1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
3
4
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
10
11
13 The project provides practical security hardening advice and also links
14 it to compliance requirements in order to ease deployment activities,
15 such as certification and accreditation. These include requirements in
16 the U.S. government (Federal, Defense, and Intelligence Community) as
17 well as of the financial services and health care industries. For exam‐
18 ple, high-level and widely-accepted policies such as NIST 800-53 pro‐
19 vides prose stating that System Administrators must audit "privileged
20 user actions," but do not define what "privileged actions" are. The SSG
21 bridges the gap between generalized policy requirements and specific
22 implementation guidance, in SCAP formats to support automation whenever
23 possible.
24
25 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
28
29
31 Source Datastream: ssg-centos7-ds.xml
32
33 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36
37
38
39 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
40
41 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
42
43 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
44 plied.
45
46
47 Standard System Security Profile for Red Hat Enterprise Linux 7
48
49 Profile ID: xccdf_org.ssgproject.content_profile_standard
50
51 This profile contains rules to ensure standard security baseline
52 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
53 tem's workload all of these checks should pass.
54
55
56
57
58
60 Source Datastream: ssg-centos8-ds.xml
61
62 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
63 broken into 'profiles', groupings of security settings that correlate
64 to a known policy. Available profiles are:
65
66
67
68 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
69
70 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
71
72 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
73 plied.
74
75
76 Standard System Security Profile for Red Hat Enterprise Linux 8
77
78 Profile ID: xccdf_org.ssgproject.content_profile_standard
79
80 This profile contains rules to ensure standard security baseline
81 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
82 tem's workload all of these checks should pass.
83
84
85
86
87
89 Source Datastream: ssg-chromium-ds.xml
90
91 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
92 files', groupings of security settings that correlate to a known pol‐
93 icy. Available profiles are:
94
95
96
97 Upstream STIG for Google Chromium
98
99 Profile ID: xccdf_org.ssgproject.content_profile_stig
100
101 This profile is developed under the DoD consensus model and DISA
102 FSO Vendor STIG process, serving as the upstream development en‐
103 vironment for the Google Chromium STIG.
104
105 As a result of the upstream/downstream relationship between the
106 SCAP Security Guide project and the official DISA FSO STIG base‐
107 line, users should expect variance between SSG and DISA FSO con‐
108 tent. For official DISA FSO STIG content, refer to https://pub‐
109 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
110 rity%2Cbrowser-guidance.
111
112 While this profile is packaged by Red Hat as part of the SCAP
113 Security Guide package, please note that commercial support of
114 this SCAP content is NOT available. This profile is provided as
115 example SCAP content with no endorsement for suitability or pro‐
116 duction readiness. Support for this profile is provided by the
117 upstream SCAP Security Guide community on a best-effort basis.
118 The upstream project homepage is https://www.open-scap.org/secu‐
119 rity-policies/scap-security-guide/.
120
121
122
123
124
126 Source Datastream: ssg-debian10-ds.xml
127
128 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
129 files', groupings of security settings that correlate to a known pol‐
130 icy. Available profiles are:
131
132
133
134 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
135
136 Profile ID: xccdf_org.ssgproject.content_pro‐
137 file_anssi_np_nt28_average
138
139 This profile contains items for GNU/Linux installations already
140 protected by multiple higher level security stacks.
141
142
143 Profile for ANSSI DAT-NT28 High (Enforced) Level
144
145 Profile ID: xccdf_org.ssgproject.content_pro‐
146 file_anssi_np_nt28_high
147
148 This profile contains items for GNU/Linux installations storing
149 sensitive informations that can be accessible from unauthenti‐
150 cated or uncontroled networks.
151
152
153 Profile for ANSSI DAT-NT28 Minimal Level
154
155 Profile ID: xccdf_org.ssgproject.content_pro‐
156 file_anssi_np_nt28_minimal
157
158 This profile contains items to be applied systematically.
159
160
161 Profile for ANSSI DAT-NT28 Restrictive Level
162
163 Profile ID: xccdf_org.ssgproject.content_pro‐
164 file_anssi_np_nt28_restrictive
165
166 This profile contains items for GNU/Linux installations exposed
167 to unauthenticated flows or multiple sources.
168
169
170 Standard System Security Profile for Debian 10
171
172 Profile ID: xccdf_org.ssgproject.content_profile_standard
173
174 This profile contains rules to ensure standard security baseline
175 of a Debian 10 system. Regardless of your system's workload all
176 of these checks should pass.
177
178
179
180
181
183 Source Datastream: ssg-debian9-ds.xml
184
185 The Guide to the Secure Configuration of Debian 9 is broken into 'pro‐
186 files', groupings of security settings that correlate to a known pol‐
187 icy. Available profiles are:
188
189
190
191 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
192
193 Profile ID: xccdf_org.ssgproject.content_pro‐
194 file_anssi_np_nt28_average
195
196 This profile contains items for GNU/Linux installations already
197 protected by multiple higher level security stacks.
198
199
200 Profile for ANSSI DAT-NT28 High (Enforced) Level
201
202 Profile ID: xccdf_org.ssgproject.content_pro‐
203 file_anssi_np_nt28_high
204
205 This profile contains items for GNU/Linux installations storing
206 sensitive informations that can be accessible from unauthenti‐
207 cated or uncontroled networks.
208
209
210 Profile for ANSSI DAT-NT28 Minimal Level
211
212 Profile ID: xccdf_org.ssgproject.content_pro‐
213 file_anssi_np_nt28_minimal
214
215 This profile contains items to be applied systematically.
216
217
218 Profile for ANSSI DAT-NT28 Restrictive Level
219
220 Profile ID: xccdf_org.ssgproject.content_pro‐
221 file_anssi_np_nt28_restrictive
222
223 This profile contains items for GNU/Linux installations exposed
224 to unauthenticated flows or multiple sources.
225
226
227 Standard System Security Profile for Debian 9
228
229 Profile ID: xccdf_org.ssgproject.content_profile_standard
230
231 This profile contains rules to ensure standard security baseline
232 of a Debian 9 system. Regardless of your system's workload all
233 of these checks should pass.
234
235
236
237
238
240 Source Datastream: ssg-fedora-ds.xml
241
242 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
243 files', groupings of security settings that correlate to a known pol‐
244 icy. Available profiles are:
245
246
247
248 OSPP - Protection Profile for General Purpose Operating Systems
249
250 Profile ID: xccdf_org.ssgproject.content_profile_ospp
251
252 This profile reflects mandatory configuration controls identi‐
253 fied in the NIAP Configuration Annex to the Protection Profile
254 for General Purpose Operating Systems (Protection Profile Ver‐
255 sion 4.2).
256
257 As Fedora OS is moving target, this profile does not guarantee
258 to provide security levels required from US National Security
259 Systems. Main goal of the profile is to provide Fedora develop‐
260 ers with hardened environment similar to the one mandated by US
261 National Security Systems.
262
263
264 PCI-DSS v3.2.1 Control Baseline for Fedora
265
266 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
267
268 Ensures PCI-DSS v3.2.1 related security configuration settings
269 are applied.
270
271
272 Standard System Security Profile for Fedora
273
274 Profile ID: xccdf_org.ssgproject.content_profile_standard
275
276 This profile contains rules to ensure standard security baseline
277 of a Fedora system. Regardless of your system's workload all of
278 these checks should pass.
279
280
281
282
283
285 Source Datastream: ssg-firefox-ds.xml
286
287 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
288 files', groupings of security settings that correlate to a known pol‐
289 icy. Available profiles are:
290
291
292
293 Upstream Firefox STIG
294
295 Profile ID: xccdf_org.ssgproject.content_profile_stig
296
297 This profile is developed under the DoD consensus model and DISA
298 FSO Vendor STIG process, serving as the upstream development en‐
299 vironment for the Firefox STIG.
300
301 As a result of the upstream/downstream relationship between the
302 SCAP Security Guide project and the official DISA FSO STIG base‐
303 line, users should expect variance between SSG and DISA FSO con‐
304 tent. For official DISA FSO STIG content, refer to https://pub‐
305 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
306 rity%2Cbrowser-guidance.
307
308 While this profile is packaged by Red Hat as part of the SCAP
309 Security Guide package, please note that commercial support of
310 this SCAP content is NOT available. This profile is provided as
311 example SCAP content with no endorsement for suitability or pro‐
312 duction readiness. Support for this profile is provided by the
313 upstream SCAP Security Guide community on a best-effort basis.
314 The upstream project homepage is https://www.open-scap.org/secu‐
315 rity-policies/scap-security-guide/.
316
317
318
319
320
322 Source Datastream: ssg-fuse6-ds.xml
323
324 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
325 'profiles', groupings of security settings that correlate to a known
326 policy. Available profiles are:
327
328
329
330 STIG for Apache ActiveMQ
331
332 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
333
334 This is a *draft* profile for STIG. This profile is being devel‐
335 oped under the DoD consensus model to become a STIG in coordina‐
336 tion with DISA FSO.
337
338
339 Standard System Security Profile for JBoss
340
341 Profile ID: xccdf_org.ssgproject.content_profile_standard
342
343 This profile contains rules to ensure standard security baseline
344 of JBoss Fuse. Regardless of your system's workload all of these
345 checks should pass.
346
347
348 STIG for JBoss Fuse 6
349
350 Profile ID: xccdf_org.ssgproject.content_profile_stig
351
352 This is a *draft* profile for STIG. This profile is being devel‐
353 oped under the DoD consensus model to become a STIG in coordina‐
354 tion with DISA FSO.
355
356
357
358
359
361 Source Datastream: ssg-jre-ds.xml
362
363 The Guide to the Secure Configuration of Java Runtime Environment is
364 broken into 'profiles', groupings of security settings that correlate
365 to a known policy. Available profiles are:
366
367
368
369 Java Runtime Environment (JRE) STIG
370
371 Profile ID: xccdf_org.ssgproject.content_profile_stig
372
373 The Java Runtime Environment (JRE) is a bundle developed and of‐
374 fered by Oracle Corporation which includes the Java Virtual Ma‐
375 chine (JVM), class libraries, and other components necessary to
376 run Java applications and applets. Certain default settings
377 within the JRE pose a security risk so it is necessary to deploy
378 system wide properties to ensure a higher degree of security
379 when utilizing the JRE.
380
381 The IBM Corporation also develops and bundles the Java Runtime
382 Environment (JRE) as well as Red Hat with OpenJDK.
383
384
385
386
387
389 Source Datastream: ssg-macos1015-ds.xml
390
391 The Guide to the Secure Configuration of Apple macOS 10.15 is broken
392 into 'profiles', groupings of security settings that correlate to a
393 known policy. Available profiles are:
394
395
396
397 NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
398
399 Profile ID: xccdf_org.ssgproject.content_profile_moderate
400
401 This compliance profile reflects the core set of Moderate-Impact
402 Baseline configuration settings for deployment of Apple macOS
403 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
404 agencies. Development partners and sponsors include the U.S.
