1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP-Security-Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice and also links
14 it to compliance requirements in order to ease deployment activities,
15 such as certification and accreditation. These include requirements in
16 the U.S. government (Federal, Defense, and Intelligence Community) as
17 well as of the financial services and health care industries. For exam‐
18 ple, high-level and widely-accepted policies such as NIST 800-53 pro‐
19 vides prose stating that System Administrators must audit "privileged
20 user actions," but do not define what "privileged actions" are. The SSG
21 bridges the gap between generalized policy requirements and specific
22 implementation guidance, in SCAP formats to support automation whenever
23 possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-alinux2-ds.xml
32 The Guide to the Secure Configuration of Alibaba Cloud Linux 2 is bro‐
34 ken into 'profiles', groupings of security settings that correlate to a
35 known policy. Available profiles are:
36 CIS Aliyun Linux 2 Benchmark for Level 2
40 Profile ID: xccdf_org.ssgproject.content_profile_cis
42 This profile defines a baseline that aligns to the "Level 2"
44 configuration from the Center for Internet Security® Aliyun
45 Linux 2 Benchmark™, v1.0.0, released 08-16-2019.
46 This profile includes Center for Internet Security® Aliyun Linux
48 2 CIS Benchmarks™ content.
49 CIS Aliyun Linux 2 Benchmark for Level 1
52 Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
54 This profile defines a baseline that aligns to the "Level 1"
56 configuration from the Center for Internet Security® Aliyun
57 Linux 2 Benchmark™, v1.0.0, released 08-16-2019.
58 This profile includes Center for Internet Security® Aliyun Linux
60 2 CIS Benchmarks™ content.
61 Standard System Security Profile for Alibaba Cloud Linux 2
64 Profile ID: xccdf_org.ssgproject.content_profile_standard
66 This profile contains rules to ensure standard security baseline
68 of a Alibaba Cloud Linux 2 system. Regardless of your system's
69 workload all of these checks should pass.
70
76 Source Datastream: ssg-alinux3-ds.xml
77 The Guide to the Secure Configuration of Alibaba Cloud Linux 3 is bro‐
79 ken into 'profiles', groupings of security settings that correlate to a
80 known policy. Available profiles are:
81 CIS Benchmark for Alibaba Cloud Linux 3 for Level 2
85 Profile ID: xccdf_org.ssgproject.content_profile_cis
87 This profile defines a baseline that aligns to the "Level 2"
89 configuration from the Center for Internet Security® Alibaba
90 Cloud Linux 3 Benchmark™, v1.0.0, released 08-16-2019.
91 This profile includes Center for Internet Security® Alibaba
93 Cloud Linux 3 Benchmark™ content.
94 CIS Benchmark for Alibaba Cloud Linux 3 for Level 1
97 Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
99 This profile defines a baseline that aligns to the "Level 1"
101 configuration from the Center for Internet Security® Alibaba
102 Cloud Linux 3 Benchmark™, v1.0.0, released 08-16-2019.
103 This profile includes Center for Internet Security® Alibaba
105 Cloud Linux 3 Benchmark™ content.
106 Standard System Security Profile for Alibaba Cloud Linux 3
109 Profile ID: xccdf_org.ssgproject.content_profile_standard
111 This profile contains rules to ensure standard security baseline
113 of a Alibaba Cloud Linux 3 system. Regardless of your system's
114 workload all of these checks should pass.
115
121 Source Datastream: ssg-anolis8-ds.xml
122 The Guide to the Secure Configuration of Anolis OS 8 is broken into
124 'profiles', groupings of security settings that correlate to a known
125 policy. Available profiles are:
126 Standard System Security Profile for Anolis OS 8
130 Profile ID: xccdf_org.ssgproject.content_profile_standard
132 This profile contains rules to ensure standard security baseline
134 of a Anolis OS 8 system.
135
141 Source Datastream: ssg-centos7-ds.xml
142 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
144 broken into 'profiles', groupings of security settings that correlate
145 to a known policy. Available profiles are:
146 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
150 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
152 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
154 plied.
155 Standard System Security Profile for Red Hat Enterprise Linux 7
158 Profile ID: xccdf_org.ssgproject.content_profile_standard
160 This profile contains rules to ensure standard security baseline
162 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
163 tem's workload all of these checks should pass.
164
170 Source Datastream: ssg-centos8-ds.xml
171 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
173 broken into 'profiles', groupings of security settings that correlate
174 to a known policy. Available profiles are:
175 ANSSI-BP-028 (enhanced)
179 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
181 hanced
182 This profile contains configurations that align to ANSSI-BP-028
184 v1.2 at the enhanced hardening level.
185 ANSSI is the French National Information Security Agency, and
187 stands for Agence nationale de la sécurité des systèmes d'infor‐
188 mation. ANSSI-BP-028 is a configuration recommendation for
189 GNU/Linux systems.
190 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
192 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
193 securite-relatives-a-un-systeme-gnulinux/
194 ANSSI-BP-028 (high)
197 Profile ID: xccdf_org.ssgproject.content_pro‐
199 file_anssi_bp28_high
200 This profile contains configurations that align to ANSSI-BP-028
202 v1.2 at the high hardening level.
203 ANSSI is the French National Information Security Agency, and
205 stands for Agence nationale de la sécurité des systèmes d'infor‐
206 mation. ANSSI-BP-028 is a configuration recommendation for
207 GNU/Linux systems.
208 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
210 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
211 securite-relatives-a-un-systeme-gnulinux/
212 ANSSI-BP-028 (intermediary)
215 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
217 termediary
218 This profile contains configurations that align to ANSSI-BP-028
220 v1.2 at the intermediary hardening level.
221 ANSSI is the French National Information Security Agency, and
223 stands for Agence nationale de la sécurité des systèmes d'infor‐
224 mation. ANSSI-BP-028 is a configuration recommendation for
225 GNU/Linux systems.
226 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
228 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
229 securite-relatives-a-un-systeme-gnulinux/
230 ANSSI-BP-028 (minimal)
233 Profile ID: xccdf_org.ssgproject.content_pro‐
235 file_anssi_bp28_minimal
236 This profile contains configurations that align to ANSSI-BP-028
238 v1.2 at the minimal hardening level.
239 ANSSI is the French National Information Security Agency, and
241 stands for Agence nationale de la sécurité des systèmes d'infor‐
242 mation. ANSSI-BP-028 is a configuration recommendation for
243 GNU/Linux systems.
244 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
246 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
247 securite-relatives-a-un-systeme-gnulinux/
248 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
251 Profile ID: xccdf_org.ssgproject.content_profile_cis
253 This profile defines a baseline that aligns to the "Level 2 -
255 Server" configuration from the Center for Internet Security® Red
256 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
257 This profile includes Center for Internet Security® Red Hat En‐
259 terprise Linux 8 CIS Benchmarks™ content.
260 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
263 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
265 This profile defines a baseline that aligns to the "Level 1 -
267 Server" configuration from the Center for Internet Security® Red
268 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
269 This profile includes Center for Internet Security® Red Hat En‐
271 terprise Linux 8 CIS Benchmarks™ content.
272 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
275 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
277 tion_l1
278 This profile defines a baseline that aligns to the "Level 1 -
280 Workstation" configuration from the Center for Internet Secu‐
281 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
282 2022-02-23.
283 This profile includes Center for Internet Security® Red Hat En‐
285 terprise Linux 8 CIS Benchmarks™ content.
286 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
289 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
291 tion_l2
292 This profile defines a baseline that aligns to the "Level 2 -
294 Workstation" configuration from the Center for Internet Secu‐
295 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
296 2022-02-23.
297 This profile includes Center for Internet Security® Red Hat En‐
299 terprise Linux 8 CIS Benchmarks™ content.
300 Criminal Justice Information Services (CJIS) Security Policy
303 Profile ID: xccdf_org.ssgproject.content_profile_cjis
305 This profile is derived from FBI's CJIS v5.4 Security Policy. A
307 copy of this policy can be found at the CJIS Security Policy Re‐
308 source Center:
309 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
311 center
312 Unclassified Information in Non-federal Information Systems and Organi‐
315 zations (NIST 800-171)
316 Profile ID: xccdf_org.ssgproject.content_profile_cui
318 From NIST 800-171, Section 2.2: Security requirements for pro‐
320 tecting the confidentiality of CUI in nonfederal information
321 systems and organizations have a well-defined structure that
322 consists of:
323 (i) a basic security requirements section; (ii) a derived secu‐
325 rity requirements section.
326 The basic security requirements are obtained from FIPS Publica‐
328 tion 200, which provides the high-level and fundamental security
329 requirements for federal information and information systems.
330 The derived security requirements, which supplement the basic
331 security requirements, are taken from the security controls in
332 NIST Special Publication 800-53.
333 This profile configures Red Hat Enterprise Linux 8 to the NIST
335 Special Publication 800-53 controls identified for securing Con‐
336 trolled Unclassified Information (CUI)."
337 Australian Cyber Security Centre (ACSC) Essential Eight
340 Profile ID: xccdf_org.ssgproject.content_profile_e8
342 This profile contains configuration checks for Red Hat Enter‐
344 prise Linux 8 that align to the Australian Cyber Security Centre
345 (ACSC) Essential Eight.
346 A copy of the Essential Eight in Linux Environments guide can be
348 found at the ACSC website:
349 https://www.cyber.gov.au/acsc/view-all-content/publica‐
351 tions/hardening-linux-workstations-and-servers
352 Health Insurance Portability and Accountability Act (HIPAA)
355 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
357 The HIPAA Security Rule establishes U.S. national standards to
359 protect individuals’ electronic personal health information that
360 is created, received, used, or maintained by a covered entity.
361 The Security Rule requires appropriate administrative, physical
362 and technical safeguards to ensure the confidentiality, integ‐
363 rity, and security of electronic protected health information.
364 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
366 Security Rule identified for securing of electronic protected
367 health information. Use of this profile in no way guarantees or
368 makes claims against legal compliance against the HIPAA Security
369 Rule(s).
370 Australian Cyber Security Centre (ACSC) ISM Official
373 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
375 This profile contains configuration checks for Red Hat Enter‐
377 prise Linux 8 that align to the Australian Cyber Security Centre
378 (ACSC) Information Security Manual (ISM) with the applicability
379 marking of OFFICIAL.
380 The ISM uses a risk-based approach to cyber security. This pro‐
382 file provides a guide to aligning Red Hat Enterprise Linux secu‐
383 rity controls with the ISM, which can be used to select controls
384 specific to an organisation's security posture and risk profile.
385 A copy of the ISM can be found at the ACSC website:
387 https://www.cyber.gov.au/ism
389 Protection Profile for General Purpose Operating Systems
392 Profile ID: xccdf_org.ssgproject.content_profile_ospp
394 This profile reflects mandatory configuration controls identi‐
396 fied in the NIAP Configuration Annex to the Protection Profile
397 for General Purpose Operating Systems (Protection Profile Ver‐
398 sion 4.2.1).
