1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice and also links
14 it to compliance requirements in order to ease deployment activities,
15 such as certification and accreditation. These include requirements in
16 the U.S. government (Federal, Defense, and Intelligence Community) as
17 well as of the financial services and health care industries. For exam‐
18 ple, high-level and widely-accepted policies such as NIST 800-53 pro‐
19 vides prose stating that System Administrators must audit "privileged
20 user actions," but do not define what "privileged actions" are. The SSG
21 bridges the gap between generalized policy requirements and specific
22 implementation guidance, in SCAP formats to support automation whenever
23 possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-centos7-ds.xml
32 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
40 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
42 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
44 plied.
45 Standard System Security Profile for Red Hat Enterprise Linux 7
48 Profile ID: xccdf_org.ssgproject.content_profile_standard
50 This profile contains rules to ensure standard security baseline
52 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
53 tem's workload all of these checks should pass.
54
60 Source Datastream: ssg-centos8-ds.xml
61 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
63 broken into 'profiles', groupings of security settings that correlate
64 to a known policy. Available profiles are:
65 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
69 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
71 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
73 plied.
74 Standard System Security Profile for Red Hat Enterprise Linux 8
77 Profile ID: xccdf_org.ssgproject.content_profile_standard
79 This profile contains rules to ensure standard security baseline
81 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
82 tem's workload all of these checks should pass.
83
89 Source Datastream: ssg-chromium-ds.xml
90 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
92 files', groupings of security settings that correlate to a known pol‐
93 icy. Available profiles are:
94 Upstream STIG for Google Chromium
98 Profile ID: xccdf_org.ssgproject.content_profile_stig
100 This profile is developed under the DoD consensus model and DISA
102 FSO Vendor STIG process, serving as the upstream development en‐
103 vironment for the Google Chromium STIG.
104 As a result of the upstream/downstream relationship between the
106 SCAP Security Guide project and the official DISA FSO STIG base‐
107 line, users should expect variance between SSG and DISA FSO con‐
108 tent. For official DISA FSO STIG content, refer to https://pub‐
109 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
110 rity%2Cbrowser-guidance.
111 While this profile is packaged by Red Hat as part of the SCAP
113 Security Guide package, please note that commercial support of
114 this SCAP content is NOT available. This profile is provided as
115 example SCAP content with no endorsement for suitability or pro‐
116 duction readiness. Support for this profile is provided by the
117 upstream SCAP Security Guide community on a best-effort basis.
118 The upstream project homepage is https://www.open-scap.org/secu‐
119 rity-policies/scap-security-guide/.
120
126 Source Datastream: ssg-debian10-ds.xml
127 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
129 files', groupings of security settings that correlate to a known pol‐
130 icy. Available profiles are:
131 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
135 Profile ID: xccdf_org.ssgproject.content_pro‐
137 file_anssi_np_nt28_average
138 This profile contains items for GNU/Linux installations already
140 protected by multiple higher level security stacks.
141 Profile for ANSSI DAT-NT28 High (Enforced) Level
144 Profile ID: xccdf_org.ssgproject.content_pro‐
146 file_anssi_np_nt28_high
147 This profile contains items for GNU/Linux installations storing
149 sensitive informations that can be accessible from unauthenti‐
150 cated or uncontroled networks.
151 Profile for ANSSI DAT-NT28 Minimal Level
154 Profile ID: xccdf_org.ssgproject.content_pro‐
156 file_anssi_np_nt28_minimal
157 This profile contains items to be applied systematically.
159 Profile for ANSSI DAT-NT28 Restrictive Level
162 Profile ID: xccdf_org.ssgproject.content_pro‐
164 file_anssi_np_nt28_restrictive
165 This profile contains items for GNU/Linux installations exposed
167 to unauthenticated flows or multiple sources.
168 Standard System Security Profile for Debian 10
171 Profile ID: xccdf_org.ssgproject.content_profile_standard
173 This profile contains rules to ensure standard security baseline
175 of a Debian 10 system. Regardless of your system's workload all
176 of these checks should pass.
177
183 Source Datastream: ssg-debian9-ds.xml
184 The Guide to the Secure Configuration of Debian 9 is broken into 'pro‐
186 files', groupings of security settings that correlate to a known pol‐
187 icy. Available profiles are:
188 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
192 Profile ID: xccdf_org.ssgproject.content_pro‐
194 file_anssi_np_nt28_average
195 This profile contains items for GNU/Linux installations already
197 protected by multiple higher level security stacks.
198 Profile for ANSSI DAT-NT28 High (Enforced) Level
201 Profile ID: xccdf_org.ssgproject.content_pro‐
203 file_anssi_np_nt28_high
204 This profile contains items for GNU/Linux installations storing
206 sensitive informations that can be accessible from unauthenti‐
207 cated or uncontroled networks.
208 Profile for ANSSI DAT-NT28 Minimal Level
211 Profile ID: xccdf_org.ssgproject.content_pro‐
213 file_anssi_np_nt28_minimal
214 This profile contains items to be applied systematically.
216 Profile for ANSSI DAT-NT28 Restrictive Level
219 Profile ID: xccdf_org.ssgproject.content_pro‐
221 file_anssi_np_nt28_restrictive
222 This profile contains items for GNU/Linux installations exposed
224 to unauthenticated flows or multiple sources.
225 Standard System Security Profile for Debian 9
228 Profile ID: xccdf_org.ssgproject.content_profile_standard
230 This profile contains rules to ensure standard security baseline
232 of a Debian 9 system. Regardless of your system's workload all
233 of these checks should pass.
234
240 Source Datastream: ssg-fedora-ds.xml
241 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
243 files', groupings of security settings that correlate to a known pol‐
244 icy. Available profiles are:
245 OSPP - Protection Profile for General Purpose Operating Systems
249 Profile ID: xccdf_org.ssgproject.content_profile_ospp
251 This profile reflects mandatory configuration controls identi‐
253 fied in the NIAP Configuration Annex to the Protection Profile
254 for General Purpose Operating Systems (Protection Profile Ver‐
255 sion 4.2).
256 As Fedora OS is moving target, this profile does not guarantee
258 to provide security levels required from US National Security
259 Systems. Main goal of the profile is to provide Fedora develop‐
260 ers with hardened environment similar to the one mandated by US
261 National Security Systems.
262 PCI-DSS v3.2.1 Control Baseline for Fedora
265 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
267 Ensures PCI-DSS v3.2.1 related security configuration settings
269 are applied.
270 Standard System Security Profile for Fedora
273 Profile ID: xccdf_org.ssgproject.content_profile_standard
275 This profile contains rules to ensure standard security baseline
277 of a Fedora system. Regardless of your system's workload all of
278 these checks should pass.
279
285 Source Datastream: ssg-firefox-ds.xml
286 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
288 files', groupings of security settings that correlate to a known pol‐
289 icy. Available profiles are:
290 Upstream Firefox STIG
294 Profile ID: xccdf_org.ssgproject.content_profile_stig
296 This profile is developed under the DoD consensus model and DISA
298 FSO Vendor STIG process, serving as the upstream development en‐
299 vironment for the Firefox STIG.
300 As a result of the upstream/downstream relationship between the
302 SCAP Security Guide project and the official DISA FSO STIG base‐
303 line, users should expect variance between SSG and DISA FSO con‐
304 tent. For official DISA FSO STIG content, refer to https://pub‐
305 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
306 rity%2Cbrowser-guidance.
307 While this profile is packaged by Red Hat as part of the SCAP
309 Security Guide package, please note that commercial support of
310 this SCAP content is NOT available. This profile is provided as
311 example SCAP content with no endorsement for suitability or pro‐
312 duction readiness. Support for this profile is provided by the
313 upstream SCAP Security Guide community on a best-effort basis.
314 The upstream project homepage is https://www.open-scap.org/secu‐
315 rity-policies/scap-security-guide/.
316
322 Source Datastream: ssg-fuse6-ds.xml
323 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
325 'profiles', groupings of security settings that correlate to a known
326 policy. Available profiles are:
327 STIG for Apache ActiveMQ
331 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
333 This is a *draft* profile for STIG. This profile is being devel‐
335 oped under the DoD consensus model to become a STIG in coordina‐
336 tion with DISA FSO.
337 Standard System Security Profile for JBoss
340 Profile ID: xccdf_org.ssgproject.content_profile_standard
342 This profile contains rules to ensure standard security baseline
344 of JBoss Fuse. Regardless of your system's workload all of these
345 checks should pass.
346 STIG for JBoss Fuse 6
349 Profile ID: xccdf_org.ssgproject.content_profile_stig
351 This is a *draft* profile for STIG. This profile is being devel‐
353 oped under the DoD consensus model to become a STIG in coordina‐
354 tion with DISA FSO.
355
361 Source Datastream: ssg-jre-ds.xml
362 The Guide to the Secure Configuration of Java Runtime Environment is
364 broken into 'profiles', groupings of security settings that correlate
365 to a known policy. Available profiles are:
366 Java Runtime Environment (JRE) STIG
370 Profile ID: xccdf_org.ssgproject.content_profile_stig
372 The Java Runtime Environment (JRE) is a bundle developed and of‐
374 fered by Oracle Corporation which includes the Java Virtual Ma‐
375 chine (JVM), class libraries, and other components necessary to
376 run Java applications and applets. Certain default settings
377 within the JRE pose a security risk so it is necessary to deploy
378 system wide properties to ensure a higher degree of security
379 when utilizing the JRE.
380 The IBM Corporation also develops and bundles the Java Runtime
382 Environment (JRE) as well as Red Hat with OpenJDK.
383
389 Source Datastream: ssg-macos1015-ds.xml
390 The Guide to the Secure Configuration of Apple macOS 10.15 is broken
392 into 'profiles', groupings of security settings that correlate to a
393 known policy. Available profiles are:
394 NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
398 Profile ID: xccdf_org.ssgproject.content_profile_moderate
400 This compliance profile reflects the core set of Moderate-Impact
402 Baseline configuration settings for deployment of Apple macOS
403 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
404 agencies. Development partners and sponsors include the U.S.
