1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice and also links
14 it to compliance requirements in order to ease deployment activities,
15 such as certification and accreditation. These include requirements in
16 the U.S. government (Federal, Defense, and Intelligence Community) as
17 well as of the financial services and health care industries. For exam‐
18 ple, high-level and widely-accepted policies such as NIST 800-53 pro‐
19 vides prose stating that System Administrators must audit "privileged
20 user actions," but do not define what "privileged actions" are. The SSG
21 bridges the gap between generalized policy requirements and specific
22 implementation guidance, in SCAP formats to support automation whenever
23 possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-centos7-ds.xml
32 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
40 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
42 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
44 plied.
45 Standard System Security Profile for Red Hat Enterprise Linux 7
48 Profile ID: xccdf_org.ssgproject.content_profile_standard
50 This profile contains rules to ensure standard security baseline
52 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
53 tem's workload all of these checks should pass.
54
60 Source Datastream: ssg-centos8-ds.xml
61 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
63 broken into 'profiles', groupings of security settings that correlate
64 to a known policy. Available profiles are:
65 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
69 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
71 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
73 plied.
74 Standard System Security Profile for Red Hat Enterprise Linux 8
77 Profile ID: xccdf_org.ssgproject.content_profile_standard
79 This profile contains rules to ensure standard security baseline
81 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
82 tem's workload all of these checks should pass.
83
89 Source Datastream: ssg-chromium-ds.xml
90 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
92 files', groupings of security settings that correlate to a known pol‐
93 icy. Available profiles are:
94 Upstream STIG for Google Chromium
98 Profile ID: xccdf_org.ssgproject.content_profile_stig
100 This profile is developed under the DoD consensus model and DISA
102 FSO Vendor STIG process, serving as the upstream development en‐
103 vironment for the Google Chromium STIG.
104 As a result of the upstream/downstream relationship between the
106 SCAP Security Guide project and the official DISA FSO STIG base‐
107 line, users should expect variance between SSG and DISA FSO con‐
108 tent. For official DISA FSO STIG content, refer to https://pub‐
109 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
110 rity%2Cbrowser-guidance.
111 While this profile is packaged by Red Hat as part of the SCAP
113 Security Guide package, please note that commercial support of
114 this SCAP content is NOT available. This profile is provided as
115 example SCAP content with no endorsement for suitability or pro‐
116 duction readiness. Support for this profile is provided by the
117 upstream SCAP Security Guide community on a best-effort basis.
118 The upstream project homepage is https://www.open-scap.org/secu‐
119 rity-policies/scap-security-guide/.
120
126 Source Datastream: ssg-cs9-ds.xml
127 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
129 broken into 'profiles', groupings of security settings that correlate
130 to a known policy. Available profiles are:
131 ANSSI-BP-028 (enhanced)
135 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
137 hanced
138 This profile contains configurations that align to ANSSI-BP-028
140 at the enhanced hardening level.
141 ANSSI is the French National Information Security Agency, and
143 stands for Agence nationale de la sécurité des systèmes d'infor‐
144 mation. ANSSI-BP-028 is a configuration recommendation for
145 GNU/Linux systems.
146 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
148 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
149 securite-relatives-a-un-systeme-gnulinux/
150 ANSSI-BP-028 (high)
153 Profile ID: xccdf_org.ssgproject.content_pro‐
155 file_anssi_bp28_high
156 This profile contains configurations that align to ANSSI-BP-028
158 at the high hardening level.
159 ANSSI is the French National Information Security Agency, and
161 stands for Agence nationale de la sécurité des systèmes d'infor‐
162 mation. ANSSI-BP-028 is a configuration recommendation for
163 GNU/Linux systems.
164 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
166 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
167 securite-relatives-a-un-systeme-gnulinux/
168 ANSSI-BP-028 (intermediary)
171 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
173 termediary
174 This profile contains configurations that align to ANSSI-BP-028
176 at the intermediary hardening level.
177 ANSSI is the French National Information Security Agency, and
179 stands for Agence nationale de la sécurité des systèmes d'infor‐
180 mation. ANSSI-BP-028 is a configuration recommendation for
181 GNU/Linux systems.
182 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
184 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
185 securite-relatives-a-un-systeme-gnulinux/
186 ANSSI-BP-028 (minimal)
189 Profile ID: xccdf_org.ssgproject.content_pro‐
191 file_anssi_bp28_minimal
192 This profile contains configurations that align to ANSSI-BP-028
194 at the minimal hardening level.
195 ANSSI is the French National Information Security Agency, and
197 stands for Agence nationale de la sécurité des systèmes d'infor‐
198 mation. ANSSI-BP-028 is a configuration recommendation for
199 GNU/Linux systems.
200 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
202 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
203 securite-relatives-a-un-systeme-gnulinux/
204 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
207 Profile ID: xccdf_org.ssgproject.content_profile_cis
209 This is a draft profile based on its RHEL8 version for experi‐
211 mental purposes. It is not based on the CIS benchmark for
212 RHEL9, because this one was not available at time of the re‐
213 lease.
214 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
217 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
219 This is a draft profile based on its RHEL8 version for experi‐
221 mental purposes. It is not based on the CIS benchmark for
222 RHEL9, because this one was not available at time of the re‐
223 lease.
224 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
227 tion
228 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
230 tion_l1
231 This is a draft profile based on its RHEL8 version for experi‐
233 mental purposes. It is not based on the CIS benchmark for
234 RHEL9, because this one was not available at time of the re‐
235 lease.
236 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
239 tion
240 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
242 tion_l2
243 This is a draft profile based on its RHEL8 version for experi‐
245 mental purposes. It is not based on the CIS benchmark for
246 RHEL9, because this one was not available at time of the re‐
247 lease.
248 [DRAFT] Unclassified Information in Non-federal Information Systems and
251 Organizations (NIST 800-171)
252 Profile ID: xccdf_org.ssgproject.content_profile_cui
254 From NIST 800-171, Section 2.2: Security requirements for pro‐
256 tecting the confidentiality of CUI in nonfederal information
257 systems and organizations have a well-defined structure that
258 consists of:
259 (i) a basic security requirements section; (ii) a derived secu‐
261 rity requirements section.
262 The basic security requirements are obtained from FIPS Publica‐
264 tion 200, which provides the high-level and fundamental security
265 requirements for federal information and information systems.
266 The derived security requirements, which supplement the basic
267 security requirements, are taken from the security controls in
268 NIST Special Publication 800-53.
269 This profile configures Red Hat Enterprise Linux 9 to the NIST
271 Special Publication 800-53 controls identified for securing Con‐
272 trolled Unclassified Information (CUI)."
273 Australian Cyber Security Centre (ACSC) Essential Eight
276 Profile ID: xccdf_org.ssgproject.content_profile_e8
278 This profile contains configuration checks for Red Hat Enter‐
280 prise Linux 9 that align to the Australian Cyber Security Centre
281 (ACSC) Essential Eight.
282 A copy of the Essential Eight in Linux Environments guide can be
284 found at the ACSC website:
285 https://www.cyber.gov.au/acsc/view-all-content/publica‐
287 tions/hardening-linux-workstations-and-servers
288 Health Insurance Portability and Accountability Act (HIPAA)
291 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
293 The HIPAA Security Rule establishes U.S. national standards to
295 protect individuals’ electronic personal health information that
296 is created, received, used, or maintained by a covered entity.
297 The Security Rule requires appropriate administrative, physical
298 and technical safeguards to ensure the confidentiality, integ‐
299 rity, and security of electronic protected health information.
300 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
302 Security Rule identified for securing of electronic protected
303 health information. Use of this profile in no way guarantees or
304 makes claims against legal compliance against the HIPAA Security
305 Rule(s).
306 Australian Cyber Security Centre (ACSC) ISM Official
309 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
311 This profile contains configuration checks for Red Hat Enter‐
313 prise Linux 9 that align to the Australian Cyber Security Centre
314 (ACSC) Information Security Manual (ISM) with the applicability
315 marking of OFFICIAL.
316 The ISM uses a risk-based approach to cyber security. This pro‐
318 file provides a guide to aligning Red Hat Enterprise Linux secu‐
319 rity controls with the ISM, which can be used to select controls
320 specific to an organisation's security posture and risk profile.
321 A copy of the ISM can be found at the ACSC website:
323 https://www.cyber.gov.au/ism
325 [DRAFT] Protection Profile for General Purpose Operating Systems
328 Profile ID: xccdf_org.ssgproject.content_profile_ospp
330 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
332 ria Guidance documentation for Target of Evaluation based on
333 Protection Profile for General Purpose Operating Systems (OSPP)
334 version 4.2.1 and Functional Package for SSH version 1.0.
335 Where appropriate, CNSSI 1253 or DoD-specific values are used
337 for configuration, based on Configuration Annex to the OSPP.
338 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
341 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
343 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
345 plied.
346 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
349 Profile ID: xccdf_org.ssgproject.content_profile_stig
351 This is a draft profile based on its RHEL8 version for experi‐
353 mental purposes. It is not based on the DISA STIG for RHEL9,
354 because this one was not available at time of the release.
355 In addition to being applicable to Red Hat Enterprise Linux 9,
357 DISA recognizes this configuration baseline as applicable to the
358 operating system tier of Red Hat technologies that are based on
359 Red Hat Enterprise Linux 9, such as:
360 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
362 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
363 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
364 9 image
365 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
368 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
370 This is a draft profile based on its RHEL8 version for experi‐
372 mental purposes. It is not based on the DISA STIG for RHEL9,
373 because this one was not available at time of the release.
374 In addition to being applicable to Red Hat Enterprise Linux 9,
376 DISA recognizes this configuration baseline as applicable to the
377 operating system tier of Red Hat technologies that are based on
378 Red Hat Enterprise Linux 9, such as:
379 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
381 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
382 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
383 9 image
384 Warning: The installation and use of a Graphical User Interface
386 (GUI) increases your attack vector and decreases your overall
387 security posture. If your Information Systems Security Officer
388 (ISSO) lacks a documented operational requirement for a graphi‐
389 cal user interface, please consider using the standard DISA STIG
390 for Red Hat Enterprise Linux 9 profile.
391
397 Source Datastream: ssg-debian10-ds.xml
398 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
400 files', groupings of security settings that correlate to a known pol‐
401 icy. Available profiles are:
402 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
406 Profile ID: xccdf_org.ssgproject.content_pro‐
408 file_anssi_np_nt28_average
409 This profile contains items for GNU/Linux installations already
411 protected by multiple higher level security stacks.
412 Profile for ANSSI DAT-NT28 High (Enforced) Level
415 Profile ID: xccdf_org.ssgproject.content_pro‐
417 file_anssi_np_nt28_high
418 This profile contains items for GNU/Linux installations storing
420 sensitive informations that can be accessible from unauthenti‐
421 cated or uncontroled networks.
422 Profile for ANSSI DAT-NT28 Minimal Level
425 Profile ID: xccdf_org.ssgproject.content_pro‐
427 file_anssi_np_nt28_minimal
428 This profile contains items to be applied systematically.
430 Profile for ANSSI DAT-NT28 Restrictive Level
433 Profile ID: xccdf_org.ssgproject.content_pro‐
435 file_anssi_np_nt28_restrictive
436 This profile contains items for GNU/Linux installations exposed
438 to unauthenticated flows or multiple sources.
439 Standard System Security Profile for Debian 10
442 Profile ID: xccdf_org.ssgproject.content_profile_standard
444 This profile contains rules to ensure standard security baseline
446 of a Debian 10 system. Regardless of your system's workload all
447 of these checks should pass.
448
454 Source Datastream: ssg-debian11-ds.xml
455 The Guide to the Secure Configuration of Debian 11 is broken into 'pro‐
457 files', groupings of security settings that correlate to a known pol‐
458 icy. Available profiles are:
459 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
463 Profile ID: xccdf_org.ssgproject.content_pro‐
465 file_anssi_np_nt28_average
466 This profile contains items for GNU/Linux installations already
468 protected by multiple higher level security stacks.
