP v1.0)
1350 For any differing configuration requirements, e.g. password
1352 lengths, the stricter security setting was chosen. Security
1353 Requirement Traceability Guides (RTMs) and sample System Secu‐
1354 rity Configuration Guides are provided via the scap-security-
1355 guide-docs package.
1356 This profile reflects U.S. Government consensus content and is
1358 developed through the ComplianceAsCode project, championed by
1359 the National Security Agency. Except for differences in format‐
1360 ting to accommodate publishing processes, this profile mirrors
1361 ComplianceAsCode content as minor divergences, such as bugfixes,
1362 work through the consensus and release processes.
1363 Protection Profile for General Purpose Operating Systems
1366 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1368 This profile reflects mandatory configuration controls identi‐
1370 fied in the NIAP Configuration Annex to the Protection Profile
1371 for General Purpose Operating Systems (Protection Profile Ver‐
1372 sion 4.2.1).
1373 This configuration profile is consistent with CNSSI-1253, which
1375 requires U.S. National Security Systems to adhere to certain
1376 configuration parameters. Accordingly, this configuration pro‐
1377 file is suitable for use in U.S. National Security Systems.
1378 Unclassified Information in Non-federal Information Systems and Organi‐
1381 zations (NIST 800-171)
1382 Profile ID: xccdf_org.ssgproject.content_profile_cui
1384 From NIST 800-171, Section 2.2: Security requirements for pro‐
1386 tecting the confidentiality of CUI in nonfederal information
1387 systems and organizations have a well-defined structure that
1388 consists of:
1389 (i) a basic security requirements section; (ii) a derived secu‐
1391 rity requirements section.
1392 The basic security requirements are obtained from FIPS Publica‐
1394 tion 200, which provides the high-level and fundamental security
1395 requirements for federal information and information systems.
1396 The derived security requirements, which supplement the basic
1397 security requirements, are taken from the security controls in
1398 NIST Special Publication 800-53.
1399 This profile configures Red Hat Enterprise Linux 8 to the NIST
1401 Special Publication 800-53 controls identified for securing Con‐
1402 trolled Unclassified Information (CUI)."
1403 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
1406 (RHELH)
1407 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1409 This *draft* profile contains configuration checks that align to
1411 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
1412 (RHELH).
1413 Australian Cyber Security Centre (ACSC) Essential Eight
1416 Profile ID: xccdf_org.ssgproject.content_profile_e8
1418 This profile contains configuration checks for Red Hat Enter‐
1420 prise Linux 8 that align to the Australian Cyber Security Centre
1421 (ACSC) Essential Eight.
1422 A copy of the Essential Eight in Linux Environments guide can be
1424 found at the ACSC website:
1425 https://www.cyber.gov.au/publications/essential-eight-in-linux-
1427 environments
1428 Health Insurance Portability and Accountability Act (HIPAA)
1431 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1433 The HIPAA Security Rule establishes U.S. national standards to
1435 protect individuals’ electronic personal health information that
1436 is created, received, used, or maintained by a covered entity.
1437 The Security Rule requires appropriate administrative, physical
1438 and technical safeguards to ensure the confidentiality,
1439 integrity, and security of electronic protected health informa‐
1440 tion.
1441 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
1443 Security Rule identified for securing of electronic protected
1444 health information.
1445
1451 Source Datastream: ssg-rhosp10-ds.xml
1453 The Guide to the Secure Configuration of Red Hat OpenStack Platform 10
1455 is broken into 'profiles', groupings of security settings that corre‐
1456 late to a known policy. Available profiles are:
1457 [DRAFT] STIG for Red Hat OpenStack Plaform 10
1461 Profile ID: xccdf_org.ssgproject.content_profile_stig
1463 Controls for scanning against classified STIG for rhosp10
1465 [DRAFT] Controlled Unclassified Infomration (CUI) Profile for Red Hat
1468 OpenStack Plaform 10
1469 Profile ID: xccdf_org.ssgproject.content_profile_cui
1471 These are the controls for scanning against CUI for rhosp10
1473
1479 Source Datastream: ssg-rhosp13-ds.xml
1481 The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
1483 is broken into 'profiles', groupings of security settings that corre‐
1484 late to a known policy. Available profiles are:
1485 RHOSP STIG
1489 Profile ID: xccdf_org.ssgproject.content_profile_stig
1491 Sample profile description.
1493
1499 Source Datastream: ssg-rhv4-ds.xml
1500 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
1502 broken into 'profiles', groupings of security settings that correlate
1503 to a known policy. Available profiles are:
1504 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
1508 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
1510 This *draft* profile contains configuration checks that align to
1512 the DISA STIG for Red Hat Virtualization Host (RHVH).
1513 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1516 ization Host (RHVH)
1517 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
1519 This compliance profile reflects the core set of security
1521 related configuration settings for deployment of Red Hat Virtu‐
1522 alization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
1523 Civilian agencies. Development partners and sponsors include
1524 the U.S. National Institute of Standards and Technology (NIST),
1525 U.S. Department of Defense, the National Security Agency, and
1526 Red Hat.
1527 This baseline implements configuration requirements from the
1529 following sources:
1530 - Committee on National Security Systems Instruction No. 1253
1532 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1533 impact systems (NIST 800-53) - U.S. Government Configuration
1534 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1535 v1.0 (VPP v1.0)
1536 For any differing configuration requirements, e.g. password
1538 lengths, the stricter security setting was chosen. Security
1539 Requirement Traceability Guides (RTMs) and sample System Secu‐
1540 rity Configuration Guides are provided via the scap-security-
1541 guide-docs package.
1542 This profile reflects U.S. Government consensus content and is
1544 developed through the ComplianceAsCode project, championed by
1545 the National Security Agency. Except for differences in format‐
1546 ting to accommodate publishing processes, this profile mirrors
1547 ComplianceAsCode content as minor divergences, such as bugfixes,
1548 work through the consensus and release processes.
1549
1555 Source Datastream: ssg-sl6-ds.xml
1556 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
1558 broken into 'profiles', groupings of security settings that correlate
1559 to a known policy. Available profiles are:
1560 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
1564 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1566 This is a *draft* profile for PCI-DSS v3.
1568 Desktop Baseline
1571 Profile ID: xccdf_org.ssgproject.content_profile_desktop
1573 This profile is for a desktop installation of Red Hat Enterprise
1575 Linux 6.
1576 Server Baseline
1579 Profile ID: xccdf_org.ssgproject.content_profile_server
1581 This profile is for Red Hat Enterprise Linux 6 acting as a
1583 server.
1584 Standard System Security Profile for Red Hat Enterprise Linux 6
1587 Profile ID: xccdf_org.ssgproject.content_profile_standard
1589 This profile contains rules to ensure standard security baseline
1591 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
1592 tem's workload all of these checks should pass.
1593
1599 Source Datastream: ssg-sl7-ds.xml
1600 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1602 broken into 'profiles', groupings of security settings that correlate
1603 to a known policy. Available profiles are:
1604 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1608 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1610 Ensures PCI-DSS v3.2.1 security configuration settings are
1612 applied.
1613 Standard System Security Profile for Red Hat Enterprise Linux 7
1616 Profile ID: xccdf_org.ssgproject.content_profile_standard
1618 This profile contains rules to ensure standard security baseline
1620 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1621 tem's workload all of these checks should pass.
1622
1628 Source Datastream: ssg-sle11-ds.xml
1629 The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is
1631 broken into 'profiles', groupings of security settings that correlate
1632 to a known policy. Available profiles are:
1633 Server Baseline
1637 Profile ID: xccdf_org.ssgproject.content_profile_server
1639 This profile is for SUSE Enterprise Linux 11 acting as a server.
1641 Standard System Security Profile for SUSE Linux Enterprise 11
1644 Profile ID: xccdf_org.ssgproject.content_profile_standard
1646 This profile contains rules to ensure standard security baseline
1648 of a SUSE Linux Enterprise 11 system. Regardless of your sys‐
1649 tem's workload all of these checks should pass.