405 National Institute of Standards and Technology (NIST), U.S. De‐
406 partment of Defense, and the the National Security Agency.
407
408 This baseline implements configuration requirements from the
409 following sources:
410
411 - NIST 800-53 control selections for Moderate-Impact systems
412 (NIST 800-53)
413
414 For any differing configuration requirements, e.g. password
415 lengths, the stricter security setting was chosen. Security Re‐
416 quirement Traceability Guides (RTMs) and sample System Security
417 Configuration Guides are provided via the scap-security-guide-
418 docs package.
419
420 This profile reflects U.S. Government consensus content and is
421 developed through the ComplianceAsCode initiative, championed by
422 the National Security Agency. Except for differences in format‐
423 ting to accommodate publishing processes, this profile mirrors
424 ComplianceAsCode content as minor divergences, such as bugfixes,
425 work through the consensus and release processes.
426
427
428
429
430
432 Platform 4
433 Source Datastream: ssg-ocp4-ds.xml
434
435 The Guide to the Secure Configuration of Red Hat OpenShift Container
436 Platform 4 is broken into 'profiles', groupings of security settings
437 that correlate to a known policy. Available profiles are:
438
439
440
441 CIS Red Hat OpenShift Container Platform 4 Benchmark
442
443 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
444
445 This profile defines a baseline that aligns to the Center for
446 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
447 mark™, V1.1.
448
449 This profile includes Center for Internet Security® Red Hat
450 OpenShift Container Platform 4 CIS Benchmarks™ content.
451
452 Note that this part of the profile is meant to run on the Oper‐
453 ating System that Red Hat OpenShift Container Platform 4 runs on
454 top of.
455
456 This profile is applicable to OpenShift versions 4.6 and
457 greater.
458
459
460 CIS Red Hat OpenShift Container Platform 4 Benchmark
461
462 Profile ID: xccdf_org.ssgproject.content_profile_cis
463
464 This profile defines a baseline that aligns to the Center for
465 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
466 mark™, V1.1.
467
468 This profile includes Center for Internet Security® Red Hat
469 OpenShift Container Platform 4 CIS Benchmarks™ content.
470
471 Note that this part of the profile is meant to run on the Plat‐
472 form that Red Hat OpenShift Container Platform 4 runs on top of.
473
474 This profile is applicable to OpenShift versions 4.6 and
475 greater.
476
477
478 Australian Cyber Security Centre (ACSC) Essential Eight
479
480 Profile ID: xccdf_org.ssgproject.content_profile_e8
481
482 This profile contains configuration checks for Red Hat OpenShift
483 Container Platform that align to the Australian Cyber Security
484 Centre (ACSC) Essential Eight.
485
486 A copy of the Essential Eight in Linux Environments guide can be
487 found at the ACSC website:
488
489 https://www.cyber.gov.au/acsc/view-all-content/publica‐
490 tions/hardening-linux-workstations-and-servers
491
492
493 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
494
495 Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
496
497 This compliance profile reflects the core set of Moderate-Impact
498 Baseline configuration settings for deployment of Red Hat Open‐
499 Shift Container Platform into U.S. Defense, Intelligence, and
500 Civilian agencies. Development partners and sponsors include
501 the U.S. National Institute of Standards and Technology (NIST),
502 U.S. Department of Defense, the National Security Agency, and
503 Red Hat.
504
505 This baseline implements configuration requirements from the
506 following sources:
507
508 - NIST 800-53 control selections for Moderate-Impact systems
509 (NIST 800-53)
510
511 For any differing configuration requirements, e.g. password
512 lengths, the stricter security setting was chosen. Security Re‐
513 quirement Traceability Guides (RTMs) and sample System Security
514 Configuration Guides are provided via the scap-security-guide-
515 docs package.
516
517 This profile reflects U.S. Government consensus content and is
518 developed through the ComplianceAsCode initiative, championed by
519 the National Security Agency. Except for differences in format‐
520 ting to accommodate publishing processes, this profile mirrors
521 ComplianceAsCode content as minor divergences, such as bugfixes,
522 work through the consensus and release processes.
523
524
525 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
526 level
527
528 Profile ID: xccdf_org.ssgproject.content_profile_moderate
529
530 This compliance profile reflects the core set of Moderate-Impact
531 Baseline configuration settings for deployment of Red Hat Open‐
532 Shift Container Platform into U.S. Defense, Intelligence, and
533 Civilian agencies. Development partners and sponsors include
534 the U.S. National Institute of Standards and Technology (NIST),
535 U.S. Department of Defense, the National Security Agency, and
536 Red Hat.
537
538 This baseline implements configuration requirements from the
539 following sources:
540
541 - NIST 800-53 control selections for Moderate-Impact systems
542 (NIST 800-53)
543
544 For any differing configuration requirements, e.g. password
545 lengths, the stricter security setting was chosen. Security Re‐
546 quirement Traceability Guides (RTMs) and sample System Security
547 Configuration Guides are provided via the scap-security-guide-
548 docs package.
549
550 This profile reflects U.S. Government consensus content and is
551 developed through the ComplianceAsCode initiative, championed by
552 the National Security Agency. Except for differences in format‐
553 ting to accommodate publishing processes, this profile mirrors
554 ComplianceAsCode content as minor divergences, such as bugfixes,
555 work through the consensus and release processes.
556
557
558 NIST National Checklist for Red Hat OpenShift Container Platform
559
560 Profile ID: xccdf_org.ssgproject.content_profile_ncp
561
562 This compliance profile reflects the core set of security re‐
563 lated configuration settings for deployment of Red Hat OpenShift
564 Container Platform into U.S. Defense, Intelligence, and Civilian
565 agencies. Development partners and sponsors include the U.S.
566 National Institute of Standards and Technology (NIST), U.S. De‐
567 partment of Defense, the National Security Agency, and Red Hat.
568
569 This baseline implements configuration requirements from the
570 following sources:
571
572 - Committee on National Security Systems Instruction No. 1253
573 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
574 800-171) - NIST 800-53 control selections for Moderate-Impact
575 systems (NIST 800-53) - U.S. Government Configuration Baseline
576 (USGCB) - NIAP Protection Profile for General Purpose Operating
577 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
578 Requirements Guide (OS SRG)
579
580 For any differing configuration requirements, e.g. password
581 lengths, the stricter security setting was chosen. Security Re‐
582 quirement Traceability Guides (RTMs) and sample System Security
583 Configuration Guides are provided via the scap-security-guide-
584 docs package.
585
586 This profile reflects U.S. Government consensus content and is
587 developed through the ComplianceAsCode initiative, championed by
588 the National Security Agency. Except for differences in format‐
589 ting to accommodate publishing processes, this profile mirrors
590 ComplianceAsCode content as minor divergences, such as bugfixes,
591 work through the consensus and release processes.
592
593
594 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
595 form 4
596
597 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
598
599 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
600 plied.
601
602
603
604
605
607 Source Datastream: ssg-ol7-ds.xml
608
609 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
610 'profiles', groupings of security settings that correlate to a known
611 policy. Available profiles are:
612
613
614
615 ANSSI-BP-028 (enhanced)
616
617 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
618 hanced
619
620 This profile contains configurations that align to ANSSI-BP-028
621 at the enhanced hardening level.
622
623 ANSSI is the French National Information Security Agency, and
624 stands for Agence nationale de la sécurité des systèmes d'infor‐
625 mation. ANSSI-BP-028 is a configuration recommendation for
626 GNU/Linux systems.
627
628 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
629 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
630 securite-relatives-a-un-systeme-gnulinux/
631
632
633 DRAFT - ANSSI-BP-028 (high)
634
635 Profile ID: xccdf_org.ssgproject.content_pro‐
636 file_anssi_nt28_high
637
638 This profile contains configurations that align to ANSSI-BP-028
639 at the high hardening level.
640
641 ANSSI is the French National Information Security Agency, and
642 stands for Agence nationale de la sécurité des systèmes d'infor‐
643 mation. ANSSI-BP-028 is a configuration recommendation for
644 GNU/Linux systems.
645
646 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
647 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
648 securite-relatives-a-un-systeme-gnulinux/
649
650
651 ANSSI-BP-028 (intermediary)
652
653 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
654 termediary
655
656 This profile contains configurations that align to ANSSI-BP-028
657 at the intermediary hardening level.
658
659 ANSSI is the French National Information Security Agency, and
660 stands for Agence nationale de la sécurité des systèmes d'infor‐
661 mation. ANSSI-BP-028 is a configuration recommendation for
662 GNU/Linux systems.
663
664 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
665 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
666 securite-relatives-a-un-systeme-gnulinux/
667
668
669 ANSSI-BP-028 (minimal)
670
671 Profile ID: xccdf_org.ssgproject.content_pro‐
672 file_anssi_nt28_minimal
673
674 This profile contains configurations that align to ANSSI-BP-028
675 at the minimal hardening level.
676
677 ANSSI is the French National Information Security Agency, and
678 stands for Agence nationale de la sécurité des systèmes d'infor‐
679 mation. ANSSI-BP-028 is a configuration recommendation for
680 GNU/Linux systems.
681
682 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
683 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
684 securite-relatives-a-un-systeme-gnulinux/
685
686
687 Criminal Justice Information Services (CJIS) Security Policy
688
689 Profile ID: xccdf_org.ssgproject.content_profile_cjis
690
691 This profile is derived from FBI's CJIS v5.4 Security Policy. A
692 copy of this policy can be found at the CJIS Security Policy Re‐
693 source Center:
694
695 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
696 center
697
698
699 Unclassified Information in Non-federal Information Systems and Organi‐
700 zations (NIST 800-171)
701
702 Profile ID: xccdf_org.ssgproject.content_profile_cui
703
704 From NIST 800-171, Section 2.2: Security requirements for pro‐
705 tecting the confidentiality of CUI in non-federal information
706 systems and organizations have a well-defined structure that
707 consists of:
708
709 (i) a basic security requirements section; (ii) a derived secu‐
710 rity requirements section.
711
712 The basic security requirements are obtained from FIPS Publica‐
713 tion 200, which provides the high-level and fundamental security
714 requirements for federal information and information systems.
715 The derived security requirements, which supplement the basic
716 security requirements, are taken from the security controls in
717 NIST Special Publication 800-53.
718
719 This profile configures Oracle Linux 7 to the NIST Special Pub‐
720 lication 800-53 controls identified for securing Controlled Un‐
721 classified Information (CUI).
722
723
724 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
725
726 Profile ID: xccdf_org.ssgproject.content_profile_e8
727
728 This profile contains configuration checks for Oracle Linux 7
729 that align to the Australian Cyber Security Centre (ACSC) Essen‐
730 tial Eight.
