scap-security-guide(8)      System Manager's Manual     scap-security-guide(8)

NAME

       SCAP Security Guide - Delivers security guidance, baselines, and
       associated validation mechanisms utilizing the Security Content
       Automation Protocol (SCAP).

DESCRIPTION

       The project provides practical security hardening advice and also links
       it to compliance requirements in order to ease deployment activities,
       such as certification and accreditation. These include requirements in
       the U.S. government (Federal, Defense, and Intelligence Community) as
       well as of the financial services and health care industries. For
       example, high-level and widely-accepted policies such as NIST 800-53
       provide prose stating that System Administrators must audit "privileged
       user actions," but do not define what "privileged actions" are. The SSG
       bridges the gap between generalized policy requirements and specific
       implementation guidance, in SCAP formats to support automation whenever
       possible.

       The project's homepage is located at:
       https://www.open-scap.org/security-policies/scap-security-guide

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

       Source Datastream:  ssg-centos7-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of a Red Hat Enterprise Linux 7 system. Regardless of your
              system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

       Source Datastream:  ssg-centos8-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

       Standard System Security Profile for Red Hat Enterprise Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of a Red Hat Enterprise Linux 8 system. Regardless of your
              system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Chromium

       Source Datastream:  ssg-chromium-ds.xml

       The Guide to the Secure Configuration of Chromium is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream STIG for Google Chromium

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Google Chromium STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of Debian 10

       Source Datastream:  ssg-debian10-ds.xml

       The Guide to the Secure Configuration of Debian 10 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.

       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Standard System Security Profile for Debian 10

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of a Debian 10 system. Regardless of your system's workload all
              of these checks should pass.

Profiles in Guide to the Secure Configuration of Debian 9

       Source Datastream:  ssg-debian9-ds.xml

       The Guide to the Secure Configuration of Debian 9 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Profile for ANSSI DAT-NT28 Average (Intermediate) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

              This profile contains items for GNU/Linux installations already
              protected by multiple higher level security stacks.

       Profile for ANSSI DAT-NT28 High (Enforced) Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.

       Profile for ANSSI DAT-NT28 Minimal Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

              This profile contains items to be applied systematically.

       Profile for ANSSI DAT-NT28 Restrictive Level

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

              This profile contains items for GNU/Linux installations exposed
              to unauthenticated flows or multiple sources.

       Standard System Security Profile for Debian 9

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of a Debian 9 system. Regardless of your system's workload all
              of these checks should pass.

Profiles in Guide to the Secure Configuration of Fedora

       Source Datastream:  ssg-fedora-ds.xml

       The Guide to the Secure Configuration of Fedora is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       OSPP - Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection
              Profile Version 4.2).

              As Fedora OS is a moving target, this profile does not guarantee
              to provide security levels required from US National Security
              Systems. The main goal of the profile is to provide Fedora
              developers with a hardened environment similar to the one
              mandated by US National Security Systems.

       PCI-DSS v3.2.1 Control Baseline for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 related security configuration settings
              are applied.

       Standard System Security Profile for Fedora

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of a Fedora system. Regardless of your system's workload all of
              these checks should pass.

Profiles in Guide to the Secure Configuration of Firefox

       Source Datastream:  ssg-firefox-ds.xml

       The Guide to the Secure Configuration of Firefox is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       Upstream Firefox STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile is developed under the DoD consensus model and DISA
              FSO Vendor STIG process, serving as the upstream development
              environment for the Firefox STIG.

              As a result of the upstream/downstream relationship between the
              SCAP Security Guide project and the official DISA FSO STIG
              baseline, users should expect variance between SSG and DISA FSO
              content. For official DISA FSO STIG content, refer to
              https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

              While this profile is packaged by Red Hat as part of the SCAP
              Security Guide package, please note that commercial support of
              this SCAP content is NOT available. This profile is provided as
              example SCAP content with no endorsement for suitability or
              production readiness. Support for this profile is provided by
              the upstream SCAP Security Guide community on a best-effort
              basis. The upstream project homepage is
              https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of JBoss Fuse 6

       Source Datastream:  ssg-fuse6-ds.xml

       The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:

       STIG for Apache ActiveMQ

              Profile ID:  xccdf_org.ssgproject.content_profile_amq-stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

       Standard System Security Profile for JBoss

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure standard security baseline
              of JBoss Fuse. Regardless of your system's workload all of these
              checks should pass.

       STIG for JBoss Fuse 6

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This is a *draft* profile for STIG. This profile is being
              developed under the DoD consensus model to become a STIG in
              coordination with DISA FSO.

Profiles in Guide to the Secure Configuration of Java Runtime Environment

       Source Datastream:  ssg-jre-ds.xml

       The Guide to the Secure Configuration of Java Runtime Environment is
       broken into 'profiles', groupings of security settings that correlate
       to a known policy. Available profiles are:

       Java Runtime Environment (JRE) STIG

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              The Java Runtime Environment (JRE) is a bundle developed and
              offered by Oracle Corporation which includes the Java Virtual
              Machine (JVM), class libraries, and other components necessary
              to run Java applications and applets. Certain default settings
              within the JRE pose a security risk so it is necessary to deploy
              system wide properties to ensure a higher degree of security
              when utilizing the JRE.

              The IBM Corporation also develops and bundles the Java Runtime
              Environment (JRE) as well as Red Hat with OpenJDK.

Profiles in Guide to the Secure Configuration of Apple macOS 10.15

       Source Datastream:  ssg-macos1015-ds.xml

       The Guide to the Secure Configuration of Apple macOS 10.15 is broken
       into 'profiles', groupings of security settings that correlate to a
       known policy. Available profiles are:

       NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina

              Profile ID:  xccdf_org.ssgproject.content_profile_moderate

              This compliance profile reflects the core set of Moderate-Impact
              Baseline configuration settings for deployment of Apple macOS
              10.15 Catalina into U.S. Defense, Intelligence, and Civilian
              agencies. Development partners and sponsors include the U.S.
              National Institute of Standards and Technology (NIST), U.S.
              Department of Defense, and the National Security Agency.

              This baseline implements configuration requirements from the
              following sources:

              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

       Source Datastream:  ssg-ocp4-ds.xml

       The Guide to the Secure Configuration of Red Hat OpenShift Container
       Platform 4 is broken into 'profiles', groupings of security settings
       that correlate to a known policy. Available profiles are:

       CIS Red Hat OpenShift Container Platform 4 Benchmark

              Profile ID:  xccdf_org.ssgproject.content_profile_cis-node

              This profile defines a baseline that aligns to the Center for
              Internet Security® Red Hat OpenShift Container Platform 4
              Benchmark™, V1.1.

              This profile includes Center for Internet Security® Red Hat
              OpenShift Container Platform 4 CIS Benchmarks™ content.

              Note that this part of the profile is meant to run on the
              Operating System that Red Hat OpenShift Container Platform 4
              runs on top of.

              This profile is applicable to OpenShift versions 4.6 and
              greater.

       CIS Red Hat OpenShift Container Platform 4 Benchmark

              Profile ID:  xccdf_org.ssgproject.content_profile_cis

              This profile defines a baseline that aligns to the Center for
              Internet Security® Red Hat OpenShift Container Platform 4
              Benchmark™, V1.1.

              This profile includes Center for Internet Security® Red Hat
              OpenShift Container Platform 4 CIS Benchmarks™ content.

              Note that this part of the profile is meant to run on the
              Platform that Red Hat OpenShift Container Platform 4 runs on
              top of.

              This profile is applicable to OpenShift versions 4.6 and
              greater.

       Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Red Hat OpenShift
              Container Platform that align to the Australian Cyber Security
              Centre (ACSC) Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

       NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level

              Profile ID:  xccdf_org.ssgproject.content_profile_moderate-node

              This compliance profile reflects the core set of Moderate-Impact
              Baseline configuration settings for deployment of Red Hat
              OpenShift Container Platform into U.S. Defense, Intelligence,
              and Civilian agencies. Development partners and sponsors include
              the U.S. National Institute of Standards and Technology (NIST),
              U.S. Department of Defense, the National Security Agency, and
              Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.

       NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
       level

              Profile ID:  xccdf_org.ssgproject.content_profile_moderate

              This compliance profile reflects the core set of Moderate-Impact
              Baseline configuration settings for deployment of Red Hat
              OpenShift Container Platform into U.S. Defense, Intelligence,
              and Civilian agencies. Development partners and sponsors include
              the U.S. National Institute of Standards and Technology (NIST),
              U.S. Department of Defense, the National Security Agency, and
              Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.

       NIST National Checklist for Red Hat OpenShift Container Platform

              Profile ID:  xccdf_org.ssgproject.content_profile_ncp

              This compliance profile reflects the core set of security
              related configuration settings for deployment of Red Hat
              OpenShift Container Platform into U.S. Defense, Intelligence,
              and Civilian agencies. Development partners and sponsors include
              the U.S. National Institute of Standards and Technology (NIST),
              U.S. Department of Defense, the National Security Agency, and
              Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST Controlled Unclassified Information (NIST 800-171)
              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for General Purpose Operating Systems
                v4.2.1 (OSPP v4.2.1)
              - DISA Operating System Security Requirements Guide (OS SRG)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.

       PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container
       Platform 4

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 security configuration settings are
              applied.

Profiles in Guide to the Secure Configuration of Oracle Linux 7

607       Source Datastream:  ssg-ol7-ds.xml
608
609       The  Guide to the Secure Configuration of Oracle Linux 7 is broken into
610       'profiles', groupings of security settings that correlate  to  a  known
611       policy. Available profiles are:
612
613
614
615       ANSSI-BP-028 (enhanced)
616
617              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
618              hanced
619
620              This profile contains configurations that align to  ANSSI-BP-028
621              at the enhanced hardening level.
622
623              ANSSI  is  the  French National Information Security Agency, and
624              stands for Agence nationale de la sécurité des systèmes d'infor‐
625              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
626              GNU/Linux systems.
627
628              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
629              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
630              securite-relatives-a-un-systeme-gnulinux/
631
632
633       DRAFT - ANSSI-BP-028 (high)
634
635              Profile          ID:           xccdf_org.ssgproject.content_pro‐
636              file_anssi_nt28_high
637
638              This  profile contains configurations that align to ANSSI-BP-028
639              at the high hardening level.
640
641              ANSSI is the French National Information  Security  Agency,  and
642              stands for Agence nationale de la sécurité des systèmes d'infor‐
643              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
644              GNU/Linux systems.
645
646              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
647              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
648              securite-relatives-a-un-systeme-gnulinux/
649
650
651       ANSSI-BP-028 (intermediary)
652
653              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
654              termediary
655
656              This profile contains configurations that align to  ANSSI-BP-028
657              at the intermediary hardening level.
658
659              ANSSI  is  the  French National Information Security Agency, and
660              stands for Agence nationale de la sécurité des systèmes d'infor‐
661              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
662              GNU/Linux systems.
663
664              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
665              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
666              securite-relatives-a-un-systeme-gnulinux/
667
668
669       ANSSI-BP-028 (minimal)
670
671              Profile          ID:           xccdf_org.ssgproject.content_pro‐
672              file_anssi_nt28_minimal
673
674              This  profile contains configurations that align to ANSSI-BP-028
675              at the minimal hardening level.
676
677              ANSSI is the French National Information  Security  Agency,  and
678              stands for Agence nationale de la sécurité des systèmes d'infor‐
679              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
680              GNU/Linux systems.
681
682              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
683              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
684              securite-relatives-a-un-systeme-gnulinux/
685
686
687       Criminal Justice Information Services (CJIS) Security Policy
688
689              Profile ID:  xccdf_org.ssgproject.content_profile_cjis
690
691              This  profile is derived from FBI's CJIS v5.4 Security Policy. A
692              copy of this policy can be found at the CJIS Security Policy Re‐
693              source Center:
694
695              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
696              center
697
698
       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in non-federal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement the
              basic security requirements, are taken from the security controls
              in NIST Special Publication 800-53.

              This profile configures Oracle Linux 7 to the NIST Special
              Publication 800-53 controls identified for securing Controlled
              Unclassified Information (CUI).


       [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Oracle Linux 7
              that align to the Australian Cyber Security Centre (ACSC)
              Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers


       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals’ electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Oracle Linux 7 to the HIPAA Security
              Rule identified for securing electronic protected health
              information. Use of this profile in no way guarantees or makes
              claims of legal compliance with the HIPAA Security Rule(s).


       [DRAFT] Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection Profile
              Version 4.2.1).

              This configuration profile is consistent with CNSSI-1253, which
              requires U.S. National Security Systems to adhere to certain
              configuration parameters. Accordingly, this configuration
              profile is suitable for use in U.S. National Security Systems.


       PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 related security configuration settings
              are applied.


       Security Profile of Oracle Linux 7 for SAP

              Profile ID:  xccdf_org.ssgproject.content_profile_sap

              This profile contains rules for Oracle Linux 7 Operating System
              in compliance with SAP note 2069760 and SAP Security Baseline
              Template version 1.9 Item I-8 and section 4.1.2.2. Regardless of
              your system's workload, all of these checks should pass.


       Standard System Security Profile for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline for an Oracle Linux 7 system. Regardless of your
              system's workload, all of these checks should pass.


       DISA STIG for Oracle Linux 7

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              DISA STIG for Oracle Linux V2R4.

Profiles in Guide to the Secure Configuration of Oracle Linux 8

       Source Datastream:  ssg-ol8-ds.xml

       The Guide to the Secure Configuration of Oracle Linux 8 is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       ANSSI-BP-028 (enhanced)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

              This profile contains configurations that align to ANSSI-BP-028
              at the enhanced hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       DRAFT - ANSSI-BP-028 (high)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_high

              This profile contains configurations that align to ANSSI-BP-028
              at the high hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       ANSSI-BP-028 (intermediary)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

              This profile contains configurations that align to ANSSI-BP-028
              at the intermediary hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       ANSSI-BP-028 (minimal)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

              This profile contains configurations that align to ANSSI-BP-028
              at the minimal hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       Criminal Justice Information Services (CJIS) Security Policy

              Profile ID:  xccdf_org.ssgproject.content_profile_cjis

              This profile is derived from FBI's CJIS v5.4 Security Policy. A
              copy of this policy can be found at the CJIS Security Policy
              Resource Center:

              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


       Unclassified Information in Non-federal Information Systems and
       Organizations (NIST 800-171)

              Profile ID:  xccdf_org.ssgproject.content_profile_cui

              From NIST 800-171, Section 2.2: Security requirements for
              protecting the confidentiality of CUI in non-federal information
              systems and organizations have a well-defined structure that
              consists of:

              (i) a basic security requirements section; (ii) a derived
              security requirements section.

              The basic security requirements are obtained from FIPS
              Publication 200, which provides the high-level and fundamental
              security requirements for federal information and information
              systems. The derived security requirements, which supplement the
              basic security requirements, are taken from the security controls
              in NIST Special Publication 800-53.

              This profile configures Oracle Linux 8 to the NIST Special
              Publication 800-53 controls identified for securing Controlled
              Unclassified Information (CUI).


       [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Oracle Linux 8
              that align to the Australian Cyber Security Centre (ACSC)
              Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers


       Health Insurance Portability and Accountability Act (HIPAA)

              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa

              The HIPAA Security Rule establishes U.S. national standards to
              protect individuals’ electronic personal health information that
              is created, received, used, or maintained by a covered entity.
              The Security Rule requires appropriate administrative, physical
              and technical safeguards to ensure the confidentiality,
              integrity, and security of electronic protected health
              information.

              This profile configures Oracle Linux 8 to the HIPAA Security
              Rule identified for securing electronic protected health
              information. Use of this profile in no way guarantees or makes
              claims of legal compliance with the HIPAA Security Rule(s).


       [DRAFT] Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection Profile
              Version 4.2.1).

              This configuration profile is consistent with CNSSI-1253, which
              requires U.S. National Security Systems to adhere to certain
              configuration parameters. Accordingly, this configuration
              profile is suitable for use in U.S. National Security Systems.


       PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss

              Ensures PCI-DSS v3.2.1 related security configuration settings
              are applied.


       Standard System Security Profile for Oracle Linux 8

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline for an Oracle Linux 8 system. Regardless of your
              system's workload, all of these checks should pass.

Profiles in Guide to the Secure Configuration of openSUSE

       Source Datastream:  ssg-opensuse-ds.xml

       The Guide to the Secure Configuration of openSUSE is broken into
       'profiles', groupings of security settings that correlate to a known
       policy. Available profiles are:



       Standard System Security Profile for openSUSE

              Profile ID:  xccdf_org.ssgproject.content_profile_standard

              This profile contains rules to ensure a standard security
              baseline for an openSUSE system. Regardless of your system's
              workload, all of these checks should pass.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

       Source Datastream:  ssg-rhcos4-ds.xml

       The Guide to the Secure Configuration of Red Hat Enterprise Linux
       CoreOS 4 is broken into 'profiles', groupings of security settings that
       correlate to a known policy. Available profiles are:



       DRAFT - ANSSI-BP-028 (enhanced)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

              This profile contains configurations that align to ANSSI-BP-028
              at the enhanced hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       DRAFT - ANSSI-BP-028 (high)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_high

              This profile contains configurations that align to ANSSI-BP-028
              at the high hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       DRAFT - ANSSI-BP-028 (intermediary)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

              This profile contains configurations that align to ANSSI-BP-028
              at the intermediary hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       DRAFT - ANSSI-BP-028 (minimal)

              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

              This profile contains configurations that align to ANSSI-BP-028
              at the minimal hardening level.

              ANSSI is the French National Information Security Agency, and
              stands for Agence nationale de la sécurité des systèmes
              d'information. ANSSI-BP-028 is a configuration recommendation
              for GNU/Linux systems.

              A copy of the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/


       Australian Cyber Security Centre (ACSC) Essential Eight

              Profile ID:  xccdf_org.ssgproject.content_profile_e8

              This profile contains configuration checks for Red Hat
              Enterprise Linux CoreOS that align to the Australian Cyber
              Security Centre (ACSC) Essential Eight.

              A copy of the Essential Eight in Linux Environments guide can be
              found at the ACSC website:

              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers


       NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
       CoreOS

              Profile ID:  xccdf_org.ssgproject.content_profile_moderate

              This compliance profile reflects the core set of Moderate-Impact
              Baseline configuration settings for deployment of Red Hat
              Enterprise Linux CoreOS into U.S. Defense, Intelligence, and
              Civilian agencies. Development partners and sponsors include the
              U.S. National Institute of Standards and Technology (NIST), U.S.
              Department of Defense, the National Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System Security
              Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.


       NIST National Checklist for Red Hat Enterprise Linux CoreOS

              Profile ID:  xccdf_org.ssgproject.content_profile_ncp

              This compliance profile reflects the core set of security
              related configuration settings for deployment of Red Hat
              Enterprise Linux CoreOS into U.S. Defense, Intelligence, and
              Civilian agencies. Development partners and sponsors include the
              U.S. National Institute of Standards and Technology (NIST), U.S.
              Department of Defense, the National Security Agency, and Red Hat.

              This baseline implements configuration requirements from the
              following sources:

              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST Controlled Unclassified Information (NIST 800-171)
              - NIST 800-53 control selections for Moderate-Impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for General Purpose Operating Systems
                v4.2.1 (OSPP v4.2.1)
              - DISA Operating System Security Requirements Guide (OS SRG)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System Security
              Configuration Guides are provided via the
              scap-security-guide-docs package.

              This profile reflects U.S. Government consensus content and is
              developed through the ComplianceAsCode initiative, championed by
              the National Security Agency. Except for differences in
              formatting to accommodate publishing processes, this profile
              mirrors ComplianceAsCode content as minor divergences, such as
              bugfixes, work through the consensus and release processes.


       Protection Profile for General Purpose Operating Systems

              Profile ID:  xccdf_org.ssgproject.content_profile_ospp

              This profile reflects mandatory configuration controls
              identified in the NIAP Configuration Annex to the Protection
              Profile for General Purpose Operating Systems (Protection Profile
              Version 4.2.1).

              This configuration profile is consistent with CNSSI-1253, which
              requires U.S. National Security Systems to adhere to certain
              configuration parameters. Accordingly, this configuration
              profile is suitable for use in U.S. National Security Systems.


       [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS

              Profile ID:  xccdf_org.ssgproject.content_profile_stig

              This profile contains configuration checks that align to the
              [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS, which is
              the operating system layer of Red Hat OpenShift Container
              Platform.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

1211       Source Datastream:  ssg-rhel7-ds.xml
1212
1213       The  Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1214       broken into 'profiles', groupings of security settings  that  correlate
1215       to a known policy. Available profiles are:
1216
1217
1218
1219       C2S for Red Hat Enterprise Linux 7
1220
1221              Profile ID:  xccdf_org.ssgproject.content_profile_C2S
1222
1223              This profile demonstrates compliance against the U.S. Government
1224              Commercial Cloud Services (C2S) baseline.
1225
1226              This baseline was inspired by the Center for  Internet  Security
1227              (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1228
1229              For the SCAP Security Guide project to remain in compliance with
1230              CIS' terms and conditions,  specifically  Restrictions(8),  note
1231              there  is  no  representation or claim that the C2S profile will
1232              ensure a system is in compliance or  consistency  with  the  CIS
1233              baseline.
1234
1235
1236       ANSSI-BP-028 (enhanced)
1237
1238              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1239              hanced
1240
1241              This profile contains configurations that align to  ANSSI-BP-028
1242              v1.2 at the enhanced hardening level.
1243
1244              ANSSI  is  the  French National Information Security Agency, and
1245              stands for Agence nationale de la sécurité des systèmes d'infor‐
1246              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1247              GNU/Linux systems.
1248
1249              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
1250              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1251              securite-relatives-a-un-systeme-gnulinux/
1252
1253
1254       ANSSI-BP-028 (high)
1255
1256              Profile          ID:           xccdf_org.ssgproject.content_pro‐
1257              file_anssi_nt28_high
1258
1259              This  profile contains configurations that align to ANSSI-BP-028
1260              v1.2 at the high hardening level.
1261
1262              ANSSI is the French National Information  Security  Agency,  and
1263              stands for Agence nationale de la sécurité des systèmes d'infor‐
1264              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1265              GNU/Linux systems.
1266
1267              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
1268              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1269              securite-relatives-a-un-systeme-gnulinux/
1270
1271
1272       ANSSI-BP-028 (intermediary)
1273
1274              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1275              termediary
1276
1277              This profile contains configurations that align to  ANSSI-BP-028
1278              v1.2 at the intermediary hardening level.
1279
1280              ANSSI  is  the  French National Information Security Agency, and
1281              stands for Agence nationale de la sécurité des systèmes d'infor‐
1282              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1283              GNU/Linux systems.
1284
1285              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
1286              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1287              securite-relatives-a-un-systeme-gnulinux/
1288
1289
1290       ANSSI-BP-028 (minimal)
1291
1292              Profile          ID:           xccdf_org.ssgproject.content_pro‐
1293              file_anssi_nt28_minimal
1294
1295              This  profile contains configurations that align to ANSSI-BP-028
1296              v1.2 at the minimal hardening level.
1297
1298              ANSSI is the French National Information  Security  Agency,  and
1299              stands for Agence nationale de la sécurité des systèmes d'infor‐
1300              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1301              GNU/Linux systems.
1302
1303              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
1304              https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1305              securite-relatives-a-un-systeme-gnulinux/
1306
1307
1308       CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
1309
1310              Profile ID:  xccdf_org.ssgproject.content_profile_cis
1311
1312              This  profile  defines  a baseline that aligns to the "Level 2 -
1313              Server" configuration from the Center for Internet Security® Red
1314              Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1315
1316              This  profile includes Center for Internet Security® Red Hat En‐
1317              terprise Linux 7 CIS Benchmarks™ content.
1318
1319
1320       CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
1321
1322              Profile ID:  xccdf_org.ssgproject.content_profile_cis_server_l1
1323
1324              This profile defines a baseline that aligns to the  "Level  1  -
1325              Server" configuration from the Center for Internet Security® Red
1326              Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1327
1328              This profile includes Center for Internet Security® Red Hat  En‐
1329              terprise Linux 7 CIS Benchmarks™ content.
1330
1331
1332       CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
1333
1334              Profile  ID:   xccdf_org.ssgproject.content_profile_cis_worksta‐
1335              tion_l1
1336
1337              This profile defines a baseline that aligns to the  "Level  1  -
1338              Workstation"  configuration  from  the Center for Internet Secu‐
1339              rity® Red Hat Enterprise Linux 7  Benchmark™,  v3.1.1,  released
1340              05-21-2021.
1341
1342              This  profile includes Center for Internet Security® Red Hat En‐
1343              terprise Linux 7 CIS Benchmarks™ content.
1344
1345
1346       CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
1347
1348              Profile  ID:   xccdf_org.ssgproject.content_profile_cis_worksta‐
1349              tion_l2
1350
1351              This  profile  defines  a baseline that aligns to the "Level 2 -
1352              Workstation" configuration from the Center  for  Internet  Secu‐
1353              rity®  Red  Hat  Enterprise Linux 7 Benchmark™, v3.1.1, released
1354              05-21-2021.
1355
1356              This profile includes Center for Internet Security® Red Hat  En‐
1357              terprise Linux 7 CIS Benchmarks™ content.
1358
1359
1360       Criminal Justice Information Services (CJIS) Security Policy
1361
1362              Profile ID:  xccdf_org.ssgproject.content_profile_cjis
1363
1364              This  profile is derived from FBI's CJIS v5.4 Security Policy. A
1365              copy of this policy can be found at the CJIS Security Policy Re‐
1366              source Center:
1367
1368              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1369              center
1370
1371
1372       Unclassified Information in Non-federal Information Systems and Organi‐
1373       zations (NIST 800-171)
1374
1375              Profile ID:  xccdf_org.ssgproject.content_profile_cui
1376
1377              From  NIST  800-171, Section 2.2: Security requirements for pro‐
1378              tecting the confidentiality of CUI  in  non-federal  information
1379              systems  and  organizations  have  a well-defined structure that
1380              consists of:
1381
1382              (i) a basic security requirements section; (ii) a derived  secu‐
1383              rity requirements section.
1384
1385              The  basic security requirements are obtained from FIPS Publica‐
1386              tion 200, which provides the high-level and fundamental security
1387              requirements  for  federal  information and information systems.
1388              The derived security requirements, which  supplement  the  basic
1389              security  requirements,  are taken from the security controls in
1390              NIST Special Publication 800-53.
1391
1392              This profile configures Red Hat Enterprise Linux 7 to  the  NIST
1393              Special Publication 800-53 controls identified for securing Con‐
1394              trolled Unclassified Information (CUI).
1395
1396
1397       Australian Cyber Security Centre (ACSC) Essential Eight
1398
1399              Profile ID:  xccdf_org.ssgproject.content_profile_e8
1400
1401              This profile contains configuration checks for  Red  Hat  Enter‐
1402              prise Linux 7 that align to the Australian Cyber Security Centre
1403              (ACSC) Essential Eight.
1404
1405              A copy of the Essential Eight in Linux Environments guide can be
1406              found at the ACSC website:
1407
1408              https://www.cyber.gov.au/acsc/view-all-content/publica
1409              tions/hardening-linux-workstations-and-servers
1410
1411
1412       Health Insurance Portability and Accountability Act (HIPAA)
1413
1414              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa
1415
1416              The HIPAA Security Rule establishes U.S. national  standards  to
1417              protect individuals’ electronic personal health information that
1418              is created, received, used, or maintained by a  covered  entity.
1419              The  Security Rule requires appropriate administrative, physical
1420              and technical safeguards to ensure the  confidentiality,  integ‐
1421              rity, and security of electronic protected health information.
1422
1423              This  profile configures Red Hat Enterprise Linux 7 to the HIPAA
1424              Security Rule identified for securing  of  electronic  protected
1425              health information.  Use of this profile in no way guarantees or
1426              makes claims against legal compliance against the HIPAA Security
1427              Rule(s).
1428
1429
1430       NIST National Checklist Program Security Guide
1431
1432              Profile ID:  xccdf_org.ssgproject.content_profile_ncp
1433
1434              This  compliance  profile  reflects the core set of security re‐
1435              lated configuration settings for deployment of  Red  Hat  Enter‐
1436              prise  Linux  7.x  into U.S. Defense, Intelligence, and Civilian
1437              agencies.  Development partners and sponsors  include  the  U.S.
1438              National  Institute of Standards and Technology (NIST), U.S. De‐
1439              partment of Defense, the National Security Agency, and Red Hat.
1440
1441              This baseline implements  configuration  requirements  from  the
1442              following sources:
1443
              - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
              - NIST Controlled Unclassified Information (NIST 800-171)
              - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
              - DISA Operating System Security Requirements Guide (OS SRG)
1451
1452              For  any  differing  configuration  requirements,  e.g. password
1453              lengths, the stricter security setting was chosen. Security  Re‐
1454              quirement  Traceability Guides (RTMs) and sample System Security
1455              Configuration Guides are provided via  the  scap-security-guide-
1456              docs package.
1457
1458              This  profile  reflects U.S. Government consensus content and is
1459              developed through the OpenSCAP/SCAP Security  Guide  initiative,
1460              championed  by  the National Security Agency. Except for differ‐
1461              ences in formatting to accommodate  publishing  processes,  this
1462              profile  mirrors  OpenSCAP/SCAP  Security Guide content as minor
1463              divergences, such as bugfixes, work through  the  consensus  and
1464              release processes.
1465
1466
1467       OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1468
1469              Profile ID:  xccdf_org.ssgproject.content_profile_ospp
1470
1471              This  profile  reflects mandatory configuration controls identi‐
1472              fied in the NIAP Configuration Annex to the  Protection  Profile
1473              for  General  Purpose Operating Systems (Protection Profile Ver‐
1474              sion 4.2.1).
1475
1476              This configuration profile is consistent with CNSSI-1253,  which
1477              requires  U.S.  National  Security  Systems to adhere to certain
1478              configuration parameters. Accordingly, this  configuration  pro‐
1479              file is suitable for use in U.S. National Security Systems.
1480
1481
1482       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1483
1484              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
1485
1486              Ensures  PCI-DSS  v3.2.1 security configuration settings are ap‐
1487              plied.
1488
1489
1490       RHV hardening based on STIG for Red Hat Enterprise Linux 7
1491
1492              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-stig
1493
              This profile contains configuration checks for Red Hat
              Virtualization based on the DISA STIG for Red Hat Enterprise
              Linux 7.
1497
1498
1499       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1500       ization
1501
1502              Profile ID:  xccdf_org.ssgproject.content_profile_rhelh-vpp
1503
1504              This  compliance  profile  reflects the core set of security re‐
1505              lated configuration settings for deployment of  Red  Hat  Enter‐
1506              prise  Linux  Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1507              gence, and Civilian agencies.  Development partners and sponsors
1508              include  the U.S. National Institute of Standards and Technology
1509              (NIST),  U.S.  Department  of  Defense,  the  National  Security
1510              Agency, and Red Hat.
1511
1512              This  baseline  implements  configuration  requirements from the
1513              following sources:
1514
              - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
1520
1521              For any  differing  configuration  requirements,  e.g.  password
1522              lengths,  the stricter security setting was chosen. Security Re‐
1523              quirement Traceability Guides (RTMs) and sample System  Security
1524              Configuration  Guides  are provided via the scap-security-guide-
1525              docs package.
1526
1527              This profile reflects U.S. Government consensus content  and  is
1528              developed  through  the  ComplianceAsCode project, championed by
1529              the National Security Agency. Except for differences in  format‐
1530              ting  to  accommodate publishing processes, this profile mirrors
1531              ComplianceAsCode content as minor divergences, such as bugfixes,
1532              work through the consensus and release processes.
1533
1534
1535       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1536
1537              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp
1538
1539              This  profile  contains the minimum security relevant configura‐
1540              tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1541              Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1542
1543
1544       Standard System Security Profile for Red Hat Enterprise Linux 7
1545
1546              Profile ID:  xccdf_org.ssgproject.content_profile_standard
1547
1548              This profile contains rules to ensure standard security baseline
1549              of a Red Hat Enterprise Linux 7 system. Regardless of your  sys‐
1550              tem's workload all of these checks should pass.
1551
1552
1553       DISA STIG for Red Hat Enterprise Linux 7
1554
1555              Profile ID:  xccdf_org.ssgproject.content_profile_stig
1556
1557              This  profile  contains  configuration  checks that align to the
1558              DISA STIG for Red Hat Enterprise Linux V3R4.
1559
1560              In addition to being applicable to Red Hat Enterprise  Linux  7,
1561              DISA recognizes this configuration baseline as applicable to the
1562              operating system tier of Red Hat technologies that are based  on
1563              Red Hat Enterprise Linux 7, such as:
1564
              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 7 image
1569
1570
1571       DISA STIG with GUI for Red Hat Enterprise Linux 7
1572
1573              Profile ID:  xccdf_org.ssgproject.content_profile_stig_gui
1574
1575              This profile contains configuration checks  that  align  to  the
1576              DISA STIG with GUI for Red Hat Enterprise Linux V3R4.
1577
1578              In  addition  to being applicable to Red Hat Enterprise Linux 7,
1579              DISA recognizes this configuration baseline as applicable to the
1580              operating  system tier of Red Hat technologies that are based on
1581              Red Hat Enterprise Linux 7, such as:
1582
              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 7 image
1587
1588              Warning:  The installation and use of a Graphical User Interface
1589              (GUI) increases your attack vector and  decreases  your  overall
1590              security  posture.  If your Information Systems Security Officer
1591              (ISSO) lacks a documented operational requirement for a  graphi‐
1592              cal user interface, please consider using the standard DISA STIG
1593              for Red Hat Enterprise Linux 7 profile.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

1600       Source Datastream:  ssg-rhel8-ds.xml
1601
1602       The Guide to the Secure Configuration of Red Hat Enterprise Linux 8  is
1603       broken  into  'profiles', groupings of security settings that correlate
1604       to a known policy. Available profiles are:
1605
1606
1607
1608       ANSSI-BP-028 (enhanced)
1609
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
1612
1613              This  profile contains configurations that align to ANSSI-BP-028
1614              v1.2 at the enhanced hardening level.
1615
1616              ANSSI is the French National Information  Security  Agency,  and
1617              stands for Agence nationale de la sécurité des systèmes d'infor‐
1618              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1619              GNU/Linux systems.
1620
1621              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1624
1625
1626       ANSSI-BP-028 (high)
1627
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_high
1630
1631              This profile contains configurations that align to  ANSSI-BP-028
1632              v1.2 at the high hardening level.
1633
1634              ANSSI  is  the  French National Information Security Agency, and
1635              stands for Agence nationale de la sécurité des systèmes d'infor‐
1636              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1637              GNU/Linux systems.
1638
1639              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1642
1643
1644       ANSSI-BP-028 (intermediary)
1645
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
1648
1649              This  profile contains configurations that align to ANSSI-BP-028
1650              v1.2 at the intermediary hardening level.
1651
1652              ANSSI is the French National Information  Security  Agency,  and
1653              stands for Agence nationale de la sécurité des systèmes d'infor‐
1654              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1655              GNU/Linux systems.
1656
1657              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1660
1661
1662       ANSSI-BP-028 (minimal)
1663
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
1666
1667              This profile contains configurations that align to  ANSSI-BP-028
1668              v1.2 at the minimal hardening level.
1669
1670              ANSSI  is  the  French National Information Security Agency, and
1671              stands for Agence nationale de la sécurité des systèmes d'infor‐
1672              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1673              GNU/Linux systems.
1674
1675              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1678
1679
1680       CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
1681
1682              Profile ID:  xccdf_org.ssgproject.content_profile_cis
1683
1684              This profile defines a baseline that aligns to the  "Level  2  -
1685              Server" configuration from the Center for Internet Security® Red
1686              Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1687
1688              This profile includes Center for Internet Security® Red Hat  En‐
1689              terprise Linux 8 CIS Benchmarks™ content.
1690
1691
1692       CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
1693
1694              Profile ID:  xccdf_org.ssgproject.content_profile_cis_server_l1
1695
1696              This  profile  defines  a baseline that aligns to the "Level 1 -
1697              Server" configuration from the Center for Internet Security® Red
1698              Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1699
1700              This  profile includes Center for Internet Security® Red Hat En‐
1701              terprise Linux 8 CIS Benchmarks™ content.
1702
1703
1704       CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
1705
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l1
1708
1709              This  profile  defines  a baseline that aligns to the "Level 1 -
1710              Workstation" configuration from the Center  for  Internet  Secu‐
1711              rity®  Red  Hat  Enterprise Linux 8 Benchmark™, v1.0.1, released
1712              2021-05-19.
1713
1714              This profile includes Center for Internet Security® Red Hat  En‐
1715              terprise Linux 8 CIS Benchmarks™ content.
1716
1717
1718       CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
1719
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l2
1722
1723              This profile defines a baseline that aligns to the  "Level  2  -
1724              Workstation"  configuration  from  the Center for Internet Secu‐
1725              rity® Red Hat Enterprise Linux 8  Benchmark™,  v1.0.1,  released
1726              2021-05-19.
1727
1728              This  profile includes Center for Internet Security® Red Hat En‐
1729              terprise Linux 8 CIS Benchmarks™ content.
1730
1731
1732       Criminal Justice Information Services (CJIS) Security Policy
1733
1734              Profile ID:  xccdf_org.ssgproject.content_profile_cjis
1735
1736              This profile is derived from FBI's CJIS v5.4 Security Policy.  A
1737              copy of this policy can be found at the CJIS Security Policy Re‐
1738              source Center:
1739
              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
1742
1743
1744       Unclassified Information in Non-federal Information Systems and Organi‐
1745       zations (NIST 800-171)
1746
1747              Profile ID:  xccdf_org.ssgproject.content_profile_cui
1748
1749              From NIST 800-171, Section 2.2: Security requirements  for  pro‐
1750              tecting  the  confidentiality  of  CUI in nonfederal information
1751              systems and organizations have  a  well-defined  structure  that
1752              consists of:
1753
1754              (i)  a basic security requirements section; (ii) a derived secu‐
1755              rity requirements section.
1756
1757              The basic security requirements are obtained from FIPS  Publica‐
1758              tion 200, which provides the high-level and fundamental security
1759              requirements for federal information  and  information  systems.
1760              The  derived  security  requirements, which supplement the basic
1761              security requirements, are taken from the security  controls  in
1762              NIST Special Publication 800-53.
1763
              This profile configures Red Hat Enterprise Linux 8 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).
1767
1768
1769       Australian Cyber Security Centre (ACSC) Essential Eight
1770
1771              Profile ID:  xccdf_org.ssgproject.content_profile_e8
1772
1773              This  profile  contains  configuration checks for Red Hat Enter‐
1774              prise Linux 8 that align to the Australian Cyber Security Centre
1775              (ACSC) Essential Eight.
1776
1777              A copy of the Essential Eight in Linux Environments guide can be
1778              found at the ACSC website:
1779
              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
1782
1783
1784       Health Insurance Portability and Accountability Act (HIPAA)
1785
1786              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa
1787
1788              The  HIPAA  Security Rule establishes U.S. national standards to
1789              protect individuals’ electronic personal health information that
1790              is  created,  received, used, or maintained by a covered entity.
1791              The Security Rule requires appropriate administrative,  physical
1792              and  technical  safeguards to ensure the confidentiality, integ‐
1793              rity, and security of electronic protected health information.
1794
1795              This profile configures Red Hat Enterprise Linux 8 to the  HIPAA
1796              Security  Rule  identified  for securing of electronic protected
1797              health information.  Use of this profile in no way guarantees or
1798              makes claims against legal compliance against the HIPAA Security
1799              Rule(s).
1800
1801
1802       Australian Cyber Security Centre (ACSC) ISM Official
1803
1804              Profile ID:  xccdf_org.ssgproject.content_profile_ism_o
1805
1806              This profile contains configuration checks for  Red  Hat  Enter‐
1807              prise Linux 8 that align to the Australian Cyber Security Centre
1808              (ACSC) Information Security Manual (ISM) with the  applicability
1809              marking of OFFICIAL.
1810
1811              The  ISM uses a risk-based approach to cyber security. This pro‐
1812              file provides a guide to aligning Red Hat Enterprise Linux secu‐
1813              rity controls with the ISM, which can be used to select controls
1814              specific to an organisation's security posture and risk profile.
1815
1816              A copy of the ISM can be found at the ACSC website:
1817
1818              https://www.cyber.gov.au/ism
1819
1820
1821       Protection Profile for General Purpose Operating Systems
1822
1823              Profile ID:  xccdf_org.ssgproject.content_profile_ospp
1824
1825              This profile reflects mandatory configuration  controls  identi‐
1826              fied  in  the NIAP Configuration Annex to the Protection Profile
1827              for General Purpose Operating Systems (Protection  Profile  Ver‐
1828              sion 4.2.1).
1829
1830              This  configuration profile is consistent with CNSSI-1253, which
1831              requires U.S. National Security Systems  to  adhere  to  certain
1832              configuration  parameters.  Accordingly, this configuration pro‐
1833              file is suitable for use in U.S. National Security Systems.
1834
1835
1836       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1837
1838              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
1839
1840              Ensures PCI-DSS v3.2.1 security configuration settings  are  ap‐
1841              plied.
1842
1843
1844       Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1845
1846              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp
1847
1848              This  profile  contains the minimum security relevant configura‐
1849              tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1850              Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1851
1852
1853       Standard System Security Profile for Red Hat Enterprise Linux 8
1854
1855              Profile ID:  xccdf_org.ssgproject.content_profile_standard
1856
1857              This profile contains rules to ensure standard security baseline
1858              of a Red Hat Enterprise Linux 8 system. Regardless of your  sys‐
1859              tem's workload all of these checks should pass.
1860
1861
1862       DISA STIG for Red Hat Enterprise Linux 8
1863
1864              Profile ID:  xccdf_org.ssgproject.content_profile_stig
1865
1866              This  profile  contains  configuration  checks that align to the
1867              DISA STIG for Red Hat Enterprise Linux 8 V1R3.
1868
1869              In addition to being applicable to Red Hat Enterprise  Linux  8,
1870              DISA recognizes this configuration baseline as applicable to the
1871              operating system tier of Red Hat technologies that are based  on
1872              Red Hat Enterprise Linux 8, such as:
1873
              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 8 image
1878
1879
1880       DISA STIG with GUI for Red Hat Enterprise Linux 8
1881
1882              Profile ID:  xccdf_org.ssgproject.content_profile_stig_gui
1883
1884              This profile contains configuration checks  that  align  to  the
1885              DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
1886
1887              In  addition  to being applicable to Red Hat Enterprise Linux 8,
1888              DISA recognizes this configuration baseline as applicable to the
1889              operating  system tier of Red Hat technologies that are based on
1890              Red Hat Enterprise Linux 8, such as:
1891
              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 8 image
1896
1897              Warning:  The installation and use of a Graphical User Interface
1898              (GUI) increases your attack vector and  decreases  your  overall
1899              security  posture.  If your Information Systems Security Officer
1900              (ISSO) lacks a documented operational requirement for a  graphi‐
1901              cal user interface, please consider using the standard DISA STIG
1902              for Red Hat Enterprise Linux 8 profile.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9

1909       Source Datastream:  ssg-rhel9-ds.xml
1910
1911       The Guide to the Secure Configuration of Red Hat Enterprise Linux 9  is
1912       broken  into  'profiles', groupings of security settings that correlate
1913       to a known policy. Available profiles are:
1914
1915
1916
1917       ANSSI-BP-028 (enhanced)
1918
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
1921
1922              This  profile contains configurations that align to ANSSI-BP-028
1923              at the enhanced hardening level.
1924
1925              ANSSI is the French National Information  Security  Agency,  and
1926              stands for Agence nationale de la sécurité des systèmes d'infor‐
1927              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1928              GNU/Linux systems.
1929
1930              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1933
1934
1935       ANSSI-BP-028 (high)
1936
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_high
1939
1940              This profile contains configurations that align to  ANSSI-BP-028
1941              at the high hardening level.
1942
1943              ANSSI  is  the  French National Information Security Agency, and
1944              stands for Agence nationale de la sécurité des systèmes d'infor‐
1945              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1946              GNU/Linux systems.
1947
1948              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1951
1952
1953       ANSSI-BP-028 (intermediary)
1954
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
1957
1958              This  profile contains configurations that align to ANSSI-BP-028
1959              at the intermediary hardening level.
1960
1961              ANSSI is the French National Information  Security  Agency,  and
1962              stands for Agence nationale de la sécurité des systèmes d'infor‐
1963              mation.  ANSSI-BP-028  is  a  configuration  recommendation  for
1964              GNU/Linux systems.
1965
1966              A  copy  of  the ANSSI-BP-028 can be found at the ANSSI website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1969
1970
1971       ANSSI-BP-028 (minimal)
1972
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
1975
1976              This profile contains configurations that align to  ANSSI-BP-028
1977              at the minimal hardening level.
1978
1979              ANSSI  is  the  French National Information Security Agency, and
1980              stands for Agence nationale de la sécurité des systèmes d'infor‐
1981              mation.   ANSSI-BP-028  is  a  configuration  recommendation for
1982              GNU/Linux systems.
1983
1984              A copy of the ANSSI-BP-028 can be found at  the  ANSSI  website:
              https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
1987
1988
1989       [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
1990
1991              Profile ID:  xccdf_org.ssgproject.content_profile_cis
1992
1993              This is a draft profile based on its RHEL8 version  for  experi‐
1994              mental  purposes.   It  is  not  based  on the CIS benchmark for
1995              RHEL9, because this one was not available at  time  of  the  re‐
1996              lease.
1997
1998
1999       [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
2000
2001              Profile ID:  xccdf_org.ssgproject.content_profile_cis_server_l1
2002
2003              This  is  a draft profile based on its RHEL8 version for experi‐
2004              mental purposes.  It is not  based  on  the  CIS  benchmark  for
2005              RHEL9,  because  this  one  was not available at time of the re‐
2006              lease.
2007
2008
2009       [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
2010       tion
2011
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l1
2014
2015              This is a draft profile based on its RHEL8 version  for  experi‐
2016              mental  purposes.   It  is  not  based  on the CIS benchmark for
2017              RHEL9, because this one was not available at  time  of  the  re‐
2018              lease.
2019
2020
2021       [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
2022       tion
2023
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l2
2026
2027              This  is  a draft profile based on its RHEL8 version for experi‐
2028              mental purposes.  It is not  based  on  the  CIS  benchmark  for
2029              RHEL9,  because  this  one  was not available at time of the re‐
2030              lease.
2031
2032
2033       [RHEL9 DRAFT] Criminal Justice  Information  Services  (CJIS)  Security
2034       Policy
2035
2036              Profile ID:  xccdf_org.ssgproject.content_profile_cjis
2037
2038              This  profile is derived from FBI's CJIS v5.4 Security Policy. A
2039              copy of this policy can be found at the CJIS Security Policy Re‐
2040              source Center:
2041
              https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
2044
2045
2046       Unclassified Information in Non-federal Information Systems and Organi‐
2047       zations (NIST 800-171)
2048
2049              Profile ID:  xccdf_org.ssgproject.content_profile_cui
2050
2051              From  NIST  800-171, Section 2.2: Security requirements for pro‐
2052              tecting the confidentiality of  CUI  in  nonfederal  information
2053              systems  and  organizations  have  a well-defined structure that
2054              consists of:
2055
2056              (i) a basic security requirements section; (ii) a derived  secu‐
2057              rity requirements section.
2058
2059              The  basic security requirements are obtained from FIPS Publica‐
2060              tion 200, which provides the high-level and fundamental security
2061              requirements  for  federal  information and information systems.
2062              The derived security requirements, which  supplement  the  basic
2063              security  requirements,  are taken from the security controls in
2064              NIST Special Publication 800-53.
2065
              This profile configures Red Hat Enterprise Linux 8 to the NIST
              Special Publication 800-53 controls identified for securing
              Controlled Unclassified Information (CUI).
2069
2070
2071       [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
2072
2073              Profile ID:  xccdf_org.ssgproject.content_profile_e8
2074
2075              This profile contains configuration checks for  Red  Hat  Enter‐
2076              prise Linux 9 that align to the Australian Cyber Security Centre
2077              (ACSC) Essential Eight.
2078
2079              A copy of the Essential Eight in Linux Environments guide can be
2080              found at the ACSC website:
2081
              https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
2084
2085
2086       [RHEL9 DRAFT]  Health  Insurance  Portability  and  Accountability  Act
2087       (HIPAA)
2088
2089              Profile ID:  xccdf_org.ssgproject.content_profile_hipaa
2090
2091              The  HIPAA  Security Rule establishes U.S. national standards to
2092              protect individuals’ electronic personal health information that
2093              is  created,  received, used, or maintained by a covered entity.
2094              The Security Rule requires appropriate administrative,  physical
2095              and  technical  safeguards to ensure the confidentiality, integ‐
2096              rity, and security of electronic protected health information.
2097
2098              This profile configures Red Hat Enterprise Linux 9 to the  HIPAA
2099              Security  Rule  identified  for securing of electronic protected
2100              health information.  Use of this profile in no way guarantees or
2101              makes claims against legal compliance against the HIPAA Security
2102              Rule(s).
2103
2104
2105       [RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official
2106
2107              Profile ID:  xccdf_org.ssgproject.content_profile_ism_o
2108
2109              This profile contains configuration checks for  Red  Hat  Enter‐
2110              prise Linux 9 that align to the Australian Cyber Security Centre
2111              (ACSC) Information Security Manual (ISM) with the  applicability
2112              marking of OFFICIAL.
2113
2114              The  ISM uses a risk-based approach to cyber security. This pro‐
2115              file provides a guide to aligning Red Hat Enterprise Linux secu‐
2116              rity controls with the ISM, which can be used to select controls
2117              specific to an organisation's security posture and risk profile.
2118
2119              A copy of the ISM can be found at the ACSC website:
2120
2121              https://www.cyber.gov.au/ism
2122
2123
2124       [RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems
2125
2126              Profile ID:  xccdf_org.ssgproject.content_profile_ospp
2127
2128              This profile reflects mandatory configuration  controls  identi‐
2129              fied  in  the NIAP Configuration Annex to the Protection Profile
2130              for General Purpose Operating Systems (Protection  Profile  Ver‐
2131              sion 4.2.1).
2132
2133              This  configuration profile is consistent with CNSSI-1253, which
2134              requires U.S. National Security Systems  to  adhere  to  certain
2135              configuration  parameters.  Accordingly, this configuration pro‐
2136              file is suitable for use in U.S. National Security Systems.
2137
2138
2139       [RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for  Red  Hat  Enterprise
2140       Linux 9
2141
2142              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
2143
2144              Ensures  PCI-DSS  v3.2.1 security configuration settings are ap‐
2145              plied.
2146
2147
2148       [RHEL9 DRAFT] Red Hat Corporate Profile for Certified  Cloud  Providers
2149       (RH CCP)
2150
2151              Profile ID:  xccdf_org.ssgproject.content_profile_rht-ccp
2152
2153              This  profile  contains the minimum security relevant configura‐
2154              tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2155              Linux 9 instances deployed by Red Hat Certified Cloud Providers.
2156
2157
2158       Standard System Security Profile for Red Hat Enterprise Linux 9
2159
2160              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2161
2162              This profile contains rules to ensure standard security baseline
2163              of a Red Hat Enterprise Linux 8 system. Regardless of your  sys‐
2164              tem's workload all of these checks should pass.
2165
2166
2167       [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
2168
2169              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2170
              This profile contains configuration checks that are based on the
              RHEL8 STIG.

              In addition to being applicable to Red Hat Enterprise Linux 8,
              DISA recognizes this configuration baseline as applicable to the
              operating system tier of Red Hat technologies that are based on
              Red Hat Enterprise Linux 8, such as:

              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 8 image
2183
2184
2185       [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
2186
2187              Profile ID:  xccdf_org.ssgproject.content_profile_stig_gui
2188
              This profile contains configuration checks that are based on the
              RHEL8 STIG.

              In addition to being applicable to Red Hat Enterprise Linux 9,
              DISA recognizes this configuration baseline as applicable to the
              operating system tier of Red Hat technologies that are based on
              Red Hat Enterprise Linux 8, such as:

              - Red Hat Enterprise Linux Server
              - Red Hat Enterprise Linux Workstation and Desktop
              - Red Hat Enterprise Linux for HPC
              - Red Hat Storage
              - Red Hat Containers with a Red Hat Enterprise Linux 9 image
2201
2202              Warning:  The installation and use of a Graphical User Interface
2203              (GUI) increases your attack vector and  decreases  your  overall
2204              security  posture.  If your Information Systems Security Officer
2205              (ISSO) lacks a documented operational requirement for a  graphi‐
2206              cal user interface, please consider using the standard DISA STIG
2207              for Red Hat Enterprise Linux 9 profile.
2208
2209
2210
2211
2212

Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 10

2214
2215       Source Datastream:  ssg-rhosp10-ds.xml
2216
2217       The  Guide to the Secure Configuration of Red Hat OpenStack Platform 10
2218       is broken into 'profiles', groupings of security settings  that  corre‐
2219       late to a known policy. Available profiles are:
2220
2221
2222
       [DRAFT] Controlled Unclassified Information (CUI) Profile for Red Hat
       OpenStack Platform 10
2225
2226              Profile ID:  xccdf_org.ssgproject.content_profile_cui
2227
2228              These are the controls for scanning against CUI for rhosp10
2229
2230
       [DRAFT] STIG for Red Hat OpenStack Platform 10
2232
2233              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2234
2235              Controls for scanning against classified STIG for rhosp10
2236
2237
2238
2239
2240

Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 13

2242
2243       Source Datastream:  ssg-rhosp13-ds.xml
2244
2245       The  Guide to the Secure Configuration of Red Hat OpenStack Platform 13
2246       is broken into 'profiles', groupings of security settings  that  corre‐
2247       late to a known policy. Available profiles are:
2248
2249
2250
2251       RHOSP STIG
2252
2253              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2254
2255              Sample profile description.
2256
2257
2258
2259
2260

Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4

2262       Source Datastream:  ssg-rhv4-ds.xml
2263
2264       The  Guide  to  the Secure Configuration of Red Hat Virtualization 4 is
2265       broken into 'profiles', groupings of security settings  that  correlate
2266       to a known policy. Available profiles are:
2267
2268
2269
2270       PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
2271
2272              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
2273
2274              Ensures  PCI-DSS  v3.2.1 security configuration settings are ap‐
2275              plied.
2276
2277
2278       [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
2279
2280              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-stig
2281
2282              This *draft* profile contains configuration checks that align to
2283              the DISA STIG for Red Hat Virtualization Host (RHVH).
2284
2285
2286       VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2287       ization Host (RHVH)
2288
2289              Profile ID:  xccdf_org.ssgproject.content_profile_rhvh-vpp
2290
2291              This compliance profile reflects the core set  of  security  re‐
2292              lated  configuration settings for deployment of Red Hat Virtual‐
2293              ization Host (RHVH) 4.x into  U.S.  Defense,  Intelligence,  and
2294              Civilian  agencies.   Development  partners and sponsors include
2295              the U.S. National Institute of Standards and Technology  (NIST),
2296              U.S.  Department  of  Defense, the National Security Agency, and
2297              Red Hat.
2298
2299              This baseline implements  configuration  requirements  from  the
2300              following sources:
2301
              - Committee on National Security Systems Instruction No. 1253
                (CNSSI 1253)
              - NIST 800-53 control selections for MODERATE impact systems
                (NIST 800-53)
              - U.S. Government Configuration Baseline (USGCB)
              - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

              For any differing configuration requirements, e.g. password
              lengths, the stricter security setting was chosen. Security
              Requirement Traceability Guides (RTMs) and sample System
              Security Configuration Guides are provided via the
              scap-security-guide-docs package.
2313
2314              This  profile  reflects U.S. Government consensus content and is
2315              developed through the ComplianceAsCode  project,  championed  by
2316              the  National Security Agency. Except for differences in format‐
2317              ting to accommodate publishing processes, this  profile  mirrors
2318              ComplianceAsCode content as minor divergences, such as bugfixes,
2319              work through the consensus and release processes.
2320
2321
2322
2323
2324

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

2326       Source Datastream:  ssg-sl7-ds.xml
2327
2328       The Guide to the Secure Configuration of Red Hat Enterprise Linux 7  is
2329       broken  into  'profiles', groupings of security settings that correlate
2330       to a known policy. Available profiles are:
2331
2332
2333
2334       PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2335
2336              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
2337
2338              Ensures PCI-DSS v3.2.1 security configuration settings  are  ap‐
2339              plied.
2340
2341
2342       Standard System Security Profile for Red Hat Enterprise Linux 7
2343
2344              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2345
2346              This profile contains rules to ensure standard security baseline
2347              of a Red Hat Enterprise Linux 7 system. Regardless of your  sys‐
2348              tem's workload all of these checks should pass.
2349
2350
2351
2352
2353

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12

2355       Source Datastream:  ssg-sle12-ds.xml
2356
2357       The  Guide  to  the Secure Configuration of SUSE Linux Enterprise 12 is
2358       broken into 'profiles', groupings of security settings  that  correlate
2359       to a known policy. Available profiles are:
2360
2361
2362
2363       CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
2364
2365              Profile ID:  xccdf_org.ssgproject.content_profile_cis
2366
2367              This  profile  defines  a baseline that aligns to the "Level 2 -
2368              Server" configuration from the  Center  for  Internet  Security®
2369              SUSE   Linux   Enterprise   12   Benchmark™,   v3.0.0,  released
2370              04-27-2021.
2371
2372              This profile includes Center for Internet Security®  SUSE  Linux
2373              Enterprise 12 CIS Benchmarks™ content.
2374
2375
2376       CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
2377
2378              Profile ID:  xccdf_org.ssgproject.content_profile_cis_server_l1
2379
2380              This  profile  defines  a baseline that aligns to the "Level 1 -
2381              Server" configuration from the  Center  for  Internet  Security®
2382              SUSE   Linux   Enterprise   12   Benchmark™,   v3.0.0,  released
2383              04-27-2021.
2384
2385              This profile includes Center for Internet Security®  SUSE  Linux
2386              Enterprise 12 CIS Benchmarks™ content.
2387
2388
2389       CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
2390
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l1
2393
2394              This profile defines a baseline that aligns to the  "Level  1  -
2395              Workstation"  configuration  from  the Center for Internet Secu‐
2396              rity® SUSE Linux  Enterprise  12  Benchmark™,  v3.0.0,  released
2397              04-27-2021.
2398
2399              This  profile  includes Center for Internet Security® SUSE Linux
2400              Enterprise 12 CIS Benchmarks™ content.
2401
2402
2403       CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
2404
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_workstation_l2
2407
2408              This  profile  defines  a baseline that aligns to the "Level 2 -
2409              Workstation" configuration from the Center  for  Internet  Secu‐
2410              rity®  SUSE  Linux  Enterprise  12  Benchmark™, v3.0.0, released
2411              04-27-2021.
2412
2413              This profile includes Center for Internet Security®  SUSE  Linux
2414              Enterprise 12 CIS Benchmarks™ content.
2415
2416
2417       Standard System Security Profile for SUSE Linux Enterprise 12
2418
2419              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2420
2421              This profile contains rules to ensure standard security baseline
2422              of a SUSE Linux Enterprise 12 system. Regardless  of  your  sys‐
2423              tem's workload all of these checks should pass.
2424
2425
2426       DISA STIG for SUSE Linux Enterprise 12
2427
2428              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2429
2430              This  profile  contains  configuration  checks that align to the
2431              DISA STIG for SUSE Linux Enterprise 12 V2R3.
2432
2433
2434
2435
2436

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 15

2438       Source Datastream:  ssg-sle15-ds.xml
2439
2440       The Guide to the Secure Configuration of SUSE Linux  Enterprise  15  is
2441       broken  into  'profiles', groupings of security settings that correlate
2442       to a known policy. Available profiles are:
2443
2444
2445
2446       CIS SUSE Linux Enterprise 15 Benchmark
2447
2448              Profile ID:  xccdf_org.ssgproject.content_profile_cis
2449
2450              This profile defines a baseline that aligns to  the  Center  for
2451              Internet  Security® SUSE Linux Enterprise 15 Benchmark™, v1.0.0,
2452              released 06-30-2020.
2453
2454              This profile includes Center for Internet Security®  SUSE  Linux
2455              Enterprise 15 CIS Benchmarks™ content.
2456
2457
       PCI-DSS v3.2.1 Control Baseline for SUSE Linux Enterprise 15
2459
2460              Profile ID:  xccdf_org.ssgproject.content_profile_pci-dss
2461
2462              Ensures  PCI-DSS  v3.2.1 security configuration settings are ap‐
2463              plied.
2464
2465
2466       Standard System Security Profile for SUSE Linux Enterprise 15
2467
2468              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2469
2470              This profile contains rules to ensure standard security baseline
2471              of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
2472              ening Guide. Regardless of your system's workload all  of  these
2473              checks should pass.
2474
2475
2476       DISA STIG for SUSE Linux Enterprise 15
2477
2478              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2479
2480              This  profile  contains  configuration  checks that align to the
2481              DISA STIG for SUSE Linux Enterprise 15 V1R2.
2482
2483
2484
2485
2486

Profiles in Guide to the Secure Configuration of Ubuntu 16.04

2488       Source Datastream:  ssg-ubuntu1604-ds.xml
2489
2490       The Guide to the Secure Configuration of Ubuntu 16.04  is  broken  into
2491       'profiles',  groupings  of  security settings that correlate to a known
2492       policy. Available profiles are:
2493
2494
2495
2496       Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2497
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
2500
2501              This  profile contains items for GNU/Linux installations already
2502              protected by multiple higher level security stacks.
2503
2504
2505       Profile for ANSSI DAT-NT28 High (Enforced) Level
2506
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.
2513
2514
2515       Profile for ANSSI DAT-NT28 Minimal Level
2516
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
2519
2520              This profile contains items to be applied systematically.
2521
2522
2523       Profile for ANSSI DAT-NT28 Restrictive Level
2524
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
2527
2528              This  profile contains items for GNU/Linux installations exposed
2529              to unauthenticated flows or multiple sources.
2530
2531
2532       Standard System Security Profile for Ubuntu 16.04
2533
2534              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2535
2536              This profile contains rules to ensure standard security baseline
2537              of  an Ubuntu 16.04 system. Regardless of your system's workload
2538              all of these checks should pass.
2539
2540
2541
2542
2543

Profiles in Guide to the Secure Configuration of Ubuntu 18.04

2545       Source Datastream:  ssg-ubuntu1804-ds.xml
2546
2547       The Guide to the Secure Configuration of Ubuntu 18.04  is  broken  into
2548       'profiles',  groupings  of  security settings that correlate to a known
2549       policy. Available profiles are:
2550
2551
2552
2553       Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2554
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
2557
2558              This  profile contains items for GNU/Linux installations already
2559              protected by multiple higher level security stacks.
2560
2561
2562       Profile for ANSSI DAT-NT28 High (Enforced) Level
2563
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

              This profile contains items for GNU/Linux installations storing
              sensitive information that can be accessible from
              unauthenticated or uncontrolled networks.
2570
2571
2572       Profile for ANSSI DAT-NT28 Minimal Level
2573
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
2576
2577              This profile contains items to be applied systematically.
2578
2579
2580       Profile for ANSSI DAT-NT28 Restrictive Level
2581
              Profile ID:  xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
2584
2585              This  profile contains items for GNU/Linux installations exposed
2586              to unauthenticated flows or multiple sources.
2587
2588
2589       CIS Ubuntu 18.04 LTS Benchmark
2590
2591              Profile ID:  xccdf_org.ssgproject.content_profile_cis
2592
2593              This baseline aligns to the Center for Internet Security  Ubuntu
2594              18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
2595
2596
2597       Standard System Security Profile for Ubuntu 18.04
2598
2599              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2600
2601              This profile contains rules to ensure standard security baseline
2602              of an Ubuntu 18.04 system. Regardless of your system's  workload
2603              all of these checks should pass.
2604
2605
2606
2607
2608

Profiles in Guide to the Secure Configuration of Ubuntu 20.04

2610       Source Datastream:  ssg-ubuntu2004-ds.xml
2611
2612       The  Guide  to  the Secure Configuration of Ubuntu 20.04 is broken into
2613       'profiles', groupings of security settings that correlate  to  a  known
2614       policy. Available profiles are:
2615
2616
2617
2618       CIS Ubuntu 20.04 Level 1 Server Benchmark
2619
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_level1_server
2622
2623              This baseline aligns to the Center for Internet Security  Ubuntu
2624              20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2625
2626
2627       CIS Ubuntu 20.04 Level 1 Workstation Benchmark
2628
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_level1_workstation
2631
2632              This baseline aligns to the Center for Internet Security  Ubuntu
2633              20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2634
2635
2636       CIS Ubuntu 20.04 Level 2 Server Benchmark
2637
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_level2_server
2640
2641              This baseline aligns to the Center for Internet Security  Ubuntu
2642              20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2643
2644
2645       CIS Ubuntu 20.04 Level 2 Workstation Benchmark
2646
              Profile ID:  xccdf_org.ssgproject.content_profile_cis_level2_workstation
2649
2650              This baseline aligns to the Center for Internet Security  Ubuntu
2651              20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2652
2653
2654       Standard System Security Profile for Ubuntu 20.04
2655
2656              Profile ID:  xccdf_org.ssgproject.content_profile_standard
2657
2658              This profile contains rules to ensure standard security baseline
2659              of an Ubuntu 20.04 system. Regardless of your system's  workload
2660              all of these checks should pass.
2661
2662
2663       Canonical  Ubuntu  20.04  LTS  Security  Technical Implementation Guide
2664       (STIG) V1R1
2665
2666              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2667
2668              This Security Technical Implementation Guide is published  as  a
2669              tool  to improve the security of Department of Defense (DoD) in‐
2670              formation systems.  The requirements are derived  from  the  Na‐
2671              tional  Institute  of Standards and Technology (NIST) 800-53 and
2672              related documents.
2673
2674
2675
2676
2677

Profiles in Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux

       Source Datastream:  ssg-vsel-ds.xml
2681
2682       The  Guide  to  the Secure Configuration of McAfee VirusScan Enterprise
2683       for Linux is broken into 'profiles',  groupings  of  security  settings
2684       that correlate to a known policy. Available profiles are:
2685
2686
2687
2688       McAfee VirusScan Enterprise for Linux (VSEL) STIG
2689
2690              Profile ID:  xccdf_org.ssgproject.content_profile_stig
2691
2692              The  McAfee  VirusScan  Enterprise for Linux software provides a
2693              realtime virus scanner for Linux systems.
2694
2695
2696
2697
2698

Profiles in Guide to the Secure Configuration of WRLinux 1019

2700       Source Datastream:  ssg-wrlinux1019-ds.xml
2701
2702       The Guide to the Secure Configuration of WRLinux 1019  is  broken  into
2703       'profiles',  groupings  of  security settings that correlate to a known
2704       policy. Available profiles are:
2705
2706
2707
2708       Basic Profile for Embedded Systems
2709
2710              Profile ID:  xccdf_org.ssgproject.content_profile_basic-embedded
2711
2712              This profile contains items common to many  embedded  Linux  in‐
2713              stallations.   Regardless of your system's deployment objective,
2714              all of these checks should pass.
2715
2716
2717       DRAFT DISA STIG for Wind River Linux
2718
              Profile ID:  xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa
2721
2722              This  profile  contains  configuration  checks that align to the
2723              DISA STIG for Wind River Linux.  This profile is being developed
2724              under  the  DoD consensus model to become a STIG in coordination
2725              with DISA FSO.  What is the status of the Wind River Linux STIG?
2726              The  Wind  River Linux STIG is in development under the DoD con‐
2727              sensus model and Wind River has started the process to  get  ap‐
2728              proval  from DISA. However, in the absence of an approved SRG or
2729              STIG, vendor recommendations may be used  instead.  The  current
2730              contents  constitute  the  vendor recommendations at the time of
2731              the  product  release  containing  these  contents.   Note  that
2732              changes  are  expected  before  approval  is  granted, and those
2733              changes will be made available in future Wind River Linux  Secu‐
2734              rity  Profile  1019  RCPL releases.  More information, including
              the following, is available from the DISA FAQs at
              https://public.cyber.mil/stigs/faqs/
2737
2738
2739
2740
2741

Profiles in Guide to the Secure Configuration of WRLinux 8

2743       Source Datastream:  ssg-wrlinux8-ds.xml
2744
2745       The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
2746       files', groupings of security settings that correlate to a  known  pol‐
2747       icy. Available profiles are:
2748
2749
2750
2751       Basic Profile for Embedded Systems
2752
2753              Profile ID:  xccdf_org.ssgproject.content_profile_basic-embedded
2754
2755              This  profile  contains  items common to many embedded Linux in‐
2756              stallations.  Regardless of your system's deployment  objective,
2757              all of these checks should pass.
2758
2759
2760
2761
2762
2763

EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the ospp
       profile:

       oscap xccdf eval --profile ospp \
           --results /tmp/`hostname`-ssg-results.xml \
           --report /tmp/`hostname`-ssg-results.html \
           --oval-results \
           /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/ComplianceAsCode/content/wiki
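
       The scan command above, wrapped as an added example (not part of this man page or of the SSG project): it evaluates the source datastream named by the ssg-{product}-ds.xml convention, expands a short profile name to the full Profile ID form used in the listings, and maps the oscap exit status to a verdict. The ssg_* function names, the SSG_CONTENT_DIR override and the output-directory argument are assumptions of this example; oscap exits 0 when the evaluated system is compliant, 2 when the scan completed but the system is not compliant, and 1 on error.

```shell
#!/bin/sh
# Added example: POSIX sh wrapper around `oscap xccdf eval` for SSG content.
# The ssg_* function names and SSG_CONTENT_DIR are assumptions of this example.
# Usage (constructed values): ssg_scan rhel9 ospp /var/lib/scap-results

# Content directory from the FILES section; must be an absolute path.
SSG_CONTENT_DIR="${SSG_CONTENT_DIR:-/usr/share/xml/scap/ssg/content}"

# Expand a short profile name ("ospp") to the full Profile ID form used in
# the profile listings; a full ID passes through unchanged.
ssg_profile_id() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;   # refuse anything that is not an ID token
        xccdf_org.ssgproject.content_profile_?*) printf '%s\n' "$1" ;;
        *) printf 'xccdf_org.ssgproject.content_profile_%s\n' "$1" ;;
    esac
}

# Build the source datastream path for a product token such as "rhel9",
# "sle15" or "ubuntu2004" (the {product} part of ssg-{product}-ds.xml).
ssg_datastream() {
    case "$1" in
        ""|*[!a-z0-9]*) return 1 ;;         # no path separators, dots or spaces
    esac
    printf '%s/ssg-%s-ds.xml\n' "$SSG_CONTENT_DIR" "$1"
}

# Translate the oscap exit status into a one-word verdict.
ssg_verdict() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;             # scan ran, at least one rule not satisfied
        *) echo error ;;
    esac
}

# ssg_scan PRODUCT PROFILE [OUTDIR]
# Prints the verdict and returns the oscap exit status (64/66/73 for bad
# arguments, missing datastream, unwritable output directory).
ssg_scan() {
    _product=$1; _profile=$2; _outdir=${3:-.}
    _ds=$(ssg_datastream "$_product") || { echo "invalid product: $_product" >&2; return 64; }
    _pid=$(ssg_profile_id "$_profile") || { echo "invalid profile: $_profile" >&2; return 64; }
    [ -r "$_ds" ] || { echo "no datastream at $_ds" >&2; return 66; }
    # Prefer a directory writable only by the scanning account over the
    # shared /tmp used in the man page command.
    [ -d "$_outdir" ] && [ -w "$_outdir" ] || { echo "cannot write to $_outdir" >&2; return 73; }

    _base="$(uname -n)-ssg-results"         # same host name `hostname` prints
    _rc=0
    # Run from inside OUTDIR so the extra files written by --oval-results
    # land next to the XCCDF results and the HTML report.
    ( cd "$_outdir" && oscap xccdf eval --profile "$_pid" \
          --results "$_base.xml" --report "$_base.html" \
          --oval-results "$_ds" ) || _rc=$?
    ssg_verdict "$_rc"
    return "$_rc"
}
```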
2774
2775
2776

FILES

2778       /usr/share/xml/scap/ssg/content
2779              Houses SCAP content utilizing the following naming conventions:
2780
2781              SCAP Source Datastreams: ssg-{product}-ds.xml
2782
2783              CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
2784
2785              CPE OVAL Content: ssg-{product}-cpe-oval.xml
2786
2787              OVAL Content: ssg-{product}-oval.xml
2788
2789              XCCDF Content: ssg-{product}-xccdf.xml
2790
2791       /usr/share/doc/scap-security-guide/guides/
2792              HTML versions of SSG profiles.
2793
2794       /usr/share/scap-security-guide/ansible/
2795              Contains Ansible Playbooks for SSG profiles.
2796
2797       /usr/share/scap-security-guide/bash/
2798              Contains Bash remediation scripts for SSG profiles.
2799
2800
2801

DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided
       content. Per guidance from the U.S. National Institute of Standards
       and Technology (NIST), U.S. Government programs are allowed to use
       vendor-produced SCAP content in the absence of "Governmental
       Authority" checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
2809
2810
2811

DEPLOYMENT TO U.S. MILITARY SYSTEMS

2813       DoD Directive (DoDD) 8500.1 requires that "all  IA  and  IA-enabled  IT
2814       products  incorporated into DoD information systems shall be configured
2815       in accordance with DoD-approved security configuration guidelines"  and
2816       tasks Defense Information Systems Agency (DISA) to "develop and provide
2817       security configuration guidance for IA and IA-enabled  IT  products  in
2818       coordination  with Director, NSA."  The output of this authority is the
2819       DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
2820       the  process  of  moving the STIGs towards the use of the NIST Security
2821       Content Automation Protocol (SCAP) in order  to  "automate"  compliance
2822       reporting of the STIGs.
2823
2824       Through  a common, shared vision, the SCAP Security Guide community en‐
2825       joys close collaboration directly with NSA,  NIST,  and  DISA  FSO.  As
2826       stated  in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
2827       Version 1, Release 2, issued on 03-JUNE-2013:
2828
       "The consensus content was developed using an open-source project
       called SCAP Security Guide. The project's website is
       https://www.open-scap.org/security-policies/scap-security-guide.
       Except for differences in formatting to accommodate the DISA STIG
       publishing process, the content of the Red Hat Enterprise Linux 6
       STIG should mirror the SCAP Security Guide content with only minor
       divergence as updates from multiple sources work through the
       consensus process."
2836
       The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was
       released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7
       STIG contains only XCCDF content and is available online:
       https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
2841
2842       Content published against the public.cyber.mil website is authoritative
2843       STIG content. The SCAP Security Guide project, as  noted  in  the  STIG
2844       overview, is considered upstream content. Unlike DISA FSO, the SCAP Se‐
2845       curity Guide project does publish OVAL automation  content.  Individual
2846       programs  and  C&A  evaluators make program-level determinations on the
2847       direct usage of the SCAP Security Guide.  Currently there is no blanket
2848       approval.
2849
2850
2851

SEE ALSO

2853       oscap(8)
2854
2855
2856

AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
2860
2861
2862
version 1                         26 Jan 2013           scap-security-guide(8)