399 This configuration profile is consistent with CNSSI-1253, which
401 requires U.S. National Security Systems to adhere to certain
402 configuration parameters. Accordingly, this configuration pro‐
403 file is suitable for use in U.S. National Security Systems.
404 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
407 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
409 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
411 plied.
412 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
415 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
417 This profile contains the minimum security relevant configura‐
419 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
420 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
421 Standard System Security Profile for Red Hat Enterprise Linux 8
424 Profile ID: xccdf_org.ssgproject.content_profile_standard
426 This profile contains rules to ensure standard security baseline
428 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
429 tem's workload all of these checks should pass.
430 DISA STIG for Red Hat Enterprise Linux 8
433 Profile ID: xccdf_org.ssgproject.content_profile_stig
435 This profile contains configuration checks that align to the
437 DISA STIG for Red Hat Enterprise Linux 8 V1R8.
438 In addition to being applicable to Red Hat Enterprise Linux 8,
440 DISA recognizes this configuration baseline as applicable to the
441 operating system tier of Red Hat technologies that are based on
442 Red Hat Enterprise Linux 8, such as:
443 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
445 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
446 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
447 8 image
448 DISA STIG with GUI for Red Hat Enterprise Linux 8
451 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
453 This profile contains configuration checks that align to the
455 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R8.
456 In addition to being applicable to Red Hat Enterprise Linux 8,
458 DISA recognizes this configuration baseline as applicable to the
459 operating system tier of Red Hat technologies that are based on
460 Red Hat Enterprise Linux 8, such as:
461 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
463 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
464 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
465 8 image
466 Warning: The installation and use of a Graphical User Interface
468 (GUI) increases your attack vector and decreases your overall
469 security posture. If your Information Systems Security Officer
470 (ISSO) lacks a documented operational requirement for a graphi‐
471 cal user interface, please consider using the standard DISA STIG
472 for Red Hat Enterprise Linux 8 profile.
473
479 Source Datastream: ssg-chromium-ds.xml
480 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
482 files', groupings of security settings that correlate to a known pol‐
483 icy. Available profiles are:
484 Upstream STIG for Google Chromium
488 Profile ID: xccdf_org.ssgproject.content_profile_stig
490 This profile is developed under the DoD consensus model and DISA
492 FSO Vendor STIG process, serving as the upstream development en‐
493 vironment for the Google Chromium STIG.
494 As a result of the upstream/downstream relationship between the
496 SCAP Security Guide project and the official DISA FSO STIG base‐
497 line, users should expect variance between SSG and DISA FSO con‐
498 tent. For official DISA FSO STIG content, refer to https://pub‐
499 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
500 rity%2Cbrowser-guidance.
501 While this profile is packaged by Red Hat as part of the SCAP
503 Security Guide package, please note that commercial support of
504 this SCAP content is NOT available. This profile is provided as
505 example SCAP content with no endorsement for suitability or pro‐
506 duction readiness. Support for this profile is provided by the
507 upstream SCAP Security Guide community on a best-effort basis.
508 The upstream project homepage is https://www.open-scap.org/secu‐
509 rity-policies/scap-security-guide/.
510
516 Source Datastream: ssg-cs9-ds.xml
517 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
519 broken into 'profiles', groupings of security settings that correlate
520 to a known policy. Available profiles are:
521 ANSSI-BP-028 (enhanced)
525 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
527 hanced
528 This profile contains configurations that align to ANSSI-BP-028
530 at the enhanced hardening level.
531 ANSSI is the French National Information Security Agency, and
533 stands for Agence nationale de la sécurité des systèmes d'infor‐
534 mation. ANSSI-BP-028 is a configuration recommendation for
535 GNU/Linux systems.
536 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
538 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
539 securite-relatives-a-un-systeme-gnulinux/
540 ANSSI-BP-028 (high)
543 Profile ID: xccdf_org.ssgproject.content_pro‐
545 file_anssi_bp28_high
546 This profile contains configurations that align to ANSSI-BP-028
548 at the high hardening level.
549 ANSSI is the French National Information Security Agency, and
551 stands for Agence nationale de la sécurité des systèmes d'infor‐
552 mation. ANSSI-BP-028 is a configuration recommendation for
553 GNU/Linux systems.
554 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
556 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
557 securite-relatives-a-un-systeme-gnulinux/
558 ANSSI-BP-028 (intermediary)
561 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
563 termediary
564 This profile contains configurations that align to ANSSI-BP-028
566 at the intermediary hardening level.
567 ANSSI is the French National Information Security Agency, and
569 stands for Agence nationale de la sécurité des systèmes d'infor‐
570 mation. ANSSI-BP-028 is a configuration recommendation for
571 GNU/Linux systems.
572 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
574 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
575 securite-relatives-a-un-systeme-gnulinux/
576 ANSSI-BP-028 (minimal)
579 Profile ID: xccdf_org.ssgproject.content_pro‐
581 file_anssi_bp28_minimal
582 This profile contains configurations that align to ANSSI-BP-028
584 at the minimal hardening level.
585 ANSSI is the French National Information Security Agency, and
587 stands for Agence nationale de la sécurité des systèmes d'infor‐
588 mation. ANSSI-BP-028 is a configuration recommendation for
589 GNU/Linux systems.
590 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
592 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
593 securite-relatives-a-un-systeme-gnulinux/
594 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
597 Profile ID: xccdf_org.ssgproject.content_profile_cis
599 This is a draft profile based on its RHEL8 version for experi‐
601 mental purposes. It is not based on the CIS benchmark for
602 RHEL9, because this one was not available at time of the re‐
603 lease.
604 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
607 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
609 This is a draft profile based on its RHEL8 version for experi‐
611 mental purposes. It is not based on the CIS benchmark for
612 RHEL9, because this one was not available at time of the re‐
613 lease.
614 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
617 tion
618 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
620 tion_l1
621 This is a draft profile based on its RHEL8 version for experi‐
623 mental purposes. It is not based on the CIS benchmark for
624 RHEL9, because this one was not available at time of the re‐
625 lease.
626 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
629 tion
630 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
632 tion_l2
633 This is a draft profile based on its RHEL8 version for experi‐
635 mental purposes. It is not based on the CIS benchmark for
636 RHEL9, because this one was not available at time of the re‐
637 lease.
638 [DRAFT] Unclassified Information in Non-federal Information Systems and
641 Organizations (NIST 800-171)
642 Profile ID: xccdf_org.ssgproject.content_profile_cui
644 From NIST 800-171, Section 2.2: Security requirements for pro‐
646 tecting the confidentiality of CUI in nonfederal information
647 systems and organizations have a well-defined structure that
648 consists of:
649 (i) a basic security requirements section; (ii) a derived secu‐
651 rity requirements section.
652 The basic security requirements are obtained from FIPS Publica‐
654 tion 200, which provides the high-level and fundamental security
655 requirements for federal information and information systems.
656 The derived security requirements, which supplement the basic
657 security requirements, are taken from the security controls in
658 NIST Special Publication 800-53.
659 This profile configures Red Hat Enterprise Linux 9 to the NIST
661 Special Publication 800-53 controls identified for securing Con‐
662 trolled Unclassified Information (CUI)."
663 Australian Cyber Security Centre (ACSC) Essential Eight
666 Profile ID: xccdf_org.ssgproject.content_profile_e8
668 This profile contains configuration checks for Red Hat Enter‐
670 prise Linux 9 that align to the Australian Cyber Security Centre
671 (ACSC) Essential Eight.
672 A copy of the Essential Eight in Linux Environments guide can be
674 found at the ACSC website:
675 https://www.cyber.gov.au/acsc/view-all-content/publica‐
677 tions/hardening-linux-workstations-and-servers
678 Health Insurance Portability and Accountability Act (HIPAA)
681 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
683 The HIPAA Security Rule establishes U.S. national standards to
685 protect individuals’ electronic personal health information that
686 is created, received, used, or maintained by a covered entity.
687 The Security Rule requires appropriate administrative, physical
688 and technical safeguards to ensure the confidentiality, integ‐
689 rity, and security of electronic protected health information.
690 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
692 Security Rule identified for securing of electronic protected
693 health information. Use of this profile in no way guarantees or
694 makes claims against legal compliance against the HIPAA Security
695 Rule(s).
696 Australian Cyber Security Centre (ACSC) ISM Official
699 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
701 This profile contains configuration checks for Red Hat Enter‐
703 prise Linux 9 that align to the Australian Cyber Security Centre
704 (ACSC) Information Security Manual (ISM) with the applicability
705 marking of OFFICIAL.
706 The ISM uses a risk-based approach to cyber security. This pro‐
708 file provides a guide to aligning Red Hat Enterprise Linux secu‐
709 rity controls with the ISM, which can be used to select controls
710 specific to an organisation's security posture and risk profile.
711 A copy of the ISM can be found at the ACSC website:
713 https://www.cyber.gov.au/ism
715 Protection Profile for General Purpose Operating Systems
718 Profile ID: xccdf_org.ssgproject.content_profile_ospp
720 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
722 ria Guidance documentation for Target of Evaluation based on
723 Protection Profile for General Purpose Operating Systems (OSPP)
724 version 4.2.1 and Functional Package for SSH version 1.0.
725 Where appropriate, CNSSI 1253 or DoD-specific values are used
727 for configuration, based on Configuration Annex to the OSPP.
728 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
731 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
733 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
735 plied.
736 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
739 Profile ID: xccdf_org.ssgproject.content_profile_stig
741 This is a draft profile based on its RHEL8 version for experi‐
743 mental purposes. It is not based on the DISA STIG for RHEL9,
744 because this one was not available at time of the release.
745 In addition to being applicable to Red Hat Enterprise Linux 9,
747 DISA recognizes this configuration baseline as applicable to the
748 operating system tier of Red Hat technologies that are based on
749 Red Hat Enterprise Linux 9, such as:
750 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
752 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
753 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
754 9 image
755 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
758 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
760 This is a draft profile based on its RHEL8 version for experi‐
762 mental purposes. It is not based on the DISA STIG for RHEL9,
763 because this one was not available at time of the release.
764 In addition to being applicable to Red Hat Enterprise Linux 9,
766 DISA recognizes this configuration baseline as applicable to the
767 operating system tier of Red Hat technologies that are based on
768 Red Hat Enterprise Linux 9, such as:
769 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
771 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
772 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
773 9 image
774 Warning: The installation and use of a Graphical User Interface
776 (GUI) increases your attack vector and decreases your overall
777 security posture. If your Information Systems Security Officer
778 (ISSO) lacks a documented operational requirement for a graphi‐
779 cal user interface, please consider using the standard DISA STIG
780 for Red Hat Enterprise Linux 9 profile.