469 Profile for ANSSI DAT-NT28 High (Enforced) Level
472 Profile ID: xccdf_org.ssgproject.content_pro‐
474 file_anssi_np_nt28_high
475 This profile contains items for GNU/Linux installations storing
477 sensitive informations that can be accessible from unauthenti‐
478 cated or uncontroled networks.
479 Profile for ANSSI DAT-NT28 Minimal Level
482 Profile ID: xccdf_org.ssgproject.content_pro‐
484 file_anssi_np_nt28_minimal
485 This profile contains items to be applied systematically.
487 Profile for ANSSI DAT-NT28 Restrictive Level
490 Profile ID: xccdf_org.ssgproject.content_pro‐
492 file_anssi_np_nt28_restrictive
493 This profile contains items for GNU/Linux installations exposed
495 to unauthenticated flows or multiple sources.
496 Standard System Security Profile for Debian 11
499 Profile ID: xccdf_org.ssgproject.content_profile_standard
501 This profile contains rules to ensure standard security baseline
503 of a Debian 11 system. Regardless of your system's workload all
504 of these checks should pass.
505
511 Source Datastream: ssg-debian9-ds.xml
512 The Guide to the Secure Configuration of Debian 9 is broken into 'pro‐
514 files', groupings of security settings that correlate to a known pol‐
515 icy. Available profiles are:
516 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
520 Profile ID: xccdf_org.ssgproject.content_pro‐
522 file_anssi_np_nt28_average
523 This profile contains items for GNU/Linux installations already
525 protected by multiple higher level security stacks.
526 Profile for ANSSI DAT-NT28 High (Enforced) Level
529 Profile ID: xccdf_org.ssgproject.content_pro‐
531 file_anssi_np_nt28_high
532 This profile contains items for GNU/Linux installations storing
534 sensitive informations that can be accessible from unauthenti‐
535 cated or uncontroled networks.
536 Profile for ANSSI DAT-NT28 Minimal Level
539 Profile ID: xccdf_org.ssgproject.content_pro‐
541 file_anssi_np_nt28_minimal
542 This profile contains items to be applied systematically.
544 Profile for ANSSI DAT-NT28 Restrictive Level
547 Profile ID: xccdf_org.ssgproject.content_pro‐
549 file_anssi_np_nt28_restrictive
550 This profile contains items for GNU/Linux installations exposed
552 to unauthenticated flows or multiple sources.
553 Standard System Security Profile for Debian 9
556 Profile ID: xccdf_org.ssgproject.content_profile_standard
558 This profile contains rules to ensure standard security baseline
560 of a Debian 9 system. Regardless of your system's workload all
561 of these checks should pass.
562
568 Service
569 Source Datastream: ssg-eks-ds.xml
570 The Guide to the Secure Configuration of Amazon Elastic Kubernetes Ser‐
572 vice is broken into 'profiles', groupings of security settings that
573 correlate to a known policy. Available profiles are:
574 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node
578 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
580 This profile defines a baseline that aligns to the Center for
582 Internet Security® Amazon Elastic Kubernetes Service (EKS)
583 Benchmark™, V1.0.1.
584 This profile includes Center for Internet Security® Amazon Elas‐
586 tic Kubernetes Service (EKS)™ content.
587 This profile is applicable to EKS 1.21 and greater.
589 CIS Amazon Elastic Kubernetes Service Benchmark - Platform
592 Profile ID: xccdf_org.ssgproject.content_profile_cis
594 This profile defines a baseline that aligns to the Center for
596 Internet Security® Amazon Elastic Kubernetes Service (EKS)
597 Benchmark™, V1.0.1.
598 This profile includes Center for Internet Security® Amazon Elas‐
600 tic Kubernetes Service (EKS)™ content.
601 This profile is applicable to EKS 1.21 and greater.
603
609 Source Datastream: ssg-fedora-ds.xml
610 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
612 files', groupings of security settings that correlate to a known pol‐
613 icy. Available profiles are:
614 OSPP - Protection Profile for General Purpose Operating Systems
618 Profile ID: xccdf_org.ssgproject.content_profile_ospp
620 This profile reflects mandatory configuration controls identi‐
622 fied in the NIAP Configuration Annex to the Protection Profile
623 for General Purpose Operating Systems (Protection Profile Ver‐
624 sion 4.2).
625 As Fedora OS is moving target, this profile does not guarantee
627 to provide security levels required from US National Security
628 Systems. Main goal of the profile is to provide Fedora develop‐
629 ers with hardened environment similar to the one mandated by US
630 National Security Systems.
631 PCI-DSS v3.2.1 Control Baseline for Fedora
634 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
636 Ensures PCI-DSS v3.2.1 related security configuration settings
638 are applied.
639 Standard System Security Profile for Fedora
642 Profile ID: xccdf_org.ssgproject.content_profile_standard
644 This profile contains rules to ensure standard security baseline
646 of a Fedora system. Regardless of your system's workload all of
647 these checks should pass.
648
654 Source Datastream: ssg-firefox-ds.xml
655 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
657 files', groupings of security settings that correlate to a known pol‐
658 icy. Available profiles are:
659 Upstream Firefox STIG
663 Profile ID: xccdf_org.ssgproject.content_profile_stig
665 This profile is developed under the DoD consensus model and DISA
667 FSO Vendor STIG process, serving as the upstream development en‐
668 vironment for the Firefox STIG.
669 As a result of the upstream/downstream relationship between the
671 SCAP Security Guide project and the official DISA FSO STIG base‐
672 line, users should expect variance between SSG and DISA FSO con‐
673 tent. For official DISA FSO STIG content, refer to https://pub‐
674 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
675 rity%2Cbrowser-guidance.
676 While this profile is packaged by Red Hat as part of the SCAP
678 Security Guide package, please note that commercial support of
679 this SCAP content is NOT available. This profile is provided as
680 example SCAP content with no endorsement for suitability or pro‐
681 duction readiness. Support for this profile is provided by the
682 upstream SCAP Security Guide community on a best-effort basis.
683 The upstream project homepage is https://www.open-scap.org/secu‐
684 rity-policies/scap-security-guide/.
685
691 Source Datastream: ssg-fuse6-ds.xml
692 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
694 'profiles', groupings of security settings that correlate to a known
695 policy. Available profiles are:
696 STIG for Apache ActiveMQ
700 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
702 This is a *draft* profile for STIG. This profile is being devel‐
704 oped under the DoD consensus model to become a STIG in coordina‐
705 tion with DISA FSO.
706 Standard System Security Profile for JBoss
709 Profile ID: xccdf_org.ssgproject.content_profile_standard
711 This profile contains rules to ensure standard security baseline
713 of JBoss Fuse. Regardless of your system's workload all of these
714 checks should pass.
715 STIG for JBoss Fuse 6
718 Profile ID: xccdf_org.ssgproject.content_profile_stig
720 This is a *draft* profile for STIG. This profile is being devel‐
722 oped under the DoD consensus model to become a STIG in coordina‐
723 tion with DISA FSO.
724
730 Source Datastream: ssg-jre-ds.xml
731 The Guide to the Secure Configuration of Java Runtime Environment is
733 broken into 'profiles', groupings of security settings that correlate
734 to a known policy. Available profiles are:
735 Java Runtime Environment (JRE) STIG
739 Profile ID: xccdf_org.ssgproject.content_profile_stig
741 The Java Runtime Environment (JRE) is a bundle developed and of‐
743 fered by Oracle Corporation which includes the Java Virtual Ma‐
744 chine (JVM), class libraries, and other components necessary to
745 run Java applications and applets. Certain default settings
746 within the JRE pose a security risk so it is necessary to deploy
747 system wide properties to ensure a higher degree of security
748 when utilizing the JRE.
749 The IBM Corporation also develops and bundles the Java Runtime
751 Environment (JRE) as well as Red Hat with OpenJDK.
752
758 Source Datastream: ssg-macos1015-ds.xml
759 The Guide to the Secure Configuration of Apple macOS 10.15 is broken
761 into 'profiles', groupings of security settings that correlate to a
762 known policy. Available profiles are:
763 NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
767 Profile ID: xccdf_org.ssgproject.content_profile_moderate
769 This compliance profile reflects the core set of Moderate-Impact
771 Baseline configuration settings for deployment of Apple macOS
772 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
773 agencies. Development partners and sponsors include the U.S.
774 National Institute of Standards and Technology (NIST), U.S. De‐
775 partment of Defense, and the the National Security Agency.
776 This baseline implements configuration requirements from the
778 following sources:
779 - NIST 800-53 control selections for Moderate-Impact systems
781 (NIST 800-53)
782 For any differing configuration requirements, e.g. password
784 lengths, the stricter security setting was chosen. Security Re‐
785 quirement Traceability Guides (RTMs) and sample System Security
786 Configuration Guides are provided via the scap-security-guide-
787 docs package.
788 This profile reflects U.S. Government consensus content and is
790 developed through the ComplianceAsCode initiative, championed by
791 the National Security Agency. Except for differences in format‐
792 ting to accommodate publishing processes, this profile mirrors
793 ComplianceAsCode content as minor divergences, such as bugfixes,
794 work through the consensus and release processes.
795
801 Platform 4
802 Source Datastream: ssg-ocp4-ds.xml
803 The Guide to the Secure Configuration of Red Hat OpenShift Container
805 Platform 4 is broken into 'profiles', groupings of security settings
806 that correlate to a known policy. Available profiles are:
807 CIS Red Hat OpenShift Container Platform 4 Benchmark
811 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
813 This profile defines a baseline that aligns to the Center for
815 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
816 mark™, V1.1.
817 This profile includes Center for Internet Security® Red Hat
819 OpenShift Container Platform 4 CIS Benchmarks™ content.
820 Note that this part of the profile is meant to run on the Oper‐
822 ating System that Red Hat OpenShift Container Platform 4 runs on
823 top of.
824 This profile is applicable to OpenShift versions 4.6 and
826 greater.
827 CIS Red Hat OpenShift Container Platform 4 Benchmark
830 Profile ID: xccdf_org.ssgproject.content_profile_cis
832 This profile defines a baseline that aligns to the Center for
834 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
835 mark™, V1.1.
836 This profile includes Center for Internet Security® Red Hat
838 OpenShift Container Platform 4 CIS Benchmarks™ content.
839 Note that this part of the profile is meant to run on the Plat‐
841 form that Red Hat OpenShift Container Platform 4 runs on top of.
842 This profile is applicable to OpenShift versions 4.6 and
844 greater.
845 Australian Cyber Security Centre (ACSC) Essential Eight
848 Profile ID: xccdf_org.ssgproject.content_profile_e8
850 This profile contains configuration checks for Red Hat OpenShift
852 Container Platform that align to the Australian Cyber Security
853 Centre (ACSC) Essential Eight.
854 A copy of the Essential Eight in Linux Environments guide can be
856 found at the ACSC website:
857 https://www.cyber.gov.au/acsc/view-all-content/publica‐
859 tions/hardening-linux-workstations-and-servers
860 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
863 Profile ID: xccdf_org.ssgproject.content_profile_high-node
865 This compliance profile reflects the core set of High-Impact
867 Baseline configuration settings for deployment of Red Hat Open‐
868 Shift Container Platform into U.S. Defense, Intelligence, and
869 Civilian agencies. Development partners and sponsors include
870 the U.S. National Institute of Standards and Technology (NIST),
871 U.S. Department of Defense, the National Security Agency, and
872 Red Hat.
873 This baseline implements configuration requirements from the
875 following sources:
876 - NIST 800-53 control selections for High-Impact systems (NIST
878 800-53)
879 For any differing configuration requirements, e.g. password
881 lengths, the stricter security setting was chosen. Security Re‐
882 quirement Traceability Guides (RTMs) and sample System Security
883 Configuration Guides are provided via the scap-security-guide-
884 docs package.