1650
1656 Source Datastream: ssg-sle12-ds.xml
1657 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
1659 broken into 'profiles', groupings of security settings that correlate
1660 to a known policy. Available profiles are:
1661 Standard System Security Profile for SUSE Linux Enterprise 12
1665 Profile ID: xccdf_org.ssgproject.content_profile_standard
1667 This profile contains rules to ensure standard security baseline
1669 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
1670 tem's workload all of these checks should pass.
1671 DISA STIG for SUSE Linux Enterprise 12
1674 Profile ID: xccdf_org.ssgproject.content_profile_stig
1676 This profile contains configuration checks that align to the
1678 DISA STIG for SUSE Linux Enterprise 12 V1R2.
1679
1685 Source Datastream: ssg-ubuntu1404-ds.xml
1686 The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
1688 'profiles', groupings of security settings that correlate to a known
1689 policy. Available profiles are:
1690 Profile for ANSSI DAT-NT28 Minimal Level
1694 Profile ID: xccdf_org.ssgproject.content_pro‐
1696 file_anssi_np_nt28_minimal
1697 This profile contains items to be applied systematically.
1699 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1702 Profile ID: xccdf_org.ssgproject.content_pro‐
1704 file_anssi_np_nt28_average
1705 This profile contains items for GNU/Linux installations already
1707 protected by multiple higher level security stacks.
1708 Standard System Security Profile for Ubuntu 14.04
1711 Profile ID: xccdf_org.ssgproject.content_profile_standard
1713 This profile contains rules to ensure standard security baseline
1715 of an Ubuntu 14.04 system. Regardless of your system's workload
1716 all of these checks should pass.
1717 Profile for ANSSI DAT-NT28 Restrictive Level
1720 Profile ID: xccdf_org.ssgproject.content_pro‐
1722 file_anssi_np_nt28_restrictive
1723 This profile contains items for GNU/Linux installations exposed
1725 to unauthenticated flows or multiple sources.
1726 Profile for ANSSI DAT-NT28 High (Enforced) Level
1729 Profile ID: xccdf_org.ssgproject.content_pro‐
1731 file_anssi_np_nt28_high
1732 This profile contains items for GNU/Linux installations storing
1734 sensitive informations that can be accessible from unauthenti‐
1735 cated or uncontroled networks.
1736
1742 Source Datastream: ssg-ubuntu1604-ds.xml
1743 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
1745 'profiles', groupings of security settings that correlate to a known
1746 policy. Available profiles are:
1747 Profile for ANSSI DAT-NT28 Minimal Level
1751 Profile ID: xccdf_org.ssgproject.content_pro‐
1753 file_anssi_np_nt28_minimal
1754 This profile contains items to be applied systematically.
1756 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1759 Profile ID: xccdf_org.ssgproject.content_pro‐
1761 file_anssi_np_nt28_average
1762 This profile contains items for GNU/Linux installations already
1764 protected by multiple higher level security stacks.
1765 Standard System Security Profile for Ubuntu 16.04
1768 Profile ID: xccdf_org.ssgproject.content_profile_standard
1770 This profile contains rules to ensure standard security baseline
1772 of an Ubuntu 16.04 system. Regardless of your system's workload
1773 all of these checks should pass.
1774 Profile for ANSSI DAT-NT28 Restrictive Level
1777 Profile ID: xccdf_org.ssgproject.content_pro‐
1779 file_anssi_np_nt28_restrictive
1780 This profile contains items for GNU/Linux installations exposed
1782 to unauthenticated flows or multiple sources.