781
787 Source Datastream: ssg-debian10-ds.xml
788 The Guide to the Secure Configuration of Debian 10 is broken into 'pro‐
790 files', groupings of security settings that correlate to a known pol‐
791 icy. Available profiles are:
792 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
796 Profile ID: xccdf_org.ssgproject.content_pro‐
798 file_anssi_np_nt28_average
799 This profile contains items for GNU/Linux installations already
801 protected by multiple higher level security stacks.
802 Profile for ANSSI DAT-NT28 High (Enforced) Level
805 Profile ID: xccdf_org.ssgproject.content_pro‐
807 file_anssi_np_nt28_high
808 This profile contains items for GNU/Linux installations storing
810 sensitive information that can be accessible from unauthenti‐
811 cated or uncontroled networks.
812 Profile for ANSSI DAT-NT28 Minimal Level
815 Profile ID: xccdf_org.ssgproject.content_pro‐
817 file_anssi_np_nt28_minimal
818 This profile contains items to be applied systematically.
820 Profile for ANSSI DAT-NT28 Restrictive Level
823 Profile ID: xccdf_org.ssgproject.content_pro‐
825 file_anssi_np_nt28_restrictive
826 This profile contains items for GNU/Linux installations exposed
828 to unauthenticated flows or multiple sources.
829 Standard System Security Profile for Debian 10
832 Profile ID: xccdf_org.ssgproject.content_profile_standard
834 This profile contains rules to ensure standard security baseline
836 of a Debian 10 system. Regardless of your system's workload all
837 of these checks should pass.
838
844 Source Datastream: ssg-debian11-ds.xml
845 The Guide to the Secure Configuration of Debian 11 is broken into 'pro‐
847 files', groupings of security settings that correlate to a known pol‐
848 icy. Available profiles are:
849 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
853 Profile ID: xccdf_org.ssgproject.content_pro‐
855 file_anssi_np_nt28_average
856 This profile contains items for GNU/Linux installations already
858 protected by multiple higher level security stacks.
859 Profile for ANSSI DAT-NT28 High (Enforced) Level
862 Profile ID: xccdf_org.ssgproject.content_pro‐
864 file_anssi_np_nt28_high
865 This profile contains items for GNU/Linux installations storing
867 sensitive information that can be accessible from unauthenti‐
868 cated or uncontroled networks.
869 Profile for ANSSI DAT-NT28 Minimal Level
872 Profile ID: xccdf_org.ssgproject.content_pro‐
874 file_anssi_np_nt28_minimal
875 This profile contains items to be applied systematically.
877 Profile for ANSSI DAT-NT28 Restrictive Level
880 Profile ID: xccdf_org.ssgproject.content_pro‐
882 file_anssi_np_nt28_restrictive
883 This profile contains items for GNU/Linux installations exposed
885 to unauthenticated flows or multiple sources.
886 Standard System Security Profile for Debian 11
889 Profile ID: xccdf_org.ssgproject.content_profile_standard
891 This profile contains rules to ensure standard security baseline
893 of a Debian 11 system. Regardless of your system's workload all
894 of these checks should pass.
895
901 Service
902 Source Datastream: ssg-eks-ds.xml
903 The Guide to the Secure Configuration of Amazon Elastic Kubernetes Ser‐
905 vice is broken into 'profiles', groupings of security settings that
906 correlate to a known policy. Available profiles are:
907 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node
911 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
913 This profile defines a baseline that aligns to the Center for
915 Internet Security® Amazon Elastic Kubernetes Service (EKS)
916 Benchmark™, V1.0.1.
917 This profile includes Center for Internet Security® Amazon Elas‐
919 tic Kubernetes Service (EKS)™ content.
920 This profile is applicable to EKS 1.21 and greater.
922 CIS Amazon Elastic Kubernetes Service Benchmark - Platform
925 Profile ID: xccdf_org.ssgproject.content_profile_cis
927 This profile defines a baseline that aligns to the Center for
929 Internet Security® Amazon Elastic Kubernetes Service (EKS)
930 Benchmark™, V1.0.1.
931 This profile includes Center for Internet Security® Amazon Elas‐
933 tic Kubernetes Service (EKS)™ content.
934 This profile is applicable to EKS 1.21 and greater.
936
942 Source Datastream: ssg-fedora-ds.xml
943 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
945 files', groupings of security settings that correlate to a known pol‐
946 icy. Available profiles are:
947 OSPP - Protection Profile for General Purpose Operating Systems
951 Profile ID: xccdf_org.ssgproject.content_profile_ospp
953 This profile reflects mandatory configuration controls identi‐
955 fied in the NIAP Configuration Annex to the Protection Profile
956 for General Purpose Operating Systems (Protection Profile Ver‐
957 sion 4.2).
958 As Fedora OS is moving target, this profile does not guarantee
960 to provide security levels required from US National Security
961 Systems. Main goal of the profile is to provide Fedora develop‐
962 ers with hardened environment similar to the one mandated by US
963 National Security Systems.
964 PCI-DSS v3.2.1 Control Baseline for Fedora
967 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
969 Ensures PCI-DSS v3.2.1 related security configuration settings
971 are applied.
972 Standard System Security Profile for Fedora
975 Profile ID: xccdf_org.ssgproject.content_profile_standard
977 This profile contains rules to ensure standard security baseline
979 of a Fedora system. Regardless of your system's workload all of
980 these checks should pass.
981
987 Source Datastream: ssg-firefox-ds.xml
988 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
990 files', groupings of security settings that correlate to a known pol‐
991 icy. Available profiles are:
992 Mozilla Firefox STIG
996 Profile ID: xccdf_org.ssgproject.content_profile_stig
998 This profile is developed under the DoD consensus model and DISA
1000 FSO Vendor STIG process, serving as the upstream development en‐
1001 vironment for the Firefox STIG.
1002 As a result of the upstream/downstream relationship between the
1004 SCAP Security Guide project and the official DISA FSO STIG base‐
1005 line, users should expect variance between SSG and DISA FSO con‐
1006 tent. For official DISA FSO STIG content, refer to https://pub‐
1007 lic.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-secu‐
1008 rity%2Cbrowser-guidance.
1009 While this profile is packaged by Red Hat as part of the SCAP
1011 Security Guide package, please note that commercial support of
1012 this SCAP content is NOT available. This profile is provided as
1013 example SCAP content with no endorsement for suitability or pro‐
1014 duction readiness. Support for this profile is provided by the
1015 upstream SCAP Security Guide community on a best-effort basis.
1016 The upstream project homepage is https://www.open-scap.org/secu‐
1017 rity-policies/scap-security-guide/.
1018
1024 Source Datastream: ssg-macos1015-ds.xml
1025 The Guide to the Secure Configuration of Apple macOS 10.15 is broken
1027 into 'profiles', groupings of security settings that correlate to a
1028 known policy. Available profiles are:
1029 NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
1033 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1035 This compliance profile reflects the core set of Moderate-Impact
1037 Baseline configuration settings for deployment of Apple macOS
1038 10.15 Catalina into U.S. Defense, Intelligence, and Civilian
1039 agencies. Development partners and sponsors include the U.S.
1040 National Institute of Standards and Technology (NIST), U.S. De‐
1041 partment of Defense, and the the National Security Agency.
1042 This baseline implements configuration requirements from the
1044 following sources:
1045 - NIST 800-53 control selections for Moderate-Impact systems
1047 (NIST 800-53)
1048 For any differing configuration requirements, e.g. password
1050 lengths, the stricter security setting was chosen. Security Re‐
1051 quirement Traceability Guides (RTMs) and sample System Security
1052 Configuration Guides are provided via the scap-security-guide-
1053 docs package.
1054 This profile reflects U.S. Government consensus content and is
1056 developed through the ComplianceAsCode initiative, championed by
1057 the National Security Agency. Except for differences in format‐
1058 ting to accommodate publishing processes, this profile mirrors
1059 ComplianceAsCode content as minor divergences, such as bugfixes,
1060 work through the consensus and release processes.
1061
1067 Platform 4
1068 Source Datastream: ssg-ocp4-ds.xml
1069 The Guide to the Secure Configuration of Red Hat OpenShift Container
1071 Platform 4 is broken into 'profiles', groupings of security settings
1072 that correlate to a known policy. Available profiles are:
1073 CIS Red Hat OpenShift Container Platform 4 Benchmark
1077 Profile ID: xccdf_org.ssgproject.content_profile_cis-node
1079 This profile defines a baseline that aligns to the Center for
1081 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
1082 mark™, V1.1.
1083 This profile includes Center for Internet Security® Red Hat
1085 OpenShift Container Platform 4 CIS Benchmarks™ content.
1086 Note that this part of the profile is meant to run on the Oper‐
1088 ating System that Red Hat OpenShift Container Platform 4 runs on
1089 top of.
1090 This profile is applicable to OpenShift versions 4.6 and
1092 greater.
1093 CIS Red Hat OpenShift Container Platform 4 Benchmark
1096 Profile ID: xccdf_org.ssgproject.content_profile_cis
1098 This profile defines a baseline that aligns to the Center for
1100 Internet Security® Red Hat OpenShift Container Platform 4 Bench‐
1101 mark™, V1.1.
1102 This profile includes Center for Internet Security® Red Hat
1104 OpenShift Container Platform 4 CIS Benchmarks™ content.
1105 Note that this part of the profile is meant to run on the Plat‐
1107 form that Red Hat OpenShift Container Platform 4 runs on top of.
1108 This profile is applicable to OpenShift versions 4.6 and
1110 greater.
1111 Australian Cyber Security Centre (ACSC) Essential Eight
1114 Profile ID: xccdf_org.ssgproject.content_profile_e8
1116 This profile contains configuration checks for Red Hat OpenShift
1118 Container Platform that align to the Australian Cyber Security
1119 Centre (ACSC) Essential Eight.
1120 A copy of the Essential Eight in Linux Environments guide can be
1122 found at the ACSC website:
1123 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1125 tions/hardening-linux-workstations-and-servers
1126 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
1129 Profile ID: xccdf_org.ssgproject.content_profile_high-node
1131 This compliance profile reflects the core set of High-Impact
1133 Baseline configuration settings for deployment of Red Hat Open‐
1134 Shift Container Platform into U.S. Defense, Intelligence, and
1135 Civilian agencies. Development partners and sponsors include
1136 the U.S. National Institute of Standards and Technology (NIST),
1137 U.S. Department of Defense, the National Security Agency, and
1138 Red Hat.
1139 This baseline implements configuration requirements from the
1141 following sources:
1142 - NIST 800-53 control selections for High-Impact systems (NIST
1144 800-53)
1145 For any differing configuration requirements, e.g. password
1147 lengths, the stricter security setting was chosen. Security Re‐
1148 quirement Traceability Guides (RTMs) and sample System Security
1149 Configuration Guides are provided via the scap-security-guide-
1150 docs package.