731
732 A copy of the Essential Eight in Linux Environments guide can be
733 found at the ACSC website:
734
735 https://www.cyber.gov.au/acsc/view-all-content/publica‐
736 tions/hardening-linux-workstations-and-servers
737
738
739 Health Insurance Portability and Accountability Act (HIPAA)
740
741 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
742
743 The HIPAA Security Rule establishes U.S. national standards to
744 protect individuals’ electronic personal health information that
745 is created, received, used, or maintained by a covered entity.
746 The Security Rule requires appropriate administrative, physical
747 and technical safeguards to ensure the confidentiality, integ‐
748 rity, and security of electronic protected health information.
749
750 This profile configures Oracle Linux 7 to the HIPAA Security
751 Rule identified for securing of electronic protected health in‐
752 formation. Use of this profile in no way guarantees or makes
753 claims against legal compliance against the HIPAA Security
754 Rule(s).
755
756
757 [DRAFT] Protection Profile for General Purpose Operating Systems
758
759 Profile ID: xccdf_org.ssgproject.content_profile_ospp
760
761 This profile reflects mandatory configuration controls identi‐
762 fied in the NIAP Configuration Annex to the Protection Profile
763 for General Purpose Operating Systems (Protection Profile Ver‐
764 sion 4.2.1).
765
766 This configuration profile is consistent with CNSSI-1253, which
767 requires U.S. National Security Systems to adhere to certain
768 configuration parameters. Accordingly, this configuration pro‐
769 file is suitable for use in U.S. National Security Systems.
770
771
772 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
773
774 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
775
776 Ensures PCI-DSS v3.2.1 related security configuration settings
777 are applied.
778
779
780 Security Profile of Oracle Linux 7 for SAP
781
782 Profile ID: xccdf_org.ssgproject.content_profile_sap
783
784 This profile contains rules for Oracle Linux 7 Operating System
785 in compliance with SAP note 2069760 and SAP Security Baseline
786 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
787 of your system's workload all of these checks should pass.
788
789
790 Standard System Security Profile for Oracle Linux 7
791
792 Profile ID: xccdf_org.ssgproject.content_profile_standard
793
794 This profile contains rules to ensure standard security baseline
795 of Oracle Linux 7 system. Regardless of your system's workload
796 all of these checks should pass.
797
798
799 DISA STIG for Oracle Linux 7
800
801 Profile ID: xccdf_org.ssgproject.content_profile_stig
802
803 This profile contains configuration checks that align to the
804 DISA STIG for Oracle Linux V2R4.
805
806
807
808
809
811 Source Datastream: ssg-ol8-ds.xml
812
813 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
814 'profiles', groupings of security settings that correlate to a known
815 policy. Available profiles are:
816
817
818
819 ANSSI-BP-028 (enhanced)
820
821 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
822 hanced
823
824 This profile contains configurations that align to ANSSI-BP-028
825 at the enhanced hardening level.
826
827 ANSSI is the French National Information Security Agency, and
828 stands for Agence nationale de la sécurité des systèmes d'infor‐
829 mation. ANSSI-BP-028 is a configuration recommendation for
830 GNU/Linux systems.
831
832 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
833 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
834 securite-relatives-a-un-systeme-gnulinux/
835
836
837 DRAFT - ANSSI-BP-028 (high)
838
839 Profile ID: xccdf_org.ssgproject.content_pro‐
840 file_anssi_bp28_high
841
842 This profile contains configurations that align to ANSSI-BP-028
843 at the high hardening level.
844
845 ANSSI is the French National Information Security Agency, and
846 stands for Agence nationale de la sécurité des systèmes d'infor‐
847 mation. ANSSI-BP-028 is a configuration recommendation for
848 GNU/Linux systems.
849
850 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
851 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
852 securite-relatives-a-un-systeme-gnulinux/
853
854
855 ANSSI-BP-028 (intermediary)
856
857 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
858 termediary
859
860 This profile contains configurations that align to ANSSI-BP-028
861 at the intermediary hardening level.
862
863 ANSSI is the French National Information Security Agency, and
864 stands for Agence nationale de la sécurité des systèmes d'infor‐
865 mation. ANSSI-BP-028 is a configuration recommendation for
866 GNU/Linux systems.
867
868 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
869 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
870 securite-relatives-a-un-systeme-gnulinux/
871
872
873 ANSSI-BP-028 (minimal)
874
875 Profile ID: xccdf_org.ssgproject.content_pro‐
876 file_anssi_bp28_minimal
877
878 This profile contains configurations that align to ANSSI-BP-028
879 at the minimal hardening level.
880
881 ANSSI is the French National Information Security Agency, and
882 stands for Agence nationale de la sécurité des systèmes d'infor‐
883 mation. ANSSI-BP-028 is a configuration recommendation for
884 GNU/Linux systems.
885
886 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
887 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
888 securite-relatives-a-un-systeme-gnulinux/
889
890
891 Criminal Justice Information Services (CJIS) Security Policy
892
893 Profile ID: xccdf_org.ssgproject.content_profile_cjis
894
895 This profile is derived from FBI's CJIS v5.4 Security Policy. A
896 copy of this policy can be found at the CJIS Security Policy Re‐
897 source Center:
898
899 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
900 center
901
902
903 Unclassified Information in Non-federal Information Systems and Organi‐
904 zations (NIST 800-171)
905
906 Profile ID: xccdf_org.ssgproject.content_profile_cui
907
908 From NIST 800-171, Section 2.2: Security requirements for pro‐
909 tecting the confidentiality of CUI in non-federal information
910 systems and organizations have a well-defined structure that
911 consists of:
912
913 (i) a basic security requirements section; (ii) a derived secu‐
914 rity requirements section.
915
916 The basic security requirements are obtained from FIPS Publica‐
917 tion 200, which provides the high-level and fundamental security
918 requirements for federal information and information systems.
919 The derived security requirements, which supplement the basic
920 security requirements, are taken from the security controls in
921 NIST Special Publication 800-53.
922
923 This profile configures Oracle Linux 8 to the NIST Special Pub‐
924 lication 800-53 controls identified for securing Controlled Un‐
925 classified Information (CUI).
926
927
928 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
929
930 Profile ID: xccdf_org.ssgproject.content_profile_e8
931
932 This profile contains configuration checks for Oracle Linux 8
933 that align to the Australian Cyber Security Centre (ACSC) Essen‐
934 tial Eight.
935
936 A copy of the Essential Eight in Linux Environments guide can be
937 found at the ACSC website:
938
939 https://www.cyber.gov.au/acsc/view-all-content/publica‐
940 tions/hardening-linux-workstations-and-servers
941
942
943 Health Insurance Portability and Accountability Act (HIPAA)
944
945 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
946
947 The HIPAA Security Rule establishes U.S. national standards to
948 protect individuals’ electronic personal health information that
949 is created, received, used, or maintained by a covered entity.
950 The Security Rule requires appropriate administrative, physical
951 and technical safeguards to ensure the confidentiality, integ‐
952 rity, and security of electronic protected health information.
953
954 This profile configures Oracle Linux 8 to the HIPAA Security
955 Rule identified for securing of electronic protected health in‐
956 formation. Use of this profile in no way guarantees or makes
957 claims against legal compliance against the HIPAA Security
958 Rule(s).
959
960
961 [DRAFT] Protection Profile for General Purpose Operating Systems
962
963 Profile ID: xccdf_org.ssgproject.content_profile_ospp
964
965 This profile reflects mandatory configuration controls identi‐
966 fied in the NIAP Configuration Annex to the Protection Profile
967 for General Purpose Operating Systems (Protection Profile Ver‐
968 sion 4.2.1).
969
970 This configuration profile is consistent with CNSSI-1253, which
971 requires U.S. National Security Systems to adhere to certain
972 configuration parameters. Accordingly, this configuration pro‐
973 file is suitable for use in U.S. National Security Systems.
974
975
976 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
977
978 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
979
980 Ensures PCI-DSS v3.2.1 related security configuration settings
981 are applied.
982
983
984 Standard System Security Profile for Oracle Linux 8
985
986 Profile ID: xccdf_org.ssgproject.content_profile_standard
987
988 This profile contains rules to ensure standard security baseline
989 of Oracle Linux 8 system. Regardless of your system's workload
990 all of these checks should pass.
991
992
993
994
995
997 Source Datastream: ssg-opensuse-ds.xml
998
999 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
1000 files', groupings of security settings that correlate to a known pol‐
1001 icy. Available profiles are:
1002
1003
1004
1005 Standard System Security Profile for openSUSE
1006
1007 Profile ID: xccdf_org.ssgproject.content_profile_standard
1008
1009 This profile contains rules to ensure standard security baseline
1010 of an openSUSE system. Regardless of your system's workload all
1011 of these checks should pass.
1012
1013
1014
1015
1016
1018 CoreOS 4
1019 Source Datastream: ssg-rhcos4-ds.xml
1020
1021 The Guide to the Secure Configuration of Red Hat Enterprise Linux
1022 CoreOS 4 is broken into 'profiles', groupings of security settings that
1023 correlate to a known policy. Available profiles are:
1024
1025
1026
1027 DRAFT - ANSSI-BP-028 (enhanced)
1028
1029 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1030 hanced
1031
1032 This profile contains configurations that align to ANSSI-BP-028
1033 at the enhanced hardening level.
1034
1035 ANSSI is the French National Information Security Agency, and
1036 stands for Agence nationale de la sécurité des systèmes d'infor‐
1037 mation. ANSSI-BP-028 is a configuration recommendation for
1038 GNU/Linux systems.
1039
1040 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1041 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1042 securite-relatives-a-un-systeme-gnulinux/
1043
1044
1045 DRAFT - ANSSI-BP-028 (high)
1046
1047 Profile ID: xccdf_org.ssgproject.content_pro‐
1048 file_anssi_bp28_high
1049
1050 This profile contains configurations that align to ANSSI-BP-028
1051 at the high hardening level.
1052
1053 ANSSI is the French National Information Security Agency, and
1054 stands for Agence nationale de la sécurité des systèmes d'infor‐
1055 mation. ANSSI-BP-028 is a configuration recommendation for
1056 GNU/Linux systems.
1057
1058 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1059 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1060 securite-relatives-a-un-systeme-gnulinux/
1061
1062
1063 DRAFT - ANSSI-BP-028 (intermediary)
1064
1065 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1066 termediary
1067
1068 This profile contains configurations that align to ANSSI-BP-028
1069 at the intermediary hardening level.
1070
1071 ANSSI is the French National Information Security Agency, and
1072 stands for Agence nationale de la sécurité des systèmes d'infor‐
1073 mation. ANSSI-BP-028 is a configuration recommendation for
1074 GNU/Linux systems.
1075
1076 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1077 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1078 securite-relatives-a-un-systeme-gnulinux/
1079
1080
1081 DRAFT - ANSSI-BP-028 (minimal)
1082
1083 Profile ID: xccdf_org.ssgproject.content_pro‐
1084 file_anssi_bp28_minimal
1085
1086 This profile contains configurations that align to ANSSI-BP-028
1087 at the minimal hardening level.
