scap-security-guide(8) System Manager's Manual scap-security-guide(8)

SCAP Security Guide - Delivers security guidance, baselines, and associated
validation mechanisms utilizing the Security Content Automation
Protocol (SCAP).

The project provides practical security hardening advice and also links
it to compliance requirements in order to ease deployment activities,
such as certification and accreditation. These include requirements in
the U.S. government (Federal, Defense, and Intelligence Community) as
well as of the financial services and health care industries. For example,
high-level and widely-accepted policies such as NIST 800-53 provide
prose stating that System Administrators must audit "privileged
user actions," but do not define what "privileged actions" are. The SSG
bridges the gap between generalized policy requirements and specific
implementation guidance, in SCAP formats to support automation whenever
possible.

The project's homepage is located at:
https://www.open-scap.org/security-policies/scap-security-guide

Source Datastream: ssg-centos7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Red Hat Enterprise Linux 7 system. Regardless of your
system's workload all of these checks should pass.

Source Datastream: ssg-centos8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Red Hat Enterprise Linux 8 system. Regardless of your
system's workload all of these checks should pass.

Source Datastream: ssg-chromium-ds.xml

The Guide to the Secure Configuration of Chromium is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

Upstream STIG for Google Chromium

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA
FSO Vendor STIG process, serving as the upstream development
environment for the Google Chromium STIG.

As a result of the upstream/downstream relationship between the
SCAP Security Guide project and the official DISA FSO STIG
baseline, users should expect variance between SSG and DISA FSO
content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP
Security Guide package, please note that commercial support of
this SCAP content is NOT available. This profile is provided as
example SCAP content with no endorsement for suitability or
production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis.
The upstream project homepage is
https://www.open-scap.org/security-policies/scap-security-guide/.

Source Datastream: ssg-debian10-ds.xml

The Guide to the Secure Configuration of Debian 10 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 10

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Debian 10 system. Regardless of your system's workload all
of these checks should pass.

Source Datastream: ssg-debian9-ds.xml

The Guide to the Secure Configuration of Debian 9 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 9

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Debian 9 system. Regardless of your system's workload all
of these checks should pass.

Source Datastream: ssg-fedora-ds.xml

The Guide to the Secure Configuration of Fedora is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

OSPP - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified
in the NIAP Configuration Annex to the Protection Profile
for General Purpose Operating Systems (Protection Profile
Version 4.2).

As Fedora OS is a moving target, this profile does not guarantee
to provide security levels required from US National Security
Systems. The main goal of the profile is to provide Fedora
developers with a hardened environment similar to the one mandated
by US National Security Systems.

PCI-DSS v3.2.1 Control Baseline for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 related security configuration settings
are applied.

Standard System Security Profile for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Fedora system. Regardless of your system's workload all of
these checks should pass.

Source Datastream: ssg-firefox-ds.xml

The Guide to the Secure Configuration of Firefox is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

Upstream Firefox STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA
FSO Vendor STIG process, serving as the upstream development
environment for the Firefox STIG.

As a result of the upstream/downstream relationship between the
SCAP Security Guide project and the official DISA FSO STIG
baseline, users should expect variance between SSG and DISA FSO
content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP
Security Guide package, please note that commercial support of
this SCAP content is NOT available. This profile is provided as
example SCAP content with no endorsement for suitability or
production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis.
The upstream project homepage is
https://www.open-scap.org/security-policies/scap-security-guide/.

Source Datastream: ssg-fuse6-ds.xml

The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

STIG for Apache ActiveMQ

Profile ID: xccdf_org.ssgproject.content_profile_amq-stig

This is a *draft* profile for STIG. This profile is being developed
under the DoD consensus model to become a STIG in coordination
with DISA FSO.

Standard System Security Profile for JBoss

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of JBoss Fuse. Regardless of your system's workload all of these
checks should pass.

STIG for JBoss Fuse 6

Profile ID: xccdf_org.ssgproject.content_profile_stig

This is a *draft* profile for STIG. This profile is being developed
under the DoD consensus model to become a STIG in coordination
with DISA FSO.

Source Datastream: ssg-jre-ds.xml

The Guide to the Secure Configuration of Java Runtime Environment is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:

Java Runtime Environment (JRE) STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

The Java Runtime Environment (JRE) is a bundle developed and offered
by Oracle Corporation which includes the Java Virtual Machine
(JVM), class libraries, and other components necessary to
run Java applications and applets. Certain default settings
within the JRE pose a security risk so it is necessary to deploy
system wide properties to ensure a higher degree of security
when utilizing the JRE.

The IBM Corporation also develops and bundles the Java Runtime
Environment (JRE) as well as Red Hat with OpenJDK.

Source Datastream: ssg-macos1015-ds.xml

The Guide to the Secure Configuration of Apple macOS 10.15 is broken
into 'profiles', groupings of security settings that correlate to a
known policy. Available profiles are:

NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact
Baseline configuration settings for deployment of Apple macOS
10.15 Catalina into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S.
National Institute of Standards and Technology (NIST), U.S.
Department of Defense, and the National Security Agency.

This baseline implements configuration requirements from the
following sources:

- NIST 800-53 control selections for Moderate-Impact systems
  (NIST 800-53)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode initiative, championed by
the National Security Agency. Except for differences in formatting
to accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.