1151 This profile reflects U.S. Government consensus content and is
1153 developed through the ComplianceAsCode initiative, championed by
1154 the National Security Agency. Except for differences in format‐
1155 ting to accommodate publishing processes, this profile mirrors
1156 ComplianceAsCode content as minor divergences, such as bugfixes,
1157 work through the consensus and release processes.
1158 NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
1161 Profile ID: xccdf_org.ssgproject.content_profile_high
1163 This compliance profile reflects the core set of High-Impact
1165 Baseline configuration settings for deployment of Red Hat Open‐
1166 Shift Container Platform into U.S. Defense, Intelligence, and
1167 Civilian agencies. Development partners and sponsors include
1168 the U.S. National Institute of Standards and Technology (NIST),
1169 U.S. Department of Defense, the National Security Agency, and
1170 Red Hat.
1171 This baseline implements configuration requirements from the
1173 following sources:
1174 - NIST 800-53 control selections for High-Impact systems (NIST
1176 800-53)
1177 For any differing configuration requirements, e.g. password
1179 lengths, the stricter security setting was chosen. Security Re‐
1180 quirement Traceability Guides (RTMs) and sample System Security
1181 Configuration Guides are provided via the scap-security-guide-
1182 docs package.
1183 This profile reflects U.S. Government consensus content and is
1185 developed through the ComplianceAsCode initiative, championed by
1186 the National Security Agency. Except for differences in format‐
1187 ting to accommodate publishing processes, this profile mirrors
1188 ComplianceAsCode content as minor divergences, such as bugfixes,
1189 work through the consensus and release processes.
1190 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
1193 Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
1195 This compliance profile reflects the core set of Moderate-Impact
1197 Baseline configuration settings for deployment of Red Hat Open‐
1198 Shift Container Platform into U.S. Defense, Intelligence, and
1199 Civilian agencies. Development partners and sponsors include
1200 the U.S. National Institute of Standards and Technology (NIST),
1201 U.S. Department of Defense, the National Security Agency, and
1202 Red Hat.
1203 This baseline implements configuration requirements from the
1205 following sources:
1206 - NIST 800-53 control selections for Moderate-Impact systems
1208 (NIST 800-53)
1209 For any differing configuration requirements, e.g. password
1211 lengths, the stricter security setting was chosen. Security Re‐
1212 quirement Traceability Guides (RTMs) and sample System Security
1213 Configuration Guides are provided via the scap-security-guide-
1214 docs package.
1215 This profile reflects U.S. Government consensus content and is
1217 developed through the ComplianceAsCode initiative, championed by
1218 the National Security Agency. Except for differences in format‐
1219 ting to accommodate publishing processes, this profile mirrors
1220 ComplianceAsCode content as minor divergences, such as bugfixes,
1221 work through the consensus and release processes.
1222 NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform
1225 level
1226 Profile ID: xccdf_org.ssgproject.content_profile_moderate
1228 This compliance profile reflects the core set of Moderate-Impact
1230 Baseline configuration settings for deployment of Red Hat Open‐
1231 Shift Container Platform into U.S. Defense, Intelligence, and
1232 Civilian agencies. Development partners and sponsors include
1233 the U.S. National Institute of Standards and Technology (NIST),
1234 U.S. Department of Defense, the National Security Agency, and
1235 Red Hat.
1236 This baseline implements configuration requirements from the
1238 following sources:
1239 - NIST 800-53 control selections for Moderate-Impact systems
1241 (NIST 800-53)
1242 For any differing configuration requirements, e.g. password
1244 lengths, the stricter security setting was chosen. Security Re‐
1245 quirement Traceability Guides (RTMs) and sample System Security
1246 Configuration Guides are provided via the scap-security-guide-
1247 docs package.
1248 This profile reflects U.S. Government consensus content and is
1250 developed through the ComplianceAsCode initiative, championed by
1251 the National Security Agency. Except for differences in format‐
1252 ting to accommodate publishing processes, this profile mirrors
1253 ComplianceAsCode content as minor divergences, such as bugfixes,
1254 work through the consensus and release processes.
1255 North American Electric Reliability Corporation (NERC) Critical Infra‐
1258 structure Protection (CIP) cybersecurity standards profile for the Red
1259 Hat OpenShift Container Platform - Node level
1260 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node
1262 This compliance profile reflects a set of security recommenda‐
1264 tions for the usage of Red Hat OpenShift Container Platform in
1265 critical infrastructure in the energy sector. This follows the
1266 recommendations coming from the following CIP standards:
1267 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1269 CIP-007-6 - CIP-009-6
1270 North American Electric Reliability Corporation (NERC) Critical Infra‐
1273 structure Protection (CIP) cybersecurity standards profile for the Red
1274 Hat OpenShift Container Platform - Platform level
1275 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
1277 This compliance profile reflects a set of security recommenda‐
1279 tions for the usage of Red Hat OpenShift Container Platform in
1280 critical infrastructure in the energy sector. This follows the
1281 recommendations coming from the following CIP standards:
1282 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
1284 CIP-007-6 - CIP-009-6
1285 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1288 form 4
1289 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node
1291 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1293 plied.
1294 PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Plat‐
1297 form 4
1298 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1300 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1302 plied.
1303
1309 Source Datastream: ssg-ol7-ds.xml
1310 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
1312 'profiles', groupings of security settings that correlate to a known
1313 policy. Available profiles are:
1314 ANSSI-BP-028 (enhanced)
1318 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
1320 hanced
1321 This profile contains configurations that align to ANSSI-BP-028
1323 at the enhanced hardening level.
1324 ANSSI is the French National Information Security Agency, and
1326 stands for Agence nationale de la sécurité des systèmes d'infor‐
1327 mation. ANSSI-BP-028 is a configuration recommendation for
1328 GNU/Linux systems.
1329 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1331 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1332 securite-relatives-a-un-systeme-gnulinux/
1333 DRAFT - ANSSI-BP-028 (high)
1336 Profile ID: xccdf_org.ssgproject.content_pro‐
1338 file_anssi_nt28_high
1339 This profile contains configurations that align to ANSSI-BP-028
1341 at the high hardening level.
1342 ANSSI is the French National Information Security Agency, and
1344 stands for Agence nationale de la sécurité des systèmes d'infor‐
1345 mation. ANSSI-BP-028 is a configuration recommendation for
1346 GNU/Linux systems.
1347 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1349 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1350 securite-relatives-a-un-systeme-gnulinux/
1351 ANSSI-BP-028 (intermediary)
1354 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
1356 termediary
1357 This profile contains configurations that align to ANSSI-BP-028
1359 at the intermediary hardening level.
1360 ANSSI is the French National Information Security Agency, and
1362 stands for Agence nationale de la sécurité des systèmes d'infor‐
1363 mation. ANSSI-BP-028 is a configuration recommendation for
1364 GNU/Linux systems.
1365 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1367 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1368 securite-relatives-a-un-systeme-gnulinux/
1369 ANSSI-BP-028 (minimal)
1372 Profile ID: xccdf_org.ssgproject.content_pro‐
1374 file_anssi_nt28_minimal
1375 This profile contains configurations that align to ANSSI-BP-028
1377 at the minimal hardening level.
1378 ANSSI is the French National Information Security Agency, and
1380 stands for Agence nationale de la sécurité des systèmes d'infor‐
1381 mation. ANSSI-BP-028 is a configuration recommendation for
1382 GNU/Linux systems.
1383 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1385 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1386 securite-relatives-a-un-systeme-gnulinux/
1387 Criminal Justice Information Services (CJIS) Security Policy
1390 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1392 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1394 copy of this policy can be found at the CJIS Security Policy Re‐
1395 source Center:
1396 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1398 center
1399 Unclassified Information in Non-federal Information Systems and Organi‐
1402 zations (NIST 800-171)
1403 Profile ID: xccdf_org.ssgproject.content_profile_cui
1405 From NIST 800-171, Section 2.2: Security requirements for pro‐
1407 tecting the confidentiality of CUI in non-federal information
1408 systems and organizations have a well-defined structure that
1409 consists of:
1410 (i) a basic security requirements section; (ii) a derived secu‐
1412 rity requirements section.
1413 The basic security requirements are obtained from FIPS Publica‐
1415 tion 200, which provides the high-level and fundamental security
1416 requirements for federal information and information systems.
1417 The derived security requirements, which supplement the basic
1418 security requirements, are taken from the security controls in
1419 NIST Special Publication 800-53.
1420 This profile configures Oracle Linux 7 to the NIST Special Pub‐
1422 lication 800-53 controls identified for securing Controlled Un‐
1423 classified Information (CUI).
1424 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
1427 Profile ID: xccdf_org.ssgproject.content_profile_e8
1429 This profile contains configuration checks for Oracle Linux 7
1431 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1432 tial Eight.
1433 A copy of the Essential Eight in Linux Environments guide can be
1435 found at the ACSC website:
1436 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1438 tions/hardening-linux-workstations-and-servers
1439 Health Insurance Portability and Accountability Act (HIPAA)
1442 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1444 The HIPAA Security Rule establishes U.S. national standards to
1446 protect individuals’ electronic personal health information that
1447 is created, received, used, or maintained by a covered entity.
1448 The Security Rule requires appropriate administrative, physical
1449 and technical safeguards to ensure the confidentiality, integ‐
1450 rity, and security of electronic protected health information.
1451 This profile configures Oracle Linux 7 to the HIPAA Security
1453 Rule identified for securing of electronic protected health in‐
1454 formation. Use of this profile in no way guarantees or makes
1455 claims against legal compliance against the HIPAA Security
1456 Rule(s).
1457 NIST National Checklist Program Security Guide
1460 Profile ID: xccdf_org.ssgproject.content_profile_ncp
1462 This compliance profile reflects the core set of security re‐
1464 lated configuration settings for deployment of Oracle Linux 7
1465 into U.S. Defense, Intelligence, and Civilian agencies. Devel‐
1466 opment partners and sponsors include the U.S. National Institute
1467 of Standards and Technology (NIST), U.S. Department of Defense,
1468 the National Security Agency, and Red Hat.
1469 This baseline implements configuration requirements from the
1471 following sources:
1472 - Committee on National Security Systems Instruction No. 1253
1474 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
1475 800-171) - NIST 800-53 control selections for MODERATE impact
1476 systems (NIST 800-53) - U.S. Government Configuration Baseline
1477 (USGCB) - NIAP Protection Profile for General Purpose Operating
1478 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
1479 Requirements Guide (OS SRG)
1480 For any differing configuration requirements, e.g. password
1482 lengths, the stricter security setting was chosen. Security Re‐
1483 quirement Traceability Guides (RTMs) and sample System Security
1484 Configuration Guides are provided via the scap-security-guide-
1485 docs package.