405 National Institute of Standards and Technology (NIST), U.S. De‐
406 partment of Defense, and the the National Security Agency.
407 This baseline implements configuration requirements from the
409 following sources:
410 - NIST 800-53 control selections for Moderate-Impact systems
412 (NIST 800-53)
413 For any differing configuration requirements, e.g. password
415 lengths, the stricter security setting was chosen. Security Re‐
416 quirement Traceability Guides (RTMs) and sample System Security
417 Configuration Guides are provided via the scap-security-guide-
418 docs package.
419 This profile reflects U.S. Government consensus content and is
421 developed through the ComplianceAsCode initiative, championed by
422 the National Security Agency. Except for differences in format‐
423 ting to accommodate publishing processes, this profile mirrors
424 ComplianceAsCode content as minor divergences, such as bugfixes,
425 work through the consensus and release processes.
426
432 Platform 4
433 Source Datastream: ssg-ocp4-ds.xml
434 The Guide to the Secure Configuration of Red Hat OpenShift Container
436 Platform 4 is broken into 'profiles', groupings of security settings
437 that correlate to a known policy. Available profiles are:
438 CIS Red Hat OpenShift Container Platform 4 Benchmark
442 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
444 This profile defines a baseline that aligns to the Center for
446 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
447 mark™, V1.1.
448 This profile includes Center for Internet Security® Red Hat
450 OpenShift Container Platform 4 CIS Benchmarks™ content.
451 Note that this part of the profile is meant to run on the Oper‐
453 ating System that Red Hat OpenShift Container Platform 4 runs on
454 top of.
455 This profile is applicable to OpenShift versions 4.6 and
457 greater.
458 CIS Red Hat OpenShift Container Platform 4 Benchmark
461 Profile ID: xccdf_org.ssgproject.content_profile_cis
463 This profile defines a baseline that aligns to the Center for
465 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
466 mark™, V1.1.
467 This profile includes Center for Internet Security® Red Hat
469 OpenShift Container Platform 4 CIS Benchmarks™ content.
470 Note that this part of the profile is meant to run on the Plat‐
472 form that Red Hat OpenShift Container Platform 4 runs on top of.
473 This profile is applicable to OpenShift versions 4.6 and
475 greater.
476 Australian Cyber Security Centre (ACSC) Essential Eight
479 Profile ID: xccdf_org.ssgproject.content_profile_e8
481 This profile contains configuration checks for Red Hat OpenShift
483 Container Platform that align to the Australian Cyber Security
484 Centre (ACSC) Essential Eight.
485 A copy of the Essential Eight in Linux Environments guide can be
487 found at the ACSC website:
488 https://www.cyber.gov.au/acsc/view-all-content/publica‐
490 tions/hardening-linux-workstations-and-servers
491 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
494 Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
496 This compliance profile reflects the core set of Moderate-Impact
498 Baseline configuration settings for deployment of Red Hat Open‐
499 Shift Container Platform into U.S. Defense, Intelligence, and
500 Civilian agencies. Development partners and sponsors include
501 the U.S. National Institute of Standards and Technology (NIST),
502 U.S. Department of Defense, the National Security Agency, and
503 Red Hat.
504 This baseline implements configuration requirements from the
506 following sources:
507 - NIST 800-53 control selections for Moderate-Impact systems
509 (NIST 800-53)
510 For any differing configuration requirements, e.g. password
512 lengths, the stricter security setting was chosen. Security Re‐
513 quirement Traceability Guides (RTMs) and sample System Security
514 Configuration Guides are provided via the scap-security-guide-
515 docs package.
516 This profile reflects U.S. Government consensus content and is
518 developed through the ComplianceAsCode initiative, championed by
519 the National Security Agency. Except for differences in format‐
520 ting to accommodate publishing processes, this profile mirrors
521 ComplianceAsCode content as minor divergences, such as bugfixes,
522 work through the consensus and release processes.
523 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
526 level
527 Profile ID: xccdf_org.ssgproject.content_profile_moderate
529 This compliance profile reflects the core set of Moderate-Impact
531 Baseline configuration settings for deployment of Red Hat Open‐
532 Shift Container Platform into U.S. Defense, Intelligence, and
533 Civilian agencies. Development partners and sponsors include
534 the U.S. National Institute of Standards and Technology (NIST),
535 U.S. Department of Defense, the National Security Agency, and
536 Red Hat.
537 This baseline implements configuration requirements from the
539 following sources:
540 - NIST 800-53 control selections for Moderate-Impact systems
542 (NIST 800-53)
543 For any differing configuration requirements, e.g. password
545 lengths, the stricter security setting was chosen. Security Re‐
546 quirement Traceability Guides (RTMs) and sample System Security
547 Configuration Guides are provided via the scap-security-guide-
548 docs package.
549 This profile reflects U.S. Government consensus content and is
551 developed through the ComplianceAsCode initiative, championed by
552 the National Security Agency. Except for differences in format‐
553 ting to accommodate publishing processes, this profile mirrors
554 ComplianceAsCode content as minor divergences, such as bugfixes,
555 work through the consensus and release processes.
556 NIST National Checklist for Red Hat OpenShift Container Platform
559 Profile ID: xccdf_org.ssgproject.content_profile_ncp
561 This compliance profile reflects the core set of security re‐
563 lated configuration settings for deployment of Red Hat OpenShift
564 Container Platform into U.S. Defense, Intelligence, and Civilian
565 agencies. Development partners and sponsors include the U.S.
566 National Institute of Standards and Technology (NIST), U.S. De‐
567 partment of Defense, the National Security Agency, and Red Hat.
568 This baseline implements configuration requirements from the
570 following sources:
571 - Committee on National Security Systems Instruction No. 1253
573 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
574 800-171) - NIST 800-53 control selections for Moderate-Impact
575 systems (NIST 800-53) - U.S. Government Configuration Baseline
576 (USGCB) - NIAP Protection Profile for General Purpose Operating
577 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
578 Requirements Guide (OS SRG)
579 For any differing configuration requirements, e.g. password
581 lengths, the stricter security setting was chosen. Security Re‐
582 quirement Traceability Guides (RTMs) and sample System Security
583 Configuration Guides are provided via the scap-security-guide-
584 docs package.
585 This profile reflects U.S. Government consensus content and is
587 developed through the ComplianceAsCode initiative, championed by
588 the National Security Agency. Except for differences in format‐
589 ting to accommodate publishing processes, this profile mirrors
590 ComplianceAsCode content as minor divergences, such as bugfixes,
591 work through the consensus and release processes.
592 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
595 form 4
596 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
598 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
600 plied.
601
607 Source Datastream: ssg-ol7-ds.xml
608 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
610 'profiles', groupings of security settings that correlate to a known
611 policy. Available profiles are:
612 ANSSI-BP-028 (enhanced)
616 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
618 hanced
619 This profile contains configurations that align to ANSSI-BP-028
621 at the enhanced hardening level.
622 ANSSI is the French National Information Security Agency, and
624 stands for Agence nationale de la sécurité des systèmes d'infor‐
625 mation. ANSSI-BP-028 is a configuration recommendation for
626 GNU/Linux systems.
627 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
629 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
630 securite-relatives-a-un-systeme-gnulinux/
631 DRAFT - ANSSI-BP-028 (high)
634 Profile ID: xccdf_org.ssgproject.content_pro‐
636 file_anssi_nt28_high
637 This profile contains configurations that align to ANSSI-BP-028
639 at the high hardening level.
640 ANSSI is the French National Information Security Agency, and
642 stands for Agence nationale de la sécurité des systèmes d'infor‐
643 mation. ANSSI-BP-028 is a configuration recommendation for
644 GNU/Linux systems.
645 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
647 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
648 securite-relatives-a-un-systeme-gnulinux/
649 ANSSI-BP-028 (intermediary)
652 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
654 termediary
655 This profile contains configurations that align to ANSSI-BP-028
657 at the intermediary hardening level.
658 ANSSI is the French National Information Security Agency, and
660 stands for Agence nationale de la sécurité des systèmes d'infor‐
661 mation. ANSSI-BP-028 is a configuration recommendation for
662 GNU/Linux systems.
663 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
665 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
666 securite-relatives-a-un-systeme-gnulinux/
667 ANSSI-BP-028 (minimal)
670 Profile ID: xccdf_org.ssgproject.content_pro‐
672 file_anssi_nt28_minimal
673 This profile contains configurations that align to ANSSI-BP-028
675 at the minimal hardening level.
676 ANSSI is the French National Information Security Agency, and
678 stands for Agence nationale de la sécurité des systèmes d'infor‐
679 mation. ANSSI-BP-028 is a configuration recommendation for
680 GNU/Linux systems.
681 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
683 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
684 securite-relatives-a-un-systeme-gnulinux/
685 Criminal Justice Information Services (CJIS) Security Policy
688 Profile ID: xccdf_org.ssgproject.content_profile_cjis
690 This profile is derived from FBI's CJIS v5.4 Security Policy. A
692 copy of this policy can be found at the CJIS Security Policy Re‐
693 source Center:
694 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
696 center
697 Unclassified Information in Non-federal Information Systems and Organi‐
700 zations (NIST 800-171)
701 Profile ID: xccdf_org.ssgproject.content_profile_cui
703 From NIST 800-171, Section 2.2: Security requirements for pro‐
705 tecting the confidentiality of CUI in non-federal information
706 systems and organizations have a well-defined structure that
707 consists of:
708 (i) a basic security requirements section; (ii) a derived secu‐
710 rity requirements section.
711 The basic security requirements are obtained from FIPS Publica‐
713 tion 200, which provides the high-level and fundamental security
714 requirements for federal information and information systems.
715 The derived security requirements, which supplement the basic
716 security requirements, are taken from the security controls in
717 NIST Special Publication 800-53.
718 This profile configures Oracle Linux 7 to the NIST Special Pub‐
720 lication 800-53 controls identified for securing Controlled Un‐
721 classified Information (CUI).