885 This profile reflects U.S. Government consensus content and is
887 developed through the ComplianceAsCode initiative, championed by
888 the National Security Agency. Except for differences in format‐
889 ting to accommodate publishing processes, this profile mirrors
890 ComplianceAsCode content as minor divergences, such as bugfixes,
891 work through the consensus and release processes.
892 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
895 Profile ID: xccdf_org.ssgproject.content_profile_high
897 This compliance profile reflects the core set of High-Impact
899 Baseline configuration settings for deployment of Red Hat Open‐
900 Shift Container Platform into U.S. Defense, Intelligence, and
901 Civilian agencies. Development partners and sponsors include
902 the U.S. National Institute of Standards and Technology (NIST),
903 U.S. Department of Defense, the National Security Agency, and
904 Red Hat.
905 This baseline implements configuration requirements from the
907 following sources:
908 - NIST 800-53 control selections for High-Impact systems (NIST
910 800-53)
911 For any differing configuration requirements, e.g. password
913 lengths, the stricter security setting was chosen. Security Re‐
914 quirement Traceability Guides (RTMs) and sample System Security
915 Configuration Guides are provided via the scap-security-guide-
916 docs package.
917 This profile reflects U.S. Government consensus content and is
919 developed through the ComplianceAsCode initiative, championed by
920 the National Security Agency. Except for differences in format‐
921 ting to accommodate publishing processes, this profile mirrors
922 ComplianceAsCode content as minor divergences, such as bugfixes,
923 work through the consensus and release processes.
924 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
927 Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
929 This compliance profile reflects the core set of Moderate-Impact
931 Baseline configuration settings for deployment of Red Hat Open‐
932 Shift Container Platform into U.S. Defense, Intelligence, and
933 Civilian agencies. Development partners and sponsors include
934 the U.S. National Institute of Standards and Technology (NIST),
935 U.S. Department of Defense, the National Security Agency, and
936 Red Hat.
937 This baseline implements configuration requirements from the
939 following sources:
940 - NIST 800-53 control selections for Moderate-Impact systems
942 (NIST 800-53)
943 For any differing configuration requirements, e.g. password
945 lengths, the stricter security setting was chosen. Security Re‐
946 quirement Traceability Guides (RTMs) and sample System Security
947 Configuration Guides are provided via the scap-security-guide-
948 docs package.
949 This profile reflects U.S. Government consensus content and is
951 developed through the ComplianceAsCode initiative, championed by
952 the National Security Agency. Except for differences in format‐
953 ting to accommodate publishing processes, this profile mirrors
954 ComplianceAsCode content as minor divergences, such as bugfixes,
955 work through the consensus and release processes.
956 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
959 level
960 Profile ID: xccdf_org.ssgproject.content_profile_moderate
962 This compliance profile reflects the core set of Moderate-Impact
964 Baseline configuration settings for deployment of Red Hat Open‐
965 Shift Container Platform into U.S. Defense, Intelligence, and
966 Civilian agencies. Development partners and sponsors include
967 the U.S. National Institute of Standards and Technology (NIST),
968 U.S. Department of Defense, the National Security Agency, and
969 Red Hat.
970 This baseline implements configuration requirements from the
972 following sources:
973 - NIST 800-53 control selections for Moderate-Impact systems
975 (NIST 800-53)
976 For any differing configuration requirements, e.g. password
978 lengths, the stricter security setting was chosen. Security Re‐
979 quirement Traceability Guides (RTMs) and sample System Security
980 Configuration Guides are provided via the scap-security-guide-
981 docs package.
982 This profile reflects U.S. Government consensus content and is
984 developed through the ComplianceAsCode initiative, championed by
985 the National Security Agency. Except for differences in format‐
986 ting to accommodate publishing processes, this profile mirrors
987 ComplianceAsCode content as minor divergences, such as bugfixes,
988 work through the consensus and release processes.
989 North American Electric Reliability Corporation (NERC) Critical Infra‐
992 structure Protection (CIP) cybersecurity standards profile for the Red
993 Hat OpenShift Container Platform - Node level
994 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node
996 This compliance profile reflects a set of security recommenda‐
998 tions for the usage of Red Hat OpenShift Container Platform in
999 critical infrastructure in the energy sector. This follows the
1000 recommendations coming from the following CIP standards:
1001 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1003 CIP-007-6 - CIP-009-6
1004 North American Electric Reliability Corporation (NERC) Critical Infra‐
1007 structure Protection (CIP) cybersecurity standards profile for the Red
1008 Hat OpenShift Container Platform - Platform level
1009 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
1011 This compliance profile reflects a set of security recommenda‐
1013 tions for the usage of Red Hat OpenShift Container Platform in
1014 critical infrastructure in the energy sector. This follows the
1015 recommendations coming from the following CIP standards:
1016 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1018 CIP-007-6 - CIP-009-6
1019 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1022 form 4
1023 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node
1025 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1027 plied.
1028 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1031 form 4
1032 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1034 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1036 plied.
1037
1043 Source Datastream: ssg-ol7-ds.xml
1044 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
1046 'profiles', groupings of security settings that correlate to a known
1047 policy. Available profiles are:
1048 ANSSI-BP-028 (enhanced)
1052 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1054 hanced
1055 This profile contains configurations that align to ANSSI-BP-028
1057 at the enhanced hardening level.
1058 ANSSI is the French National Information Security Agency, and
1060 stands for Agence nationale de la sécurité des systèmes d'infor‐
1061 mation. ANSSI-BP-028 is a configuration recommendation for
1062 GNU/Linux systems.
1063 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1065 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1066 securite-relatives-a-un-systeme-gnulinux/
1067 DRAFT - ANSSI-BP-028 (high)
1070 Profile ID: xccdf_org.ssgproject.content_pro‐
1072 file_anssi_nt28_high
1073 This profile contains configurations that align to ANSSI-BP-028
1075 at the high hardening level.
1076 ANSSI is the French National Information Security Agency, and
1078 stands for Agence nationale de la sécurité des systèmes d'infor‐
1079 mation. ANSSI-BP-028 is a configuration recommendation for
1080 GNU/Linux systems.
1081 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1083 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1084 securite-relatives-a-un-systeme-gnulinux/
1085 ANSSI-BP-028 (intermediary)
1088 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1090 termediary
1091 This profile contains configurations that align to ANSSI-BP-028
1093 at the intermediary hardening level.
1094 ANSSI is the French National Information Security Agency, and
1096 stands for Agence nationale de la sécurité des systèmes d'infor‐
1097 mation. ANSSI-BP-028 is a configuration recommendation for
1098 GNU/Linux systems.
1099 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1101 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1102 securite-relatives-a-un-systeme-gnulinux/
1103 ANSSI-BP-028 (minimal)
1106 Profile ID: xccdf_org.ssgproject.content_pro‐
1108 file_anssi_nt28_minimal
1109 This profile contains configurations that align to ANSSI-BP-028
1111 at the minimal hardening level.
1112 ANSSI is the French National Information Security Agency, and
1114 stands for Agence nationale de la sécurité des systèmes d'infor‐
1115 mation. ANSSI-BP-028 is a configuration recommendation for
1116 GNU/Linux systems.
1117 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1119 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1120 securite-relatives-a-un-systeme-gnulinux/
1121 Criminal Justice Information Services (CJIS) Security Policy
1124 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1126 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1128 copy of this policy can be found at the CJIS Security Policy Re‐
1129 source Center:
1130 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1132 center
1133 Unclassified Information in Non-federal Information Systems and Organi‐
1136 zations (NIST 800-171)
1137 Profile ID: xccdf_org.ssgproject.content_profile_cui
1139 From NIST 800-171, Section 2.2: Security requirements for pro‐
1141 tecting the confidentiality of CUI in non-federal information
1142 systems and organizations have a well-defined structure that
1143 consists of:
1144 (i) a basic security requirements section; (ii) a derived secu‐
1146 rity requirements section.
1147 The basic security requirements are obtained from FIPS Publica‐
1149 tion 200, which provides the high-level and fundamental security
1150 requirements for federal information and information systems.
1151 The derived security requirements, which supplement the basic
1152 security requirements, are taken from the security controls in
1153 NIST Special Publication 800-53.
1154 This profile configures Oracle Linux 7 to the NIST Special Pub‐
1156 lication 800-53 controls identified for securing Controlled Un‐
1157 classified Information (CUI).
1158 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
1161 Profile ID: xccdf_org.ssgproject.content_profile_e8
1163 This profile contains configuration checks for Oracle Linux 7
1165 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1166 tial Eight.
1167 A copy of the Essential Eight in Linux Environments guide can be
1169 found at the ACSC website:
1170 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1172 tions/hardening-linux-workstations-and-servers
1173 Health Insurance Portability and Accountability Act (HIPAA)
1176 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1178 The HIPAA Security Rule establishes U.S. national standards to
1180 protect individuals’ electronic personal health information that
1181 is created, received, used, or maintained by a covered entity.
1182 The Security Rule requires appropriate administrative, physical
1183 and technical safeguards to ensure the confidentiality, integ‐
1184 rity, and security of electronic protected health information.
1185 This profile configures Oracle Linux 7 to the HIPAA Security
1187 Rule identified for securing of electronic protected health in‐
1188 formation. Use of this profile in no way guarantees or makes
1189 claims against legal compliance against the HIPAA Security
1190 Rule(s).
1191 [DRAFT] Protection Profile for General Purpose Operating Systems
1194 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1196 This profile reflects mandatory configuration controls identi‐
1198 fied in the NIAP Configuration Annex to the Protection Profile
1199 for General Purpose Operating Systems (Protection Profile Ver‐
1200 sion 4.2.1).
1201 This configuration profile is consistent with CNSSI-1253, which
1203 requires U.S. National Security Systems to adhere to certain
1204 configuration parameters. Accordingly, this configuration pro‐
1205 file is suitable for use in U.S. National Security Systems.
1206 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
1209 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1211 Ensures PCI-DSS v3.2.1 related security configuration settings
1213 are applied.
1214 Security Profile of Oracle Linux 7 for SAP
1217 Profile ID: xccdf_org.ssgproject.content_profile_sap
1219 This profile contains rules for Oracle Linux 7 Operating System
1221 in compliance with SAP note 2069760 and SAP Security Baseline
1222 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
1223 of your system's workload all of these checks should pass.
1224 Standard System Security Profile for Oracle Linux 7
1227 Profile ID: xccdf_org.ssgproject.content_profile_standard
1229 This profile contains rules to ensure standard security baseline
1231 of Oracle Linux 7 system. Regardless of your system's workload
1232 all of these checks should pass.
1233 DISA STIG for Oracle Linux 7
1236 Profile ID: xccdf_org.ssgproject.content_profile_stig
1238 This profile contains configuration checks that align to the
1240 DISA STIG for Oracle Linux V2R7.
1241 DISA STIG with GUI for Oracle Linux 7
1244 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1246 This profile contains configuration checks that align to the
1248 DISA STIG with GUI for Oracle Linux V2R6.
1249 Warning: The installation and use of a Graphical User Interface
1251 (GUI) increases your attack vector and decreases your overall
1252 security posture. If your Information Systems Security Officer
1253 (ISSO) lacks a documented operational requirement for a graphi‐
1254 cal user interface, please consider using the standard DISA STIG
1255 for Oracle Linux 7 profile.
1256
1262 Source Datastream: ssg-ol8-ds.xml
1263 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
1265 'profiles', groupings of security settings that correlate to a known
1266 policy. Available profiles are:
1267 ANSSI-BP-028 (enhanced)
1271 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1273 hanced
1274 This profile contains configurations that align to ANSSI-BP-028
1276 v1.2 at the enhanced hardening level.