1088
1089 ANSSI is the French National Information Security Agency, and
1090 stands for Agence nationale de la sécurité des systèmes d'infor‐
1091 mation. ANSSI-BP-028 is a configuration recommendation for
1092 GNU/Linux systems.
1093
1094 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1095 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1096 securite-relatives-a-un-systeme-gnulinux/
1097
1098
1099 Australian Cyber Security Centre (ACSC) Essential Eight
1100
1101 Profile ID: xccdf_org.ssgproject.content_profile_e8
1102
1103 This profile contains configuration checks for Red Hat Enter‐
1104 prise Linux CoreOS that align to the Australian Cyber Security
1105 Centre (ACSC) Essential Eight.
1106
1107 A copy of the Essential Eight in Linux Environments guide can be
1108 found at the ACSC website:
1109
1110 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1111 tions/hardening-linux-workstations-and-servers
1112
1113
1114 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
1115 CoreOS
1116
1117 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1118
1119 This compliance profile reflects the core set of Moderate-Impact
1120 Baseline configuration settings for deployment of Red Hat Enter‐
1121 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1122 agencies. Development partners and sponsors include the U.S.
1123 National Institute of Standards and Technology (NIST), U.S. De‐
1124 partment of Defense, the National Security Agency, and Red Hat.
1125
1126 This baseline implements configuration requirements from the
1127 following sources:
1128
1129 - NIST 800-53 control selections for Moderate-Impact systems
1130 (NIST 800-53)
1131
1132 For any differing configuration requirements, e.g. password
1133 lengths, the stricter security setting was chosen. Security Re‐
1134 quirement Traceability Guides (RTMs) and sample System Security
1135 Configuration Guides are provided via the scap-security-guide-
1136 docs package.
1137
1138 This profile reflects U.S. Government consensus content and is
1139 developed through the ComplianceAsCode initiative, championed by
1140 the National Security Agency. Except for differences in format‐
1141 ting to accommodate publishing processes, this profile mirrors
1142 ComplianceAsCode content as minor divergences, such as bugfixes,
1143 work through the consensus and release processes.
1144
1145
1146 NIST National Checklist for Red Hat Enterprise Linux CoreOS
1147
1148 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1149
1150 This compliance profile reflects the core set of security re‐
1151 lated configuration settings for deployment of Red Hat Enter‐
1152 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1153 agencies. Development partners and sponsors include the U.S.
1154 National Institute of Standards and Technology (NIST), U.S. De‐
1155 partment of Defense, the National Security Agency, and Red Hat.
1156
1157 This baseline implements configuration requirements from the
1158 following sources:
1159
1160 - Committee on National Security Systems Instruction No. 1253
1161 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1162 800-171) - NIST 800-53 control selections for Moderate-Impact
1163 systems (NIST 800-53) - U.S. Government Configuration Baseline
1164 (USGCB) - NIAP Protection Profile for General Purpose Operating
1165 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1166 Requirements Guide (OS SRG)
1167
1168 For any differing configuration requirements, e.g. password
1169 lengths, the stricter security setting was chosen. Security Re‐
1170 quirement Traceability Guides (RTMs) and sample System Security
1171 Configuration Guides are provided via the scap-security-guide-
1172 docs package.
1173
1174 This profile reflects U.S. Government consensus content and is
1175 developed through the ComplianceAsCode initiative, championed by
1176 the National Security Agency. Except for differences in format‐
1177 ting to accommodate publishing processes, this profile mirrors
1178 ComplianceAsCode content as minor divergences, such as bugfixes,
1179 work through the consensus and release processes.
1180
1181
1182 Protection Profile for General Purpose Operating Systems
1183
1184 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1185
1186 This profile reflects mandatory configuration controls identi‐
1187 fied in the NIAP Configuration Annex to the Protection Profile
1188 for General Purpose Operating Systems (Protection Profile Ver‐
1189 sion 4.2.1).
1190
1191 This configuration profile is consistent with CNSSI-1253, which
1192 requires U.S. National Security Systems to adhere to certain
1193 configuration parameters. Accordingly, this configuration pro‐
1194 file is suitable for use in U.S. National Security Systems.
1195
1196
1197 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS
1198
1199 Profile ID: xccdf_org.ssgproject.content_profile_stig
1200
1201 This profile contains configuration checks that align to the
1202 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS which is
1203 the operating system layer of Red Hat OpenShift Container Plat‐
1204 form.
1205
1206
1207
1208
1209
1211 Source Datastream: ssg-rhel7-ds.xml
1212
1213 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1214 broken into 'profiles', groupings of security settings that correlate
1215 to a known policy. Available profiles are:
1216
1217
1218
1219 C2S for Red Hat Enterprise Linux 7
1220
1221 Profile ID: xccdf_org.ssgproject.content_profile_C2S
1222
1223 This profile demonstrates compliance against the U.S. Government
1224 Commercial Cloud Services (C2S) baseline.
1225
1226 This baseline was inspired by the Center for Internet Security
1227 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1228
1229 For the SCAP Security Guide project to remain in compliance with
1230 CIS' terms and conditions, specifically Restrictions(8), note
1231 there is no representation or claim that the C2S profile will
1232 ensure a system is in compliance or consistency with the CIS
1233 baseline.
1234
1235
1236 ANSSI-BP-028 (enhanced)
1237
1238 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1239 hanced
1240
1241 This profile contains configurations that align to ANSSI-BP-028
1242 v1.2 at the enhanced hardening level.
1243
1244 ANSSI is the French National Information Security Agency, and
1245 stands for Agence nationale de la sécurité des systèmes d'infor‐
1246 mation. ANSSI-BP-028 is a configuration recommendation for
1247 GNU/Linux systems.
1248
1249 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1250 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1251 securite-relatives-a-un-systeme-gnulinux/
1252
1253
1254 ANSSI-BP-028 (high)
1255
1256 Profile ID: xccdf_org.ssgproject.content_pro‐
1257 file_anssi_nt28_high
1258
1259 This profile contains configurations that align to ANSSI-BP-028
1260 v1.2 at the high hardening level.
1261
1262 ANSSI is the French National Information Security Agency, and
1263 stands for Agence nationale de la sécurité des systèmes d'infor‐
1264 mation. ANSSI-BP-028 is a configuration recommendation for
1265 GNU/Linux systems.
1266
1267 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1268 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1269 securite-relatives-a-un-systeme-gnulinux/
1270
1271
1272 ANSSI-BP-028 (intermediary)
1273
1274 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1275 termediary
1276
1277 This profile contains configurations that align to ANSSI-BP-028
1278 v1.2 at the intermediary hardening level.
1279
1280 ANSSI is the French National Information Security Agency, and
1281 stands for Agence nationale de la sécurité des systèmes d'infor‐
1282 mation. ANSSI-BP-028 is a configuration recommendation for
1283 GNU/Linux systems.
1284
1285 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1286 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1287 securite-relatives-a-un-systeme-gnulinux/
1288
1289
1290 ANSSI-BP-028 (minimal)
1291
1292 Profile ID: xccdf_org.ssgproject.content_pro‐
1293 file_anssi_nt28_minimal
1294
1295 This profile contains configurations that align to ANSSI-BP-028
1296 v1.2 at the minimal hardening level.
1297
1298 ANSSI is the French National Information Security Agency, and
1299 stands for Agence nationale de la sécurité des systèmes d'infor‐
1300 mation. ANSSI-BP-028 is a configuration recommendation for
1301 GNU/Linux systems.
1302
1303 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1304 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1305 securite-relatives-a-un-systeme-gnulinux/
1306
1307
1308 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
1309
1310 Profile ID: xccdf_org.ssgproject.content_profile_cis
1311
1312 This profile defines a baseline that aligns to the "Level 2 -
1313 Server" configuration from the Center for Internet Security® Red
1314 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1315
1316 This profile includes Center for Internet Security® Red Hat En‐
1317 terprise Linux 7 CIS Benchmarks™ content.
1318
1319
1320 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
1321
1322 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1323
1324 This profile defines a baseline that aligns to the "Level 1 -
1325 Server" configuration from the Center for Internet Security® Red
1326 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1327
1328 This profile includes Center for Internet Security® Red Hat En‐
1329 terprise Linux 7 CIS Benchmarks™ content.
1330
1331
1332 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
1333
1334 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1335 tion_l1
1336
1337 This profile defines a baseline that aligns to the "Level 1 -
1338 Workstation" configuration from the Center for Internet Secu‐
1339 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1340 05-21-2021.
1341
1342 This profile includes Center for Internet Security® Red Hat En‐
1343 terprise Linux 7 CIS Benchmarks™ content.
1344
1345
1346 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
1347
1348 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1349 tion_l2
1350
1351 This profile defines a baseline that aligns to the "Level 2 -
1352 Workstation" configuration from the Center for Internet Secu‐
1353 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1354 05-21-2021.
1355
1356 This profile includes Center for Internet Security® Red Hat En‐
1357 terprise Linux 7 CIS Benchmarks™ content.
1358
1359
1360 Criminal Justice Information Services (CJIS) Security Policy
1361
1362 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1363
1364 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1365 copy of this policy can be found at the CJIS Security Policy Re‐
1366 source Center:
1367
1368 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1369 center
1370
1371
1372 Unclassified Information in Non-federal Information Systems and Organi‐
1373 zations (NIST 800-171)
1374
1375 Profile ID: xccdf_org.ssgproject.content_profile_cui
1376
1377 From NIST 800-171, Section 2.2: Security requirements for pro‐
1378 tecting the confidentiality of CUI in non-federal information
1379 systems and organizations have a well-defined structure that
1380 consists of:
1381
1382 (i) a basic security requirements section; (ii) a derived secu‐
1383 rity requirements section.
1384
1385 The basic security requirements are obtained from FIPS Publica‐
1386 tion 200, which provides the high-level and fundamental security
1387 requirements for federal information and information systems.
1388 The derived security requirements, which supplement the basic
1389 security requirements, are taken from the security controls in
1390 NIST Special Publication 800-53.
1391
1392 This profile configures Red Hat Enterprise Linux 7 to the NIST
1393 Special Publication 800-53 controls identified for securing Con‐
1394 trolled Unclassified Information (CUI).
1395
1396
1397 Australian Cyber Security Centre (ACSC) Essential Eight
1398
1399 Profile ID: xccdf_org.ssgproject.content_profile_e8
1400
1401 This profile contains configuration checks for Red Hat Enter‐
1402 prise Linux 7 that align to the Australian Cyber Security Centre
1403 (ACSC) Essential Eight.
1404
1405 A copy of the Essential Eight in Linux Environments guide can be
1406 found at the ACSC website:
1407
1408 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1409 tions/hardening-linux-workstations-and-servers
1410
1411
1412 Health Insurance Portability and Accountability Act (HIPAA)
1413
1414 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1415
1416 The HIPAA Security Rule establishes U.S. national standards to
1417 protect individuals’ electronic personal health information that
1418 is created, received, used, or maintained by a covered entity.