Platform 4
Source Datastream: ssg-ocp4-ds.xml

The Guide to the Secure Configuration of Red Hat OpenShift Container
Platform 4 is broken into 'profiles', groupings of security settings
that correlate to a known policy. Available profiles are:

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-node

This profile defines a baseline that aligns to the Center for
Internet Security® Red Hat OpenShift Container Platform 4
Benchmark™, V0.3, currently unreleased.

This profile includes Center for Internet Security® Red Hat
OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the
Operating System that Red Hat OpenShift Container Platform 4 runs on
top of.

This profile is applicable to OpenShift versions 4.6 and
greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for
Internet Security® Red Hat OpenShift Container Platform 4
Benchmark™, V0.3, currently unreleased.

This profile includes Center for Internet Security® Red Hat
OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the
Platform that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.6 and
greater.

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat OpenShift
Container Platform that align to the Australian Cyber Security
Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be
found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact
Baseline configuration settings for deployment of Red Hat
OpenShift Container Platform into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include
the U.S. National Institute of Standards and Technology (NIST),
U.S. Department of Defense, the National Security Agency, and
Red Hat.

This baseline implements configuration requirements from the
following sources:

- NIST 800-53 control selections for Moderate-Impact systems
  (NIST 800-53)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode initiative, championed by
the National Security Agency. Except for differences in formatting
to accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.

NIST National Checklist for Red Hat OpenShift Container Platform

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related
configuration settings for deployment of Red Hat OpenShift
Container Platform into U.S. Defense, Intelligence, and Civilian
agencies. Development partners and sponsors include the U.S.
National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for Moderate-Impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating
  Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the scap-security-guide-docs
package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode initiative, championed by
the National Security Agency. Except for differences in formatting
to accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.

Source Datastream: ssg-ol7-ds.xml

The Guide to the Secure Configuration of Oracle Linux 7 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

This profile contains configurations that align to ANSSI-BP-028
at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

This profile contains configurations that align to ANSSI-BP-028
at the high hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

This profile contains configurations that align to ANSSI-BP-028
at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

This profile contains configurations that align to ANSSI-BP-028
at the minimal hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A
copy of this policy can be found at the CJIS Security Policy
Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for
protecting the confidentiality of CUI in non-federal information
systems and organizations have a well-defined structure that
consists of:

(i) a basic security requirements section; (ii) a derived
security requirements section.

The basic security requirements are obtained from FIPS
Publication 200, which provides the high-level and fundamental security
requirements for federal information and information systems.
The derived security requirements, which supplement the basic
security requirements, are taken from the security controls in
NIST Special Publication 800-53.

This profile configures Oracle Linux 7 to the NIST Special
Publication 800-53 controls identified for securing Controlled
Unclassified Information (CUI).

[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 7
that align to the Australian Cyber Security Centre (ACSC)
Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be
found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to
protect individuals’ electronic personal health information that
is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical
and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.

This profile configures Oracle Linux 7 to the HIPAA Security
Rule identified for securing of electronic protected health
information. Use of this profile in no way guarantees or makes
claims against legal compliance against the HIPAA Security
Rule(s).

[DRAFT] Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified
in the NIAP Configuration Annex to the Protection Profile
for General Purpose Operating Systems (Protection Profile
Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which
requires U.S. National Security Systems to adhere to certain
configuration parameters. Accordingly, this configuration
profile is suitable for use in U.S. National Security Systems.

PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 related security configuration settings
are applied.

Security Profile of Oracle Linux 7 for SAP

Profile ID: xccdf_org.ssgproject.content_profile_sap

This profile contains rules for Oracle Linux 7 Operating System
in compliance with SAP note 2069760 and SAP Security Baseline
Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
of your system's workload all of these checks should pass.

Standard System Security Profile for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of Oracle Linux 7 system. Regardless of your system's workload
all of these checks should pass.

DISA STIG for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the
DISA STIG for Oracle Linux V2R2.

Source Datastream: ssg-ol8-ds.xml

The Guide to the Secure Configuration of Oracle Linux 8 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028
at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028
at the high hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028
at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028
at the minimal hardening level.

ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes
d'information. ANSSI-BP-028 is a configuration recommendation for
GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A
copy of this policy can be found at the CJIS Security Policy
Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and
Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for
protecting the confidentiality of CUI in non-federal information
systems and organizations have a well-defined structure that
consists of:

(i) a basic security requirements section; (ii) a derived
security requirements section.

The basic security requirements are obtained from FIPS
Publication 200, which provides the high-level and fundamental security
requirements for federal information and information systems.
The derived security requirements, which supplement the basic
security requirements, are taken from the security controls in
NIST Special Publication 800-53.

This profile configures Oracle Linux 8 to the NIST Special
Publication 800-53 controls identified for securing Controlled
Unclassified Information (CUI).

[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 8
that align to the Australian Cyber Security Centre (ACSC)
Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be
found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to
protect individuals’ electronic personal health information that
is created, received, used, or maintained by a covered entity.
The Security Rule requires appropriate administrative, physical
and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.

This profile configures Oracle Linux 8 to the HIPAA Security
Rule identified for securing of electronic protected health
information. Use of this profile in no way guarantees or makes
claims against legal compliance against the HIPAA Security
Rule(s).