1277 ANSSI is the French National Information Security Agency, and
1279 stands for Agence nationale de la sécurité des systèmes d'infor‐
1280 mation. ANSSI-BP-028 is a configuration recommendation for
1281 GNU/Linux systems.
1282 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1284 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1285 securite-relatives-a-un-systeme-gnulinux/
1286 ANSSI-BP-028 (high)
1289 Profile ID: xccdf_org.ssgproject.content_pro‐
1291 file_anssi_bp28_high
1292 This profile contains configurations that align to ANSSI-BP-028
1294 v1.2 at the high hardening level.
1295 ANSSI is the French National Information Security Agency, and
1297 stands for Agence nationale de la sécurité des systèmes d'infor‐
1298 mation. ANSSI-BP-028 is a configuration recommendation for
1299 GNU/Linux systems.
1300 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1302 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1303 securite-relatives-a-un-systeme-gnulinux/
1304 ANSSI-BP-028 (intermediary)
1307 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1309 termediary
1310 This profile contains configurations that align to ANSSI-BP-028
1312 v1.2 at the intermediary hardening level.
1313 ANSSI is the French National Information Security Agency, and
1315 stands for Agence nationale de la sécurité des systèmes d'infor‐
1316 mation. ANSSI-BP-028 is a configuration recommendation for
1317 GNU/Linux systems.
1318 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1320 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1321 securite-relatives-a-un-systeme-gnulinux/
1322 ANSSI-BP-028 (minimal)
1325 Profile ID: xccdf_org.ssgproject.content_pro‐
1327 file_anssi_bp28_minimal
1328 This profile contains configurations that align to ANSSI-BP-028
1330 v1.2 at the minimal hardening level.
1331 ANSSI is the French National Information Security Agency, and
1333 stands for Agence nationale de la sécurité des systèmes d'infor‐
1334 mation. ANSSI-BP-028 is a configuration recommendation for
1335 GNU/Linux systems.
1336 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1338 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1339 securite-relatives-a-un-systeme-gnulinux/
1340 Criminal Justice Information Services (CJIS) Security Policy
1343 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1345 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1347 copy of this policy can be found at the CJIS Security Policy Re‐
1348 source Center:
1349 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1351 center
1352 Unclassified Information in Non-federal Information Systems and Organi‐
1355 zations (NIST 800-171)
1356 Profile ID: xccdf_org.ssgproject.content_profile_cui
1358 From NIST 800-171, Section 2.2: Security requirements for pro‐
1360 tecting the confidentiality of CUI in non-federal information
1361 systems and organizations have a well-defined structure that
1362 consists of:
1363 (i) a basic security requirements section; (ii) a derived secu‐
1365 rity requirements section.
1366 The basic security requirements are obtained from FIPS Publica‐
1368 tion 200, which provides the high-level and fundamental security
1369 requirements for federal information and information systems.
1370 The derived security requirements, which supplement the basic
1371 security requirements, are taken from the security controls in
1372 NIST Special Publication 800-53.
1373 This profile configures Oracle Linux 8 to the NIST Special Pub‐
1375 lication 800-53 controls identified for securing Controlled Un‐
1376 classified Information (CUI).
1377 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
1380 Profile ID: xccdf_org.ssgproject.content_profile_e8
1382 This profile contains configuration checks for Oracle Linux 8
1384 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1385 tial Eight.
1386 A copy of the Essential Eight in Linux Environments guide can be
1388 found at the ACSC website:
1389 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1391 tions/hardening-linux-workstations-and-servers
1392 Health Insurance Portability and Accountability Act (HIPAA)
1395 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1397 The HIPAA Security Rule establishes U.S. national standards to
1399 protect individuals’ electronic personal health information that
1400 is created, received, used, or maintained by a covered entity.
1401 The Security Rule requires appropriate administrative, physical
1402 and technical safeguards to ensure the confidentiality, integ‐
1403 rity, and security of electronic protected health information.
1404 This profile configures Oracle Linux 8 to the HIPAA Security
1406 Rule identified for securing of electronic protected health in‐
1407 formation. Use of this profile in no way guarantees or makes
1408 claims against legal compliance against the HIPAA Security
1409 Rule(s).
1410 [DRAFT] Protection Profile for General Purpose Operating Systems
1413 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1415 This profile reflects mandatory configuration controls identi‐
1417 fied in the NIAP Configuration Annex to the Protection Profile
1418 for General Purpose Operating Systems (Protection Profile Ver‐
1419 sion 4.2.1).
1420 This configuration profile is consistent with CNSSI-1253, which
1422 requires U.S. National Security Systems to adhere to certain
1423 configuration parameters. Accordingly, this configuration pro‐
1424 file is suitable for use in U.S. National Security Systems.
1425 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
1428 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1430 Ensures PCI-DSS v3.2.1 related security configuration settings
1432 are applied.
1433 Standard System Security Profile for Oracle Linux 8
1436 Profile ID: xccdf_org.ssgproject.content_profile_standard
1438 This profile contains rules to ensure standard security baseline
1440 of Oracle Linux 8 system. Regardless of your system's workload
1441 all of these checks should pass.
1442 DISA STIG for Oracle Linux 8
1445 Profile ID: xccdf_org.ssgproject.content_profile_stig
1447 This profile contains configuration checks that align to the
1449 DISA STIG for Oracle Linux 8 V1R1.
1450 DISA STIG with GUI for Oracle Linux 8
1453 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1455 This profile contains configuration checks that align to the
1457 DISA STIG with GUI for Oracle Linux V1R1.
1458 Warning: The installation and use of a Graphical User Interface
1460 (GUI) increases your attack vector and decreases your overall
1461 security posture. If your Information Systems Security Officer
1462 (ISSO) lacks a documented operational requirement for a graphi‐
1463 cal user interface, please consider using the standard DISA STIG
1464 for Oracle Linux 8 profile.
1465
1471 Source Datastream: ssg-ol9-ds.xml
1472 The Guide to the Secure Configuration of Oracle Linux 9 is broken into
1474 'profiles', groupings of security settings that correlate to a known
1475 policy. Available profiles are:
1476 Standard System Security Profile for Oracle Linux 9
1480 Profile ID: xccdf_org.ssgproject.content_profile_standard
1482 This profile contains rules to ensure standard security baseline
1484 of Oracle Linux 9 system. Regardless of your system's workload
1485 all of these checks should pass.
1486
1492 Source Datastream: ssg-opensuse-ds.xml
1493 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
1495 files', groupings of security settings that correlate to a known pol‐
1496 icy. Available profiles are:
1497 Standard System Security Profile for openSUSE
1501 Profile ID: xccdf_org.ssgproject.content_profile_standard
1503 This profile contains rules to ensure standard security baseline
1505 of an openSUSE system. Regardless of your system's workload all
1506 of these checks should pass.
1507
1513 CoreOS 4
1514 Source Datastream: ssg-rhcos4-ds.xml
1515 The Guide to the Secure Configuration of Red Hat Enterprise Linux
1517 CoreOS 4 is broken into 'profiles', groupings of security settings that
1518 correlate to a known policy. Available profiles are:
1519 DRAFT - ANSSI-BP-028 (enhanced)
1523 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1525 hanced
1526 This profile contains configurations that align to ANSSI-BP-028
1528 at the enhanced hardening level.
1529 ANSSI is the French National Information Security Agency, and
1531 stands for Agence nationale de la sécurité des systèmes d'infor‐
1532 mation. ANSSI-BP-028 is a configuration recommendation for
1533 GNU/Linux systems.
1534 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1536 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1537 securite-relatives-a-un-systeme-gnulinux/
1538 DRAFT - ANSSI-BP-028 (high)
1541 Profile ID: xccdf_org.ssgproject.content_pro‐
1543 file_anssi_bp28_high
1544 This profile contains configurations that align to ANSSI-BP-028
1546 at the high hardening level.
1547 ANSSI is the French National Information Security Agency, and
1549 stands for Agence nationale de la sécurité des systèmes d'infor‐
1550 mation. ANSSI-BP-028 is a configuration recommendation for
1551 GNU/Linux systems.
1552 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1554 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1555 securite-relatives-a-un-systeme-gnulinux/
1556 DRAFT - ANSSI-BP-028 (intermediary)
1559 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1561 termediary
1562 This profile contains configurations that align to ANSSI-BP-028
1564 at the intermediary hardening level.
1565 ANSSI is the French National Information Security Agency, and
1567 stands for Agence nationale de la sécurité des systèmes d'infor‐
1568 mation. ANSSI-BP-028 is a configuration recommendation for
1569 GNU/Linux systems.
1570 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1572 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1573 securite-relatives-a-un-systeme-gnulinux/
1574 DRAFT - ANSSI-BP-028 (minimal)
1577 Profile ID: xccdf_org.ssgproject.content_pro‐
1579 file_anssi_bp28_minimal
1580 This profile contains configurations that align to ANSSI-BP-028
1582 at the minimal hardening level.
1583 ANSSI is the French National Information Security Agency, and
1585 stands for Agence nationale de la sécurité des systèmes d'infor‐
1586 mation. ANSSI-BP-028 is a configuration recommendation for
1587 GNU/Linux systems.
1588 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1590 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1591 securite-relatives-a-un-systeme-gnulinux/
1592 Australian Cyber Security Centre (ACSC) Essential Eight
1595 Profile ID: xccdf_org.ssgproject.content_profile_e8
1597 This profile contains configuration checks for Red Hat Enter‐
1599 prise Linux CoreOS that align to the Australian Cyber Security
1600 Centre (ACSC) Essential Eight.
1601 A copy of the Essential Eight in Linux Environments guide can be
1603 found at the ACSC website:
1604 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1606 tions/hardening-linux-workstations-and-servers
1607 NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
1610 Profile ID: xccdf_org.ssgproject.content_profile_high
1612 This compliance profile reflects the core set of High-Impact
1614 Baseline configuration settings for deployment of Red Hat Enter‐
1615 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1616 agencies. Development partners and sponsors include the U.S.
1617 National Institute of Standards and Technology (NIST), U.S. De‐
1618 partment of Defense, the National Security Agency, and Red Hat.
1619 This baseline implements configuration requirements from the
1621 following sources:
1622 - NIST 800-53 control selections for High-Impact systems (NIST
1624 800-53)
1625 For any differing configuration requirements, e.g. password
1627 lengths, the stricter security setting was chosen. Security Re‐
1628 quirement Traceability Guides (RTMs) and sample System Security
1629 Configuration Guides are provided via the scap-security-guide-
1630 docs package.
1631 This profile reflects U.S. Government consensus content and is
1633 developed through the ComplianceAsCode initiative, championed by
1634 the National Security Agency. Except for differences in format‐
1635 ting to accommodate publishing processes, this profile mirrors
1636 ComplianceAsCode content as minor divergences, such as bugfixes,
1637 work through the consensus and release processes.
1638 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
1641 CoreOS
1642 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1644 This compliance profile reflects the core set of Moderate-Impact
1646 Baseline configuration settings for deployment of Red Hat Enter‐
1647 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
1648 agencies. Development partners and sponsors include the U.S.
1649 National Institute of Standards and Technology (NIST), U.S. De‐
1650 partment of Defense, the National Security Agency, and Red Hat.
1651 This baseline implements configuration requirements from the
1653 following sources:
1654 - NIST 800-53 control selections for Moderate-Impact systems
1656 (NIST 800-53)
1657 For any differing configuration requirements, e.g. password
1659 lengths, the stricter security setting was chosen. Security Re‐
1660 quirement Traceability Guides (RTMs) and sample System Security
1661 Configuration Guides are provided via the scap-security-guide-
1662 docs package.
1663 This profile reflects U.S. Government consensus content and is
1665 developed through the ComplianceAsCode initiative, championed by
1666 the National Security Agency. Except for differences in format‐
1667 ting to accommodate publishing processes, this profile mirrors
1668 ComplianceAsCode content as minor divergences, such as bugfixes,
1669 work through the consensus and release processes.