1419 The Security Rule requires appropriate administrative, physical
1420 and technical safeguards to ensure the confidentiality, integ‐
1421 rity, and security of electronic protected health information.
1422
1423 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
1424 Security Rule identified for securing of electronic protected
1425 health information. Use of this profile in no way guarantees or
1426 makes claims against legal compliance against the HIPAA Security
1427 Rule(s).
1428
1429
1430 NIST National Checklist Program Security Guide
1431
1432 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1433
1434 This compliance profile reflects the core set of security re‐
1435 lated configuration settings for deployment of Red Hat Enter‐
1436 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
1437 agencies. Development partners and sponsors include the U.S.
1438 National Institute of Standards and Technology (NIST), U.S. De‐
1439 partment of Defense, the National Security Agency, and Red Hat.
1440
1441 This baseline implements configuration requirements from the
1442 following sources:
1443
1444 - Committee on National Security Systems Instruction No. 1253
1445 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1446 800-171) - NIST 800-53 control selections for MODERATE impact
1447 systems (NIST 800-53) - U.S. Government Configuration Baseline
1448 (USGCB) - NIAP Protection Profile for General Purpose Operating
1449 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1450 Requirements Guide (OS SRG)
1451
1452 For any differing configuration requirements, e.g. password
1453 lengths, the stricter security setting was chosen. Security Re‐
1454 quirement Traceability Guides (RTMs) and sample System Security
1455 Configuration Guides are provided via the scap-security-guide-
1456 docs package.
1457
1458 This profile reflects U.S. Government consensus content and is
1459 developed through the OpenSCAP/SCAP Security Guide initiative,
1460 championed by the National Security Agency. Except for differ‐
1461 ences in formatting to accommodate publishing processes, this
1462 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1463 divergences, such as bugfixes, work through the consensus and
1464 release processes.
1465
1466
1467 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1468
1469 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1470
1471 This profile reflects mandatory configuration controls identi‐
1472 fied in the NIAP Configuration Annex to the Protection Profile
1473 for General Purpose Operating Systems (Protection Profile Ver‐
1474 sion 4.2.1).
1475
1476 This configuration profile is consistent with CNSSI-1253, which
1477 requires U.S. National Security Systems to adhere to certain
1478 configuration parameters. Accordingly, this configuration pro‐
1479 file is suitable for use in U.S. National Security Systems.
1480
1481
1482 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1483
1484 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1485
1486 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1487 plied.
1488
1489
1490 RHV hardening based on STIG for Red Hat Enterprise Linux 7
1491
1492 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1493
1494 This profile contains configuration checks for Red Hat Virtual‐
1495 ization based on the the DISA STIG for Red Hat Enterprise Linux
1496 7.
1497
1498
1499 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1500 ization
1501
1502 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1503
1504 This compliance profile reflects the core set of security re‐
1505 lated configuration settings for deployment of Red Hat Enter‐
1506 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1507 gence, and Civilian agencies. Development partners and sponsors
1508 include the U.S. National Institute of Standards and Technology
1509 (NIST), U.S. Department of Defense, the National Security
1510 Agency, and Red Hat.
1511
1512 This baseline implements configuration requirements from the
1513 following sources:
1514
1515 - Committee on National Security Systems Instruction No. 1253
1516 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
1517 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
1518 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
1519 (VPP v1.0)
1520
1521 For any differing configuration requirements, e.g. password
1522 lengths, the stricter security setting was chosen. Security Re‐
1523 quirement Traceability Guides (RTMs) and sample System Security
1524 Configuration Guides are provided via the scap-security-guide-
1525 docs package.
1526
1527 This profile reflects U.S. Government consensus content and is
1528 developed through the ComplianceAsCode project, championed by
1529 the National Security Agency. Except for differences in format‐
1530 ting to accommodate publishing processes, this profile mirrors
1531 ComplianceAsCode content as minor divergences, such as bugfixes,
1532 work through the consensus and release processes.
1533
1534
1535 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1536
1537 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1538
1539 This profile contains the minimum security relevant configura‐
1540 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1541 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1542
1543
1544 Standard System Security Profile for Red Hat Enterprise Linux 7
1545
1546 Profile ID: xccdf_org.ssgproject.content_profile_standard
1547
1548 This profile contains rules to ensure standard security baseline
1549 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1550 tem's workload all of these checks should pass.
1551
1552
1553 DISA STIG for Red Hat Enterprise Linux 7
1554
1555 Profile ID: xccdf_org.ssgproject.content_profile_stig
1556
1557 This profile contains configuration checks that align to the
1558 DISA STIG for Red Hat Enterprise Linux V3R4.
1559
1560 In addition to being applicable to Red Hat Enterprise Linux 7,
1561 DISA recognizes this configuration baseline as applicable to the
1562 operating system tier of Red Hat technologies that are based on
1563 Red Hat Enterprise Linux 7, such as:
1564
1565 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1566 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1567 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1568 7 image
1569
1570
1571 DISA STIG with GUI for Red Hat Enterprise Linux 7
1572
1573 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1574
1575 This profile contains configuration checks that align to the
1576 DISA STIG with GUI for Red Hat Enterprise Linux V3R4.
1577
1578 In addition to being applicable to Red Hat Enterprise Linux 7,
1579 DISA recognizes this configuration baseline as applicable to the
1580 operating system tier of Red Hat technologies that are based on
1581 Red Hat Enterprise Linux 7, such as:
1582
1583 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1584 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1585 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1586 7 image
1587
1588 Warning: The installation and use of a Graphical User Interface
1589 (GUI) increases your attack vector and decreases your overall
1590 security posture. If your Information Systems Security Officer
1591 (ISSO) lacks a documented operational requirement for a graphi‐
1592 cal user interface, please consider using the standard DISA STIG
1593 for Red Hat Enterprise Linux 7 profile.
1594
1595
1596
1597
1598
1600 Source Datastream: ssg-rhel8-ds.xml
1601
1602 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
1603 broken into 'profiles', groupings of security settings that correlate
1604 to a known policy. Available profiles are:
1605
1606
1607
1608 ANSSI-BP-028 (enhanced)
1609
1610 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1611 hanced
1612
1613 This profile contains configurations that align to ANSSI-BP-028
1614 v1.2 at the enhanced hardening level.
1615
1616 ANSSI is the French National Information Security Agency, and
1617 stands for Agence nationale de la sécurité des systèmes d'infor‐
1618 mation. ANSSI-BP-028 is a configuration recommendation for
1619 GNU/Linux systems.
1620
1621 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1622 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1623 securite-relatives-a-un-systeme-gnulinux/
1624
1625
1626 ANSSI-BP-028 (high)
1627
1628 Profile ID: xccdf_org.ssgproject.content_pro‐
1629 file_anssi_bp28_high
1630
1631 This profile contains configurations that align to ANSSI-BP-028
1632 v1.2 at the high hardening level.
1633
1634 ANSSI is the French National Information Security Agency, and
1635 stands for Agence nationale de la sécurité des systèmes d'infor‐
1636 mation. ANSSI-BP-028 is a configuration recommendation for
1637 GNU/Linux systems.
1638
1639 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1640 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1641 securite-relatives-a-un-systeme-gnulinux/
1642
1643
1644 ANSSI-BP-028 (intermediary)
1645
1646 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1647 termediary
1648
1649 This profile contains configurations that align to ANSSI-BP-028
1650 v1.2 at the intermediary hardening level.
1651
1652 ANSSI is the French National Information Security Agency, and
1653 stands for Agence nationale de la sécurité des systèmes d'infor‐
1654 mation. ANSSI-BP-028 is a configuration recommendation for
1655 GNU/Linux systems.
1656
1657 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1658 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1659 securite-relatives-a-un-systeme-gnulinux/
1660
1661
1662 ANSSI-BP-028 (minimal)
1663
1664 Profile ID: xccdf_org.ssgproject.content_pro‐
1665 file_anssi_bp28_minimal
1666
1667 This profile contains configurations that align to ANSSI-BP-028
1668 v1.2 at the minimal hardening level.
1669
1670 ANSSI is the French National Information Security Agency, and
1671 stands for Agence nationale de la sécurité des systèmes d'infor‐
1672 mation. ANSSI-BP-028 is a configuration recommendation for
1673 GNU/Linux systems.
1674
1675 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1676 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1677 securite-relatives-a-un-systeme-gnulinux/
1678
1679
1680 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
1681
1682 Profile ID: xccdf_org.ssgproject.content_profile_cis
1683
1684 This profile defines a baseline that aligns to the "Level 2 -
1685 Server" configuration from the Center for Internet Security® Red
1686 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1687
1688 This profile includes Center for Internet Security® Red Hat En‐
1689 terprise Linux 8 CIS Benchmarks™ content.
1690
1691
1692 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
1693
1694 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1695
1696 This profile defines a baseline that aligns to the "Level 1 -
1697 Server" configuration from the Center for Internet Security® Red
1698 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1699
1700 This profile includes Center for Internet Security® Red Hat En‐
1701 terprise Linux 8 CIS Benchmarks™ content.
1702
1703
1704 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
1705
1706 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1707 tion_l1
1708
1709 This profile defines a baseline that aligns to the "Level 1 -
1710 Workstation" configuration from the Center for Internet Secu‐
1711 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
1712 2021-05-19.
1713
1714 This profile includes Center for Internet Security® Red Hat En‐
1715 terprise Linux 8 CIS Benchmarks™ content.
1716
1717
1718 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
1719
1720 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1721 tion_l2
1722
1723 This profile defines a baseline that aligns to the "Level 2 -
1724 Workstation" configuration from the Center for Internet Secu‐
1725 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
1726 2021-05-19.
1727
1728 This profile includes Center for Internet Security® Red Hat En‐
1729 terprise Linux 8 CIS Benchmarks™ content.
1730
1731
1732 Criminal Justice Information Services (CJIS) Security Policy
1733
1734 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1735
1736 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1737 copy of this policy can be found at the CJIS Security Policy Re‐
1738 source Center:
1739
1740 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1741 center
1742
1743
1744 Unclassified Information in Non-federal Information Systems and Organi‐
1745 zations (NIST 800-171)
1746
1747 Profile ID: xccdf_org.ssgproject.content_profile_cui
1748
1749 From NIST 800-171, Section 2.2: Security requirements for pro‐
1750 tecting the confidentiality of CUI in nonfederal information
1751 systems and organizations have a well-defined structure that
1752 consists of:
1753
1754 (i) a basic security requirements section; (ii) a derived secu‐
1755 rity requirements section.
1756
1757 The basic security requirements are obtained from FIPS Publica‐
1758 tion 200, which provides the high-level and fundamental security
1759 requirements for federal information and information systems.
1760 The derived security requirements, which supplement the basic
1761 security requirements, are taken from the security controls in
1762 NIST Special Publication 800-53.
1763
1764 This profile configures Red Hat Enterprise Linux 8 to the NIST
1765 Special Publication 800-53 controls identified for securing Con‐
1766 trolled Unclassified Information (CUI)."