919 [DRAFT] Protection Profile for General Purpose Operating Systems
920
921 Profile ID: xccdf_org.ssgproject.content_profile_ospp
922
923 This profile reflects mandatory configuration controls identi‐
924 fied in the NIAP Configuration Annex to the Protection Profile
925 for General Purpose Operating Systems (Protection Profile Ver‐
926 sion 4.2.1).
927
928 This configuration profile is consistent with CNSSI-1253, which
929 requires U.S. National Security Systems to adhere to certain
930 configuration parameters. Accordingly, this configuration pro‐
931 file is suitable for use in U.S. National Security Systems.
932
933
934 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
935
936 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
937
938 Ensures PCI-DSS v3.2.1 related security configuration settings
939 are applied.
940
941
942 Standard System Security Profile for Oracle Linux 8
943
944 Profile ID: xccdf_org.ssgproject.content_profile_standard
945
946 This profile contains rules to ensure standard security baseline
947 of Oracle Linux 8 system. Regardless of your system's workload
948 all of these checks should pass.
949
950
951
952
953
955 Source Datastream: ssg-opensuse-ds.xml
956
957 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
958 files', groupings of security settings that correlate to a known pol‐
959 icy. Available profiles are:
960
961
962
963 Standard System Security Profile for openSUSE
964
965 Profile ID: xccdf_org.ssgproject.content_profile_standard
966
967 This profile contains rules to ensure standard security baseline
968 of an openSUSE system. Regardless of your system's workload all
969 of these checks should pass.
970
971
972
973
974
976 CoreOS 4
977 Source Datastream: ssg-rhcos4-ds.xml
978
979 The Guide to the Secure Configuration of Red Hat Enterprise Linux
980 CoreOS 4 is broken into 'profiles', groupings of security settings that
981 correlate to a known policy. Available profiles are:
982
983
984
985 DRAFT - ANSSI-BP-028 (enhanced)
986
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
989
990 This profile contains configurations that align to ANSSI-BP-028
991 at the enhanced hardening level.
992
993 ANSSI is the French National Information Security Agency, and
994 stands for Agence nationale de la sécurité des systèmes d'infor‐
995 mation. ANSSI-BP-028 is a configuration recommendation for
996 GNU/Linux systems.
997
998 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1001
1002
1003 DRAFT - ANSSI-BP-028 (high)
1004
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
1007
1008 This profile contains configurations that align to ANSSI-BP-028
1009 at the high hardening level.
1010
1011 ANSSI is the French National Information Security Agency, and
1012 stands for Agence nationale de la sécurité des systèmes d'infor‐
1013 mation. ANSSI-BP-028 is a configuration recommendation for
1014 GNU/Linux systems.
1015
1016 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1019
1020
1021 DRAFT - ANSSI-BP-028 (intermediary)
1022
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
1025
1026 This profile contains configurations that align to ANSSI-BP-028
1027 at the intermediary hardening level.
1028
1029 ANSSI is the French National Information Security Agency, and
1030 stands for Agence nationale de la sécurité des systèmes d'infor‐
1031 mation. ANSSI-BP-028 is a configuration recommendation for
1032 GNU/Linux systems.
1033
1034 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1037
1038
1039 DRAFT - ANSSI-BP-028 (minimal)
1040
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
1043
1044 This profile contains configurations that align to ANSSI-BP-028
1045 at the minimal hardening level.
1046
1047 ANSSI is the French National Information Security Agency, and
1048 stands for Agence nationale de la sécurité des systèmes d'infor‐
1049 mation. ANSSI-BP-028 is a configuration recommendation for
1050 GNU/Linux systems.
1051
1052 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1055
1056
1057 Australian Cyber Security Centre (ACSC) Essential Eight
1058
1059 Profile ID: xccdf_org.ssgproject.content_profile_e8
1060
1061 This profile contains configuration checks for Red Hat Enter‐
1062 prise Linux CoreOS that align to the Australian Cyber Security
1063 Centre (ACSC) Essential Eight.
1064
1065 A copy of the Essential Eight in Linux Environments guide can be
1066 found at the ACSC website:
1067
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
1070
1071
1072 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
1073 CoreOS
1074
1075 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1076
1077 This compliance profile reflects the core set of Moderate-Impact
1078 Baseline configuration settings for deployment of Red Hat Enter‐
1079 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1080 agencies. Development partners and sponsors include the U.S.
1081 National Institute of Standards and Technology (NIST), U.S. De‐
1082 partment of Defense, the National Security Agency, and Red Hat.
1083
1084 This baseline implements configuration requirements from the
1085 following sources:
1086
1087 - NIST 800-53 control selections for Moderate-Impact systems
1088 (NIST 800-53)
1089
For any differing configuration requirements, e.g. password lengths,
the stricter security setting was chosen. Security Requirement
Traceability Guides (RTMs) and sample System Security Configuration
Guides are provided via the scap-security-guide-docs package.
1095
1096 This profile reflects U.S. Government consensus content and is
1097 developed through the ComplianceAsCode initiative, championed by
1098 the National Security Agency. Except for differences in format‐
1099 ting to accommodate publishing processes, this profile mirrors
1100 ComplianceAsCode content as minor divergences, such as bugfixes,
1101 work through the consensus and release processes.
1102
1103
1104 NIST National Checklist for Red Hat Enterprise Linux CoreOS
1105
1106 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1107
1108 This compliance profile reflects the core set of security re‐
1109 lated configuration settings for deployment of Red Hat Enter‐
1110 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1111 agencies. Development partners and sponsors include the U.S.
1112 National Institute of Standards and Technology (NIST), U.S. De‐
1113 partment of Defense, the National Security Agency, and Red Hat.
1114
1115 This baseline implements configuration requirements from the
1116 following sources:
1117
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths,
the stricter security setting was chosen. Security Requirement
Traceability Guides (RTMs) and sample System Security Configuration
Guides are provided via the scap-security-guide-docs package.
1131
1132 This profile reflects U.S. Government consensus content and is