1670 North American Electric Reliability Corporation (NERC) Critical Infra‐
1673 structure Protection (CIP) cybersecurity standards profile for Red Hat
1674 Enterprise Linux CoreOS
1675 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
1677 This compliance profile reflects a set of security recommenda‐
1679 tions for the usage of Red Hat Enterprise Linux CoreOS in criti‐
1680 cal infrastructure in the energy sector. This follows the recom‐
1681 mendations coming from the following CIP standards:
1682 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1684 CIP-007-6 - CIP-009-6
1685 Protection Profile for General Purpose Operating Systems
1688 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1690 This profile reflects mandatory configuration controls identi‐
1692 fied in the NIAP Configuration Annex to the Protection Profile
1693 for General Purpose Operating Systems (Protection Profile Ver‐
1694 sion 4.2.1).
1695 This configuration profile is consistent with CNSSI-1253, which
1697 requires U.S. National Security Systems to adhere to certain
1698 configuration parameters. Accordingly, this configuration pro‐
1699 file is suitable for use in U.S. National Security Systems.
1700
1706 Source Datastream: ssg-rhel7-ds.xml
1707 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1709 broken into 'profiles', groupings of security settings that correlate
1710 to a known policy. Available profiles are:
1711 C2S for Red Hat Enterprise Linux 7
1715 Profile ID: xccdf_org.ssgproject.content_profile_C2S
1717 This profile demonstrates compliance against the U.S. Government
1719 Commercial Cloud Services (C2S) baseline.
1720 This baseline was inspired by the Center for Internet Security
1722 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
1723 For the SCAP Security Guide project to remain in compliance with
1725 CIS' terms and conditions, specifically Restrictions(8), note
1726 there is no representation or claim that the C2S profile will
1727 ensure a system is in compliance or consistency with the CIS
1728 baseline.
1729 ANSSI-BP-028 (enhanced)
1732 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1734 hanced
1735 This profile contains configurations that align to ANSSI-BP-028
1737 v1.2 at the enhanced hardening level.
1738 ANSSI is the French National Information Security Agency, and
1740 stands for Agence nationale de la sécurité des systèmes d'infor‐
1741 mation. ANSSI-BP-028 is a configuration recommendation for
1742 GNU/Linux systems.
1743 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1745 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1746 securite-relatives-a-un-systeme-gnulinux/
1747 ANSSI-BP-028 (high)
1750 Profile ID: xccdf_org.ssgproject.content_pro‐
1752 file_anssi_nt28_high
1753 This profile contains configurations that align to ANSSI-BP-028
1755 v1.2 at the high hardening level.
1756 ANSSI is the French National Information Security Agency, and
1758 stands for Agence nationale de la sécurité des systèmes d'infor‐
1759 mation. ANSSI-BP-028 is a configuration recommendation for
1760 GNU/Linux systems.
1761 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1763 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1764 securite-relatives-a-un-systeme-gnulinux/
1765 ANSSI-BP-028 (intermediary)
1768 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1770 termediary
1771 This profile contains configurations that align to ANSSI-BP-028
1773 v1.2 at the intermediary hardening level.
1774 ANSSI is the French National Information Security Agency, and
1776 stands for Agence nationale de la sécurité des systèmes d'infor‐
1777 mation. ANSSI-BP-028 is a configuration recommendation for
1778 GNU/Linux systems.
1779 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1781 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1782 securite-relatives-a-un-systeme-gnulinux/
1783 ANSSI-BP-028 (minimal)
1786 Profile ID: xccdf_org.ssgproject.content_pro‐
1788 file_anssi_nt28_minimal
1789 This profile contains configurations that align to ANSSI-BP-028
1791 v1.2 at the minimal hardening level.
1792 ANSSI is the French National Information Security Agency, and
1794 stands for Agence nationale de la sécurité des systèmes d'infor‐
1795 mation. ANSSI-BP-028 is a configuration recommendation for
1796 GNU/Linux systems.
1797 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1799 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1800 securite-relatives-a-un-systeme-gnulinux/
1801 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
1804 Profile ID: xccdf_org.ssgproject.content_profile_cis
1806 This profile defines a baseline that aligns to the "Level 2 -
1808 Server" configuration from the Center for Internet Security® Red
1809 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1810 This profile includes Center for Internet Security® Red Hat En‐
1812 terprise Linux 7 CIS Benchmarks™ content.
1813 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
1816 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
1818 This profile defines a baseline that aligns to the "Level 1 -
1820 Server" configuration from the Center for Internet Security® Red
1821 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
1822 This profile includes Center for Internet Security® Red Hat En‐
1824 terprise Linux 7 CIS Benchmarks™ content.
1825 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
1828 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1830 tion_l1
1831 This profile defines a baseline that aligns to the "Level 1 -
1833 Workstation" configuration from the Center for Internet Secu‐
1834 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1835 05-21-2021.
1836 This profile includes Center for Internet Security® Red Hat En‐
1838 terprise Linux 7 CIS Benchmarks™ content.
1839 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
1842 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
1844 tion_l2
1845 This profile defines a baseline that aligns to the "Level 2 -
1847 Workstation" configuration from the Center for Internet Secu‐
1848 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
1849 05-21-2021.
1850 This profile includes Center for Internet Security® Red Hat En‐
1852 terprise Linux 7 CIS Benchmarks™ content.
1853 Criminal Justice Information Services (CJIS) Security Policy
1856 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1858 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1860 copy of this policy can be found at the CJIS Security Policy Re‐
1861 source Center:
1862 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1864 center
1865 Unclassified Information in Non-federal Information Systems and Organi‐
1868 zations (NIST 800-171)
1869 Profile ID: xccdf_org.ssgproject.content_profile_cui
1871 From NIST 800-171, Section 2.2: Security requirements for pro‐
1873 tecting the confidentiality of CUI in non-federal information
1874 systems and organizations have a well-defined structure that
1875 consists of:
1876 (i) a basic security requirements section; (ii) a derived secu‐
1878 rity requirements section.
1879 The basic security requirements are obtained from FIPS Publica‐
1881 tion 200, which provides the high-level and fundamental security
1882 requirements for federal information and information systems.
1883 The derived security requirements, which supplement the basic
1884 security requirements, are taken from the security controls in
1885 NIST Special Publication 800-53.
1886 This profile configures Red Hat Enterprise Linux 7 to the NIST
1888 Special Publication 800-53 controls identified for securing Con‐
1889 trolled Unclassified Information (CUI).
1890 Australian Cyber Security Centre (ACSC) Essential Eight
1893 Profile ID: xccdf_org.ssgproject.content_profile_e8
1895 This profile contains configuration checks for Red Hat Enter‐
1897 prise Linux 7 that align to the Australian Cyber Security Centre
1898 (ACSC) Essential Eight.
1899 A copy of the Essential Eight in Linux Environments guide can be
1901 found at the ACSC website:
1902 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1904 tions/hardening-linux-workstations-and-servers
1905 Health Insurance Portability and Accountability Act (HIPAA)
1908 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1910 The HIPAA Security Rule establishes U.S. national standards to
1912 protect individuals’ electronic personal health information that
1913 is created, received, used, or maintained by a covered entity.
1914 The Security Rule requires appropriate administrative, physical
1915 and technical safeguards to ensure the confidentiality, integ‐
1916 rity, and security of electronic protected health information.
1917 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
1919 Security Rule identified for securing of electronic protected
1920 health information. Use of this profile in no way guarantees or
1921 makes claims against legal compliance against the HIPAA Security
1922 Rule(s).
1923 NIST National Checklist Program Security Guide
1926 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1928 This compliance profile reflects the core set of security re‐
1930 lated configuration settings for deployment of Red Hat Enter‐
1931 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
1932 agencies. Development partners and sponsors include the U.S.
1933 National Institute of Standards and Technology (NIST), U.S. De‐
1934 partment of Defense, the National Security Agency, and Red Hat.
1935 This baseline implements configuration requirements from the
1937 following sources:
1938 - Committee on National Security Systems Instruction No. 1253
1940 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1941 800-171) - NIST 800-53 control selections for MODERATE impact
1942 systems (NIST 800-53) - U.S. Government Configuration Baseline
1943 (USGCB) - NIAP Protection Profile for General Purpose Operating
1944 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1945 Requirements Guide (OS SRG)
1946 For any differing configuration requirements, e.g. password
1948 lengths, the stricter security setting was chosen. Security Re‐
1949 quirement Traceability Guides (RTMs) and sample System Security
1950 Configuration Guides are provided via the scap-security-guide-
1951 docs package.
1952 This profile reflects U.S. Government consensus content and is
1954 developed through the OpenSCAP/SCAP Security Guide initiative,
1955 championed by the National Security Agency. Except for differ‐
1956 ences in formatting to accommodate publishing processes, this
1957 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1958 divergences, such as bugfixes, work through the consensus and
1959 release processes.
1960 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
1963 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1965 This profile reflects mandatory configuration controls identi‐
1967 fied in the NIAP Configuration Annex to the Protection Profile
1968 for General Purpose Operating Systems (Protection Profile Ver‐
1969 sion 4.2.1).
1970 This configuration profile is consistent with CNSSI-1253, which
1972 requires U.S. National Security Systems to adhere to certain
1973 configuration parameters. Accordingly, this configuration pro‐
1974 file is suitable for use in U.S. National Security Systems.
1975 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1978 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1980 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1982 plied.
1983 RHV hardening based on STIG for Red Hat Enterprise Linux 7
1986 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
1988 This profile contains configuration checks for Red Hat Virtual‐
1990 ization based on the the DISA STIG for Red Hat Enterprise Linux
1991 7.
1992 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1995 ization
1996 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
1998 This compliance profile reflects the core set of security re‐
2000 lated configuration settings for deployment of Red Hat Enter‐
2001 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
2002 gence, and Civilian agencies. Development partners and sponsors
2003 include the U.S. National Institute of Standards and Technology
2004 (NIST), U.S. Department of Defense, the National Security
2005 Agency, and Red Hat.
2006 This baseline implements configuration requirements from the
2008 following sources:
2009 - Committee on National Security Systems Instruction No. 1253
2011 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2012 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2013 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2014 (VPP v1.0)
2015 For any differing configuration requirements, e.g. password
2017 lengths, the stricter security setting was chosen. Security Re‐
2018 quirement Traceability Guides (RTMs) and sample System Security
2019 Configuration Guides are provided via the scap-security-guide-
2020 docs package.
2021 This profile reflects U.S. Government consensus content and is
2023 developed through the ComplianceAsCode project, championed by
2024 the National Security Agency. Except for differences in format‐
2025 ting to accommodate publishing processes, this profile mirrors
2026 ComplianceAsCode content as minor divergences, such as bugfixes,
2027 work through the consensus and release processes.
2028 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
2031 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2033 This profile contains the minimum security relevant configura‐
2035 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2036 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
2037 Standard System Security Profile for Red Hat Enterprise Linux 7
2040 Profile ID: xccdf_org.ssgproject.content_profile_standard
2042 This profile contains rules to ensure standard security baseline
2044 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2045 tem's workload all of these checks should pass.
2046 DISA STIG for Red Hat Enterprise Linux 7
2049 Profile ID: xccdf_org.ssgproject.content_profile_stig
2051 This profile contains configuration checks that align to the
2053 DISA STIG for Red Hat Enterprise Linux V3R7.
2054 In addition to being applicable to Red Hat Enterprise Linux 7,
2056 DISA recognizes this configuration baseline as applicable to the
2057 operating system tier of Red Hat technologies that are based on
2058 Red Hat Enterprise Linux 7, such as:
2059 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2061 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2062 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2063 7 image
2064 DISA STIG with GUI for Red Hat Enterprise Linux 7
2067 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2069 This profile contains configuration checks that align to the
2071 DISA STIG with GUI for Red Hat Enterprise Linux V3R7.
2072 In addition to being applicable to Red Hat Enterprise Linux 7,
2074 DISA recognizes this configuration baseline as applicable to the
2075 operating system tier of Red Hat technologies that are based on
2076 Red Hat Enterprise Linux 7, such as:
2077 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2079 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2080 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2081 7 image
2082 Warning: The installation and use of a Graphical User Interface
2084 (GUI) increases your attack vector and decreases your overall
2085 security posture. If your Information Systems Security Officer
2086 (ISSO) lacks a documented operational requirement for a graphi‐
2087 cal user interface, please consider using the standard DISA STIG
2088 for Red Hat Enterprise Linux 7 profile.