1783 Profile for ANSSI DAT-NT28 High (Enforced) Level
1786 Profile ID: xccdf_org.ssgproject.content_pro‐
1788 file_anssi_np_nt28_high
1789 This profile contains items for GNU/Linux installations storing
1791 sensitive informations that can be accessible from unauthenti‐
1792 cated or uncontroled networks.
1793
1799 Source Datastream: ssg-ubuntu1804-ds.xml
1800 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
1802 'profiles', groupings of security settings that correlate to a known
1803 policy. Available profiles are:
1804 Profile for ANSSI DAT-NT28 Minimal Level
1808 Profile ID: xccdf_org.ssgproject.content_pro‐
1810 file_anssi_np_nt28_minimal
1811 This profile contains items to be applied systematically.
1813 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1816 Profile ID: xccdf_org.ssgproject.content_pro‐
1818 file_anssi_np_nt28_average
1819 This profile contains items for GNU/Linux installations already
1821 protected by multiple higher level security stacks.
1822 Standard System Security Profile for Ubuntu 18.04
1825 Profile ID: xccdf_org.ssgproject.content_profile_standard
1827 This profile contains rules to ensure standard security baseline
1829 of an Ubuntu 18.04 system. Regardless of your system's workload
1830 all of these checks should pass.
1831 Profile for ANSSI DAT-NT28 Restrictive Level
1834 Profile ID: xccdf_org.ssgproject.content_pro‐
1836 file_anssi_np_nt28_restrictive
1837 This profile contains items for GNU/Linux installations exposed
1839 to unauthenticated flows or multiple sources.
1840 Profile for ANSSI DAT-NT28 High (Enforced) Level
1843 Profile ID: xccdf_org.ssgproject.content_pro‐
1845 file_anssi_np_nt28_high
1846 This profile contains items for GNU/Linux installations storing
1848 sensitive informations that can be accessible from unauthenti‐
1849 cated or uncontroled networks.
1850
1856 Source Datastream: ssg-wrlinux1019-ds.xml
1857 The Guide to the Secure Configuration of WRLinux 1019 is broken into
1859 'profiles', groupings of security settings that correlate to a known
1860 policy. Available profiles are:
1861 Basic Profile for Embedded Systems
1865 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
1867 This profile contains items common to many embedded Linux
1869 installations. Regardless of your system's deployment objec‐
1870 tive, all of these checks should pass.
1871 DRAFT DISA STIG for Wind River Linux
1874 Profile ID: xccdf_org.ssgproject.content_pro‐
1876 file_draft_stig_wrlinux_disa
1877 This profile contains configuration checks that align to the
1879 DISA STIG for Wind River Linux. This profile is being developed
1880 under the DoD consensus model to become a STIG in coordination
1881 with DISA FSO. What is the status of the Wind River Linux STIG?
1882 The Wind River Linux STIG is in development under the DoD con‐
1883 sensus model and Wind River has started the process to get
1884 approval from DISA. However, in the absence of an approved SRG
1885 or STIG, vendor recommendations may be used instead. The current
1886 contents constitute the vendor recommendations at the time of
1887 the product release containing these contents. Note that
1888 changes are expected before approval is granted, and those
1889 changes will be made available in future Wind River Linux Secu‐
1890 rity Profile 1019 RCPL releases. More information, including
1891 the following, is available from the DISA FAQs at https://pub‐
1892 lic.cyber.mil/stigs/faqs/
1893
1899 Source Datastream: ssg-wrlinux8-ds.xml
1900 The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
1902 files', groupings of security settings that correlate to a known pol‐
1903 icy. Available profiles are:
1904 Basic Profile for Embedded Systems
1908 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
1910 This profile contains items common to many embedded Linux
1912 installations. Regardless of your system's deployment objec‐
1913 tive, all of these checks should pass.