1133 developed through the ComplianceAsCode initiative, championed by
1134 the National Security Agency. Except for differences in format‐
1135 ting to accommodate publishing processes, this profile mirrors
1136 ComplianceAsCode content as minor divergences, such as bugfixes,
1137 work through the consensus and release processes.
1138
1139
1140 Protection Profile for General Purpose Operating Systems
1141
1142 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1143
1144 This profile reflects mandatory configuration controls identi‐
1145 fied in the NIAP Configuration Annex to the Protection Profile
1146 for General Purpose Operating Systems (Protection Profile Ver‐
1147 sion 4.2.1).
1148
1149 This configuration profile is consistent with CNSSI-1253, which
1150 requires U.S. National Security Systems to adhere to certain
1151 configuration parameters. Accordingly, this configuration pro‐
1152 file is suitable for use in U.S. National Security Systems.
1153
1154
1155 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS
1156
1157 Profile ID: xccdf_org.ssgproject.content_profile_stig
1158
1159 This profile contains configuration checks that align to the
1160 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS which is
1161 the operating system layer of Red Hat OpenShift Container Plat‐
1162 form.
1163
1164
1165
1166
1167
1169 Source Datastream: ssg-rhel7-ds.xml
1170
1171 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1172 broken into 'profiles', groupings of security settings that correlate
1173 to a known policy. Available profiles are:
1174
1175
1176
1177 C2S for Red Hat Enterprise Linux 7
1178
1179 Profile ID: xccdf_org.ssgproject.content_profile_C2S
1180
1181 This profile demonstrates compliance against the U.S. Government
1182 Commercial Cloud Services (C2S) baseline.
1183
1184 This baseline was inspired by the Center for Internet Security
1185 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1186
1187 For the SCAP Security Guide project to remain in compliance with
1188 CIS' terms and conditions, specifically Restrictions(8), note
1189 there is no representation or claim that the C2S profile will
1190 ensure a system is in compliance or consistency with the CIS
1191 baseline.
1192
1193
1194 ANSSI-BP-028 (enhanced)
1195
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
1198
1199 This profile contains configurations that align to ANSSI-BP-028
1200 at the enhanced hardening level.
1201
1202 ANSSI is the French National Information Security Agency, and
1203 stands for Agence nationale de la sécurité des systèmes d'infor‐
1204 mation. ANSSI-BP-028 is a configuration recommendation for
1205 GNU/Linux systems.
1206
1207 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1210
1211
1212 DRAFT - ANSSI-BP-028 (high)
1213
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high
1216
1217 This profile contains configurations that align to ANSSI-BP-028
1218 at the high hardening level.
1219
1220 ANSSI is the French National Information Security Agency, and
1221 stands for Agence nationale de la sécurité des systèmes d'infor‐
1222 mation. ANSSI-BP-028 is a configuration recommendation for
1223 GNU/Linux systems.
1224
1225 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1228
1229
1230 ANSSI-BP-028 (intermediary)
1231
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
1234
1235 This profile contains configurations that align to ANSSI-BP-028
1236 at the intermediary hardening level.
1237
1238 ANSSI is the French National Information Security Agency, and
1239 stands for Agence nationale de la sécurité des systèmes d'infor‐
1240 mation. ANSSI-BP-028 is a configuration recommendation for
1241 GNU/Linux systems.
1242
1243 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1246
1247
1248 ANSSI-BP-028 (minimal)
1249
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
1252
1253 This profile contains configurations that align to ANSSI-BP-028
1254 at the minimal hardening level.
1255
1256 ANSSI is the French National Information Security Agency, and
1257 stands for Agence nationale de la sécurité des systèmes d'infor‐
1258 mation. ANSSI-BP-028 is a configuration recommendation for
1259 GNU/Linux systems.
1260
1261 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1264
1265
1266 CIS Red Hat Enterprise Linux 7 Benchmark
1267
1268 Profile ID: xccdf_org.ssgproject.content_profile_cis
1269
1270 This profile defines a baseline that aligns to the Center for
1271 Internet Security® Red Hat Enterprise Linux 7 Benchmark™,
1272 v2.2.0, released 12-27-2017.
1273
1274 This profile includes Center for Internet Security® Red Hat En‐
1275 terprise Linux 7 CIS Benchmarks™ content.
1276
1277
1278 Criminal Justice Information Services (CJIS) Security Policy
1279
1280 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1281
1282 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1283 copy of this policy can be found at the CJIS Security Policy Re‐
1284 source Center:
1285
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
1288
1289
1290 Unclassified Information in Non-federal Information Systems and Organi‐
1291 zations (NIST 800-171)
1292
1293 Profile ID: xccdf_org.ssgproject.content_profile_cui
1294
1295 From NIST 800-171, Section 2.2: Security requirements for pro‐
1296 tecting the confidentiality of CUI in non-federal information
1297 systems and organizations have a well-defined structure that
1298 consists of:
1299
1300 (i) a basic security requirements section; (ii) a derived secu‐
1301 rity requirements section.
1302
1303 The basic security requirements are obtained from FIPS Publica‐
1304 tion 200, which provides the high-level and fundamental security
1305 requirements for federal information and information systems.
1306 The derived security requirements, which supplement the basic
1307 security requirements, are taken from the security controls in
1308 NIST Special Publication 800-53.
1309
1310 This profile configures Red Hat Enterprise Linux 7 to the NIST
1311 Special Publication 800-53 controls identified for securing Con‐
1312 trolled Unclassified Information (CUI).
1313
1314
1315 Australian Cyber Security Centre (ACSC) Essential Eight
1316
1317 Profile ID: xccdf_org.ssgproject.content_profile_e8
1318
1319 This profile contains configuration checks for Red Hat Enter‐
1320 prise Linux 7 that align to the Australian Cyber Security Centre
1321 (ACSC) Essential Eight.
1322
1323 A copy of the Essential Eight in Linux Environments guide can be
1324 found at the ACSC website:
1325
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
1328
1329
1330 Health Insurance Portability and Accountability Act (HIPAA)
1331
1332 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1333
1334 The HIPAA Security Rule establishes U.S. national standards to
1335 protect individuals’ electronic personal health information that