2089
2095 Source Datastream: ssg-rhel8-ds.xml
2096 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
2098 broken into 'profiles', groupings of security settings that correlate
2099 to a known policy. Available profiles are:
2100 ANSSI-BP-028 (enhanced)
2104 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2106 hanced
2107 This profile contains configurations that align to ANSSI-BP-028
2109 v1.2 at the enhanced hardening level.
2110 ANSSI is the French National Information Security Agency, and
2112 stands for Agence nationale de la sécurité des systèmes d'infor‐
2113 mation. ANSSI-BP-028 is a configuration recommendation for
2114 GNU/Linux systems.
2115 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2117 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2118 securite-relatives-a-un-systeme-gnulinux/
2119 ANSSI-BP-028 (high)
2122 Profile ID: xccdf_org.ssgproject.content_pro‐
2124 file_anssi_bp28_high
2125 This profile contains configurations that align to ANSSI-BP-028
2127 v1.2 at the high hardening level.
2128 ANSSI is the French National Information Security Agency, and
2130 stands for Agence nationale de la sécurité des systèmes d'infor‐
2131 mation. ANSSI-BP-028 is a configuration recommendation for
2132 GNU/Linux systems.
2133 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2135 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2136 securite-relatives-a-un-systeme-gnulinux/
2137 ANSSI-BP-028 (intermediary)
2140 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2142 termediary
2143 This profile contains configurations that align to ANSSI-BP-028
2145 v1.2 at the intermediary hardening level.
2146 ANSSI is the French National Information Security Agency, and
2148 stands for Agence nationale de la sécurité des systèmes d'infor‐
2149 mation. ANSSI-BP-028 is a configuration recommendation for
2150 GNU/Linux systems.
2151 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2153 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2154 securite-relatives-a-un-systeme-gnulinux/
2155 ANSSI-BP-028 (minimal)
2158 Profile ID: xccdf_org.ssgproject.content_pro‐
2160 file_anssi_bp28_minimal
2161 This profile contains configurations that align to ANSSI-BP-028
2163 v1.2 at the minimal hardening level.
2164 ANSSI is the French National Information Security Agency, and
2166 stands for Agence nationale de la sécurité des systèmes d'infor‐
2167 mation. ANSSI-BP-028 is a configuration recommendation for
2168 GNU/Linux systems.
2169 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2171 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2172 securite-relatives-a-un-systeme-gnulinux/
2173 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
2176 Profile ID: xccdf_org.ssgproject.content_profile_cis
2178 This profile defines a baseline that aligns to the "Level 2 -
2180 Server" configuration from the Center for Internet Security® Red
2181 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
2182 This profile includes Center for Internet Security® Red Hat En‐
2184 terprise Linux 8 CIS Benchmarks™ content.
2185 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
2188 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2190 This profile defines a baseline that aligns to the "Level 1 -
2192 Server" configuration from the Center for Internet Security® Red
2193 Hat Enterprise Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
2194 This profile includes Center for Internet Security® Red Hat En‐
2196 terprise Linux 8 CIS Benchmarks™ content.
2197 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
2200 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2202 tion_l1
2203 This profile defines a baseline that aligns to the "Level 1 -
2205 Workstation" configuration from the Center for Internet Secu‐
2206 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
2207 2021-05-19.
2208 This profile includes Center for Internet Security® Red Hat En‐
2210 terprise Linux 8 CIS Benchmarks™ content.
2211 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
2214 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2216 tion_l2
2217 This profile defines a baseline that aligns to the "Level 2 -
2219 Workstation" configuration from the Center for Internet Secu‐
2220 rity® Red Hat Enterprise Linux 8 Benchmark™, v1.0.1, released
2221 2021-05-19.
2222 This profile includes Center for Internet Security® Red Hat En‐
2224 terprise Linux 8 CIS Benchmarks™ content.
2225 Criminal Justice Information Services (CJIS) Security Policy
2228 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2230 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2232 copy of this policy can be found at the CJIS Security Policy Re‐
2233 source Center:
2234 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2236 center
2237 Unclassified Information in Non-federal Information Systems and Organi‐
2240 zations (NIST 800-171)
2241 Profile ID: xccdf_org.ssgproject.content_profile_cui
2243 From NIST 800-171, Section 2.2: Security requirements for pro‐
2245 tecting the confidentiality of CUI in nonfederal information
2246 systems and organizations have a well-defined structure that
2247 consists of:
2248 (i) a basic security requirements section; (ii) a derived secu‐
2250 rity requirements section.
2251 The basic security requirements are obtained from FIPS Publica‐
2253 tion 200, which provides the high-level and fundamental security
2254 requirements for federal information and information systems.
2255 The derived security requirements, which supplement the basic
2256 security requirements, are taken from the security controls in
2257 NIST Special Publication 800-53.
2258 This profile configures Red Hat Enterprise Linux 8 to the NIST
2260 Special Publication 800-53 controls identified for securing Con‐
2261 trolled Unclassified Information (CUI)."
2262 Australian Cyber Security Centre (ACSC) Essential Eight
2265 Profile ID: xccdf_org.ssgproject.content_profile_e8
2267 This profile contains configuration checks for Red Hat Enter‐
2269 prise Linux 8 that align to the Australian Cyber Security Centre
2270 (ACSC) Essential Eight.
2271 A copy of the Essential Eight in Linux Environments guide can be
2273 found at the ACSC website:
2274 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2276 tions/hardening-linux-workstations-and-servers
2277 Health Insurance Portability and Accountability Act (HIPAA)
2280 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2282 The HIPAA Security Rule establishes U.S. national standards to
2284 protect individuals’ electronic personal health information that
2285 is created, received, used, or maintained by a covered entity.
2286 The Security Rule requires appropriate administrative, physical
2287 and technical safeguards to ensure the confidentiality, integ‐
2288 rity, and security of electronic protected health information.
2289 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
2291 Security Rule identified for securing of electronic protected
2292 health information. Use of this profile in no way guarantees or
2293 makes claims against legal compliance against the HIPAA Security
2294 Rule(s).
2295 Australian Cyber Security Centre (ACSC) ISM Official
2298 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
2300 This profile contains configuration checks for Red Hat Enter‐
2302 prise Linux 8 that align to the Australian Cyber Security Centre
2303 (ACSC) Information Security Manual (ISM) with the applicability
2304 marking of OFFICIAL.
2305 The ISM uses a risk-based approach to cyber security. This pro‐
2307 file provides a guide to aligning Red Hat Enterprise Linux secu‐
2308 rity controls with the ISM, which can be used to select controls
2309 specific to an organisation's security posture and risk profile.
2310 A copy of the ISM can be found at the ACSC website:
2312 https://www.cyber.gov.au/ism
2314 Protection Profile for General Purpose Operating Systems
2317 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2319 This profile reflects mandatory configuration controls identi‐
2321 fied in the NIAP Configuration Annex to the Protection Profile
2322 for General Purpose Operating Systems (Protection Profile Ver‐
2323 sion 4.2.1).
2324 This configuration profile is consistent with CNSSI-1253, which
2326 requires U.S. National Security Systems to adhere to certain
2327 configuration parameters. Accordingly, this configuration pro‐
2328 file is suitable for use in U.S. National Security Systems.
2329 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
2332 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2334 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2336 plied.
2337 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
2340 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2342 This profile contains the minimum security relevant configura‐
2344 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2345 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
2346 Standard System Security Profile for Red Hat Enterprise Linux 8
2349 Profile ID: xccdf_org.ssgproject.content_profile_standard
2351 This profile contains rules to ensure standard security baseline
2353 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
2354 tem's workload all of these checks should pass.
2355 DISA STIG for Red Hat Enterprise Linux 8
2358 Profile ID: xccdf_org.ssgproject.content_profile_stig
2360 This profile contains configuration checks that align to the
2362 DISA STIG for Red Hat Enterprise Linux 8 V1R6.
2363 In addition to being applicable to Red Hat Enterprise Linux 8,
2365 DISA recognizes this configuration baseline as applicable to the
2366 operating system tier of Red Hat technologies that are based on
2367 Red Hat Enterprise Linux 8, such as:
2368 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2370 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2371 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2372 8 image
2373 DISA STIG with GUI for Red Hat Enterprise Linux 8
2376 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2378 This profile contains configuration checks that align to the
2380 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6.
2381 In addition to being applicable to Red Hat Enterprise Linux 8,
2383 DISA recognizes this configuration baseline as applicable to the
2384 operating system tier of Red Hat technologies that are based on
2385 Red Hat Enterprise Linux 8, such as:
2386 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2388 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2389 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2390 8 image
2391 Warning: The installation and use of a Graphical User Interface
2393 (GUI) increases your attack vector and decreases your overall
2394 security posture. If your Information Systems Security Officer
2395 (ISSO) lacks a documented operational requirement for a graphi‐
2396 cal user interface, please consider using the standard DISA STIG
2397 for Red Hat Enterprise Linux 8 profile.
2398
2404 Source Datastream: ssg-rhel9-ds.xml
2405 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
2407 broken into 'profiles', groupings of security settings that correlate
2408 to a known policy. Available profiles are:
2409 ANSSI-BP-028 (enhanced)
2413 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2415 hanced
2416 This profile contains configurations that align to ANSSI-BP-028
2418 at the enhanced hardening level.
2419 ANSSI is the French National Information Security Agency, and
2421 stands for Agence nationale de la sécurité des systèmes d'infor‐
2422 mation. ANSSI-BP-028 is a configuration recommendation for
2423 GNU/Linux systems.
2424 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2426 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2427 securite-relatives-a-un-systeme-gnulinux/
2428 ANSSI-BP-028 (high)
2431 Profile ID: xccdf_org.ssgproject.content_pro‐
2433 file_anssi_bp28_high
2434 This profile contains configurations that align to ANSSI-BP-028
2436 at the high hardening level.
2437 ANSSI is the French National Information Security Agency, and
2439 stands for Agence nationale de la sécurité des systèmes d'infor‐
2440 mation. ANSSI-BP-028 is a configuration recommendation for
2441 GNU/Linux systems.
2442 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2444 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2445 securite-relatives-a-un-systeme-gnulinux/
2446 ANSSI-BP-028 (intermediary)
2449 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2451 termediary
2452 This profile contains configurations that align to ANSSI-BP-028
2454 at the intermediary hardening level.
2455 ANSSI is the French National Information Security Agency, and
2457 stands for Agence nationale de la sécurité des systèmes d'infor‐
2458 mation. ANSSI-BP-028 is a configuration recommendation for
2459 GNU/Linux systems.
2460 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2462 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2463 securite-relatives-a-un-systeme-gnulinux/
2464 ANSSI-BP-028 (minimal)
2467 Profile ID: xccdf_org.ssgproject.content_pro‐
2469 file_anssi_bp28_minimal
2470 This profile contains configurations that align to ANSSI-BP-028
2472 at the minimal hardening level.
2473 ANSSI is the French National Information Security Agency, and
2475 stands for Agence nationale de la sécurité des systèmes d'infor‐
2476 mation. ANSSI-BP-028 is a configuration recommendation for
2477 GNU/Linux systems.
2478 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2480 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2481 securite-relatives-a-un-systeme-gnulinux/
2482 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
2485 Profile ID: xccdf_org.ssgproject.content_profile_cis
2487 This is a draft profile based on its RHEL8 version for experi‐
2489 mental purposes. It is not based on the CIS benchmark for
2490 RHEL9, because this one was not available at time of the re‐
2491 lease.