722 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
725 Profile ID: xccdf_org.ssgproject.content_profile_e8
727 This profile contains configuration checks for Oracle Linux 7
729 that align to the Australian Cyber Security Centre (ACSC) Essen‐
730 tial Eight.
731 A copy of the Essential Eight in Linux Environments guide can be
733 found at the ACSC website:
734 https://www.cyber.gov.au/acsc/view-all-content/publica‐
736 tions/hardening-linux-workstations-and-servers
737 Health Insurance Portability and Accountability Act (HIPAA)
740 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
742 The HIPAA Security Rule establishes U.S. national standards to
744 protect individuals’ electronic personal health information that
745 is created, received, used, or maintained by a covered entity.
746 The Security Rule requires appropriate administrative, physical
747 and technical safeguards to ensure the confidentiality, integ‐
748 rity, and security of electronic protected health information.
749 This profile configures Oracle Linux 7 to the HIPAA Security
751 Rule identified for securing of electronic protected health in‐
752 formation. Use of this profile in no way guarantees or makes
753 claims against legal compliance against the HIPAA Security
754 Rule(s).
755 [DRAFT] Protection Profile for General Purpose Operating Systems
758 Profile ID: xccdf_org.ssgproject.content_profile_ospp
760 This profile reflects mandatory configuration controls identi‐
762 fied in the NIAP Configuration Annex to the Protection Profile
763 for General Purpose Operating Systems (Protection Profile Ver‐
764 sion 4.2.1).
765 This configuration profile is consistent with CNSSI-1253, which
767 requires U.S. National Security Systems to adhere to certain
768 configuration parameters. Accordingly, this configuration pro‐
769 file is suitable for use in U.S. National Security Systems.
770 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
773 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
775 Ensures PCI-DSS v3.2.1 related security configuration settings
777 are applied.
778 Security Profile of Oracle Linux 7 for SAP
781 Profile ID: xccdf_org.ssgproject.content_profile_sap
783 This profile contains rules for Oracle Linux 7 Operating System
785 in compliance with SAP note 2069760 and SAP Security Baseline
786 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
787 of your system's workload all of these checks should pass.
788 Standard System Security Profile for Oracle Linux 7
791 Profile ID: xccdf_org.ssgproject.content_profile_standard
793 This profile contains rules to ensure standard security baseline
795 of Oracle Linux 7 system. Regardless of your system's workload
796 all of these checks should pass.
797 DISA STIG for Oracle Linux 7
800 Profile ID: xccdf_org.ssgproject.content_profile_stig
802 This profile contains configuration checks that align to the
804 DISA STIG for Oracle Linux V2R4.
805
811 Source Datastream: ssg-ol8-ds.xml
812 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
814 'profiles', groupings of security settings that correlate to a known
815 policy. Available profiles are:
816 ANSSI-BP-028 (enhanced)
820 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
822 hanced
823 This profile contains configurations that align to ANSSI-BP-028
825 at the enhanced hardening level.
826 ANSSI is the French National Information Security Agency, and
828 stands for Agence nationale de la sécurité des systèmes d'infor‐
829 mation. ANSSI-BP-028 is a configuration recommendation for
830 GNU/Linux systems.
831 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
833 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
834 securite-relatives-a-un-systeme-gnulinux/
835 DRAFT - ANSSI-BP-028 (high)
838 Profile ID: xccdf_org.ssgproject.content_pro‐
840 file_anssi_bp28_high
841 This profile contains configurations that align to ANSSI-BP-028
843 at the high hardening level.
844 ANSSI is the French National Information Security Agency, and
846 stands for Agence nationale de la sécurité des systèmes d'infor‐
847 mation. ANSSI-BP-028 is a configuration recommendation for
848 GNU/Linux systems.
849 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
851 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
852 securite-relatives-a-un-systeme-gnulinux/
853 ANSSI-BP-028 (intermediary)
856 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
858 termediary
859 This profile contains configurations that align to ANSSI-BP-028
861 at the intermediary hardening level.
862 ANSSI is the French National Information Security Agency, and
864 stands for Agence nationale de la sécurité des systèmes d'infor‐
865 mation. ANSSI-BP-028 is a configuration recommendation for
866 GNU/Linux systems.
867 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
869 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
870 securite-relatives-a-un-systeme-gnulinux/
871 ANSSI-BP-028 (minimal)
874 Profile ID: xccdf_org.ssgproject.content_pro‐
876 file_anssi_bp28_minimal
877 This profile contains configurations that align to ANSSI-BP-028
879 at the minimal hardening level.
880 ANSSI is the French National Information Security Agency, and
882 stands for Agence nationale de la sécurité des systèmes d'infor‐
883 mation. ANSSI-BP-028 is a configuration recommendation for
884 GNU/Linux systems.
885 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
887 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
888 securite-relatives-a-un-systeme-gnulinux/
889 Criminal Justice Information Services (CJIS) Security Policy
892 Profile ID: xccdf_org.ssgproject.content_profile_cjis
894 This profile is derived from FBI's CJIS v5.4 Security Policy. A
896 copy of this policy can be found at the CJIS Security Policy Re‐
897 source Center:
898 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
900 center
901 Unclassified Information in Non-federal Information Systems and Organi‐
904 zations (NIST 800-171)
905 Profile ID: xccdf_org.ssgproject.content_profile_cui
907 From NIST 800-171, Section 2.2: Security requirements for pro‐
909 tecting the confidentiality of CUI in non-federal information
910 systems and organizations have a well-defined structure that
911 consists of:
912 (i) a basic security requirements section; (ii) a derived secu‐
914 rity requirements section.
915 The basic security requirements are obtained from FIPS Publica‐
917 tion 200, which provides the high-level and fundamental security
918 requirements for federal information and information systems.
919 The derived security requirements, which supplement the basic
920 security requirements, are taken from the security controls in
921 NIST Special Publication 800-53.
922 This profile configures Oracle Linux 8 to the NIST Special Pub‐
924 lication 800-53 controls identified for securing Controlled Un‐
925 classified Information (CUI).
926 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
929 Profile ID: xccdf_org.ssgproject.content_profile_e8
931 This profile contains configuration checks for Oracle Linux 8
933 that align to the Australian Cyber Security Centre (ACSC) Essen‐
934 tial Eight.
935 A copy of the Essential Eight in Linux Environments guide can be
937 found at the ACSC website:
938 https://www.cyber.gov.au/acsc/view-all-content/publica‐
940 tions/hardening-linux-workstations-and-servers
941 Health Insurance Portability and Accountability Act (HIPAA)
944 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
946 The HIPAA Security Rule establishes U.S. national standards to
948 protect individuals’ electronic personal health information that
949 is created, received, used, or maintained by a covered entity.
950 The Security Rule requires appropriate administrative, physical
951 and technical safeguards to ensure the confidentiality, integ‐
952 rity, and security of electronic protected health information.
953 This profile configures Oracle Linux 8 to the HIPAA Security
955 Rule identified for securing of electronic protected health in‐
956 formation. Use of this profile in no way guarantees or makes
957 claims against legal compliance against the HIPAA Security
958 Rule(s).
959 [DRAFT] Protection Profile for General Purpose Operating Systems
962 Profile ID: xccdf_org.ssgproject.content_profile_ospp
964 This profile reflects mandatory configuration controls identi‐
966 fied in the NIAP Configuration Annex to the Protection Profile
967 for General Purpose Operating Systems (Protection Profile Ver‐
968 sion 4.2.1).
969 This configuration profile is consistent with CNSSI-1253, which
971 requires U.S. National Security Systems to adhere to certain
972 configuration parameters. Accordingly, this configuration pro‐
973 file is suitable for use in U.S. National Security Systems.
974 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
977 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
979 Ensures PCI-DSS v3.2.1 related security configuration settings
981 are applied.
982 Standard System Security Profile for Oracle Linux 8
985 Profile ID: xccdf_org.ssgproject.content_profile_standard
987 This profile contains rules to ensure standard security baseline
989 of Oracle Linux 8 system. Regardless of your system's workload
990 all of these checks should pass.
991
997 Source Datastream: ssg-opensuse-ds.xml
998 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
1000 files', groupings of security settings that correlate to a known pol‐
1001 icy. Available profiles are:
1002 Standard System Security Profile for openSUSE
1006 Profile ID: xccdf_org.ssgproject.content_profile_standard
1008 This profile contains rules to ensure standard security baseline
1010 of an openSUSE system. Regardless of your system's workload all
1011 of these checks should pass.
1012
1018 CoreOS 4
1019 Source Datastream: ssg-rhcos4-ds.xml
1020 The Guide to the Secure Configuration of Red Hat Enterprise Linux
1022 CoreOS 4 is broken into 'profiles', groupings of security settings that
1023 correlate to a known policy. Available profiles are:
1024 DRAFT - ANSSI-BP-028 (enhanced)
1028 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1030 hanced
1031 This profile contains configurations that align to ANSSI-BP-028
1033 at the enhanced hardening level.
1034 ANSSI is the French National Information Security Agency, and
1036 stands for Agence nationale de la sécurité des systèmes d'infor‐
1037 mation. ANSSI-BP-028 is a configuration recommendation for
1038 GNU/Linux systems.
1039 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1041 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1042 securite-relatives-a-un-systeme-gnulinux/
1043 DRAFT - ANSSI-BP-028 (high)
1046 Profile ID: xccdf_org.ssgproject.content_pro‐
1048 file_anssi_bp28_high
1049 This profile contains configurations that align to ANSSI-BP-028
1051 at the high hardening level.
1052 ANSSI is the French National Information Security Agency, and
1054 stands for Agence nationale de la sécurité des systèmes d'infor‐
1055 mation. ANSSI-BP-028 is a configuration recommendation for
1056 GNU/Linux systems.
1057 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1059 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1060 securite-relatives-a-un-systeme-gnulinux/
1061 DRAFT - ANSSI-BP-028 (intermediary)
1064 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1066 termediary
1067 This profile contains configurations that align to ANSSI-BP-028
1069 at the intermediary hardening level.