1336 is created, received, used, or maintained by a covered entity.
1337 The Security Rule requires appropriate administrative, physical
1338 and technical safeguards to ensure the confidentiality, integ‐
1339 rity, and security of electronic protected health information.
1340
1341 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
1342 Security Rule identified for securing of electronic protected
1343 health information. Use of this profile in no way guarantees or
1344 makes claims against legal compliance against the HIPAA Security
1345 Rule(s).
1346
1347
1348 NIST National Checklist Program Security Guide
1349
1350 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1351
1352 This compliance profile reflects the core set of security re‐
1353 lated configuration settings for deployment of Red Hat Enter‐
1354 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
1355 agencies. Development partners and sponsors include the U.S.
1356 National Institute of Standards and Technology (NIST), U.S. De‐
1357 partment of Defense, the National Security Agency, and Red Hat.
1358
1359 This baseline implements configuration requirements from the
1360 following sources:
1361
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths,
the stricter security setting was chosen. Security Requirement
Traceability Guides (RTMs) and sample System Security Configuration
Guides are provided via the scap-security-guide-docs package.
1375
1376 This profile reflects U.S. Government consensus content and is
1377 developed through the OpenSCAP/SCAP Security Guide initiative,
1378 championed by the National Security Agency. Except for differ‐
1379 ences in formatting to accommodate publishing processes, this
1380 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1381 divergences, such as bugfixes, work through the consensus and
1382 release processes.
1383
1384
1385 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1386
1387 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1388
1389 This profile reflects mandatory configuration controls identi‐
1390 fied in the NIAP Configuration Annex to the Protection Profile
1391 for General Purpose Operating Systems (Protection Profile Ver‐
1392 sion 4.2.1).
1393
1394 This configuration profile is consistent with CNSSI-1253, which
1395 requires U.S. National Security Systems to adhere to certain
1396 configuration parameters. Accordingly, this configuration pro‐
1397 file is suitable for use in U.S. National Security Systems.
1398
1399
1400 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1401
1402 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1403
1404 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1405 plied.
1406
1407
1408 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
1409 (RHELH)
1410
1411 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1412
1413 This *draft* profile contains configuration checks that align to
1414 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
1415 (RHELH).
1416
1417
1418 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enter‐
1419 prise Linux Hypervisor (RHELH)
1420
1421 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1422
1423 This compliance profile reflects the core set of security re‐
1424 lated configuration settings for deployment of Red Hat Enter‐
1425 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1426 gence, and Civilian agencies. Development partners and sponsors
1427 include the U.S. National Institute of Standards and Technology
1428 (NIST), U.S. Department of Defense, the National Security
1429 Agency, and Red Hat.
1430
1431 This baseline implements configuration requirements from the
1432 following sources:
1433
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths,
the stricter security setting was chosen. Security Requirement
Traceability Guides (RTMs) and sample System Security Configuration
Guides are provided via the scap-security-guide-docs package.
1445
1446 This profile reflects U.S. Government consensus content and is
1447 developed through the ComplianceAsCode project, championed by
1448 the National Security Agency. Except for differences in format‐
1449 ting to accommodate publishing processes, this profile mirrors
1450 ComplianceAsCode content as minor divergences, such as bugfixes,
1451 work through the consensus and release processes.
1452
1453
1454 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1455
1456 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1457
1458 This profile contains the minimum security relevant configura‐
1459 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1460 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1461
1462
1463 Standard System Security Profile for Red Hat Enterprise Linux 7
1464
1465 Profile ID: xccdf_org.ssgproject.content_profile_standard
1466
1467 This profile contains rules to ensure standard security baseline
1468 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1469 tem's workload all of these checks should pass.
1470
1471
1472 DISA STIG for Red Hat Enterprise Linux 7
1473
1474 Profile ID: xccdf_org.ssgproject.content_profile_stig
1475
1476 This profile contains configuration checks that align to the
1477 DISA STIG for Red Hat Enterprise Linux V3R3.
1478
1479 In addition to being applicable to Red Hat Enterprise Linux 7,
1480 DISA recognizes this configuration baseline as applicable to the
1481 operating system tier of Red Hat technologies that are based on
1482 Red Hat Enterprise Linux 7, such as:
1483
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image
1488
1489
1490 DISA STIG with GUI for Red Hat Enterprise Linux 7
1491
1492 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1493
1494 This profile contains configuration checks that align to the
1495 DISA STIG with GUI for Red Hat Enterprise Linux V3R3.
1496
1497 In addition to being applicable to Red Hat Enterprise Linux 7,
1498 DISA recognizes this configuration baseline as applicable to the
1499 operating system tier of Red Hat technologies that are based on
1500 Red Hat Enterprise Linux 7, such as:
1501
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image
1506
1507 Warning: The installation and use of a Graphical User Interface
1508 (GUI) increases your attack vector and decreases your overall
1509 security posture. If your Information Systems Security Officer
1510 (ISSO) lacks a documented operational requirement for a graphi‐
1511 cal user interface, please consider using the standard DISA STIG
1512 for Red Hat Enterprise Linux 7 profile.
1513
1514
1515
1516
1517
1519 Source Datastream: ssg-rhel8-ds.xml
1520
1521 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
1522 broken into 'profiles', groupings of security settings that correlate
1523 to a known policy. Available profiles are:
1524
1525
1526
1527 ANSSI-BP-028 (enhanced)
1528
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