1767
1768
1769 Australian Cyber Security Centre (ACSC) Essential Eight
1770
1771 Profile ID: xccdf_org.ssgproject.content_profile_e8
1772
1773 This profile contains configuration checks for Red Hat Enter‐
1774 prise Linux 8 that align to the Australian Cyber Security Centre
1775 (ACSC) Essential Eight.
1776
1777 A copy of the Essential Eight in Linux Environments guide can be
1778 found at the ACSC website:
1779
1780 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1781 tions/hardening-linux-workstations-and-servers
1782
1783
1784 Health Insurance Portability and Accountability Act (HIPAA)
1785
1786 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1787
1788 The HIPAA Security Rule establishes U.S. national standards to
1789 protect individuals’ electronic personal health information that
1790 is created, received, used, or maintained by a covered entity.
1791 The Security Rule requires appropriate administrative, physical
1792 and technical safeguards to ensure the confidentiality, integ‐
1793 rity, and security of electronic protected health information.
1794
1795 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
1796 Security Rule identified for securing of electronic protected
1797 health information. Use of this profile in no way guarantees or
1798 makes claims against legal compliance against the HIPAA Security
1799 Rule(s).
1800
1801
1802 Australian Cyber Security Centre (ACSC) ISM Official
1803
1804 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
1805
1806 This profile contains configuration checks for Red Hat Enter‐
1807 prise Linux 8 that align to the Australian Cyber Security Centre
1808 (ACSC) Information Security Manual (ISM) with the applicability
1809 marking of OFFICIAL.
1810
1811 The ISM uses a risk-based approach to cyber security. This pro‐
1812 file provides a guide to aligning Red Hat Enterprise Linux secu‐
1813 rity controls with the ISM, which can be used to select controls
1814 specific to an organisation's security posture and risk profile.
1815
1816 A copy of the ISM can be found at the ACSC website:
1817
1818 https://www.cyber.gov.au/ism
1819
1820
1821 Protection Profile for General Purpose Operating Systems
1822
1823 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1824
1825 This profile reflects mandatory configuration controls identi‐
1826 fied in the NIAP Configuration Annex to the Protection Profile
1827 for General Purpose Operating Systems (Protection Profile Ver‐
1828 sion 4.2.1).
1829
1830 This configuration profile is consistent with CNSSI-1253, which
1831 requires U.S. National Security Systems to adhere to certain
1832 configuration parameters. Accordingly, this configuration pro‐
1833 file is suitable for use in U.S. National Security Systems.
1834
1835
1836 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1837
1838 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1839
1840 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1841 plied.
1842
1843
1844 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1845
1846 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1847
1848 This profile contains the minimum security relevant configura‐
1849 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1850 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1851
1852
1853 Standard System Security Profile for Red Hat Enterprise Linux 8
1854
1855 Profile ID: xccdf_org.ssgproject.content_profile_standard
1856
1857 This profile contains rules to ensure standard security baseline
1858 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
1859 tem's workload all of these checks should pass.
1860
1861
1862 DISA STIG for Red Hat Enterprise Linux 8
1863
1864 Profile ID: xccdf_org.ssgproject.content_profile_stig
1865
1866 This profile contains configuration checks that align to the
1867 DISA STIG for Red Hat Enterprise Linux 8 V1R3.
1868
1869 In addition to being applicable to Red Hat Enterprise Linux 8,
1870 DISA recognizes this configuration baseline as applicable to the
1871 operating system tier of Red Hat technologies that are based on
1872 Red Hat Enterprise Linux 8, such as:
1873
1874 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1875 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1876 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1877 8 image
1878
1879
1880 DISA STIG with GUI for Red Hat Enterprise Linux 8
1881
1882 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1883
1884 This profile contains configuration checks that align to the
1885 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
1886
1887 In addition to being applicable to Red Hat Enterprise Linux 8,
1888 DISA recognizes this configuration baseline as applicable to the
1889 operating system tier of Red Hat technologies that are based on
1890 Red Hat Enterprise Linux 8, such as:
1891
1892 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1893 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1894 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1895 8 image
1896
1897 Warning: The installation and use of a Graphical User Interface
1898 (GUI) increases your attack vector and decreases your overall
1899 security posture. If your Information Systems Security Officer
1900 (ISSO) lacks a documented operational requirement for a graphi‐
1901 cal user interface, please consider using the standard DISA STIG
1902 for Red Hat Enterprise Linux 8 profile.
1903
1904
1905
1906
1907
1909 Source Datastream: ssg-rhel9-ds.xml
1910
1911 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
1912 broken into 'profiles', groupings of security settings that correlate
1913 to a known policy. Available profiles are:
1914
1915
1916
1917 ANSSI-BP-028 (enhanced)
1918
1919 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1920 hanced
1921
1922 This profile contains configurations that align to ANSSI-BP-028
1923 at the enhanced hardening level.
1924
1925 ANSSI is the French National Information Security Agency, and
1926 stands for Agence nationale de la sécurité des systèmes d'infor‐
1927 mation. ANSSI-BP-028 is a configuration recommendation for
1928 GNU/Linux systems.
1929
1930 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1931 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1932 securite-relatives-a-un-systeme-gnulinux/
1933
1934
1935 ANSSI-BP-028 (high)
1936
1937 Profile ID: xccdf_org.ssgproject.content_pro‐
1938 file_anssi_bp28_high
1939
1940 This profile contains configurations that align to ANSSI-BP-028
1941 at the high hardening level.
1942
1943 ANSSI is the French National Information Security Agency, and
1944 stands for Agence nationale de la sécurité des systèmes d'infor‐
1945 mation. ANSSI-BP-028 is a configuration recommendation for
1946 GNU/Linux systems.
1947
1948 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1949 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1950 securite-relatives-a-un-systeme-gnulinux/
1951
1952
1953 ANSSI-BP-028 (intermediary)
1954
1955 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1956 termediary
1957
1958 This profile contains configurations that align to ANSSI-BP-028
1959 at the intermediary hardening level.
1960
1961 ANSSI is the French National Information Security Agency, and
1962 stands for Agence nationale de la sécurité des systèmes d'infor‐
1963 mation. ANSSI-BP-028 is a configuration recommendation for
1964 GNU/Linux systems.
1965
1966 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1967 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1968 securite-relatives-a-un-systeme-gnulinux/
1969
1970
1971 ANSSI-BP-028 (minimal)
1972
1973 Profile ID: xccdf_org.ssgproject.content_pro‐
1974 file_anssi_bp28_minimal
1975
1976 This profile contains configurations that align to ANSSI-BP-028
1977 at the minimal hardening level.
1978
1979 ANSSI is the French National Information Security Agency, and
1980 stands for Agence nationale de la sécurité des systèmes d'infor‐
1981 mation. ANSSI-BP-028 is a configuration recommendation for
1982 GNU/Linux systems.
1983
1984 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1985 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1986 securite-relatives-a-un-systeme-gnulinux/
1987
1988
1989 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
1990
1991 Profile ID: xccdf_org.ssgproject.content_profile_cis
1992
1993 This is a draft profile based on its RHEL8 version for experi‐
1994 mental purposes. It is not based on the CIS benchmark for
1995 RHEL9, because this one was not available at time of the re‐
1996 lease.
1997
1998
1999 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
2000
2001 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2002
2003 This is a draft profile based on its RHEL8 version for experi‐
2004 mental purposes. It is not based on the CIS benchmark for
2005 RHEL9, because this one was not available at time of the re‐
2006 lease.
2007
2008
2009 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
2010 tion
2011
2012 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2013 tion_l1
2014
2015 This is a draft profile based on its RHEL8 version for experi‐
2016 mental purposes. It is not based on the CIS benchmark for
2017 RHEL9, because this one was not available at time of the re‐
2018 lease.
2019
2020
2021 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
2022 tion
2023
2024 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2025 tion_l2
2026
2027 This is a draft profile based on its RHEL8 version for experi‐
2028 mental purposes. It is not based on the CIS benchmark for
2029 RHEL9, because this one was not available at time of the re‐
2030 lease.
2031
2032
2033 [RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security
2034 Policy
2035
2036 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2037
2038 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2039 copy of this policy can be found at the CJIS Security Policy Re‐
2040 source Center:
2041
2042 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2043 center
2044
2045
2046 Unclassified Information in Non-federal Information Systems and Organi‐
2047 zations (NIST 800-171)
2048
2049 Profile ID: xccdf_org.ssgproject.content_profile_cui
2050
2051 From NIST 800-171, Section 2.2: Security requirements for pro‐
2052 tecting the confidentiality of CUI in nonfederal information
2053 systems and organizations have a well-defined structure that
2054 consists of:
2055
2056 (i) a basic security requirements section; (ii) a derived secu‐
2057 rity requirements section.
2058
2059 The basic security requirements are obtained from FIPS Publica‐
2060 tion 200, which provides the high-level and fundamental security
2061 requirements for federal information and information systems.
2062 The derived security requirements, which supplement the basic
2063 security requirements, are taken from the security controls in
2064 NIST Special Publication 800-53.
2065
2066 This profile configures Red Hat Enterprise Linux 8 to the NIST
2067 Special Publication 800-53 controls identified for securing Con‐
2068 trolled Unclassified Information (CUI)."
2069
2070
2071 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
2072
2073 Profile ID: xccdf_org.ssgproject.content_profile_e8
2074
2075 This profile contains configuration checks for Red Hat Enter‐
2076 prise Linux 9 that align to the Australian Cyber Security Centre
2077 (ACSC) Essential Eight.
2078
2079 A copy of the Essential Eight in Linux Environments guide can be
2080 found at the ACSC website:
2081
2082 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2083 tions/hardening-linux-workstations-and-servers
2084
2085
2086 [RHEL9 DRAFT] Health Insurance Portability and Accountability Act
2087 (HIPAA)
2088
2089 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2090
2091 The HIPAA Security Rule establishes U.S. national standards to
2092 protect individuals’ electronic personal health information that
2093 is created, received, used, or maintained by a covered entity.
2094 The Security Rule requires appropriate administrative, physical
2095 and technical safeguards to ensure the confidentiality, integ‐
2096 rity, and security of electronic protected health information.
2097
2098 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
2099 Security Rule identified for securing of electronic protected
2100 health information. Use of this profile in no way guarantees or
2101 makes claims against legal compliance against the HIPAA Security
2102 Rule(s).
2103
2104
2105 [RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official
2106
2107 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
2108
2109 This profile contains configuration checks for Red Hat Enter‐
2110 prise Linux 9 that align to the Australian Cyber Security Centre
2111 (ACSC) Information Security Manual (ISM) with the applicability
2112 marking of OFFICIAL.