1486 This profile reflects U.S. Government consensus content and is
1488 developed through the OpenSCAP/SCAP Security Guide initiative,
1489 championed by the National Security Agency. Except for differ‐
1490 ences in formatting to accommodate publishing processes, this
1491 profile mirrors OpenSCAP/SCAP Security Guide content as minor
1492 divergences, such as bugfixes, work through the consensus and
1493 release processes.
1494 [DRAFT] Protection Profile for General Purpose Operating Systems
1497 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1499 This profile reflects mandatory configuration controls identi‐
1501 fied in the NIAP Configuration Annex to the Protection Profile
1502 for General Purpose Operating Systems (Protection Profile Ver‐
1503 sion 4.2.1).
1504 This configuration profile is consistent with CNSSI-1253, which
1506 requires U.S. National Security Systems to adhere to certain
1507 configuration parameters. Accordingly, this configuration pro‐
1508 file is suitable for use in U.S. National Security Systems.
1509 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
1512 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1514 Ensures PCI-DSS v3.2.1 related security configuration settings
1516 are applied.
1517 Security Profile of Oracle Linux 7 for SAP
1520 Profile ID: xccdf_org.ssgproject.content_profile_sap
1522 This profile contains rules for Oracle Linux 7 Operating System
1524 in compliance with SAP note 2069760 and SAP Security Baseline
1525 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
1526 of your system's workload all of these checks should pass.
1527 Standard System Security Profile for Oracle Linux 7
1530 Profile ID: xccdf_org.ssgproject.content_profile_standard
1532 This profile contains rules to ensure standard security baseline
1534 of Oracle Linux 7 system. Regardless of your system's workload
1535 all of these checks should pass.
1536 DISA STIG for Oracle Linux 7
1539 Profile ID: xccdf_org.ssgproject.content_profile_stig
1541 This profile contains configuration checks that align to the
1543 DISA STIG for Oracle Linux V2R8.
1544 DISA STIG with GUI for Oracle Linux 7
1547 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1549 This profile contains configuration checks that align to the
1551 DISA STIG with GUI for Oracle Linux V2R8.
1552 Warning: The installation and use of a Graphical User Interface
1554 (GUI) increases your attack vector and decreases your overall
1555 security posture. If your Information Systems Security Officer
1556 (ISSO) lacks a documented operational requirement for a graphi‐
1557 cal user interface, please consider using the standard DISA STIG
1558 for Oracle Linux 7 profile.
1559
1565 Source Datastream: ssg-ol8-ds.xml
1566 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
1568 'profiles', groupings of security settings that correlate to a known
1569 policy. Available profiles are:
1570 ANSSI-BP-028 (enhanced)
1574 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1576 hanced
1577 This profile contains configurations that align to ANSSI-BP-028
1579 v1.2 at the enhanced hardening level.
1580 ANSSI is the French National Information Security Agency, and
1582 stands for Agence nationale de la sécurité des systèmes d'infor‐
1583 mation. ANSSI-BP-028 is a configuration recommendation for
1584 GNU/Linux systems.
1585 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1587 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1588 securite-relatives-a-un-systeme-gnulinux/
1589 ANSSI-BP-028 (high)
1592 Profile ID: xccdf_org.ssgproject.content_pro‐
1594 file_anssi_bp28_high
1595 This profile contains configurations that align to ANSSI-BP-028
1597 v1.2 at the high hardening level.
1598 ANSSI is the French National Information Security Agency, and
1600 stands for Agence nationale de la sécurité des systèmes d'infor‐
1601 mation. ANSSI-BP-028 is a configuration recommendation for
1602 GNU/Linux systems.
1603 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1605 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1606 securite-relatives-a-un-systeme-gnulinux/
1607 ANSSI-BP-028 (intermediary)
1610 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1612 termediary
1613 This profile contains configurations that align to ANSSI-BP-028
1615 v1.2 at the intermediary hardening level.
1616 ANSSI is the French National Information Security Agency, and
1618 stands for Agence nationale de la sécurité des systèmes d'infor‐
1619 mation. ANSSI-BP-028 is a configuration recommendation for
1620 GNU/Linux systems.
1621 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1623 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1624 securite-relatives-a-un-systeme-gnulinux/
1625 ANSSI-BP-028 (minimal)
1628 Profile ID: xccdf_org.ssgproject.content_pro‐
1630 file_anssi_bp28_minimal
1631 This profile contains configurations that align to ANSSI-BP-028
1633 v1.2 at the minimal hardening level.
1634 ANSSI is the French National Information Security Agency, and
1636 stands for Agence nationale de la sécurité des systèmes d'infor‐
1637 mation. ANSSI-BP-028 is a configuration recommendation for
1638 GNU/Linux systems.
1639 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1641 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1642 securite-relatives-a-un-systeme-gnulinux/
1643 Criminal Justice Information Services (CJIS) Security Policy
1646 Profile ID: xccdf_org.ssgproject.content_profile_cjis
1648 This profile is derived from FBI's CJIS v5.4 Security Policy. A
1650 copy of this policy can be found at the CJIS Security Policy Re‐
1651 source Center:
1652 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
1654 center
1655 Unclassified Information in Non-federal Information Systems and Organi‐
1658 zations (NIST 800-171)
1659 Profile ID: xccdf_org.ssgproject.content_profile_cui
1661 From NIST 800-171, Section 2.2: Security requirements for pro‐
1663 tecting the confidentiality of CUI in non-federal information
1664 systems and organizations have a well-defined structure that
1665 consists of:
1666 (i) a basic security requirements section; (ii) a derived secu‐
1668 rity requirements section.
1669 The basic security requirements are obtained from FIPS Publica‐
1671 tion 200, which provides the high-level and fundamental security
1672 requirements for federal information and information systems.
1673 The derived security requirements, which supplement the basic
1674 security requirements, are taken from the security controls in
1675 NIST Special Publication 800-53.
1676 This profile configures Oracle Linux 8 to the NIST Special Pub‐
1678 lication 800-53 controls identified for securing Controlled Un‐
1679 classified Information (CUI).
1680 [DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
1683 Profile ID: xccdf_org.ssgproject.content_profile_e8
1685 This profile contains configuration checks for Oracle Linux 8
1687 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1688 tial Eight.
1689 A copy of the Essential Eight in Linux Environments guide can be
1691 found at the ACSC website:
1692 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1694 tions/hardening-linux-workstations-and-servers
1695 Health Insurance Portability and Accountability Act (HIPAA)
1698 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1700 The HIPAA Security Rule establishes U.S. national standards to
1702 protect individuals’ electronic personal health information that
1703 is created, received, used, or maintained by a covered entity.
1704 The Security Rule requires appropriate administrative, physical
1705 and technical safeguards to ensure the confidentiality, integ‐
1706 rity, and security of electronic protected health information.
1707 This profile configures Oracle Linux 8 to the HIPAA Security
1709 Rule identified for securing of electronic protected health in‐
1710 formation. Use of this profile in no way guarantees or makes
1711 claims against legal compliance against the HIPAA Security
1712 Rule(s).
1713 [DRAFT] Protection Profile for General Purpose Operating Systems
1716 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1718 This profile reflects mandatory configuration controls identi‐
1720 fied in the NIAP Configuration Annex to the Protection Profile
1721 for General Purpose Operating Systems (Protection Profile Ver‐
1722 sion 4.2.1).
1723 This configuration profile is consistent with CNSSI-1253, which
1725 requires U.S. National Security Systems to adhere to certain
1726 configuration parameters. Accordingly, this configuration pro‐
1727 file is suitable for use in U.S. National Security Systems.
1728 PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
1731 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1733 Ensures PCI-DSS v3.2.1 related security configuration settings
1735 are applied.
1736 Standard System Security Profile for Oracle Linux 8
1739 Profile ID: xccdf_org.ssgproject.content_profile_standard
1741 This profile contains rules to ensure standard security baseline
1743 of Oracle Linux 8 system. Regardless of your system's workload
1744 all of these checks should pass.
1745 DISA STIG for Oracle Linux 8
1748 Profile ID: xccdf_org.ssgproject.content_profile_stig
1750 This profile contains configuration checks that align to the
1752 DISA STIG for Oracle Linux 8 V1R3.
1753 DISA STIG with GUI for Oracle Linux 8
1756 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1758 This profile contains configuration checks that align to the
1760 DISA STIG with GUI for Oracle Linux V1R3.
1761 Warning: The installation and use of a Graphical User Interface
1763 (GUI) increases your attack vector and decreases your overall
1764 security posture. If your Information Systems Security Officer
1765 (ISSO) lacks a documented operational requirement for a graphi‐
1766 cal user interface, please consider using the standard DISA STIG
1767 for Oracle Linux 8 profile.
1768
1774 Source Datastream: ssg-ol9-ds.xml
1775 The Guide to the Secure Configuration of Oracle Linux 9 is broken into
1777 'profiles', groupings of security settings that correlate to a known
1778 policy. Available profiles are:
1779 ANSSI-BP-028 (enhanced)
1783 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1785 hanced
1786 This profile contains configurations that align to ANSSI-BP-028
1788 at the enhanced hardening level. ANSSI is the French National
1789 Information Security Agency, and stands for Agence nationale de
1790 la sécurité des systèmes d'information. ANSSI-BP-028 is a con‐
1791 figuration recommendation for GNU/Linux systems.
1792 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1794 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1795 securite-relatives-a-un-systeme-gnulinux/
1796 ANSSI-BP-028 (high)
1799 Profile ID: xccdf_org.ssgproject.content_pro‐
1801 file_anssi_bp28_high
1802 This profile contains configurations that align to ANSSI-BP-028
1804 at the high hardening level. ANSSI is the French National Infor‐
1805 mation Security Agency, and stands for Agence nationale de la
1806 sécurité des systèmes d'information. ANSSI-BP-028 is a configu‐
1807 ration recommendation for GNU/Linux systems.
1808 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1810 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1811 securite-relatives-a-un-systeme-gnulinux/
1812 ANSSI-BP-028 (intermediary)
1815 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
1817 termediary
1818 This profile contains configurations that align to ANSSI-BP-028
1820 at the intermediary hardening level. ANSSI is the French Na‐
1821 tional Information Security Agency, and stands for Agence na‐
1822 tionale de la sécurité des systèmes d'information. ANSSI-BP-028
1823 is a configuration recommendation for GNU/Linux systems.
1824 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1826 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1827 securite-relatives-a-un-systeme-gnulinux/
1828 ANSSI-BP-028 (minimal)
1831 Profile ID: xccdf_org.ssgproject.content_pro‐
1833 file_anssi_bp28_minimal
1834 This profile contains configurations that align to ANSSI-BP-028
1836 at the minimal hardening level. ANSSI is the French National In‐
1837 formation Security Agency, and stands for Agence nationale de la
1838 sécurité des systèmes d'information. ANSSI-BP-028 is a configu‐
1839 ration recommendation for GNU/Linux systems.