1531
1532 This profile contains configurations that align to ANSSI-BP-028
1533 at the enhanced hardening level.
1534
1535 ANSSI is the French National Information Security Agency, and
1536 stands for Agence nationale de la sécurité des systèmes d'infor‐
1537 mation. ANSSI-BP-028 is a configuration recommendation for
1538 GNU/Linux systems.
1539
1540 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1543
1544
1545 DRAFT - ANSSI-BP-028 (high)
1546
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
1549
1550 This profile contains configurations that align to ANSSI-BP-028
1551 at the high hardening level.
1552
1553 ANSSI is the French National Information Security Agency, and
1554 stands for Agence nationale de la sécurité des systèmes d'infor‐
1555 mation. ANSSI-BP-028 is a configuration recommendation for
1556 GNU/Linux systems.
1557
1558 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1561
1562
1563 ANSSI-BP-028 (intermediary)
1564
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
1567
1568 This profile contains configurations that align to ANSSI-BP-028
1569 at the intermediary hardening level.
1570
1571 ANSSI is the French National Information Security Agency, and
1572 stands for Agence nationale de la sécurité des systèmes d'infor‐
1573 mation. ANSSI-BP-028 is a configuration recommendation for
1574 GNU/Linux systems.
1575
1576 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1579
1580
1581 ANSSI-BP-028 (minimal)
1582
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
1585
1586 This profile contains configurations that align to ANSSI-BP-028
1587 at the minimal hardening level.
1588
1589 ANSSI is the French National Information Security Agency, and
1590 stands for Agence nationale de la sécurité des systèmes d'infor‐
1591 mation. ANSSI-BP-028 is a configuration recommendation for
1592 GNU/Linux systems.
1593
1594 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1597
1598
1599 CIS Red Hat Enterprise Linux 8 Benchmark
1600
1601 Profile ID: xccdf_org.ssgproject.content_profile_cis
1602
1603 This profile defines a baseline that aligns to the Center for
1604 Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
1605 v1.0.0, released 09-30-2019.
1606
1607 This profile includes Center for Internet Security® Red Hat En‐
1608 terprise Linux 8 CIS Benchmarks™ content.
1609
1610
1611 Criminal Justice Information Services (CJIS) Security Policy
1612
1613 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1614
1615 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1616 copy of this policy can be found at the CJIS Security Policy Re‐
1617 source Center:
1618
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
1621
1622
1623 Unclassified Information in Non-federal Information Systems and Organi‐
1624 zations (NIST 800-171)
1625
1626 Profile ID: xccdf_org.ssgproject.content_profile_cui
1627
1628 From NIST 800-171, Section 2.2: Security requirements for pro‐
1629 tecting the confidentiality of CUI in nonfederal information
1630 systems and organizations have a well-defined structure that
1631 consists of:
1632
1633 (i) a basic security requirements section; (ii) a derived secu‐
1634 rity requirements section.
1635
1636 The basic security requirements are obtained from FIPS Publica‐
1637 tion 200, which provides the high-level and fundamental security
1638 requirements for federal information and information systems.
1639 The derived security requirements, which supplement the basic
1640 security requirements, are taken from the security controls in
1641 NIST Special Publication 800-53.
1642
This profile configures Red Hat Enterprise Linux 8 to the NIST
Special Publication 800-53 controls identified for securing
Controlled Unclassified Information (CUI).
1646
1647
1648 Australian Cyber Security Centre (ACSC) Essential Eight
1649
1650 Profile ID: xccdf_org.ssgproject.content_profile_e8
1651
1652 This profile contains configuration checks for Red Hat Enter‐
1653 prise Linux 8 that align to the Australian Cyber Security Centre
1654 (ACSC) Essential Eight.
1655
1656 A copy of the Essential Eight in Linux Environments guide can be
1657 found at the ACSC website:
1658
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
1661
1662
1663 Health Insurance Portability and Accountability Act (HIPAA)
1664
1665 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1666
1667 The HIPAA Security Rule establishes U.S. national standards to
1668 protect individuals’ electronic personal health information that
1669 is created, received, used, or maintained by a covered entity.
1670 The Security Rule requires appropriate administrative, physical
1671 and technical safeguards to ensure the confidentiality, integ‐
1672 rity, and security of electronic protected health information.
1673
1674 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
1675 Security Rule identified for securing of electronic protected
1676 health information. Use of this profile in no way guarantees or
1677 makes claims against legal compliance against the HIPAA Security
1678 Rule(s).
1679
1680
1681 Australian Cyber Security Centre (ACSC) ISM Official
1682
1683 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
1684
1685 This profile contains configuration checks for Red Hat Enter‐
1686 prise Linux 8 that align to the Australian Cyber Security Centre
1687 (ACSC) Information Security Manual (ISM) with the applicability
1688 marking of OFFICIAL.
1689
1690 The ISM uses a risk-based approach to cyber security. This pro‐
1691 file provides a guide to aligning Red Hat Enterprise Linux secu‐
1692 rity controls with the ISM, which can be used to select controls
1693 specific to an organisation's security posture and risk profile.
1694
1695 A copy of the ISM can be found at the ACSC website:
1696
1697 https://www.cyber.gov.au/ism
1698
1699
1700 Protection Profile for General Purpose Operating Systems
1701
1702 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1703
1704 This profile reflects mandatory configuration controls identi‐
1705 fied in the NIAP Configuration Annex to the Protection Profile
1706 for General Purpose Operating Systems (Protection Profile Ver‐
1707 sion 4.2.1).
1708
1709 This configuration profile is consistent with CNSSI-1253, which
1710 requires U.S. National Security Systems to adhere to certain
1711 configuration parameters. Accordingly, this configuration pro‐
1712 file is suitable for use in U.S. National Security Systems.
1713
1714
1715 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1716
1717 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1718
1719 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1720 plied.
1721
1722
[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This *draft* profile contains configuration checks that align to
the DISA STIG for Red Hat Enterprise Linux Virtualization Host
(RHELH).