1070 ANSSI is the French National Information Security Agency, and
1072 stands for Agence nationale de la sécurité des systèmes d'infor‐
1073 mation. ANSSI-BP-028 is a configuration recommendation for
1074 GNU/Linux systems.
1075 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1077 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1078 securite-relatives-a-un-systeme-gnulinux/
1079 DRAFT - ANSSI-BP-028 (minimal)
1082 Profile ID: xccdf_org.ssgproject.content_pro‐
1084 file_anssi_bp28_minimal
1085 This profile contains configurations that align to ANSSI-BP-028
1087 at the minimal hardening level.
1088 ANSSI is the French National Information Security Agency, and
1090 stands for Agence nationale de la sécurité des systèmes d'infor‐
1091 mation. ANSSI-BP-028 is a configuration recommendation for
1092 GNU/Linux systems.
1093 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1095 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1096 securite-relatives-a-un-systeme-gnulinux/
1097 Australian Cyber Security Centre (ACSC) Essential Eight
1100 Profile ID: xccdf_org.ssgproject.content_profile_e8
1102 This profile contains configuration checks for Red Hat Enter‐
1104 prise Linux CoreOS that align to the Australian Cyber Security
1105 Centre (ACSC) Essential Eight.
1106 A copy of the Essential Eight in Linux Environments guide can be
1108 found at the ACSC website:
1109 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1111 tions/hardening-linux-workstations-and-servers
1112 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
1115 CoreOS
1116 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1118 This compliance profile reflects the core set of Moderate-Impact
1120 Baseline configuration settings for deployment of Red Hat Enter‐
1121 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1122 agencies. Development partners and sponsors include the U.S.
1123 National Institute of Standards and Technology (NIST), U.S. De‐
1124 partment of Defense, the National Security Agency, and Red Hat.
1125 This baseline implements configuration requirements from the
1127 following sources:
1128 - NIST 800-53 control selections for Moderate-Impact systems
1130 (NIST 800-53)
1131 For any differing configuration requirements, e.g. password
1133 lengths, the stricter security setting was chosen. Security Re‐
1134 quirement Traceability Guides (RTMs) and sample System Security
1135 Configuration Guides are provided via the scap-security-guide-
1136 docs package.
1137 This profile reflects U.S. Government consensus content and is
1139 developed through the ComplianceAsCode initiative, championed by
1140 the National Security Agency. Except for differences in format‐
1141 ting to accommodate publishing processes, this profile mirrors
1142 ComplianceAsCode content as minor divergences, such as bugfixes,
1143 work through the consensus and release processes.
1144 NIST National Checklist for Red Hat Enterprise Linux CoreOS
1147 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1149 This compliance profile reflects the core set of security re‐
1151 lated configuration settings for deployment of Red Hat Enter‐
1152 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1153 agencies. Development partners and sponsors include the U.S.
1154 National Institute of Standards and Technology (NIST), U.S. De‐
1155 partment of Defense, the National Security Agency, and Red Hat.
1156 This baseline implements configuration requirements from the
1158 following sources:
1159 - Committee on National Security Systems Instruction No. 1253
1161 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1162 800-171) - NIST 800-53 control selections for Moderate-Impact
1163 systems (NIST 800-53) - U.S. Government Configuration Baseline
1164 (USGCB) - NIAP Protection Profile for General Purpose Operating
1165 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1166 Requirements Guide (OS SRG)
1167 For any differing configuration requirements, e.g. password
1169 lengths, the stricter security setting was chosen. Security Re‐
1170 quirement Traceability Guides (RTMs) and sample System Security
1171 Configuration Guides are provided via the scap-security-guide-
1172 docs package.
1173 This profile reflects U.S. Government consensus content and is
1175 developed through the ComplianceAsCode initiative, championed by
1176 the National Security Agency. Except for differences in format‐
1177 ting to accommodate publishing processes, this profile mirrors
1178 ComplianceAsCode content as minor divergences, such as bugfixes,
1179 work through the consensus and release processes.
1180 Protection Profile for General Purpose Operating Systems
1183 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1185 This profile reflects mandatory configuration controls identi‐
1187 fied in the NIAP Configuration Annex to the Protection Profile
1188 for General Purpose Operating Systems (Protection Profile Ver‐
1189 sion 4.2.1).
1190 This configuration profile is consistent with CNSSI-1253, which
1192 requires U.S. National Security Systems to adhere to certain
1193 configuration parameters. Accordingly, this configuration pro‐
1194 file is suitable for use in U.S. National Security Systems.
1195 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS
1198 Profile ID: xccdf_org.ssgproject.content_profile_stig
1200 This profile contains configuration checks that align to the
1202 [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS which is
1203 the operating system layer of Red Hat OpenShift Container Plat‐
1204 form.
1205
1211 Source Datastream: ssg-rhel7-ds.xml
1212 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1214 broken into 'profiles', groupings of security settings that correlate
1215 to a known policy. Available profiles are:
1216 C2S for Red Hat Enterprise Linux 7
1220 Profile ID: xccdf_org.ssgproject.content_profile_C2S
1222 This profile demonstrates compliance against the U.S. Government
1224 Commercial Cloud Services (C2S) baseline.
1225 This baseline was inspired by the Center for Internet Security
1227 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1228 For the SCAP Security Guide project to remain in compliance with
1230 CIS' terms and conditions, specifically Restrictions(8), note
1231 there is no representation or claim that the C2S profile will
1232 ensure a system is in compliance or consistency with the CIS
1233 baseline.
1234 ANSSI-BP-028 (enhanced)
1237 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1239 hanced
1240 This profile contains configurations that align to ANSSI-BP-028
1242 v1.2 at the enhanced hardening level.
1243 ANSSI is the French National Information Security Agency, and
1245 stands for Agence nationale de la sécurité des systèmes d'infor‐
1246 mation. ANSSI-BP-028 is a configuration recommendation for
1247 GNU/Linux systems.
1248 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1250 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1251 securite-relatives-a-un-systeme-gnulinux/
1252 ANSSI-BP-028 (high)
1255 Profile ID: xccdf_org.ssgproject.content_pro‐
1257 file_anssi_nt28_high
1258 This profile contains configurations that align to ANSSI-BP-028
1260 v1.2 at the high hardening level.
1261 ANSSI is the French National Information Security Agency, and
1263 stands for Agence nationale de la sécurité des systèmes d'infor‐
1264 mation. ANSSI-BP-028 is a configuration recommendation for
1265 GNU/Linux systems.
1266 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1268 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1269 securite-relatives-a-un-systeme-gnulinux/
1270 ANSSI-BP-028 (intermediary)
1273 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1275 termediary
1276 This profile contains configurations that align to ANSSI-BP-028
1278 v1.2 at the intermediary hardening level.
1279 ANSSI is the French National Information Security Agency, and
1281 stands for Agence nationale de la sécurité des systèmes d'infor‐
1282 mation. ANSSI-BP-028 is a configuration recommendation for
1283 GNU/Linux systems.
1284 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1286 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1287 securite-relatives-a-un-systeme-gnulinux/
1288 ANSSI-BP-028 (minimal)
1291 Profile ID: xccdf_org.ssgproject.content_pro‐
1293 file_anssi_nt28_minimal
1294 This profile contains configurations that align to ANSSI-BP-028
1296 v1.2 at the minimal hardening level.
1297 ANSSI is the French National Information Security Agency, and
1299 stands for Agence nationale de la sécurité des systèmes d'infor‐
1300 mation. ANSSI-BP-028 is a configuration recommendation for
1301 GNU/Linux systems.
1302 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1304 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1305 securite-relatives-a-un-systeme-gnulinux/
1306 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
1309 Profile ID: xccdf_org.ssgproject.content_profile_cis
1311 This profile defines a baseline that aligns to the "Level 2 -
1313 Server" configuration from the Center for Internet Security® Red
1314 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1315 This profile includes Center for Internet Security® Red Hat En‐
1317 terprise Linux 7 CIS Benchmarks™ content.
1318 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
1321 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1323 This profile defines a baseline that aligns to the "Level 1 -
1325 Server" configuration from the Center for Internet Security® Red
1326 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1327 This profile includes Center for Internet Security® Red Hat En‐
1329 terprise Linux 7 CIS Benchmarks™ content.
1330 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
1333 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1335 tion_l1
1336 This profile defines a baseline that aligns to the "Level 1 -
1338 Workstation" configuration from the Center for Internet Secu‐
1339 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1340 05-21-2021.
1341 This profile includes Center for Internet Security® Red Hat En‐
1343 terprise Linux 7 CIS Benchmarks™ content.
1344 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
1347 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1349 tion_l2
1350 This profile defines a baseline that aligns to the "Level 2 -
1352 Workstation" configuration from the Center for Internet Secu‐
1353 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1354 05-21-2021.
1355 This profile includes Center for Internet Security® Red Hat En‐
1357 terprise Linux 7 CIS Benchmarks™ content.
1358 Criminal Justice Information Services (CJIS) Security Policy
1361 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1363 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1365 copy of this policy can be found at the CJIS Security Policy Re‐
1366 source Center:
1367 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1369 center
1370 Unclassified Information in Non-federal Information Systems and Organi‐
1373 zations (NIST 800-171)
1374 Profile ID: xccdf_org.ssgproject.content_profile_cui
1376 From NIST 800-171, Section 2.2: Security requirements for pro‐
1378 tecting the confidentiality of CUI in non-federal information
1379 systems and organizations have a well-defined structure that
1380 consists of:
1381 (i) a basic security requirements section; (ii) a derived secu‐
1383 rity requirements section.
1384 The basic security requirements are obtained from FIPS Publica‐
1386 tion 200, which provides the high-level and fundamental security
1387 requirements for federal information and information systems.
1388 The derived security requirements, which supplement the basic
1389 security requirements, are taken from the security controls in
1390 NIST Special Publication 800-53.
1391 This profile configures Red Hat Enterprise Linux 7 to the NIST
1393 Special Publication 800-53 controls identified for securing Con‐
1394 trolled Unclassified Information (CUI).