1914
1921 To scan your system utilizing the OpenSCAP utility against the ospp
1922 profile:
1923 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-
1925 results.xml --report /tmp/`hostname`-ssg-results.html --oval-results
1926 /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
1927 Additional details can be found on the projects wiki page:
1929 https://www.github.com/OpenSCAP/scap-security-guide/wiki
1930
1934 /usr/share/xml/scap/ssg/content
1935 Houses SCAP content utilizing the following naming conventions:
1936 SCAP Source Datastreams: ssg-{product}-ds.xml
1938 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
1940 CPE OVAL Content: ssg-{product}-cpe-oval.xml
1942 OVAL Content: ssg-{product}-oval.xml
1944 XCCDF Content: ssg-{product}-xccdf.xml
1946 /usr/share/doc/scap-security-guide/guides/
1948 HTML versions of SSG profiles.
1949 /usr/share/scap-security-guide/ansible/
1951 Contains Ansible Playbooks for SSG profiles.
1952 /usr/share/scap-security-guide/bash/
1954 Contains Bash remediation scripts for SSG profiles.
1955
1958 The SCAP Security Guide, an open source project jointly maintained by
1959 Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat tech‐
1960 nologies. As an open source project, community participation extends
1961 into U.S. Department of Defense agencies, civilian agencies, academia,
1962 and other industrial partners.
1963 SCAP Security Guide is provided to consumers through Red Hat's Extended
1965 Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
1966 Guide content is considered "vendor provided."
1967 Note that while Red Hat hosts the infrastructure for this project and
1969 Red Hat engineers are involved as maintainers and leaders, there is no
1970 commercial support contracts or service level agreements provided by
1971 Red Hat.
1972 Support, for both users and developers, is provided through the SCAP
1974 Security Guide community.
1975 Homepage: https://www.open-scap.org/security-policies/scap-security-
1977 guide
1978 Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-
1980 security-guide
1981
1985 SCAP Security Guide content is considered vendor (Red Hat) provided
1986 content. Per guidance from the U.S. National Institute of Standards
1987 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
1988 dor produced SCAP content in absence of "Governmental Authority" check‐
1989 lists. The specific NIST verbage:
1990 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
1991
1995 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
1996 products incorporated into DoD information systems shall be configured
1997 in accordance with DoD-approved security configuration guidelines" and
1998 tasks Defense Information Systems Agency (DISA) to "develop and provide
1999 security configuration guidance for IA and IA-enabled IT products in
2000 coordination with Director, NSA." The output of this authority is the
2001 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
2002 the process of moving the STIGs towards the use of the NIST Security
2003 Content Automation Protocol (SCAP) in order to "automate" compliance
2004 reporting of the STIGs.
2005 Through a common, shared vision, the SCAP Security Guide community
2007 enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
2008 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
2009 Version 1, Release 2, issued on 03-JUNE-2013:
2010 "The consensus content was developed using an open-source project
2012 called SCAP Security Guide. The project's website is https://www.open-
2013 scap.org/security-policies/scap-security-guide. Except for differences
2014 in formatting to accomodate the DISA STIG publishing process, the con‐
2015 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP
2016 Security Guide content with only minor divergence as updates from mul‐
2017 tiple sources work through the consensus process."
2018 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
2020 released in July 2019 Currently, the DoD Red Hat Enterprise Linux 7
2021 STIG contains only XCCDF content and is available online: https://pub‐
2022 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-sys‐
2023 tems%2Cunix-linux
2024 Content published against the public.cyber.mil website is authoritative
2026 STIG content. The SCAP Security Guide project, as noted in the STIG
2027 overview, is considered upstream content. Unlike DISA FSO, the SCAP
2028 Security Guide project does publish OVAL automation content. Individual
2029 programs and C&A evaluators make program-level determinations on the
2030 direct usage of the SCAP Security Guide. Currently there is no blanket
2031 approval.
2032
2036 oscap(8)
2037
2041 Please direct all questions to the SSG mailing list:
2042 https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
2043version 1 26 Jan 2013 scap-security-guide(8)