1840 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
1842 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
1843 securite-relatives-a-un-systeme-gnulinux/
1844 [DRAFT] Unclassified Information in Non-federal Information Systems and
1847 Organizations (NIST 800-171)
1848 Profile ID: xccdf_org.ssgproject.content_profile_cui
1850 From NIST 800-171, Section 2.2: Security requirements for pro‐
1852 tecting the confidentiality of CUI in nonfederal information
1853 systems and organizations have a well-defined structure that
1854 consists of:
1855 (i) a basic security requirements section; (ii) a derived secu‐
1857 rity requirements section.
1858 The basic security requirements are obtained from FIPS Publica‐
1860 tion 200, which provides the high-level and fundamental security
1861 requirements for federal information and information systems.
1862 The derived security requirements, which supplement the basic
1863 security requirements, are taken from the security controls in
1864 NIST Special Publication 800-53.
1865 This profile configures Oracle Linux 9 to the NIST Special Pub‐
1867 lication 800-53 controls identified for securing Controlled Un‐
1868 classified Information (CUI)."
1869 Australian Cyber Security Centre (ACSC) Essential Eight
1872 Profile ID: xccdf_org.ssgproject.content_profile_e8
1874 This profile contains configuration checks for Oracle Linux 9
1876 that align to the Australian Cyber Security Centre (ACSC) Essen‐
1877 tial Eight.
1878 A copy of the Essential Eight in Linux Environments guide can be
1880 found at the ACSC website:
1881 https://www.cyber.gov.au/acsc/view-all-content/publica‐
1883 tions/hardening-linux-workstations-and-servers
1884 Health Insurance Portability and Accountability Act (HIPAA)
1887 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
1889 The HIPAA Security Rule establishes U.S. national standards to
1891 protect individuals’ electronic personal health information that
1892 is created, received, used, or maintained by a covered entity.
1893 The Security Rule requires appropriate administrative, physical
1894 and technical safeguards to ensure the confidentiality, integ‐
1895 rity, and security of electronic protected health information.
1896 This profile configures Oracle Linux 9 to the HIPAA Security
1898 Rule identified for securing of electronic protected health in‐
1899 formation. Use of this profile in no way guarantees or makes
1900 claims against legal compliance against the HIPAA Security
1901 Rule(s).
1902 [DRAFT] Protection Profile for General Purpose Operating Systems
1905 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1907 This profile is part of Oracle Linux 9 Common Criteria Guidance
1909 documentation for Target of Evaluation based on Protection Pro‐
1910 file for General Purpose Operating Systems (OSPP) version 4.2.1
1911 and Functional Package for SSH version 1.0.
1912 Where appropriate, CNSSI 1253 or DoD-specific values are used
1914 for configuration, based on Configuration Annex to the OSPP.
1915 PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9
1918 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1920 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
1922 plied.
1923 Standard System Security Profile for Oracle Linux 9
1926 Profile ID: xccdf_org.ssgproject.content_profile_standard
1928 This profile contains rules to ensure standard security baseline
1930 of Oracle Linux 9 system. Regardless of your system's workload
1931 all of these checks should pass.
1932 [DRAFT] DISA STIG for Oracle Linux 9
1935 Profile ID: xccdf_org.ssgproject.content_profile_stig
1937 This is a draft profile based on its OL8 version for experimen‐
1939 tal purposes. It is not based on the DISA STIG for OL9, because
1940 this one was not available at time of the release.
1941 [DRAFT] DISA STIG with GUI for Oracle Linux 9
1944 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
1946 This is a draft profile based on its OL8 version for experimen‐
1948 tal purposes. It is not based on the DISA STIG for OL9, because
1949 this one was not available at time of the release.
1950 Warning: The installation and use of a Graphical User Interface
1952 (GUI) increases your attack vector and decreases your overall
1953 security posture. If your Information Systems Security Officer
1954 (ISSO) lacks a documented operational requirement for a graphi‐
1955 cal user interface, please consider using the standard DISA STIG
1956 for Oracle Linux 9 profile.
1957
1963 Source Datastream: ssg-opensuse-ds.xml
1964 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
1966 files', groupings of security settings that correlate to a known pol‐
1967 icy. Available profiles are:
1968 Standard System Security Profile for openSUSE
1972 Profile ID: xccdf_org.ssgproject.content_profile_standard
1974 This profile contains rules to ensure standard security baseline
1976 of an openSUSE system. Regardless of your system's workload all
1977 of these checks should pass.
1978
1984 CoreOS 4
1985 Source Datastream: ssg-rhcos4-ds.xml
1986 The Guide to the Secure Configuration of Red Hat Enterprise Linux
1988 CoreOS 4 is broken into 'profiles', groupings of security settings that
1989 correlate to a known policy. Available profiles are:
1990 DRAFT - ANSSI-BP-028 (enhanced)
1994 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
1996 hanced
1997 This profile contains configurations that align to ANSSI-BP-028
1999 at the enhanced hardening level.
2000 ANSSI is the French National Information Security Agency, and
2002 stands for Agence nationale de la sécurité des systèmes d'infor‐
2003 mation. ANSSI-BP-028 is a configuration recommendation for
2004 GNU/Linux systems.
2005 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2007 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2008 securite-relatives-a-un-systeme-gnulinux/
2009 DRAFT - ANSSI-BP-028 (high)
2012 Profile ID: xccdf_org.ssgproject.content_pro‐
2014 file_anssi_bp28_high
2015 This profile contains configurations that align to ANSSI-BP-028
2017 at the high hardening level.
2018 ANSSI is the French National Information Security Agency, and
2020 stands for Agence nationale de la sécurité des systèmes d'infor‐
2021 mation. ANSSI-BP-028 is a configuration recommendation for
2022 GNU/Linux systems.
2023 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2025 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2026 securite-relatives-a-un-systeme-gnulinux/
2027 DRAFT - ANSSI-BP-028 (intermediary)
2030 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2032 termediary
2033 This profile contains configurations that align to ANSSI-BP-028
2035 at the intermediary hardening level.
2036 ANSSI is the French National Information Security Agency, and
2038 stands for Agence nationale de la sécurité des systèmes d'infor‐
2039 mation. ANSSI-BP-028 is a configuration recommendation for
2040 GNU/Linux systems.
2041 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2043 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2044 securite-relatives-a-un-systeme-gnulinux/
2045 DRAFT - ANSSI-BP-028 (minimal)
2048 Profile ID: xccdf_org.ssgproject.content_pro‐
2050 file_anssi_bp28_minimal
2051 This profile contains configurations that align to ANSSI-BP-028
2053 at the minimal hardening level.
2054 ANSSI is the French National Information Security Agency, and
2056 stands for Agence nationale de la sécurité des systèmes d'infor‐
2057 mation. ANSSI-BP-028 is a configuration recommendation for
2058 GNU/Linux systems.
2059 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2061 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2062 securite-relatives-a-un-systeme-gnulinux/
2063 Australian Cyber Security Centre (ACSC) Essential Eight
2066 Profile ID: xccdf_org.ssgproject.content_profile_e8
2068 This profile contains configuration checks for Red Hat Enter‐
2070 prise Linux CoreOS that align to the Australian Cyber Security
2071 Centre (ACSC) Essential Eight.
2072 A copy of the Essential Eight in Linux Environments guide can be
2074 found at the ACSC website:
2075 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2077 tions/hardening-linux-workstations-and-servers
2078 NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
2081 Profile ID: xccdf_org.ssgproject.content_profile_high
2083 This compliance profile reflects the core set of High-Impact
2085 Baseline configuration settings for deployment of Red Hat Enter‐
2086 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
2087 agencies. Development partners and sponsors include the U.S.
2088 National Institute of Standards and Technology (NIST), U.S. De‐
2089 partment of Defense, the National Security Agency, and Red Hat.
2090 This baseline implements configuration requirements from the
2092 following sources:
2093 - NIST 800-53 control selections for High-Impact systems (NIST
2095 800-53)
2096 For any differing configuration requirements, e.g. password
2098 lengths, the stricter security setting was chosen. Security Re‐
2099 quirement Traceability Guides (RTMs) and sample System Security
2100 Configuration Guides are provided via the scap-security-guide-
2101 docs package.
2102 This profile reflects U.S. Government consensus content and is
2104 developed through the ComplianceAsCode initiative, championed by
2105 the National Security Agency. Except for differences in format‐
2106 ting to accommodate publishing processes, this profile mirrors
2107 ComplianceAsCode content as minor divergences, such as bugfixes,
2108 work through the consensus and release processes.
2109 NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
2112 CoreOS
2113 Profile ID: xccdf_org.ssgproject.content_profile_moderate
2115 This compliance profile reflects the core set of Moderate-Impact
2117 Baseline configuration settings for deployment of Red Hat Enter‐
2118 prise Linux CoreOS into U.S. Defense, Intelligence, and Civilian
2119 agencies. Development partners and sponsors include the U.S.
2120 National Institute of Standards and Technology (NIST), U.S. De‐
2121 partment of Defense, the National Security Agency, and Red Hat.
2122 This baseline implements configuration requirements from the
2124 following sources:
2125 - NIST 800-53 control selections for Moderate-Impact systems
2127 (NIST 800-53)
2128 For any differing configuration requirements, e.g. password
2130 lengths, the stricter security setting was chosen. Security Re‐
2131 quirement Traceability Guides (RTMs) and sample System Security
2132 Configuration Guides are provided via the scap-security-guide-
2133 docs package.
2134 This profile reflects U.S. Government consensus content and is
2136 developed through the ComplianceAsCode initiative, championed by
2137 the National Security Agency. Except for differences in format‐
2138 ting to accommodate publishing processes, this profile mirrors
2139 ComplianceAsCode content as minor divergences, such as bugfixes,
2140 work through the consensus and release processes.
2141 North American Electric Reliability Corporation (NERC) Critical Infra‐
2144 structure Protection (CIP) cybersecurity standards profile for Red Hat
2145 Enterprise Linux CoreOS
2146 Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
2148 This compliance profile reflects a set of security recommenda‐
2150 tions for the usage of Red Hat Enterprise Linux CoreOS in criti‐
2151 cal infrastructure in the energy sector. This follows the recom‐
2152 mendations coming from the following CIP standards:
2153 - CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 -
2155 CIP-007-6 - CIP-009-6
2156
2162 Source Datastream: ssg-rhel7-ds.xml
2163 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
2165 broken into 'profiles', groupings of security settings that correlate
2166 to a known policy. Available profiles are:
2167 C2S for Red Hat Enterprise Linux 7
2171 Profile ID: xccdf_org.ssgproject.content_profile_C2S
2173 This profile demonstrates compliance against the U.S. Government
2175 Commercial Cloud Services (C2S) baseline.
2176 This baseline was inspired by the Center for Internet Security
2178 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
2179 For the SCAP Security Guide project to remain in compliance with
2181 CIS' terms and conditions, specifically Restrictions(8), note
2182 there is no representation or claim that the C2S profile will
2183 ensure a system is in compliance or consistency with the CIS
2184 baseline.