1395 Australian Cyber Security Centre (ACSC) Essential Eight
1398 Profile ID: xccdf_org.ssgproject.content_profile_e8
1400 This profile contains configuration checks for Red Hat Enter‐
1402 prise Linux 7 that align to the Australian Cyber Security Centre
1403 (ACSC) Essential Eight.
1404 A copy of the Essential Eight in Linux Environments guide can be
1406 found at the ACSC website:
1407 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1409 tions/hardening-linux-workstations-and-servers
1410 Health Insurance Portability and Accountability Act (HIPAA)
1413 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1415 The HIPAA Security Rule establishes U.S. national standards to
1417 protect individuals’ electronic personal health information that
1418 is created, received, used, or maintained by a covered entity.
1419 The Security Rule requires appropriate administrative, physical
1420 and technical safeguards to ensure the confidentiality, integ‐
1421 rity, and security of electronic protected health information.
1422 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
1424 Security Rule identified for securing of electronic protected
1425 health information. Use of this profile in no way guarantees or
1426 makes claims against legal compliance against the HIPAA Security
1427 Rule(s).
1428 NIST National Checklist Program Security Guide
1431 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1433 This compliance profile reflects the core set of security re‐
1435 lated configuration settings for deployment of Red Hat Enter‐
1436 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
1437 agencies. Development partners and sponsors include the U.S.
1438 National Institute of Standards and Technology (NIST), U.S. De‐
1439 partment of Defense, the National Security Agency, and Red Hat.
1440 This baseline implements configuration requirements from the
1442 following sources:
1443 - Committee on National Security Systems Instruction No. 1253
1445 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1446 800-171) - NIST 800-53 control selections for MODERATE impact
1447 systems (NIST 800-53) - U.S. Government Configuration Baseline
1448 (USGCB) - NIAP Protection Profile for General Purpose Operating
1449 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1450 Requirements Guide (OS SRG)
1451 For any differing configuration requirements, e.g. password
1453 lengths, the stricter security setting was chosen. Security Re‐
1454 quirement Traceability Guides (RTMs) and sample System Security
1455 Configuration Guides are provided via the scap-security-guide-
1456 docs package.
1457 This profile reflects U.S. Government consensus content and is
1459 developed through the OpenSCAP/SCAP Security Guide initiative,
1460 championed by the National Security Agency. Except for differ‐
1461 ences in formatting to accommodate publishing processes, this
1462 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1463 divergences, such as bugfixes, work through the consensus and
1464 release processes.
1465 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1468 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1470 This profile reflects mandatory configuration controls identi‐
1472 fied in the NIAP Configuration Annex to the Protection Profile
1473 for General Purpose Operating Systems (Protection Profile Ver‐
1474 sion 4.2.1).
1475 This configuration profile is consistent with CNSSI-1253, which
1477 requires U.S. National Security Systems to adhere to certain
1478 configuration parameters. Accordingly, this configuration pro‐
1479 file is suitable for use in U.S. National Security Systems.
1480 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1483 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1485 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1487 plied.
1488 RHV hardening based on STIG for Red Hat Enterprise Linux 7
1491 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1493 This profile contains configuration checks for Red Hat Virtual‐
1495 ization based on the the DISA STIG for Red Hat Enterprise Linux
1496 7.
1497 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1500 ization
1501 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1503 This compliance profile reflects the core set of security re‐
1505 lated configuration settings for deployment of Red Hat Enter‐
1506 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
1507 gence, and Civilian agencies. Development partners and sponsors
1508 include the U.S. National Institute of Standards and Technology
1509 (NIST), U.S. Department of Defense, the National Security
1510 Agency, and Red Hat.
1511 This baseline implements configuration requirements from the
1513 following sources:
1514 - Committee on National Security Systems Instruction No. 1253
1516 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
1517 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
1518 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
1519 (VPP v1.0)
1520 For any differing configuration requirements, e.g. password
1522 lengths, the stricter security setting was chosen. Security Re‐
1523 quirement Traceability Guides (RTMs) and sample System Security
1524 Configuration Guides are provided via the scap-security-guide-
1525 docs package.
1526 This profile reflects U.S. Government consensus content and is
1528 developed through the ComplianceAsCode project, championed by
1529 the National Security Agency. Except for differences in format‐
1530 ting to accommodate publishing processes, this profile mirrors
1531 ComplianceAsCode content as minor divergences, such as bugfixes,
1532 work through the consensus and release processes.
1533 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1536 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1538 This profile contains the minimum security relevant configura‐
1540 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1541 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
1542 Standard System Security Profile for Red Hat Enterprise Linux 7
1545 Profile ID: xccdf_org.ssgproject.content_profile_standard
1547 This profile contains rules to ensure standard security baseline
1549 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1550 tem's workload all of these checks should pass.
1551 DISA STIG for Red Hat Enterprise Linux 7
1554 Profile ID: xccdf_org.ssgproject.content_profile_stig
1556 This profile contains configuration checks that align to the
1558 DISA STIG for Red Hat Enterprise Linux V3R4.
1559 In addition to being applicable to Red Hat Enterprise Linux 7,
1561 DISA recognizes this configuration baseline as applicable to the
1562 operating system tier of Red Hat technologies that are based on
1563 Red Hat Enterprise Linux 7, such as:
1564 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1566 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1567 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1568 7 image
1569 DISA STIG with GUI for Red Hat Enterprise Linux 7
1572 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1574 This profile contains configuration checks that align to the
1576 DISA STIG with GUI for Red Hat Enterprise Linux V3R4.
1577 In addition to being applicable to Red Hat Enterprise Linux 7,
1579 DISA recognizes this configuration baseline as applicable to the
1580 operating system tier of Red Hat technologies that are based on
1581 Red Hat Enterprise Linux 7, such as:
1582 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1584 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1585 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1586 7 image
1587 Warning: The installation and use of a Graphical User Interface
1589 (GUI) increases your attack vector and decreases your overall
1590 security posture. If your Information Systems Security Officer
1591 (ISSO) lacks a documented operational requirement for a graphi‐
1592 cal user interface, please consider using the standard DISA STIG
1593 for Red Hat Enterprise Linux 7 profile.
1594
1600 Source Datastream: ssg-rhel8-ds.xml
1601 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
1603 broken into 'profiles', groupings of security settings that correlate
1604 to a known policy. Available profiles are:
1605 ANSSI-BP-028 (enhanced)
1609 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1611 hanced
1612 This profile contains configurations that align to ANSSI-BP-028
1614 v1.2 at the enhanced hardening level.
1615 ANSSI is the French National Information Security Agency, and
1617 stands for Agence nationale de la sécurité des systèmes d'infor‐
1618 mation. ANSSI-BP-028 is a configuration recommendation for
1619 GNU/Linux systems.
1620 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1622 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1623 securite-relatives-a-un-systeme-gnulinux/
1624 ANSSI-BP-028 (high)
1627 Profile ID: xccdf_org.ssgproject.content_pro‐
1629 file_anssi_bp28_high
1630 This profile contains configurations that align to ANSSI-BP-028
1632 v1.2 at the high hardening level.
1633 ANSSI is the French National Information Security Agency, and
1635 stands for Agence nationale de la sécurité des systèmes d'infor‐
1636 mation. ANSSI-BP-028 is a configuration recommendation for
1637 GNU/Linux systems.
1638 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1640 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1641 securite-relatives-a-un-systeme-gnulinux/
1642 ANSSI-BP-028 (intermediary)
1645 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1647 termediary
1648 This profile contains configurations that align to ANSSI-BP-028
1650 v1.2 at the intermediary hardening level.
1651 ANSSI is the French National Information Security Agency, and
1653 stands for Agence nationale de la sécurité des systèmes d'infor‐
1654 mation. ANSSI-BP-028 is a configuration recommendation for
1655 GNU/Linux systems.
1656 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1658 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1659 securite-relatives-a-un-systeme-gnulinux/
1660 ANSSI-BP-028 (minimal)
1663 Profile ID: xccdf_org.ssgproject.content_pro‐
1665 file_anssi_bp28_minimal
1666 This profile contains configurations that align to ANSSI-BP-028
1668 v1.2 at the minimal hardening level.
1669 ANSSI is the French National Information Security Agency, and
1671 stands for Agence nationale de la sécurité des systèmes d'infor‐
1672 mation. ANSSI-BP-028 is a configuration recommendation for
1673 GNU/Linux systems.
1674 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1676 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1677 securite-relatives-a-un-systeme-gnulinux/
1678 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
1681 Profile ID: xccdf_org.ssgproject.content_profile_cis
1683 This profile defines a baseline that aligns to the "Level 2 -
1685 Server" configuration from the Center for Internet Security® Red
1686 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1687 This profile includes Center for Internet Security® Red Hat En‐
1689 terprise Linux 8 CIS Benchmarks™ content.
1690 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
1693 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1695 This profile defines a baseline that aligns to the "Level 1 -
1697 Server" configuration from the Center for Internet Security® Red
1698 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
1699 This profile includes Center for Internet Security® Red Hat En‐
1701 terprise Linux 8 CIS Benchmarks™ content.
1702 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
1705 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1707 tion_l1
1708 This profile defines a baseline that aligns to the "Level 1 -
1710 Workstation" configuration from the Center for Internet Secu‐
1711 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
1712 2021-05-19.
1713 This profile includes Center for Internet Security® Red Hat En‐
1715 terprise Linux 8 CIS Benchmarks™ content.
1716 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
1719 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1721 tion_l2
1722 This profile defines a baseline that aligns to the "Level 2 -
1724 Workstation" configuration from the Center for Internet Secu‐
1725 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
1726 2021-05-19.
1727 This profile includes Center for Internet Security® Red Hat En‐
1729 terprise Linux 8 CIS Benchmarks™ content.
1730 Criminal Justice Information Services (CJIS) Security Policy
1733 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1735 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1737 copy of this policy can be found at the CJIS Security Policy Re‐
1738 source Center:
1739 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1741 center
1742 Unclassified Information in Non-federal Information Systems and Organi‐
1745 zations (NIST 800-171)
1746 Profile ID: xccdf_org.ssgproject.content_profile_cui
1748 From NIST 800-171, Section 2.2: Security requirements for pro‐
1750 tecting the confidentiality of CUI in nonfederal information
1751 systems and organizations have a well-defined structure that
1752 consists of:
1753 (i) a basic security requirements section; (ii) a derived secu‐
1755 rity requirements section.