2492 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
2495 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2497 This is a draft profile based on its RHEL8 version for experi‐
2499 mental purposes. It is not based on the CIS benchmark for
2500 RHEL9, because this one was not available at time of the re‐
2501 lease.
2502 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
2505 tion
2506 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2508 tion_l1
2509 This is a draft profile based on its RHEL8 version for experi‐
2511 mental purposes. It is not based on the CIS benchmark for
2512 RHEL9, because this one was not available at time of the re‐
2513 lease.
2514 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
2517 tion
2518 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2520 tion_l2
2521 This is a draft profile based on its RHEL8 version for experi‐
2523 mental purposes. It is not based on the CIS benchmark for
2524 RHEL9, because this one was not available at time of the re‐
2525 lease.
2526 [DRAFT] Unclassified Information in Non-federal Information Systems and
2529 Organizations (NIST 800-171)
2530 Profile ID: xccdf_org.ssgproject.content_profile_cui
2532 From NIST 800-171, Section 2.2: Security requirements for pro‐
2534 tecting the confidentiality of CUI in nonfederal information
2535 systems and organizations have a well-defined structure that
2536 consists of:
2537 (i) a basic security requirements section; (ii) a derived secu‐
2539 rity requirements section.
2540 The basic security requirements are obtained from FIPS Publica‐
2542 tion 200, which provides the high-level and fundamental security
2543 requirements for federal information and information systems.
2544 The derived security requirements, which supplement the basic
2545 security requirements, are taken from the security controls in
2546 NIST Special Publication 800-53.
2547 This profile configures Red Hat Enterprise Linux 9 to the NIST
2549 Special Publication 800-53 controls identified for securing Con‐
2550 trolled Unclassified Information (CUI)."
2551 Australian Cyber Security Centre (ACSC) Essential Eight
2554 Profile ID: xccdf_org.ssgproject.content_profile_e8
2556 This profile contains configuration checks for Red Hat Enter‐
2558 prise Linux 9 that align to the Australian Cyber Security Centre
2559 (ACSC) Essential Eight.
2560 A copy of the Essential Eight in Linux Environments guide can be
2562 found at the ACSC website:
2563 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2565 tions/hardening-linux-workstations-and-servers
2566 Health Insurance Portability and Accountability Act (HIPAA)
2569 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2571 The HIPAA Security Rule establishes U.S. national standards to
2573 protect individuals’ electronic personal health information that
2574 is created, received, used, or maintained by a covered entity.
2575 The Security Rule requires appropriate administrative, physical
2576 and technical safeguards to ensure the confidentiality, integ‐
2577 rity, and security of electronic protected health information.
2578 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
2580 Security Rule identified for securing of electronic protected
2581 health information. Use of this profile in no way guarantees or
2582 makes claims against legal compliance against the HIPAA Security
2583 Rule(s).
2584 Australian Cyber Security Centre (ACSC) ISM Official
2587 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
2589 This profile contains configuration checks for Red Hat Enter‐
2591 prise Linux 9 that align to the Australian Cyber Security Centre
2592 (ACSC) Information Security Manual (ISM) with the applicability
2593 marking of OFFICIAL.
2594 The ISM uses a risk-based approach to cyber security. This pro‐
2596 file provides a guide to aligning Red Hat Enterprise Linux secu‐
2597 rity controls with the ISM, which can be used to select controls
2598 specific to an organisation's security posture and risk profile.
2599 A copy of the ISM can be found at the ACSC website:
2601 https://www.cyber.gov.au/ism
2603 [DRAFT] Protection Profile for General Purpose Operating Systems
2606 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2608 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
2610 ria Guidance documentation for Target of Evaluation based on
2611 Protection Profile for General Purpose Operating Systems (OSPP)
2612 version 4.2.1 and Functional Package for SSH version 1.0.
2613 Where appropriate, CNSSI 1253 or DoD-specific values are used
2615 for configuration, based on Configuration Annex to the OSPP.
2616 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
2619 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2621 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2623 plied.
2624 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
2627 Profile ID: xccdf_org.ssgproject.content_profile_stig
2629 This is a draft profile based on its RHEL8 version for experi‐
2631 mental purposes. It is not based on the DISA STIG for RHEL9,
2632 because this one was not available at time of the release.
2633 In addition to being applicable to Red Hat Enterprise Linux 9,
2635 DISA recognizes this configuration baseline as applicable to the
2636 operating system tier of Red Hat technologies that are based on
2637 Red Hat Enterprise Linux 9, such as:
2638 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2640 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2641 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2642 9 image
2643 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
2646 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2648 This is a draft profile based on its RHEL8 version for experi‐
2650 mental purposes. It is not based on the DISA STIG for RHEL9,
2651 because this one was not available at time of the release.
2652 In addition to being applicable to Red Hat Enterprise Linux 9,
2654 DISA recognizes this configuration baseline as applicable to the
2655 operating system tier of Red Hat technologies that are based on
2656 Red Hat Enterprise Linux 9, such as:
2657 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2659 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2660 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2661 9 image
2662 Warning: The installation and use of a Graphical User Interface
2664 (GUI) increases your attack vector and decreases your overall
2665 security posture. If your Information Systems Security Officer
2666 (ISSO) lacks a documented operational requirement for a graphi‐
2667 cal user interface, please consider using the standard DISA STIG
2668 for Red Hat Enterprise Linux 9 profile.
2669
2675 Source Datastream: ssg-rhv4-ds.xml
2676 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
2678 broken into 'profiles', groupings of security settings that correlate
2679 to a known policy. Available profiles are:
2680 PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
2684 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2686 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2688 plied.
2689 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
2692 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
2694 This *draft* profile contains configuration checks that align to
2696 the DISA STIG for Red Hat Virtualization Host (RHVH).
2697 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2700 ization Host (RHVH)
2701 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
2703 This compliance profile reflects the core set of security re‐
2705 lated configuration settings for deployment of Red Hat Virtual‐
2706 ization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
2707 Civilian agencies. Development partners and sponsors include
2708 the U.S. National Institute of Standards and Technology (NIST),
2709 U.S. Department of Defense, the National Security Agency, and
2710 Red Hat.
2711 This baseline implements configuration requirements from the
2713 following sources:
2714 - Committee on National Security Systems Instruction No. 1253
2716 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2717 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2718 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2719 (VPP v1.0)
2720 For any differing configuration requirements, e.g. password
2722 lengths, the stricter security setting was chosen. Security Re‐
2723 quirement Traceability Guides (RTMs) and sample System Security
2724 Configuration Guides are provided via the scap-security-guide-
2725 docs package.
2726 This profile reflects U.S. Government consensus content and is
2728 developed through the ComplianceAsCode project, championed by
2729 the National Security Agency. Except for differences in format‐
2730 ting to accommodate publishing processes, this profile mirrors
2731 ComplianceAsCode content as minor divergences, such as bugfixes,
2732 work through the consensus and release processes.
2733
2739 Source Datastream: ssg-sl7-ds.xml
2740 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
2742 broken into 'profiles', groupings of security settings that correlate
2743 to a known policy. Available profiles are:
2744 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2748 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2750 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2752 plied.
2753 Standard System Security Profile for Red Hat Enterprise Linux 7
2756 Profile ID: xccdf_org.ssgproject.content_profile_standard
2758 This profile contains rules to ensure standard security baseline
2760 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2761 tem's workload all of these checks should pass.
2762
2768 Source Datastream: ssg-sle12-ds.xml
2769 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
2771 broken into 'profiles', groupings of security settings that correlate
2772 to a known policy. Available profiles are:
2773 CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
2777 Profile ID: xccdf_org.ssgproject.content_profile_cis
2779 This profile defines a baseline that aligns to the "Level 2 -
2781 Server" configuration from the Center for Internet Security®
2782 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2783 04-27-2021.
2784 This profile includes Center for Internet Security® SUSE Linux
2786 Enterprise 12 CIS Benchmarks™ content.
2787 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
2790 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2792 This profile defines a baseline that aligns to the "Level 1 -
2794 Server" configuration from the Center for Internet Security®
2795 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2796 04-27-2021.
2797 This profile includes Center for Internet Security® SUSE Linux
2799 Enterprise 12 CIS Benchmarks™ content.
2800 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
2803 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2805 tion_l1
2806 This profile defines a baseline that aligns to the "Level 1 -
2808 Workstation" configuration from the Center for Internet Secu‐
2809 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2810 04-27-2021.
2811 This profile includes Center for Internet Security® SUSE Linux
2813 Enterprise 12 CIS Benchmarks™ content.
2814 CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
2817 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2819 tion_l2
2820 This profile defines a baseline that aligns to the "Level 2 -
2822 Workstation" configuration from the Center for Internet Secu‐
2823 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
2824 04-27-2021.
2825 This profile includes Center for Internet Security® SUSE Linux
2827 Enterprise 12 CIS Benchmarks™ content.
2828 Standard System Security Profile for SUSE Linux Enterprise 12
2831 Profile ID: xccdf_org.ssgproject.content_profile_standard
2833 This profile contains rules to ensure standard security baseline
2835 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
2836 tem's workload all of these checks should pass.
2837 DISA STIG for SUSE Linux Enterprise 12
2840 Profile ID: xccdf_org.ssgproject.content_profile_stig
2842 This profile contains configuration checks that align to the
2844 DISA STIG for SUSE Linux Enterprise 12 V2R5.
2845
2851 Source Datastream: ssg-sle15-ds.xml
2852 The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
2854 broken into 'profiles', groupings of security settings that correlate
2855 to a known policy. Available profiles are:
2856 ANSSI-BP-028 (minimal)
2860 Profile ID: xccdf_org.ssgproject.content_pro‐
2862 file_anssi_bp28_minmal
2863 This profile contains configurations that align to ANSSI-BP-028
2865 v1.2 at the minimal hardening level.
2866 ANSSI is the French National Information Security Agency, and
2868 stands for Agence nationale de la sécurité des systèmes d'infor‐
2869 mation. ANSSI-BP-028 is a configuration recommendation for
2870 GNU/Linux systems.
2871 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2873 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2874 securite-relatives-a-un-systeme-gnulinux/
2875 Only the components strictly necessary to the service provided
2877 by the system should be installed. Those whose presence can not
2878 be justified should be disabled, removed or deleted. Performing
2879 a minimal install is a good starting point, but doesn't provide
2880 any assurance over any package installed later. Manual review
2881 is required to assess if the installed services are minimal.
2882 CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
2885 Profile ID: xccdf_org.ssgproject.content_profile_cis
2887 This profile defines a baseline that aligns to the "Level 2 -
2889 Server" configuration from the Center for Internet Security®
2890 SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
2891 09-17-2021.
2892 This profile includes Center for Internet Security® SUSE Linux
2894 Enterprise 15 CIS Benchmarks™ content.
2895 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
2898 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2900 This profile defines a baseline that aligns to the "Level 1 -
2902 Server" configuration from the Center for Internet Security®
2903 SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
2904 09-17-2021.
2905 This profile includes Center for Internet Security® SUSE Linux
2907 Enterprise 15 CIS Benchmarks™ content.
2908 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
2911 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2913 tion_l1
2914 This profile defines a baseline that aligns to the "Level 1 -
2916 Workstation" configuration from the Center for Internet Secu‐
2917 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
2918 09-17-2021.
2919 This profile includes Center for Internet Security® SUSE Linux
2921 Enterprise 15 CIS Benchmarks™ content.
2922 CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
2925 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2927 tion_l2
2928 This profile defines a baseline that aligns to the "Level 2 -
2930 Workstation" configuration from the Center for Internet Secu‐
2931 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
2932 09-17-2021.
2933 This profile includes Center for Internet Security® SUSE Linux
2935 Enterprise 15 CIS Benchmarks™ content.
2936 Health Insurance Portability and Accountability Act (HIPAA)
2939 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2941 The HIPAA Security Rule establishes U.S. national standards to
2943 protect individuals’ electronic personal health information that
2944 is created, received, used, or maintained by a covered entity.