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related
configuration settings for deployment of Red Hat Enterprise
Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence,
and Civilian agencies. Development partners and sponsors
include the U.S. National Institute of Standards and Technology
(NIST), U.S. Department of Defense, the National Security
Agency, and Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the
scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode project, championed by
the National Security Agency. Except for differences in formatting
to accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.


Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration
settings recommended by Red Hat, Inc for Red Hat Enterprise
Linux 8 instances deployed by Red Hat Certified Cloud Providers.


Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Red Hat Enterprise Linux 8 system. Regardless of your
system's workload all of these checks should pass.


DISA STIG for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R2.

In addition to being applicable to Red Hat Enterprise Linux 8,
DISA recognizes this configuration baseline as applicable to the
operating system tier of Red Hat technologies that are based on
Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image


DISA STIG with GUI for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the
DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.

In addition to being applicable to Red Hat Enterprise Linux 8,
DISA recognizes this configuration baseline as applicable to the
operating system tier of Red Hat technologies that are based on
Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image

Warning: The installation and use of a Graphical User Interface
(GUI) increases your attack vector and decreases your overall
security posture. If your Information Systems Security Officer
(ISSO) lacks a documented operational requirement for a graphical
user interface, please consider using the standard DISA STIG
for Red Hat Enterprise Linux 8 profile.



Source Datastream: ssg-rhel9-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.



Source Datastream: ssg-rhosp10-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 10
is broken into 'profiles', groupings of security settings that
correlate to a known policy. Available profiles are:


[DRAFT] Controlled Unclassified Information (CUI) Profile for Red Hat
OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_cui

These are the controls for scanning against CUI for rhosp10


[DRAFT] STIG for Red Hat OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_stig

Controls for scanning against classified STIG for rhosp10



Source Datastream: ssg-rhosp13-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
is broken into 'profiles', groupings of security settings that
correlate to a known policy. Available profiles are:


RHOSP STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

Sample profile description.



Source Datastream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to
the DISA STIG for Red Hat Virtualization Host (RHVH).


VPP - Protection Profile for Virtualization v. 1.0 for Red Hat
Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security related
configuration settings for deployment of Red Hat Virtualization
Host (RHVH) 4.x into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include
the U.S. National Institute of Standards and Technology (NIST),
U.S. Department of Defense, the National Security Agency, and
Red Hat.

This baseline implements configuration requirements from the
following sources:

- Committee on National Security Systems Instruction No. 1253
  (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems
  (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password
lengths, the stricter security setting was chosen. Security
Requirement Traceability Guides (RTMs) and sample System Security
Configuration Guides are provided via the
scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is
developed through the ComplianceAsCode project, championed by
the National Security Agency. Except for differences in formatting
to accommodate publishing processes, this profile mirrors
ComplianceAsCode content as minor divergences, such as bugfixes,
work through the consensus and release processes.



Source Datastream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.


Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a Red Hat Enterprise Linux 7 system. Regardless of your
system's workload all of these checks should pass.



Source Datastream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a SUSE Linux Enterprise 12 system. Regardless of your
system's workload all of these checks should pass.