1756 The basic security requirements are obtained from FIPS Publica‐
1758 tion 200, which provides the high-level and fundamental security
1759 requirements for federal information and information systems.
1760 The derived security requirements, which supplement the basic
1761 security requirements, are taken from the security controls in
1762 NIST Special Publication 800-53.
1763 This profile configures Red Hat Enterprise Linux 8 to the NIST
1765 Special Publication 800-53 controls identified for securing Con‐
1766 trolled Unclassified Information (CUI)."
1767 Australian Cyber Security Centre (ACSC) Essential Eight
1770 Profile ID: xccdf_org.ssgproject.content_profile_e8
1772 This profile contains configuration checks for Red Hat Enter‐
1774 prise Linux 8 that align to the Australian Cyber Security Centre
1775 (ACSC) Essential Eight.
1776 A copy of the Essential Eight in Linux Environments guide can be
1778 found at the ACSC website:
1779 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1781 tions/hardening-linux-workstations-and-servers
1782 Health Insurance Portability and Accountability Act (HIPAA)
1785 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1787 The HIPAA Security Rule establishes U.S. national standards to
1789 protect individuals’ electronic personal health information that
1790 is created, received, used, or maintained by a covered entity.
1791 The Security Rule requires appropriate administrative, physical
1792 and technical safeguards to ensure the confidentiality, integ‐
1793 rity, and security of electronic protected health information.
1794 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
1796 Security Rule identified for securing of electronic protected
1797 health information. Use of this profile in no way guarantees or
1798 makes claims against legal compliance against the HIPAA Security
1799 Rule(s).
1800 Australian Cyber Security Centre (ACSC) ISM Official
1803 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
1805 This profile contains configuration checks for Red Hat Enter‐
1807 prise Linux 8 that align to the Australian Cyber Security Centre
1808 (ACSC) Information Security Manual (ISM) with the applicability
1809 marking of OFFICIAL.
1810 The ISM uses a risk-based approach to cyber security. This pro‐
1812 file provides a guide to aligning Red Hat Enterprise Linux secu‐
1813 rity controls with the ISM, which can be used to select controls
1814 specific to an organisation's security posture and risk profile.
1815 A copy of the ISM can be found at the ACSC website:
1817 https://www.cyber.gov.au/ism
1819 Protection Profile for General Purpose Operating Systems
1822 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1824 This profile reflects mandatory configuration controls identi‐
1826 fied in the NIAP Configuration Annex to the Protection Profile
1827 for General Purpose Operating Systems (Protection Profile Ver‐
1828 sion 4.2.1).
1829 This configuration profile is consistent with CNSSI-1253, which
1831 requires U.S. National Security Systems to adhere to certain
1832 configuration parameters. Accordingly, this configuration pro‐
1833 file is suitable for use in U.S. National Security Systems.
1834 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1837 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1839 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1841 plied.
1842 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1845 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1847 This profile contains the minimum security relevant configura‐
1849 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1850 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1851 Standard System Security Profile for Red Hat Enterprise Linux 8
1854 Profile ID: xccdf_org.ssgproject.content_profile_standard
1856 This profile contains rules to ensure standard security baseline
1858 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
1859 tem's workload all of these checks should pass.
1860 DISA STIG for Red Hat Enterprise Linux 8
1863 Profile ID: xccdf_org.ssgproject.content_profile_stig
1865 This profile contains configuration checks that align to the
1867 DISA STIG for Red Hat Enterprise Linux 8 V1R3.
1868 In addition to being applicable to Red Hat Enterprise Linux 8,
1870 DISA recognizes this configuration baseline as applicable to the
1871 operating system tier of Red Hat technologies that are based on
1872 Red Hat Enterprise Linux 8, such as:
1873 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1875 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1876 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1877 8 image
1878 DISA STIG with GUI for Red Hat Enterprise Linux 8
1881 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1883 This profile contains configuration checks that align to the
1885 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
1886 In addition to being applicable to Red Hat Enterprise Linux 8,
1888 DISA recognizes this configuration baseline as applicable to the
1889 operating system tier of Red Hat technologies that are based on
1890 Red Hat Enterprise Linux 8, such as:
1891 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
1893 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
1894 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
1895 8 image
1896 Warning: The installation and use of a Graphical User Interface
1898 (GUI) increases your attack vector and decreases your overall
1899 security posture. If your Information Systems Security Officer
1900 (ISSO) lacks a documented operational requirement for a graphi‐
1901 cal user interface, please consider using the standard DISA STIG
1902 for Red Hat Enterprise Linux 8 profile.
1903
1909 Source Datastream: ssg-rhel9-ds.xml
1910 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
1912 broken into 'profiles', groupings of security settings that correlate
1913 to a known policy. Available profiles are:
1914 ANSSI-BP-028 (enhanced)
1918 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1920 hanced
1921 This profile contains configurations that align to ANSSI-BP-028
1923 at the enhanced hardening level.
1924 ANSSI is the French National Information Security Agency, and
1926 stands for Agence nationale de la sécurité des systèmes d'infor‐
1927 mation. ANSSI-BP-028 is a configuration recommendation for
1928 GNU/Linux systems.
1929 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1931 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1932 securite-relatives-a-un-systeme-gnulinux/
1933 ANSSI-BP-028 (high)
1936 Profile ID: xccdf_org.ssgproject.content_pro‐
1938 file_anssi_bp28_high
1939 This profile contains configurations that align to ANSSI-BP-028
1941 at the high hardening level.
1942 ANSSI is the French National Information Security Agency, and
1944 stands for Agence nationale de la sécurité des systèmes d'infor‐
1945 mation. ANSSI-BP-028 is a configuration recommendation for
1946 GNU/Linux systems.
1947 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1949 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1950 securite-relatives-a-un-systeme-gnulinux/
1951 ANSSI-BP-028 (intermediary)
1954 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1956 termediary
1957 This profile contains configurations that align to ANSSI-BP-028
1959 at the intermediary hardening level.
1960 ANSSI is the French National Information Security Agency, and
1962 stands for Agence nationale de la sécurité des systèmes d'infor‐
1963 mation. ANSSI-BP-028 is a configuration recommendation for
1964 GNU/Linux systems.
1965 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1967 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1968 securite-relatives-a-un-systeme-gnulinux/
1969 ANSSI-BP-028 (minimal)
1972 Profile ID: xccdf_org.ssgproject.content_pro‐
1974 file_anssi_bp28_minimal
1975 This profile contains configurations that align to ANSSI-BP-028
1977 at the minimal hardening level.
1978 ANSSI is the French National Information Security Agency, and
1980 stands for Agence nationale de la sécurité des systèmes d'infor‐
1981 mation. ANSSI-BP-028 is a configuration recommendation for
1982 GNU/Linux systems.
1983 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1985 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1986 securite-relatives-a-un-systeme-gnulinux/
1987 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
1990 Profile ID: xccdf_org.ssgproject.content_profile_cis
1992 This is a draft profile based on its RHEL8 version for experi‐
1994 mental purposes. It is not based on the CIS benchmark for
1995 RHEL9, because this one was not available at time of the re‐
1996 lease.
1997 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
2000 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2002 This is a draft profile based on its RHEL8 version for experi‐
2004 mental purposes. It is not based on the CIS benchmark for
2005 RHEL9, because this one was not available at time of the re‐
2006 lease.
2007 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
2010 tion
2011 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2013 tion_l1
2014 This is a draft profile based on its RHEL8 version for experi‐
2016 mental purposes. It is not based on the CIS benchmark for
2017 RHEL9, because this one was not available at time of the re‐
2018 lease.
2019 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
2022 tion
2023 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2025 tion_l2
2026 This is a draft profile based on its RHEL8 version for experi‐
2028 mental purposes. It is not based on the CIS benchmark for
2029 RHEL9, because this one was not available at time of the re‐
2030 lease.
2031 [RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security
2034 Policy
2035 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2037 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2039 copy of this policy can be found at the CJIS Security Policy Re‐
2040 source Center:
2041 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2043 center
2044 Unclassified Information in Non-federal Information Systems and Organi‐
2047 zations (NIST 800-171)
2048 Profile ID: xccdf_org.ssgproject.content_profile_cui
2050 From NIST 800-171, Section 2.2: Security requirements for pro‐
2052 tecting the confidentiality of CUI in nonfederal information
2053 systems and organizations have a well-defined structure that
2054 consists of:
2055 (i) a basic security requirements section; (ii) a derived secu‐
2057 rity requirements section.
2058 The basic security requirements are obtained from FIPS Publica‐
2060 tion 200, which provides the high-level and fundamental security
2061 requirements for federal information and information systems.
2062 The derived security requirements, which supplement the basic
2063 security requirements, are taken from the security controls in
2064 NIST Special Publication 800-53.
2065 This profile configures Red Hat Enterprise Linux 8 to the NIST
2067 Special Publication 800-53 controls identified for securing Con‐
2068 trolled Unclassified Information (CUI)."
2069 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
2072 Profile ID: xccdf_org.ssgproject.content_profile_e8
2074 This profile contains configuration checks for Red Hat Enter‐
2076 prise Linux 9 that align to the Australian Cyber Security Centre
2077 (ACSC) Essential Eight.
2078 A copy of the Essential Eight in Linux Environments guide can be
2080 found at the ACSC website:
2081 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2083 tions/hardening-linux-workstations-and-servers
2084 [RHEL9 DRAFT] Health Insurance Portability and Accountability Act
2087 (HIPAA)
2088 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2090 The HIPAA Security Rule establishes U.S. national standards to
2092 protect individuals’ electronic personal health information that
2093 is created, received, used, or maintained by a covered entity.
2094 The Security Rule requires appropriate administrative, physical
2095 and technical safeguards to ensure the confidentiality, integ‐
2096 rity, and security of electronic protected health information.