2185 ANSSI-BP-028 (enhanced)
2188 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_en‐
2190 hanced
2191 This profile contains configurations that align to ANSSI-BP-028
2193 v1.2 at the enhanced hardening level.
2194 ANSSI is the French National Information Security Agency, and
2196 stands for Agence nationale de la sécurité des systèmes d'infor‐
2197 mation. ANSSI-BP-028 is a configuration recommendation for
2198 GNU/Linux systems.
2199 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2201 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2202 securite-relatives-a-un-systeme-gnulinux/
2203 ANSSI-BP-028 (high)
2206 Profile ID: xccdf_org.ssgproject.content_pro‐
2208 file_anssi_nt28_high
2209 This profile contains configurations that align to ANSSI-BP-028
2211 v1.2 at the high hardening level.
2212 ANSSI is the French National Information Security Agency, and
2214 stands for Agence nationale de la sécurité des systèmes d'infor‐
2215 mation. ANSSI-BP-028 is a configuration recommendation for
2216 GNU/Linux systems.
2217 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2219 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2220 securite-relatives-a-un-systeme-gnulinux/
2221 ANSSI-BP-028 (intermediary)
2224 Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_in‐
2226 termediary
2227 This profile contains configurations that align to ANSSI-BP-028
2229 v1.2 at the intermediary hardening level.
2230 ANSSI is the French National Information Security Agency, and
2232 stands for Agence nationale de la sécurité des systèmes d'infor‐
2233 mation. ANSSI-BP-028 is a configuration recommendation for
2234 GNU/Linux systems.
2235 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2237 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2238 securite-relatives-a-un-systeme-gnulinux/
2239 ANSSI-BP-028 (minimal)
2242 Profile ID: xccdf_org.ssgproject.content_pro‐
2244 file_anssi_nt28_minimal
2245 This profile contains configurations that align to ANSSI-BP-028
2247 v1.2 at the minimal hardening level.
2248 ANSSI is the French National Information Security Agency, and
2250 stands for Agence nationale de la sécurité des systèmes d'infor‐
2251 mation. ANSSI-BP-028 is a configuration recommendation for
2252 GNU/Linux systems.
2253 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2255 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2256 securite-relatives-a-un-systeme-gnulinux/
2257 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
2260 Profile ID: xccdf_org.ssgproject.content_profile_cis
2262 This profile defines a baseline that aligns to the "Level 2 -
2264 Server" configuration from the Center for Internet Security® Red
2265 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
2266 This profile includes Center for Internet Security® Red Hat En‐
2268 terprise Linux 7 CIS Benchmarks™ content.
2269 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
2272 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2274 This profile defines a baseline that aligns to the "Level 1 -
2276 Server" configuration from the Center for Internet Security® Red
2277 Hat Enterprise Linux 7 Benchmark™, v3.1.1, released 05-21-2021.
2278 This profile includes Center for Internet Security® Red Hat En‐
2280 terprise Linux 7 CIS Benchmarks™ content.
2281 CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
2284 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2286 tion_l1
2287 This profile defines a baseline that aligns to the "Level 1 -
2289 Workstation" configuration from the Center for Internet Secu‐
2290 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
2291 05-21-2021.
2292 This profile includes Center for Internet Security® Red Hat En‐
2294 terprise Linux 7 CIS Benchmarks™ content.
2295 CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
2298 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2300 tion_l2
2301 This profile defines a baseline that aligns to the "Level 2 -
2303 Workstation" configuration from the Center for Internet Secu‐
2304 rity® Red Hat Enterprise Linux 7 Benchmark™, v3.1.1, released
2305 05-21-2021.
2306 This profile includes Center for Internet Security® Red Hat En‐
2308 terprise Linux 7 CIS Benchmarks™ content.
2309 Criminal Justice Information Services (CJIS) Security Policy
2312 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2314 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2316 copy of this policy can be found at the CJIS Security Policy Re‐
2317 source Center:
2318 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2320 center
2321 Unclassified Information in Non-federal Information Systems and Organi‐
2324 zations (NIST 800-171)
2325 Profile ID: xccdf_org.ssgproject.content_profile_cui
2327 From NIST 800-171, Section 2.2: Security requirements for pro‐
2329 tecting the confidentiality of CUI in non-federal information
2330 systems and organizations have a well-defined structure that
2331 consists of:
2332 (i) a basic security requirements section; (ii) a derived secu‐
2334 rity requirements section.
2335 The basic security requirements are obtained from FIPS Publica‐
2337 tion 200, which provides the high-level and fundamental security
2338 requirements for federal information and information systems.
2339 The derived security requirements, which supplement the basic
2340 security requirements, are taken from the security controls in
2341 NIST Special Publication 800-53.
2342 This profile configures Red Hat Enterprise Linux 7 to the NIST
2344 Special Publication 800-53 controls identified for securing Con‐
2345 trolled Unclassified Information (CUI).
2346 Australian Cyber Security Centre (ACSC) Essential Eight
2349 Profile ID: xccdf_org.ssgproject.content_profile_e8
2351 This profile contains configuration checks for Red Hat Enter‐
2353 prise Linux 7 that align to the Australian Cyber Security Centre
2354 (ACSC) Essential Eight.
2355 A copy of the Essential Eight in Linux Environments guide can be
2357 found at the ACSC website:
2358 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2360 tions/hardening-linux-workstations-and-servers
2361 Health Insurance Portability and Accountability Act (HIPAA)
2364 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2366 The HIPAA Security Rule establishes U.S. national standards to
2368 protect individuals’ electronic personal health information that
2369 is created, received, used, or maintained by a covered entity.
2370 The Security Rule requires appropriate administrative, physical
2371 and technical safeguards to ensure the confidentiality, integ‐
2372 rity, and security of electronic protected health information.
2373 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
2375 Security Rule identified for securing of electronic protected
2376 health information. Use of this profile in no way guarantees or
2377 makes claims against legal compliance against the HIPAA Security
2378 Rule(s).
2379 NIST National Checklist Program Security Guide
2382 Profile ID: xccdf_org.ssgproject.content_profile_ncp
2384 This compliance profile reflects the core set of security re‐
2386 lated configuration settings for deployment of Red Hat Enter‐
2387 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
2388 agencies. Development partners and sponsors include the U.S.
2389 National Institute of Standards and Technology (NIST), U.S. De‐
2390 partment of Defense, the National Security Agency, and Red Hat.
2391 This baseline implements configuration requirements from the
2393 following sources:
2394 - Committee on National Security Systems Instruction No. 1253
2396 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
2397 800-171) - NIST 800-53 control selections for MODERATE impact
2398 systems (NIST 800-53) - U.S. Government Configuration Baseline
2399 (USGCB) - NIAP Protection Profile for General Purpose Operating
2400 Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security
2401 Requirements Guide (OS SRG)
2402 For any differing configuration requirements, e.g. password
2404 lengths, the stricter security setting was chosen. Security Re‐
2405 quirement Traceability Guides (RTMs) and sample System Security
2406 Configuration Guides are provided via the scap-security-guide-
2407 docs package.
2408 This profile reflects U.S. Government consensus content and is
2410 developed through the OpenSCAP/SCAP Security Guide initiative,
2411 championed by the National Security Agency. Except for differ‐
2412 ences in formatting to accommodate publishing processes, this
2413 profile mirrors OpenSCAP/SCAP Security Guide content as minor
2414 divergences, such as bugfixes, work through the consensus and
2415 release processes.
2416 OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
2419 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2421 This profile reflects mandatory configuration controls identi‐
2423 fied in the NIAP Configuration Annex to the Protection Profile
2424 for General Purpose Operating Systems (Protection Profile Ver‐
2425 sion 4.2.1).
2426 This configuration profile is consistent with CNSSI-1253, which
2428 requires U.S. National Security Systems to adhere to certain
2429 configuration parameters. Accordingly, this configuration pro‐
2430 file is suitable for use in U.S. National Security Systems.
2431 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
2434 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2436 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2438 plied.
2439 RHV hardening based on STIG for Red Hat Enterprise Linux 7
2442 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
2444 This profile contains configuration checks for Red Hat Virtual‐
2446 ization based on the the DISA STIG for Red Hat Enterprise Linux
2447 7.
2448 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
2451 ization
2452 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
2454 This compliance profile reflects the core set of security re‐
2456 lated configuration settings for deployment of Red Hat Enter‐
2457 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
2458 gence, and Civilian agencies. Development partners and sponsors
2459 include the U.S. National Institute of Standards and Technology
2460 (NIST), U.S. Department of Defense, the National Security
2461 Agency, and Red Hat.
2462 This baseline implements configuration requirements from the
2464 following sources:
2465 - Committee on National Security Systems Instruction No. 1253
2467 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
2468 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
2469 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
2470 (VPP v1.0)
2471 For any differing configuration requirements, e.g. password
2473 lengths, the stricter security setting was chosen. Security Re‐
2474 quirement Traceability Guides (RTMs) and sample System Security
2475 Configuration Guides are provided via the scap-security-guide-
2476 docs package.
2477 This profile reflects U.S. Government consensus content and is
2479 developed through the ComplianceAsCode project, championed by
2480 the National Security Agency. Except for differences in format‐
2481 ting to accommodate publishing processes, this profile mirrors
2482 ComplianceAsCode content as minor divergences, such as bugfixes,
2483 work through the consensus and release processes.
2484 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
2487 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2489 This profile contains the minimum security relevant configura‐
2491 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2492 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
2493 Standard System Security Profile for Red Hat Enterprise Linux 7
2496 Profile ID: xccdf_org.ssgproject.content_profile_standard
2498 This profile contains rules to ensure standard security baseline
2500 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
2501 tem's workload all of these checks should pass.
2502 DISA STIG for Red Hat Enterprise Linux 7
2505 Profile ID: xccdf_org.ssgproject.content_profile_stig
2507 This profile contains configuration checks that align to the
2509 DISA STIG for Red Hat Enterprise Linux V3R9.
2510 In addition to being applicable to Red Hat Enterprise Linux 7,
2512 DISA recognizes this configuration baseline as applicable to the
2513 operating system tier of Red Hat technologies that are based on
2514 Red Hat Enterprise Linux 7, such as:
2515 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2517 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2518 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2519 7 image
2520 DISA STIG with GUI for Red Hat Enterprise Linux 7
2523 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2525 This profile contains configuration checks that align to the
2527 DISA STIG with GUI for Red Hat Enterprise Linux V3R9.
2528 In addition to being applicable to Red Hat Enterprise Linux 7,
2530 DISA recognizes this configuration baseline as applicable to the
2531 operating system tier of Red Hat technologies that are based on
2532 Red Hat Enterprise Linux 7, such as:
2533 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2535 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2536 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2537 7 image
2538 Warning: The installation and use of a Graphical User Interface
2540 (GUI) increases your attack vector and decreases your overall
2541 security posture. If your Information Systems Security Officer
2542 (ISSO) lacks a documented operational requirement for a graphi‐
2543 cal user interface, please consider using the standard DISA STIG
2544 for Red Hat Enterprise Linux 7 profile.