2945 The Security Rule requires appropriate administrative, physical
2946 and technical safeguards to ensure the confidentiality, integ‐
2947 rity, and security of electronic protected health information.
2948 This profile contains configuration checks that align to the
2950 HIPPA Security Rule for SUSE Linux Enterprise 15 V1R3.
2951 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
2954 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2956 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2958 plied.
2959 Standard System Security Profile for SUSE Linux Enterprise 15
2962 Profile ID: xccdf_org.ssgproject.content_profile_standard
2964 This profile contains rules to ensure standard security baseline
2966 of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
2967 ening Guide. Regardless of your system's workload all of these
2968 checks should pass.
2969 DISA STIG for SUSE Linux Enterprise 15
2972 Profile ID: xccdf_org.ssgproject.content_profile_stig
2974 This profile contains configuration checks that align to the
2976 DISA STIG for SUSE Linux Enterprise 15 V1R4.
2977
2983 Source Datastream: ssg-ubuntu1604-ds.xml
2984 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
2986 'profiles', groupings of security settings that correlate to a known
2987 policy. Available profiles are:
2988 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
2992 Profile ID: xccdf_org.ssgproject.content_pro‐
2994 file_anssi_np_nt28_average
2995 This profile contains items for GNU/Linux installations already
2997 protected by multiple higher level security stacks.
2998 Profile for ANSSI DAT-NT28 High (Enforced) Level
3001 Profile ID: xccdf_org.ssgproject.content_pro‐
3003 file_anssi_np_nt28_high
3004 This profile contains items for GNU/Linux installations storing
3006 sensitive informations that can be accessible from unauthenti‐
3007 cated or uncontroled networks.
3008 Profile for ANSSI DAT-NT28 Minimal Level
3011 Profile ID: xccdf_org.ssgproject.content_pro‐
3013 file_anssi_np_nt28_minimal
3014 This profile contains items to be applied systematically.
3016 Profile for ANSSI DAT-NT28 Restrictive Level
3019 Profile ID: xccdf_org.ssgproject.content_pro‐
3021 file_anssi_np_nt28_restrictive
3022 This profile contains items for GNU/Linux installations exposed
3024 to unauthenticated flows or multiple sources.
3025 Standard System Security Profile for Ubuntu 16.04
3028 Profile ID: xccdf_org.ssgproject.content_profile_standard
3030 This profile contains rules to ensure standard security baseline
3032 of an Ubuntu 16.04 system. Regardless of your system's workload
3033 all of these checks should pass.
3034
3040 Source Datastream: ssg-ubuntu1804-ds.xml
3041 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
3043 'profiles', groupings of security settings that correlate to a known
3044 policy. Available profiles are:
3045 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
3049 Profile ID: xccdf_org.ssgproject.content_pro‐
3051 file_anssi_np_nt28_average
3052 This profile contains items for GNU/Linux installations already
3054 protected by multiple higher level security stacks.
3055 Profile for ANSSI DAT-NT28 High (Enforced) Level
3058 Profile ID: xccdf_org.ssgproject.content_pro‐
3060 file_anssi_np_nt28_high
3061 This profile contains items for GNU/Linux installations storing
3063 sensitive informations that can be accessible from unauthenti‐
3064 cated or uncontroled networks.
3065 Profile for ANSSI DAT-NT28 Minimal Level
3068 Profile ID: xccdf_org.ssgproject.content_pro‐
3070 file_anssi_np_nt28_minimal
3071 This profile contains items to be applied systematically.
3073 Profile for ANSSI DAT-NT28 Restrictive Level
3076 Profile ID: xccdf_org.ssgproject.content_pro‐
3078 file_anssi_np_nt28_restrictive
3079 This profile contains items for GNU/Linux installations exposed
3081 to unauthenticated flows or multiple sources.
3082 CIS Ubuntu 18.04 LTS Benchmark
3085 Profile ID: xccdf_org.ssgproject.content_profile_cis
3087 This baseline aligns to the Center for Internet Security Ubuntu
3089 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
3090 Standard System Security Profile for Ubuntu 18.04
3093 Profile ID: xccdf_org.ssgproject.content_profile_standard
3095 This profile contains rules to ensure standard security baseline
3097 of an Ubuntu 18.04 system. Regardless of your system's workload
3098 all of these checks should pass.
3099
3105 Source Datastream: ssg-ubuntu2004-ds.xml
3106 The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
3108 'profiles', groupings of security settings that correlate to a known
3109 policy. Available profiles are:
3110 CIS Ubuntu 20.04 Level 1 Server Benchmark
3114 Profile ID: xccdf_org.ssgproject.content_pro‐
3116 file_cis_level1_server
3117 This baseline aligns to the Center for Internet Security Ubuntu
3119 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3120 CIS Ubuntu 20.04 Level 1 Workstation Benchmark
3123 Profile ID: xccdf_org.ssgproject.content_pro‐
3125 file_cis_level1_workstation
3126 This baseline aligns to the Center for Internet Security Ubuntu
3128 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3129 CIS Ubuntu 20.04 Level 2 Server Benchmark
3132 Profile ID: xccdf_org.ssgproject.content_pro‐
3134 file_cis_level2_server
3135 This baseline aligns to the Center for Internet Security Ubuntu
3137 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3138 CIS Ubuntu 20.04 Level 2 Workstation Benchmark
3141 Profile ID: xccdf_org.ssgproject.content_pro‐
3143 file_cis_level2_workstation
3144 This baseline aligns to the Center for Internet Security Ubuntu
3146 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3147 Standard System Security Profile for Ubuntu 20.04
3150 Profile ID: xccdf_org.ssgproject.content_profile_standard
3152 This profile contains rules to ensure standard security baseline
3154 of an Ubuntu 20.04 system. Regardless of your system's workload
3155 all of these checks should pass.
3156 Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
3159 (STIG) V1R1
3160 Profile ID: xccdf_org.ssgproject.content_profile_stig
3162 This Security Technical Implementation Guide is published as a
3164 tool to improve the security of Department of Defense (DoD) in‐
3165 formation systems. The requirements are derived from the Na‐
3166 tional Institute of Standards and Technology (NIST) 800-53 and
3167 related documents.
3168
3174 for Linux
3175 Source Datastream: ssg-vsel-ds.xml
3176 The Guide to the Secure Configuration of McAfee VirusScan Enterprise
3178 for Linux is broken into 'profiles', groupings of security settings
3179 that correlate to a known policy. Available profiles are:
3180 McAfee VirusScan Enterprise for Linux (VSEL) STIG
3184 Profile ID: xccdf_org.ssgproject.content_profile_stig
3186 The McAfee VirusScan Enterprise for Linux software provides a
3188 realtime virus scanner for Linux systems.
3189
3195 Source Datastream: ssg-wrlinux1019-ds.xml
3196 The Guide to the Secure Configuration of WRLinux 1019 is broken into
3198 'profiles', groupings of security settings that correlate to a known
3199 policy. Available profiles are:
3200 Basic Profile for Embedded Systems
3204 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
3206 This profile contains items common to many embedded Linux in‐
3208 stallations. Regardless of your system's deployment objective,
3209 all of these checks should pass.
3210 DRAFT DISA STIG for Wind River Linux
3213 Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wr‐
3215 linux_disa
3216 This profile contains configuration checks that align to the
3218 DISA STIG for Wind River Linux. This profile is being developed
3219 under the DoD consensus model to become a STIG in coordination
3220 with DISA FSO. What is the status of the Wind River Linux STIG?
3221 The Wind River Linux STIG is in development under the DoD con‐
3222 sensus model and Wind River has started the process to get ap‐
3223 proval from DISA. However, in the absence of an approved SRG or
3224 STIG, vendor recommendations may be used instead. The current
3225 contents constitute the vendor recommendations at the time of
3226 the product release containing these contents. Note that
3227 changes are expected before approval is granted, and those
3228 changes will be made available in future Wind River Linux Secu‐
3229 rity Profile 1019 RCPL releases. More information, including
3230 the following, is available from the DISA FAQs at https://pub‐
3231 lic.cyber.mil/stigs/faqs/
3232
3238 Source Datastream: ssg-wrlinux8-ds.xml
3239 The Guide to the Secure Configuration of WRLinux 8 is broken into 'pro‐
3241 files', groupings of security settings that correlate to a known pol‐
3242 icy. Available profiles are:
3243 Basic Profile for Embedded Systems
3247 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
3249 This profile contains items common to many embedded Linux in‐
3251 stallations. Regardless of your system's deployment objective,
3252 all of these checks should pass.
3253
3260 To scan your system utilizing the OpenSCAP utility against the ospp
3261 profile:
3262 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-re‐
3264 sults.xml --report /tmp/`hostname`-ssg-results.html --oval-results
3265 /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
3266 Additional details can be found on the projects wiki page:
3268 https://www.github.com/ComplianceAsCode/content/wiki
3269
3273 /usr/share/xml/scap/ssg/content
3274 Houses SCAP content utilizing the following naming conventions:
3275 SCAP Source Datastreams: ssg-{product}-ds.xml
3277 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
3279 CPE OVAL Content: ssg-{product}-cpe-oval.xml
3281 OVAL Content: ssg-{product}-oval.xml
3283 XCCDF Content: ssg-{product}-xccdf.xml
3285 /usr/share/doc/scap-security-guide/guides/
3287 HTML versions of SSG profiles.
3288 /usr/share/scap-security-guide/ansible/
3290 Contains Ansible Playbooks for SSG profiles.
3291 /usr/share/scap-security-guide/bash/
3293 Contains Bash remediation scripts for SSG profiles.
3294
3298 SCAP Security Guide content is considered vendor (Red Hat) provided
3299 content. Per guidance from the U.S. National Institute of Standards
3300 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
3301 dor produced SCAP content in absence of "Governmental Authority" check‐
3302 lists. The specific NIST verbage:
3303 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
3304
3308 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
3309 products incorporated into DoD information systems shall be configured
3310 in accordance with DoD-approved security configuration guidelines" and
3311 tasks Defense Information Systems Agency (DISA) to "develop and provide
3312 security configuration guidance for IA and IA-enabled IT products in
3313 coordination with Director, NSA." The output of this authority is the
3314 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
3315 the process of moving the STIGs towards the use of the NIST Security
3316 Content Automation Protocol (SCAP) in order to "automate" compliance
3317 reporting of the STIGs.
3318 Through a common, shared vision, the SCAP Security Guide community en‐
3320 joys close collaboration directly with NSA, NIST, and DISA FSO. As
3321 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
3322 Version 1, Release 2, issued on 03-JUNE-2013:
3323 "The consensus content was developed using an open-source project
3325 called SCAP Security Guide. The project's website is https://www.open-
3326 scap.org/security-policies/scap-security-guide. Except for differences
3327 in formatting to accomodate the DISA STIG publishing process, the con‐
3328 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Se‐
3329 curity Guide content with only minor divergence as updates from multi‐
3330 ple sources work through the consensus process."
3331 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was re‐
3333 leased in July 2019 Currently, the DoD Red Hat Enterprise Linux 7 STIG
3334 contains only XCCDF content and is available online: https://public.cy‐
3335 ber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
3336 Content published against the public.cyber.mil website is authoritative
3338 STIG content. The SCAP Security Guide project, as noted in the STIG
3339 overview, is considered upstream content. Unlike DISA FSO, the SCAP Se‐
3340 curity Guide project does publish OVAL automation content. Individual
3341 programs and C&A evaluators make program-level determinations on the
3342 direct usage of the SCAP Security Guide. Currently there is no blanket
3343 approval.
3344
3348 oscap(8)
3349
3353 Please direct all questions to the SSG mailing list: https://lists.fe‐
3354 dorahosted.org/mailman/listinfo/scap-security-guide
3355version 1 26 Jan 2013 scap-security-guide(8)