2097 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
2099 Security Rule identified for securing of electronic protected
2100 health information. Use of this profile in no way guarantees or
2101 makes claims against legal compliance against the HIPAA Security
2102 Rule(s).
2103 [RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official
2106 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
2108 This profile contains configuration checks for Red Hat Enter‐
2110 prise Linux 9 that align to the Australian Cyber Security Centre
2111 (ACSC) Information Security Manual (ISM) with the applicability
2112 marking of OFFICIAL.
2113 The ISM uses a risk-based approach to cyber security. This pro‐
2115 file provides a guide to aligning Red Hat Enterprise Linux secu‐
2116 rity controls with the ISM, which can be used to select controls
2117 specific to an organisation's security posture and risk profile.
2118 A copy of the ISM can be found at the ACSC website:
2120 https://www.cyber.gov.au/ism
2122 [RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems
2125 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2127 This profile reflects mandatory configuration controls identi‐
2129 fied in the NIAP Configuration Annex to the Protection Profile
2130 for General Purpose Operating Systems (Protection Profile Ver‐
2131 sion 4.2.1).
2132 This configuration profile is consistent with CNSSI-1253, which
2134 requires U.S. National Security Systems to adhere to certain
2135 configuration parameters. Accordingly, this configuration pro‐
2136 file is suitable for use in U.S. National Security Systems.
2137 [RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise
2140 Linux 9
2141 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2143 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2145 plied.
2146 [RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers
2149 (RH CCP)
2150 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2152 This profile contains the minimum security relevant configura‐
2154 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2155 Linux 9 instances deployed by Red Hat Certified Cloud Providers.
2156 Standard System Security Profile for Red Hat Enterprise Linux 9
2159 Profile ID: xccdf_org.ssgproject.content_profile_standard
2161 This profile contains rules to ensure standard security baseline
2163 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
2164 tem's workload all of these checks should pass.
2165 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
2168 Profile ID: xccdf_org.ssgproject.content_profile_stig
2170 This profile contains configuration checks that are based on the
2172 RHEL8 STIG
2173 In addition to being applicable to Red Hat Enterprise Linux 8,
2175 DISA recognizes this configuration baseline as applicable to the
2176 operating system tier of Red Hat technologies that are based on
2177 Red Hat Enterprise Linux 8, such as:
2178 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2180 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2181 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2182 8 image
2183 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
2186 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2188 This profile contains configuration checks that are based on the
2190 RHEL8 STIG
2191 In addition to being applicable to Red Hat Enterprise Linux 9,
2193 DISA recognizes this configuration baseline as applicable to the
2194 operating system tier of Red Hat technologies that are based on
2195 Red Hat Enterprise Linux 8, such as:
2196 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2198 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2199 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2200 9 image
2201 Warning: The installation and use of a Graphical User Interface
2203 (GUI) increases your attack vector and decreases your overall
2204 security posture. If your Information Systems Security Officer
2205 (ISSO) lacks a documented operational requirement for a graphi‐
2206 cal user interface, please consider using the standard DISA STIG
2207 for Red Hat Enterprise Linux 9 profile.
2208
2214 Source Datastream: ssg-rhosp10-ds.xml
2216 The Guide to the Secure Configuration of Red Hat OpenStack Platform 10
2218 is broken into 'profiles', groupings of security settings that corre‐
2219 late to a known policy. Available profiles are:
2220 [DRAFT] Controlled Unclassified Infomration (CUI) Profile for Red Hat
2224 OpenStack Plaform 10
2225 Profile ID: xccdf_org.ssgproject.content_profile_cui
2227 These are the controls for scanning against CUI for rhosp10
2229 [DRAFT] STIG for Red Hat OpenStack Plaform 10
2232 Profile ID: xccdf_org.ssgproject.content_profile_stig
2234 Controls for scanning against classified STIG for rhosp10
2236
2242 Source Datastream: ssg-rhosp13-ds.xml
2244 The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
2246 is broken into 'profiles', groupings of security settings that corre‐
2247 late to a known policy. Available profiles are:
2248 RHOSP STIG
2252 Profile ID: xccdf_org.ssgproject.content_profile_stig
2254 Sample profile description.
2256
2262 Source Datastream: ssg-rhv4-ds.xml
2263 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
2265 broken into 'profiles', groupings of security settings that correlate
2266 to a known policy. Available profiles are:
2267 PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
2271 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2273 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2275 plied.
2276 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
2279 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
2281 This *draft* profile contains configuration checks that align to
2283 the DISA STIG for Red Hat Virtualization Host (RHVH).
2284 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2287 ization Host (RHVH)
2288 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
2290 This compliance profile reflects the core set of security re‐
2292 lated configuration settings for deployment of Red Hat Virtual‐
2293 ization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
2294 Civilian agencies. Development partners and sponsors include
2295 the U.S. National Institute of Standards and Technology (NIST),
2296 U.S. Department of Defense, the National Security Agency, and
2297 Red Hat.
2298 This baseline implements configuration requirements from the
2300 following sources:
2301 - Committee on National Security Systems Instruction No. 1253
2303 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2304 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2305 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2306 (VPP v1.0)
2307 For any differing configuration requirements, e.g. password
2309 lengths, the stricter security setting was chosen. Security Re‐
2310 quirement Traceability Guides (RTMs) and sample System Security
2311 Configuration Guides are provided via the scap-security-guide-
2312 docs package.
2313 This profile reflects U.S. Government consensus content and is
2315 developed through the ComplianceAsCode project, championed by
2316 the National Security Agency. Except for differences in format‐
2317 ting to accommodate publishing processes, this profile mirrors
2318 ComplianceAsCode content as minor divergences, such as bugfixes,
2319 work through the consensus and release processes.
2320
2326 Source Datastream: ssg-sl7-ds.xml
2327 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
2329 broken into 'profiles', groupings of security settings that correlate
2330 to a known policy. Available profiles are:
2331 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2335 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2337 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2339 plied.
2340 Standard System Security Profile for Red Hat Enterprise Linux 7
2343 Profile ID: xccdf_org.ssgproject.content_profile_standard
2345 This profile contains rules to ensure standard security baseline
2347 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2348 tem's workload all of these checks should pass.
2349
2355 Source Datastream: ssg-sle12-ds.xml
2356 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
2358 broken into 'profiles', groupings of security settings that correlate
2359 to a known policy. Available profiles are:
2360 CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
2364 Profile ID: xccdf_org.ssgproject.content_profile_cis
2366 This profile defines a baseline that aligns to the "Level 2 -
2368 Server" configuration from the Center for Internet Security®
2369 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2370 04-27-2021.
2371 This profile includes Center for Internet Security® SUSE Linux
2373 Enterprise 12 CIS Benchmarks™ content.
2374 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
2377 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2379 This profile defines a baseline that aligns to the "Level 1 -
2381 Server" configuration from the Center for Internet Security®
2382 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2383 04-27-2021.
2384 This profile includes Center for Internet Security® SUSE Linux
2386 Enterprise 12 CIS Benchmarks™ content.
2387 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
2390 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2392 tion_l1
2393 This profile defines a baseline that aligns to the "Level 1 -
2395 Workstation" configuration from the Center for Internet Secu‐
2396 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2397 04-27-2021.
2398 This profile includes Center for Internet Security® SUSE Linux
2400 Enterprise 12 CIS Benchmarks™ content.
2401 CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
2404 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2406 tion_l2
2407 This profile defines a baseline that aligns to the "Level 2 -
2409 Workstation" configuration from the Center for Internet Secu‐
2410 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2411 04-27-2021.
2412 This profile includes Center for Internet Security® SUSE Linux
2414 Enterprise 12 CIS Benchmarks™ content.
2415 Standard System Security Profile for SUSE Linux Enterprise 12
2418 Profile ID: xccdf_org.ssgproject.content_profile_standard
2420 This profile contains rules to ensure standard security baseline
2422 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
2423 tem's workload all of these checks should pass.
2424 DISA STIG for SUSE Linux Enterprise 12
2427 Profile ID: xccdf_org.ssgproject.content_profile_stig
2429 This profile contains configuration checks that align to the
2431 DISA STIG for SUSE Linux Enterprise 12 V2R3.
2432
2438 Source Datastream: ssg-sle15-ds.xml
2439 The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
2441 broken into 'profiles', groupings of security settings that correlate
2442 to a known policy. Available profiles are:
2443 CIS SUSE Linux Enterprise 15 Benchmark
2447 Profile ID: xccdf_org.ssgproject.content_profile_cis
2449 This profile defines a baseline that aligns to the Center for
2451 Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.0.0,
2452 released 06-30-2020.
2453 This profile includes Center for Internet Security® SUSE Linux
2455 Enterprise 15 CIS Benchmarks™ content.
2456 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
2459 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2461 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2463 plied.
2464 Standard System Security Profile for SUSE Linux Enterprise 15
2467 Profile ID: xccdf_org.ssgproject.content_profile_standard
2469 This profile contains rules to ensure standard security baseline
2471 of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
2472 ening Guide. Regardless of your system's workload all of these
2473 checks should pass.
2474 DISA STIG for SUSE Linux Enterprise 15
2477 Profile ID: xccdf_org.ssgproject.content_profile_stig
2479 This profile contains configuration checks that align to the
2481 DISA STIG for SUSE Linux Enterprise 15 V1R2.
2482
2488 Source Datastream: ssg-ubuntu1604-ds.xml
2489 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
2491 'profiles', groupings of security settings that correlate to a known
2492 policy. Available profiles are:
2493 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2497 Profile ID: xccdf_org.ssgproject.content_pro‐
2499 file_anssi_np_nt28_average
2500 This profile contains items for GNU/Linux installations already
2502 protected by multiple higher level security stacks.
2503 Profile for ANSSI DAT-NT28 High (Enforced) Level
2506 Profile ID: xccdf_org.ssgproject.content_pro‐
2508 file_anssi_np_nt28_high
2509 This profile contains items for GNU/Linux installations storing
2511 sensitive informations that can be accessible from unauthenti‐
2512 cated or uncontroled networks.