2113
2114 The ISM uses a risk-based approach to cyber security. This pro‐
2115 file provides a guide to aligning Red Hat Enterprise Linux secu‐
2116 rity controls with the ISM, which can be used to select controls
2117 specific to an organisation's security posture and risk profile.
2118
2119 A copy of the ISM can be found at the ACSC website:
2120
2121 https://www.cyber.gov.au/ism
2122
2123
2124 [RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems
2125
2126 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2127
2128 This profile reflects mandatory configuration controls identi‐
2129 fied in the NIAP Configuration Annex to the Protection Profile
2130 for General Purpose Operating Systems (Protection Profile Ver‐
2131 sion 4.2.1).
2132
2133 This configuration profile is consistent with CNSSI-1253, which
2134 requires U.S. National Security Systems to adhere to certain
2135 configuration parameters. Accordingly, this configuration pro‐
2136 file is suitable for use in U.S. National Security Systems.
2137
2138
2139 [RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise
2140 Linux 9
2141
2142 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2143
2144 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2145 plied.
2146
2147
2148 [RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers
2149 (RH CCP)
2150
2151 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2152
2153 This profile contains the minimum security relevant configura‐
2154 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2155 Linux 9 instances deployed by Red Hat Certified Cloud Providers.
2156
2157
2158 Standard System Security Profile for Red Hat Enterprise Linux 9
2159
2160 Profile ID: xccdf_org.ssgproject.content_profile_standard
2161
2162 This profile contains rules to ensure standard security baseline
2163 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
2164 tem's workload all of these checks should pass.
2165
2166
2167 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
2168
2169 Profile ID: xccdf_org.ssgproject.content_profile_stig
2170
2171 This profile contains configuration checks that are based on the
2172 RHEL8 STIG
2173
2174 In addition to being applicable to Red Hat Enterprise Linux 8,
2175 DISA recognizes this configuration baseline as applicable to the
2176 operating system tier of Red Hat technologies that are based on
2177 Red Hat Enterprise Linux 8, such as:
2178
2179 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2180 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2181 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2182 8 image
2183
2184
2185 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
2186
2187 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2188
2189 This profile contains configuration checks that are based on the
2190 RHEL8 STIG
2191
2192 In addition to being applicable to Red Hat Enterprise Linux 9,
2193 DISA recognizes this configuration baseline as applicable to the
2194 operating system tier of Red Hat technologies that are based on
2195 Red Hat Enterprise Linux 8, such as:
2196
2197 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2198 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2199 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2200 9 image
2201
2202 Warning: The installation and use of a Graphical User Interface
2203 (GUI) increases your attack vector and decreases your overall
2204 security posture. If your Information Systems Security Officer
2205 (ISSO) lacks a documented operational requirement for a graphi‐
2206 cal user interface, please consider using the standard DISA STIG
2207 for Red Hat Enterprise Linux 9 profile.
2208
2209
2210
2211
2212
2214
2215 Source Datastream: ssg-rhosp10-ds.xml
2216
2217 The Guide to the Secure Configuration of Red Hat OpenStack Platform 10
2218 is broken into 'profiles', groupings of security settings that corre‐
2219 late to a known policy. Available profiles are:
2220
2221
2222
2223 [DRAFT] Controlled Unclassified Infomration (CUI) Profile for Red Hat
2224 OpenStack Plaform 10
2225
2226 Profile ID: xccdf_org.ssgproject.content_profile_cui
2227
2228 These are the controls for scanning against CUI for rhosp10
2229
2230
2231 [DRAFT] STIG for Red Hat OpenStack Plaform 10
2232
2233 Profile ID: xccdf_org.ssgproject.content_profile_stig
2234
2235 Controls for scanning against classified STIG for rhosp10
2236
2237
2238
2239
2240
2242
2243 Source Datastream: ssg-rhosp13-ds.xml
2244
2245 The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
2246 is broken into 'profiles', groupings of security settings that corre‐
2247 late to a known policy. Available profiles are:
2248
2249
2250
2251 RHOSP STIG
2252
2253 Profile ID: xccdf_org.ssgproject.content_profile_stig
2254
2255 Sample profile description.
2256
2257
2258
2259
2260
2262 Source Datastream: ssg-rhv4-ds.xml
2263
2264 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
2265 broken into 'profiles', groupings of security settings that correlate
2266 to a known policy. Available profiles are:
2267
2268
2269
2270 PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
2271
2272 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2273
2274 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2275 plied.
2276
2277
2278 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
2279
2280 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
2281
2282 This *draft* profile contains configuration checks that align to
2283 the DISA STIG for Red Hat Virtualization Host (RHVH).
2284
2285
2286 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2287 ization Host (RHVH)
2288
2289 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
2290
2291 This compliance profile reflects the core set of security re‐
2292 lated configuration settings for deployment of Red Hat Virtual‐
2293 ization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
2294 Civilian agencies. Development partners and sponsors include
2295 the U.S. National Institute of Standards and Technology (NIST),
2296 U.S. Department of Defense, the National Security Agency, and
2297 Red Hat.
2298
2299 This baseline implements configuration requirements from the
2300 following sources:
2301
2302 - Committee on National Security Systems Instruction No. 1253
2303 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2304 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2305 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2306 (VPP v1.0)
2307
2308 For any differing configuration requirements, e.g. password
2309 lengths, the stricter security setting was chosen. Security Re‐
2310 quirement Traceability Guides (RTMs) and sample System Security
2311 Configuration Guides are provided via the scap-security-guide-
2312 docs package.
2313
2314 This profile reflects U.S. Government consensus content and is
2315 developed through the ComplianceAsCode project, championed by
2316 the National Security Agency. Except for differences in format‐
2317 ting to accommodate publishing processes, this profile mirrors
2318 ComplianceAsCode content as minor divergences, such as bugfixes,
2319 work through the consensus and release processes.
2320
2321
2322
2323
2324
2326 Source Datastream: ssg-sl7-ds.xml
2327
2328 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
2329 broken into 'profiles', groupings of security settings that correlate
2330 to a known policy. Available profiles are:
2331
2332
2333
2334 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2335
2336 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2337
2338 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2339 plied.
2340
2341
2342 Standard System Security Profile for Red Hat Enterprise Linux 7
2343
2344 Profile ID: xccdf_org.ssgproject.content_profile_standard
2345
2346 This profile contains rules to ensure standard security baseline
2347 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2348 tem's workload all of these checks should pass.
2349
2350
2351
2352
2353
2355 Source Datastream: ssg-sle12-ds.xml
2356
2357 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
2358 broken into 'profiles', groupings of security settings that correlate
2359 to a known policy. Available profiles are:
2360
2361
2362
2363 CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
2364
2365 Profile ID: xccdf_org.ssgproject.content_profile_cis
2366
2367 This profile defines a baseline that aligns to the "Level 2 -
2368 Server" configuration from the Center for Internet Security®
2369 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2370 04-27-2021.
2371
2372 This profile includes Center for Internet Security® SUSE Linux
2373 Enterprise 12 CIS Benchmarks™ content.
2374
2375
2376 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
2377
2378 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2379
2380 This profile defines a baseline that aligns to the "Level 1 -
2381 Server" configuration from the Center for Internet Security®
2382 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2383 04-27-2021.
2384
2385 This profile includes Center for Internet Security® SUSE Linux
2386 Enterprise 12 CIS Benchmarks™ content.
2387
2388
2389 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
2390
2391 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2392 tion_l1
2393
2394 This profile defines a baseline that aligns to the "Level 1 -
2395 Workstation" configuration from the Center for Internet Secu‐
2396 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2397 04-27-2021.
2398
2399 This profile includes Center for Internet Security® SUSE Linux
2400 Enterprise 12 CIS Benchmarks™ content.
2401
2402
2403 CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
2404
2405 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2406 tion_l2
2407
2408 This profile defines a baseline that aligns to the "Level 2 -
2409 Workstation" configuration from the Center for Internet Secu‐
2410 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2411 04-27-2021.
2412
2413 This profile includes Center for Internet Security® SUSE Linux
2414 Enterprise 12 CIS Benchmarks™ content.
2415
2416
2417 Standard System Security Profile for SUSE Linux Enterprise 12
2418
2419 Profile ID: xccdf_org.ssgproject.content_profile_standard
2420
2421 This profile contains rules to ensure standard security baseline
2422 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
2423 tem's workload all of these checks should pass.
2424
2425
2426 DISA STIG for SUSE Linux Enterprise 12
2427
2428 Profile ID: xccdf_org.ssgproject.content_profile_stig
2429
2430 This profile contains configuration checks that align to the
2431 DISA STIG for SUSE Linux Enterprise 12 V2R3.
2432
2433
2434
2435
2436
2438 Source Datastream: ssg-sle15-ds.xml
2439
2440 The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
2441 broken into 'profiles', groupings of security settings that correlate
2442 to a known policy. Available profiles are:
2443
2444
2445
2446 CIS SUSE Linux Enterprise 15 Benchmark
2447
2448 Profile ID: xccdf_org.ssgproject.content_profile_cis
2449
2450 This profile defines a baseline that aligns to the Center for
2451 Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.0.0,
2452 released 06-30-2020.
2453
2454 This profile includes Center for Internet Security® SUSE Linux
2455 Enterprise 15 CIS Benchmarks™ content.
2456
2457
2458 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
2459
2460 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2461
2462 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2463 plied.
2464
2465
2466 Standard System Security Profile for SUSE Linux Enterprise 15
2467
2468 Profile ID: xccdf_org.ssgproject.content_profile_standard
2469
2470 This profile contains rules to ensure standard security baseline
2471 of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
2472 ening Guide. Regardless of your system's workload all of these
2473 checks should pass.
2474
2475
2476 DISA STIG for SUSE Linux Enterprise 15
2477
2478 Profile ID: xccdf_org.ssgproject.content_profile_stig
2479
2480 This profile contains configuration checks that align to the
2481 DISA STIG for SUSE Linux Enterprise 15 V1R2.
2482
2483
2484
2485
2486
2488 Source Datastream: ssg-ubuntu1604-ds.xml
2489
2490 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
2491 'profiles', groupings of security settings that correlate to a known
2492 policy. Available profiles are:
2493
2494
2495
2496 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2497
2498 Profile ID: xccdf_org.ssgproject.content_pro‐
2499 file_anssi_np_nt28_average
2500
2501 This profile contains items for GNU/Linux installations already
2502 protected by multiple higher level security stacks.
2503
2504
2505 Profile for ANSSI DAT-NT28 High (Enforced) Level
2506
2507 Profile ID: xccdf_org.ssgproject.content_pro‐
2508 file_anssi_np_nt28_high
2509
2510 This profile contains items for GNU/Linux installations storing
2511 sensitive informations that can be accessible from unauthenti‐
2512 cated or uncontroled networks.