DISA STIG for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the
DISA STIG for SUSE Linux Enterprise 12 V2R3.



Source Datastream: ssg-sle15-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
broken into 'profiles', groupings of security settings that correlate
to a known policy. Available profiles are:


CIS SUSE Linux Enterprise 15 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security SUSE
Linux Enterprise 15 Benchmark, v1.0.0, currently in draft.


Standard System Security Profile for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of a SUSE Linux Enterprise 15 system based off of the SUSE
Hardening Guide. Regardless of your system's workload all of these
checks should pass.


DISA STIG for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the
DISA STIG for SUSE Linux Enterprise 15 V1R2.



Source Datastream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.


Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of an Ubuntu 16.04 system. Regardless of your system's workload
all of these checks should pass.



Source Datastream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already
protected by multiple higher level security stacks.


Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing
sensitive information that can be accessible from unauthenticated
or uncontrolled networks.


Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.


Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed
to unauthenticated flows or multiple sources.


CIS Ubuntu 18.04 LTS Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security Ubuntu
18.04 LTS Benchmark, v1.0.0, released 08-13-2018.


Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of an Ubuntu 18.04 system. Regardless of your system's workload
all of these checks should pass.



Source Datastream: ssg-ubuntu2004-ds.xml

The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Standard System Security Profile for Ubuntu 20.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline
of an Ubuntu 20.04 system. Regardless of your system's workload
all of these checks should pass.



Source Datastream: ssg-vsel-ds.xml

The Guide to the Secure Configuration of McAfee VirusScan Enterprise
for Linux is broken into 'profiles', groupings of security settings
that correlate to a known policy. Available profiles are:


McAfee VirusScan Enterprise for Linux (VSEL) STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

The McAfee VirusScan Enterprise for Linux software provides a
realtime virus scanner for Linux systems.



Source Datastream: ssg-wrlinux1019-ds.xml

The Guide to the Secure Configuration of WRLinux 1019 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux
installations. Regardless of your system's deployment objective,
all of these checks should pass.


DRAFT DISA STIG for Wind River Linux

Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa

This profile contains configuration checks that align to the
DISA STIG for Wind River Linux. This profile is being developed
under the DoD consensus model to become a STIG in coordination
with DISA FSO. What is the status of the Wind River Linux STIG?
The Wind River Linux STIG is in development under the DoD
consensus model and Wind River has started the process to get
approval from DISA. However, in the absence of an approved SRG or
STIG, vendor recommendations may be used instead. The current
contents constitute the vendor recommendations at the time of
the product release containing these contents. Note that
changes are expected before approval is granted, and those
changes will be made available in future Wind River Linux
Security Profile 1019 RCPL releases. More information, including
the following, is available from the DISA FAQs at
https://public.cyber.mil/stigs/faqs/



Source Datastream: ssg-wrlinux8-ds.xml

The Guide to the Secure Configuration of WRLinux 8 is broken into
'profiles', groupings of security settings that correlate to a known
policy. Available profiles are:


Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux
installations. Regardless of your system's deployment objective,
all of these checks should pass.



To scan your system utilizing the OpenSCAP utility against the ospp
profile:

    oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml

Additional details can be found on the project's wiki page:
https://www.github.com/OpenSCAP/scap-security-guide/wiki



/usr/share/xml/scap/ssg/content
    Houses SCAP content utilizing the following naming conventions:

    SCAP Source Datastreams: ssg-{product}-ds.xml

    CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

    CPE OVAL Content: ssg-{product}-cpe-oval.xml

    OVAL Content: ssg-{product}-oval.xml

    XCCDF Content: ssg-{product}-xccdf.xml

/usr/share/doc/scap-security-guide/guides/
    HTML versions of SSG profiles.

/usr/share/scap-security-guide/ansible/
    Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/bash/
    Contains Bash remediation scripts for SSG profiles.



SCAP Security Guide content is considered vendor (Red Hat) provided
content. Per guidance from the U.S. National Institute of Standards
and Technology (NIST), U.S. Government programs are allowed to use
Vendor produced SCAP content in absence of "Governmental Authority"
checklists. The specific NIST verbiage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority



DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
products incorporated into DoD information systems shall be configured
in accordance with DoD-approved security configuration guidelines" and
tasks Defense Information Systems Agency (DISA) to "develop and provide
security configuration guidance for IA and IA-enabled IT products in
coordination with Director, NSA." The output of this authority is the
DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
the process of moving the STIGs towards the use of the NIST Security
Content Automation Protocol (SCAP) in order to "automate" compliance
reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community
enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project
called SCAP Security Guide. The project's website is
https://www.open-scap.org/security-policies/scap-security-guide. Except
for differences in formatting to accommodate the DISA STIG publishing
process, the content of the Red Hat Enterprise Linux 6 STIG should
mirror the SCAP Security Guide content with only minor divergence as
updates from multiple sources work through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7 STIG
contains only XCCDF content and is available online:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Content published against the public.cyber.mil website is authoritative
STIG content. The SCAP Security Guide project, as noted in the STIG
overview, is considered upstream content. Unlike DISA FSO, the SCAP
Security Guide project does publish OVAL automation content. Individual
programs and C&A evaluators make program-level determinations on the
direct usage of the SCAP Security Guide. Currently there is no blanket
approval.



oscap(8)



Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide



version 1 26 Jan 2013 scap-security-guide(8)