2513 Profile for ANSSI DAT-NT28 Minimal Level
2516 Profile ID: xccdf_org.ssgproject.content_pro‐
2518 file_anssi_np_nt28_minimal
2519 This profile contains items to be applied systematically.
2521 Profile for ANSSI DAT-NT28 Restrictive Level
2524 Profile ID: xccdf_org.ssgproject.content_pro‐
2526 file_anssi_np_nt28_restrictive
2527 This profile contains items for GNU/Linux installations exposed
2529 to unauthenticated flows or multiple sources.
2530 Standard System Security Profile for Ubuntu 16.04
2533 Profile ID: xccdf_org.ssgproject.content_profile_standard
2535 This profile contains rules to ensure standard security baseline
2537 of an Ubuntu 16.04 system. Regardless of your system's workload
2538 all of these checks should pass.
2539
2545 Source Datastream: ssg-ubuntu1804-ds.xml
2546 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
2548 'profiles', groupings of security settings that correlate to a known
2549 policy. Available profiles are:
2550 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2554 Profile ID: xccdf_org.ssgproject.content_pro‐
2556 file_anssi_np_nt28_average
2557 This profile contains items for GNU/Linux installations already
2559 protected by multiple higher level security stacks.
2560 Profile for ANSSI DAT-NT28 High (Enforced) Level
2563 Profile ID: xccdf_org.ssgproject.content_pro‐
2565 file_anssi_np_nt28_high
2566 This profile contains items for GNU/Linux installations storing
2568 sensitive informations that can be accessible from unauthenti‐
2569 cated or uncontroled networks.
2570 Profile for ANSSI DAT-NT28 Minimal Level
2573 Profile ID: xccdf_org.ssgproject.content_pro‐
2575 file_anssi_np_nt28_minimal
2576 This profile contains items to be applied systematically.
2578 Profile for ANSSI DAT-NT28 Restrictive Level
2581 Profile ID: xccdf_org.ssgproject.content_pro‐
2583 file_anssi_np_nt28_restrictive
2584 This profile contains items for GNU/Linux installations exposed
2586 to unauthenticated flows or multiple sources.
2587 CIS Ubuntu 18.04 LTS Benchmark
2590 Profile ID: xccdf_org.ssgproject.content_profile_cis
2592 This baseline aligns to the Center for Internet Security Ubuntu
2594 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
2595 Standard System Security Profile for Ubuntu 18.04
2598 Profile ID: xccdf_org.ssgproject.content_profile_standard
2600 This profile contains rules to ensure standard security baseline
2602 of an Ubuntu 18.04 system. Regardless of your system's workload
2603 all of these checks should pass.
2604
2610 Source Datastream: ssg-ubuntu2004-ds.xml
2611 The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
2613 'profiles', groupings of security settings that correlate to a known
2614 policy. Available profiles are:
2615 CIS Ubuntu 20.04 Level 1 Server Benchmark
2619 Profile ID: xccdf_org.ssgproject.content_pro‐
2621 file_cis_level1_server
2622 This baseline aligns to the Center for Internet Security Ubuntu
2624 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2625 CIS Ubuntu 20.04 Level 1 Workstation Benchmark
2628 Profile ID: xccdf_org.ssgproject.content_pro‐
2630 file_cis_level1_workstation
2631 This baseline aligns to the Center for Internet Security Ubuntu
2633 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2634 CIS Ubuntu 20.04 Level 2 Server Benchmark
2637 Profile ID: xccdf_org.ssgproject.content_pro‐
2639 file_cis_level2_server
2640 This baseline aligns to the Center for Internet Security Ubuntu
2642 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2643 CIS Ubuntu 20.04 Level 2 Workstation Benchmark
2646 Profile ID: xccdf_org.ssgproject.content_pro‐
2648 file_cis_level2_workstation
2649 This baseline aligns to the Center for Internet Security Ubuntu
2651 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
2652 Standard System Security Profile for Ubuntu 20.04
2655 Profile ID: xccdf_org.ssgproject.content_profile_standard
2657 This profile contains rules to ensure standard security baseline
2659 of an Ubuntu 20.04 system. Regardless of your system's workload
2660 all of these checks should pass.
2661 Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
2664 (STIG) V1R1
2665 Profile ID: xccdf_org.ssgproject.content_profile_stig
2667 This Security Technical Implementation Guide is published as a
2669 tool to improve the security of Department of Defense (DoD) in‐
2670 formation systems. The requirements are derived from the Na‐
2671 tional Institute of Standards and Technology (NIST) 800-53 and
2672 related documents.
2673
2679 for Linux
2680 Source Datastream: ssg-vsel-ds.xml
2681 The Guide to the Secure Configuration of McAfee VirusScan Enterprise
2683 for Linux is broken into 'profiles', groupings of security settings
2684 that correlate to a known policy. Available profiles are:
2685 McAfee VirusScan Enterprise for Linux (VSEL) STIG
2689 Profile ID: xccdf_org.ssgproject.content_profile_stig
2691 The McAfee VirusScan Enterprise for Linux software provides a
2693 realtime virus scanner for Linux systems.
2694
2700 Source Datastream: ssg-wrlinux1019-ds.xml
2701 The Guide to the Secure Configuration of WRLinux 1019 is broken into
2703 'profiles', groupings of security settings that correlate to a known
2704 policy. Available profiles are:
2705 Basic Profile for Embedded Systems
2709 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
2711 This profile contains items common to many embedded Linux in‐
2713 stallations. Regardless of your system's deployment objective,
2714 all of these checks should pass.
2715 DRAFT DISA STIG for Wind River Linux
2718 Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wr‐
2720 linux_disa
2721 This profile contains configuration checks that align to the
2723 DISA STIG for Wind River Linux. This profile is being developed
2724 under the DoD consensus model to become a STIG in coordination
2725 with DISA FSO. What is the status of the Wind River Linux STIG?
2726 The Wind River Linux STIG is in development under the DoD con‐
2727 sensus model and Wind River has started the process to get ap‐
2728 proval from DISA. However, in the absence of an approved SRG or
2729 STIG, vendor recommendations may be used instead. The current
2730 contents constitute the vendor recommendations at the time of
2731 the product release containing these contents. Note that
2732 changes are expected before approval is granted, and those
2733 changes will be made available in future Wind River Linux Secu‐
2734 rity Profile 1019 RCPL releases. More information, including
2735 the following, is available from the DISA FAQs at https://pub‐
2736 lic.cyber.mil/stigs/faqs/
2737
2743 Source Datastream: ssg-wrlinux8-ds.xml
2744 The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
2746 files', groupings of security settings that correlate to a known pol‐
2747 icy. Available profiles are:
2748 Basic Profile for Embedded Systems
2752 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
2754 This profile contains items common to many embedded Linux in‐
2756 stallations. Regardless of your system's deployment objective,
2757 all of these checks should pass.
2758
2765 To scan your system utilizing the OpenSCAP utility against the ospp
2766 profile:
2767 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-re‐
2769 sults.xml --report /tmp/`hostname`-ssg-results.html --oval-results
2770 /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
2771 Additional details can be found on the projects wiki page:
2773 https://www.github.com/ComplianceAsCode/content/wiki
2774
2778 /usr/share/xml/scap/ssg/content
2779 Houses SCAP content utilizing the following naming conventions:
2780 SCAP Source Datastreams: ssg-{product}-ds.xml
2782 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
2784 CPE OVAL Content: ssg-{product}-cpe-oval.xml
2786 OVAL Content: ssg-{product}-oval.xml
2788 XCCDF Content: ssg-{product}-xccdf.xml
2790 /usr/share/doc/scap-security-guide/guides/
2792 HTML versions of SSG profiles.
2793 /usr/share/scap-security-guide/ansible/
2795 Contains Ansible Playbooks for SSG profiles.
2796 /usr/share/scap-security-guide/bash/
2798 Contains Bash remediation scripts for SSG profiles.
2799
2803 SCAP Security Guide content is considered vendor (Red Hat) provided
2804 content. Per guidance from the U.S. National Institute of Standards
2805 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
2806 dor produced SCAP content in absence of "Governmental Authority" check‐
2807 lists. The specific NIST verbage:
2808 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
2809
2813 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
2814 products incorporated into DoD information systems shall be configured
2815 in accordance with DoD-approved security configuration guidelines" and
2816 tasks Defense Information Systems Agency (DISA) to "develop and provide
2817 security configuration guidance for IA and IA-enabled IT products in
2818 coordination with Director, NSA." The output of this authority is the
2819 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
2820 the process of moving the STIGs towards the use of the NIST Security
2821 Content Automation Protocol (SCAP) in order to "automate" compliance
2822 reporting of the STIGs.
2823 Through a common, shared vision, the SCAP Security Guide community en‐
2825 joys close collaboration directly with NSA, NIST, and DISA FSO. As
2826 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
2827 Version 1, Release 2, issued on 03-JUNE-2013:
2828 "The consensus content was developed using an open-source project
2830 called SCAP Security Guide. The project's website is https://www.open-
2831 scap.org/security-policies/scap-security-guide. Except for differences
2832 in formatting to accomodate the DISA STIG publishing process, the con‐
2833 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Se‐
2834 curity Guide content with only minor divergence as updates from multi‐
2835 ple sources work through the consensus process."
2836 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was re‐
2838 leased in July 2019 Currently, the DoD Red Hat Enterprise Linux 7 STIG
2839 contains only XCCDF content and is available online: https://public.cy‐
2840 ber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
2841 Content published against the public.cyber.mil website is authoritative
2843 STIG content. The SCAP Security Guide project, as noted in the STIG
2844 overview, is considered upstream content. Unlike DISA FSO, the SCAP Se‐
2845 curity Guide project does publish OVAL automation content. Individual
2846 programs and C&A evaluators make program-level determinations on the
2847 direct usage of the SCAP Security Guide. Currently there is no blanket
2848 approval.
2849
2853 oscap(8)
2854
2858 Please direct all questions to the SSG mailing list: https://lists.fe‐
2859 dorahosted.org/mailman/listinfo/scap-security-guide
2860version 1 26 Jan 2013 scap-security-guide(8)