2513
2514
2515 Profile for ANSSI DAT-NT28 Minimal Level
2516
2517 Profile ID: xccdf_org.ssgproject.content_pro‐
2518 file_anssi_np_nt28_minimal
2519
2520 This profile contains items to be applied systematically.
2521
2522
2523 Profile for ANSSI DAT-NT28 Restrictive Level
2524
2525 Profile ID: xccdf_org.ssgproject.content_pro‐
2526 file_anssi_np_nt28_restrictive
2527
2528 This profile contains items for GNU/Linux installations exposed
2529 to unauthenticated flows or multiple sources.
2530
2531
2532 Standard System Security Profile for Ubuntu 16.04
2533
2534 Profile ID: xccdf_org.ssgproject.content_profile_standard
2535
2536 This profile contains rules to ensure standard security baseline
2537 of an Ubuntu 16.04 system. Regardless of your system's workload
2538 all of these checks should pass.
2539
2540
2541
2542
2543
2545 Source Datastream: ssg-ubuntu1804-ds.xml
2546
2547 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
2548 'profiles', groupings of security settings that correlate to a known
2549 policy. Available profiles are:
2550
2551
2552
2553 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2554
2555 Profile ID: xccdf_org.ssgproject.content_pro‐
2556 file_anssi_np_nt28_average
2557
2558 This profile contains items for GNU/Linux installations already
2559 protected by multiple higher level security stacks.
2560
2561
2562 Profile for ANSSI DAT-NT28 High (Enforced) Level
2563
2564 Profile ID: xccdf_org.ssgproject.content_pro‐
2565 file_anssi_np_nt28_high
2566
2567 This profile contains items for GNU/Linux installations storing
2568 sensitive informations that can be accessible from unauthenti‐
2569 cated or uncontroled networks.
2570
2571
2572 Profile for ANSSI DAT-NT28 Minimal Level
2573
2574 Profile ID: xccdf_org.ssgproject.content_pro‐
2575 file_anssi_np_nt28_minimal
2576
2577 This profile contains items to be applied systematically.
2578
2579
2580 Profile for ANSSI DAT-NT28 Restrictive Level
2581
2582 Profile ID: xccdf_org.ssgproject.content_pro‐
2583 file_anssi_np_nt28_restrictive
2584
2585 This profile contains items for GNU/Linux installations exposed
2586 to unauthenticated flows or multiple sources.
2587
2588
2589 CIS Ubuntu 18.04 LTS Benchmark
2590
2591 Profile ID: xccdf_org.ssgproject.content_profile_cis
2592
2593 This baseline aligns to the Center for Internet Security Ubuntu
2594 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
2595
2596
2597 Standard System Security Profile for Ubuntu 18.04
2598
2599 Profile ID: xccdf_org.ssgproject.content_profile_standard
2600
2601 This profile contains rules to ensure standard security baseline
2602 of an Ubuntu 18.04 system. Regardless of your system's workload
2603 all of these checks should pass.
2604
2605
2606
2607
2608
2610 Source Datastream: ssg-ubuntu2004-ds.xml
2611
2612 The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
2613 'profiles', groupings of security settings that correlate to a known
2614 policy. Available profiles are:
2615
2616
2617
2618 CIS Ubuntu 20.04 Level 1 Server Benchmark
2619
2620 Profile ID: xccdf_org.ssgproject.content_pro‐
2621 file_cis_level1_server
2622
2623 This baseline aligns to the Center for Internet Security Ubuntu
2624 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2625
2626
2627 CIS Ubuntu 20.04 Level 1 Workstation Benchmark
2628
2629 Profile ID: xccdf_org.ssgproject.content_pro‐
2630 file_cis_level1_workstation
2631
2632 This baseline aligns to the Center for Internet Security Ubuntu
2633 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2634
2635
2636 CIS Ubuntu 20.04 Level 2 Server Benchmark
2637
2638 Profile ID: xccdf_org.ssgproject.content_pro‐
2639 file_cis_level2_server
2640
2641 This baseline aligns to the Center for Internet Security Ubuntu
2642 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2643
2644
2645 CIS Ubuntu 20.04 Level 2 Workstation Benchmark
2646
2647 Profile ID: xccdf_org.ssgproject.content_pro‐
2648 file_cis_level2_workstation
2649
2650 This baseline aligns to the Center for Internet Security Ubuntu
2651 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2652
2653
2654 Standard System Security Profile for Ubuntu 20.04
2655
2656 Profile ID: xccdf_org.ssgproject.content_profile_standard
2657
2658 This profile contains rules to ensure standard security baseline
2659 of an Ubuntu 20.04 system. Regardless of your system's workload
2660 all of these checks should pass.
2661
2662
2663 Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
2664 (STIG) V1R1
2665
2666 Profile ID: xccdf_org.ssgproject.content_profile_stig
2667
2668 This Security Technical Implementation Guide is published as a
2669 tool to improve the security of Department of Defense (DoD) in‐
2670 formation systems. The requirements are derived from the Na‐
2671 tional Institute of Standards and Technology (NIST) 800-53 and
2672 related documents.
2673
2674
2675
2676
2677
2679 for Linux
2680 Source Datastream: ssg-vsel-ds.xml
2681
2682 The Guide to the Secure Configuration of McAfee VirusScan Enterprise
2683 for Linux is broken into 'profiles', groupings of security settings
2684 that correlate to a known policy. Available profiles are:
2685
2686
2687
2688 McAfee VirusScan Enterprise for Linux (VSEL) STIG
2689
2690 Profile ID: xccdf_org.ssgproject.content_profile_stig
2691
2692 The McAfee VirusScan Enterprise for Linux software provides a
2693 realtime virus scanner for Linux systems.
2694
2695
2696
2697
2698
2700 Source Datastream: ssg-wrlinux1019-ds.xml
2701
2702 The Guide to the Secure Configuration of WRLinux 1019 is broken into
2703 'profiles', groupings of security settings that correlate to a known
2704 policy. Available profiles are:
2705
2706
2707
2708 Basic Profile for Embedded Systems
2709
2710 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
2711
2712 This profile contains items common to many embedded Linux in‐
2713 stallations. Regardless of your system's deployment objective,
2714 all of these checks should pass.
2715
2716
2717 DRAFT DISA STIG for Wind River Linux
2718
2719 Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wr‐
2720 linux_disa
2721
2722 This profile contains configuration checks that align to the
2723 DISA STIG for Wind River Linux. This profile is being developed
2724 under the DoD consensus model to become a STIG in coordination
2725 with DISA FSO. What is the status of the Wind River Linux STIG?
2726 The Wind River Linux STIG is in development under the DoD con‐
2727 sensus model and Wind River has started the process to get ap‐
2728 proval from DISA. However, in the absence of an approved SRG or
2729 STIG, vendor recommendations may be used instead. The current
2730 contents constitute the vendor recommendations at the time of
2731 the product release containing these contents. Note that
2732 changes are expected before approval is granted, and those
2733 changes will be made available in future Wind River Linux Secu‐
2734 rity Profile 1019 RCPL releases. More information, including
2735 the following, is available from the DISA FAQs at https://pub‐
2736 lic.cyber.mil/stigs/faqs/
2737
2738
2739
2740
2741
2743 Source Datastream: ssg-wrlinux8-ds.xml
2744
2745 The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
2746 files', groupings of security settings that correlate to a known pol‐
2747 icy. Available profiles are:
2748
2749
2750
2751 Basic Profile for Embedded Systems
2752
2753 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
2754
2755 This profile contains items common to many embedded Linux in‐
2756 stallations. Regardless of your system's deployment objective,
2757 all of these checks should pass.
2758
2759
2760
2761
2762
2763
2765 To scan your system utilizing the OpenSCAP utility against the ospp
2766 profile:
2767
2768 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-re‐
2769 sults.xml --report /tmp/`hostname`-ssg-results.html --oval-results
2770 /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
2771
2772 Additional details can be found on the projects wiki page:
2773 https://www.github.com/ComplianceAsCode/content/wiki
2774
2775
2776
2778 /usr/share/xml/scap/ssg/content
2779 Houses SCAP content utilizing the following naming conventions:
2780
2781 SCAP Source Datastreams: ssg-{product}-ds.xml
2782
2783 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
2784
2785 CPE OVAL Content: ssg-{product}-cpe-oval.xml
2786
2787 OVAL Content: ssg-{product}-oval.xml
2788
2789 XCCDF Content: ssg-{product}-xccdf.xml
2790
2791 /usr/share/doc/scap-security-guide/guides/
2792 HTML versions of SSG profiles.
2793
2794 /usr/share/scap-security-guide/ansible/
2795 Contains Ansible Playbooks for SSG profiles.
2796
2797 /usr/share/scap-security-guide/bash/
2798 Contains Bash remediation scripts for SSG profiles.
2799
2800
2801
2803 SCAP Security Guide content is considered vendor (Red Hat) provided
2804 content. Per guidance from the U.S. National Institute of Standards
2805 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
2806 dor produced SCAP content in absence of "Governmental Authority" check‐
2807 lists. The specific NIST verbage:
2808 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
2809
2810
2811
2813 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
2814 products incorporated into DoD information systems shall be configured
2815 in accordance with DoD-approved security configuration guidelines" and
2816 tasks Defense Information Systems Agency (DISA) to "develop and provide
2817 security configuration guidance for IA and IA-enabled IT products in
2818 coordination with Director, NSA." The output of this authority is the
2819 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
2820 the process of moving the STIGs towards the use of the NIST Security
2821 Content Automation Protocol (SCAP) in order to "automate" compliance
2822 reporting of the STIGs.
2823
2824 Through a common, shared vision, the SCAP Security Guide community en‐
2825 joys close collaboration directly with NSA, NIST, and DISA FSO. As
2826 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
2827 Version 1, Release 2, issued on 03-JUNE-2013:
2828
2829 "The consensus content was developed using an open-source project
2830 called SCAP Security Guide. The project's website is https://www.open-
2831 scap.org/security-policies/scap-security-guide. Except for differences
2832 in formatting to accomodate the DISA STIG publishing process, the con‐
2833 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Se‐
2834 curity Guide content with only minor divergence as updates from multi‐
2835 ple sources work through the consensus process."
2836
2837 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was re‐
2838 leased in July 2019 Currently, the DoD Red Hat Enterprise Linux 7 STIG
2839 contains only XCCDF content and is available online: https://public.cy‐
2840 ber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
2841
2842 Content published against the public.cyber.mil website is authoritative
2843 STIG content. The SCAP Security Guide project, as noted in the STIG
2844 overview, is considered upstream content. Unlike DISA FSO, the SCAP Se‐
2845 curity Guide project does publish OVAL automation content. Individual
2846 programs and C&A evaluators make program-level determinations on the
2847 direct usage of the SCAP Security Guide. Currently there is no blanket
2848 approval.
2849
2850
2851
2853 oscap(8)
2854
2855
2856
2858 Please direct all questions to the SSG mailing list: https://lists.fe‐
2859 dorahosted.org/mailman/listinfo/scap-security-guide
2860
2861
2862
2863version 1 26 Jan 2013 scap-security-guide(8)