2545
2551 Source Datastream: ssg-rhel8-ds.xml
2552 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
2554 broken into 'profiles', groupings of security settings that correlate
2555 to a known policy. Available profiles are:
2556 ANSSI-BP-028 (enhanced)
2560 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2562 hanced
2563 This profile contains configurations that align to ANSSI-BP-028
2565 v1.2 at the enhanced hardening level.
2566 ANSSI is the French National Information Security Agency, and
2568 stands for Agence nationale de la sécurité des systèmes d'infor‐
2569 mation. ANSSI-BP-028 is a configuration recommendation for
2570 GNU/Linux systems.
2571 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2573 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2574 securite-relatives-a-un-systeme-gnulinux/
2575 ANSSI-BP-028 (high)
2578 Profile ID: xccdf_org.ssgproject.content_pro‐
2580 file_anssi_bp28_high
2581 This profile contains configurations that align to ANSSI-BP-028
2583 v1.2 at the high hardening level.
2584 ANSSI is the French National Information Security Agency, and
2586 stands for Agence nationale de la sécurité des systèmes d'infor‐
2587 mation. ANSSI-BP-028 is a configuration recommendation for
2588 GNU/Linux systems.
2589 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2591 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2592 securite-relatives-a-un-systeme-gnulinux/
2593 ANSSI-BP-028 (intermediary)
2596 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2598 termediary
2599 This profile contains configurations that align to ANSSI-BP-028
2601 v1.2 at the intermediary hardening level.
2602 ANSSI is the French National Information Security Agency, and
2604 stands for Agence nationale de la sécurité des systèmes d'infor‐
2605 mation. ANSSI-BP-028 is a configuration recommendation for
2606 GNU/Linux systems.
2607 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2609 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2610 securite-relatives-a-un-systeme-gnulinux/
2611 ANSSI-BP-028 (minimal)
2614 Profile ID: xccdf_org.ssgproject.content_pro‐
2616 file_anssi_bp28_minimal
2617 This profile contains configurations that align to ANSSI-BP-028
2619 v1.2 at the minimal hardening level.
2620 ANSSI is the French National Information Security Agency, and
2622 stands for Agence nationale de la sécurité des systèmes d'infor‐
2623 mation. ANSSI-BP-028 is a configuration recommendation for
2624 GNU/Linux systems.
2625 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2627 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2628 securite-relatives-a-un-systeme-gnulinux/
2629 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
2632 Profile ID: xccdf_org.ssgproject.content_profile_cis
2634 This profile defines a baseline that aligns to the "Level 2 -
2636 Server" configuration from the Center for Internet Security® Red
2637 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
2638 This profile includes Center for Internet Security® Red Hat En‐
2640 terprise Linux 8 CIS Benchmarks™ content.
2641 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
2644 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2646 This profile defines a baseline that aligns to the "Level 1 -
2648 Server" configuration from the Center for Internet Security® Red
2649 Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
2650 This profile includes Center for Internet Security® Red Hat En‐
2652 terprise Linux 8 CIS Benchmarks™ content.
2653 CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
2656 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2658 tion_l1
2659 This profile defines a baseline that aligns to the "Level 1 -
2661 Workstation" configuration from the Center for Internet Secu‐
2662 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
2663 2022-02-23.
2664 This profile includes Center for Internet Security® Red Hat En‐
2666 terprise Linux 8 CIS Benchmarks™ content.
2667 CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
2670 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2672 tion_l2
2673 This profile defines a baseline that aligns to the "Level 2 -
2675 Workstation" configuration from the Center for Internet Secu‐
2676 rity® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released
2677 2022-02-23.
2678 This profile includes Center for Internet Security® Red Hat En‐
2680 terprise Linux 8 CIS Benchmarks™ content.
2681 Criminal Justice Information Services (CJIS) Security Policy
2684 Profile ID: xccdf_org.ssgproject.content_profile_cjis
2686 This profile is derived from FBI's CJIS v5.4 Security Policy. A
2688 copy of this policy can be found at the CJIS Security Policy Re‐
2689 source Center:
2690 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
2692 center
2693 Unclassified Information in Non-federal Information Systems and Organi‐
2696 zations (NIST 800-171)
2697 Profile ID: xccdf_org.ssgproject.content_profile_cui
2699 From NIST 800-171, Section 2.2: Security requirements for pro‐
2701 tecting the confidentiality of CUI in nonfederal information
2702 systems and organizations have a well-defined structure that
2703 consists of:
2704 (i) a basic security requirements section; (ii) a derived secu‐
2706 rity requirements section.
2707 The basic security requirements are obtained from FIPS Publica‐
2709 tion 200, which provides the high-level and fundamental security
2710 requirements for federal information and information systems.
2711 The derived security requirements, which supplement the basic
2712 security requirements, are taken from the security controls in
2713 NIST Special Publication 800-53.
2714 This profile configures Red Hat Enterprise Linux 8 to the NIST
2716 Special Publication 800-53 controls identified for securing Con‐
2717 trolled Unclassified Information (CUI)."
2718 Australian Cyber Security Centre (ACSC) Essential Eight
2721 Profile ID: xccdf_org.ssgproject.content_profile_e8
2723 This profile contains configuration checks for Red Hat Enter‐
2725 prise Linux 8 that align to the Australian Cyber Security Centre
2726 (ACSC) Essential Eight.
2727 A copy of the Essential Eight in Linux Environments guide can be
2729 found at the ACSC website:
2730 https://www.cyber.gov.au/acsc/view-all-content/publica‐
2732 tions/hardening-linux-workstations-and-servers
2733 Health Insurance Portability and Accountability Act (HIPAA)
2736 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
2738 The HIPAA Security Rule establishes U.S. national standards to
2740 protect individuals’ electronic personal health information that
2741 is created, received, used, or maintained by a covered entity.
2742 The Security Rule requires appropriate administrative, physical
2743 and technical safeguards to ensure the confidentiality, integ‐
2744 rity, and security of electronic protected health information.
2745 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
2747 Security Rule identified for securing of electronic protected
2748 health information. Use of this profile in no way guarantees or
2749 makes claims against legal compliance against the HIPAA Security
2750 Rule(s).
2751 Australian Cyber Security Centre (ACSC) ISM Official
2754 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
2756 This profile contains configuration checks for Red Hat Enter‐
2758 prise Linux 8 that align to the Australian Cyber Security Centre
2759 (ACSC) Information Security Manual (ISM) with the applicability
2760 marking of OFFICIAL.
2761 The ISM uses a risk-based approach to cyber security. This pro‐
2763 file provides a guide to aligning Red Hat Enterprise Linux secu‐
2764 rity controls with the ISM, which can be used to select controls
2765 specific to an organisation's security posture and risk profile.
2766 A copy of the ISM can be found at the ACSC website:
2768 https://www.cyber.gov.au/ism
2770 Protection Profile for General Purpose Operating Systems
2773 Profile ID: xccdf_org.ssgproject.content_profile_ospp
2775 This profile reflects mandatory configuration controls identi‐
2777 fied in the NIAP Configuration Annex to the Protection Profile
2778 for General Purpose Operating Systems (Protection Profile Ver‐
2779 sion 4.2.1).
2780 This configuration profile is consistent with CNSSI-1253, which
2782 requires U.S. National Security Systems to adhere to certain
2783 configuration parameters. Accordingly, this configuration pro‐
2784 file is suitable for use in U.S. National Security Systems.
2785 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
2788 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
2790 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
2792 plied.
2793 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
2796 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
2798 This profile contains the minimum security relevant configura‐
2800 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
2801 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
2802 Standard System Security Profile for Red Hat Enterprise Linux 8
2805 Profile ID: xccdf_org.ssgproject.content_profile_standard
2807 This profile contains rules to ensure standard security baseline
2809 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
2810 tem's workload all of these checks should pass.
2811 DISA STIG for Red Hat Enterprise Linux 8
2814 Profile ID: xccdf_org.ssgproject.content_profile_stig
2816 This profile contains configuration checks that align to the
2818 DISA STIG for Red Hat Enterprise Linux 8 V1R8.
2819 In addition to being applicable to Red Hat Enterprise Linux 8,
2821 DISA recognizes this configuration baseline as applicable to the
2822 operating system tier of Red Hat technologies that are based on
2823 Red Hat Enterprise Linux 8, such as:
2824 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2826 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2827 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2828 8 image
2829 DISA STIG with GUI for Red Hat Enterprise Linux 8
2832 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
2834 This profile contains configuration checks that align to the
2836 DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R8.
2837 In addition to being applicable to Red Hat Enterprise Linux 8,
2839 DISA recognizes this configuration baseline as applicable to the
2840 operating system tier of Red Hat technologies that are based on
2841 Red Hat Enterprise Linux 8, such as:
2842 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
2844 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
2845 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
2846 8 image
2847 Warning: The installation and use of a Graphical User Interface
2849 (GUI) increases your attack vector and decreases your overall
2850 security posture. If your Information Systems Security Officer
2851 (ISSO) lacks a documented operational requirement for a graphi‐
2852 cal user interface, please consider using the standard DISA STIG
2853 for Red Hat Enterprise Linux 8 profile.
2854
2860 Source Datastream: ssg-rhel9-ds.xml
2861 The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is
2863 broken into 'profiles', groupings of security settings that correlate
2864 to a known policy. Available profiles are:
2865 ANSSI-BP-028 (enhanced)
2869 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
2871 hanced
2872 This profile contains configurations that align to ANSSI-BP-028
2874 at the enhanced hardening level.
2875 ANSSI is the French National Information Security Agency, and
2877 stands for Agence nationale de la sécurité des systèmes d'infor‐
2878 mation. ANSSI-BP-028 is a configuration recommendation for
2879 GNU/Linux systems.
2880 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2882 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2883 securite-relatives-a-un-systeme-gnulinux/
2884 ANSSI-BP-028 (high)
2887 Profile ID: xccdf_org.ssgproject.content_pro‐
2889 file_anssi_bp28_high
2890 This profile contains configurations that align to ANSSI-BP-028
2892 at the high hardening level.
2893 ANSSI is the French National Information Security Agency, and
2895 stands for Agence nationale de la sécurité des systèmes d'infor‐
2896 mation. ANSSI-BP-028 is a configuration recommendation for
2897 GNU/Linux systems.
2898 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2900 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2901 securite-relatives-a-un-systeme-gnulinux/
2902 ANSSI-BP-028 (intermediary)
2905 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
2907 termediary
2908 This profile contains configurations that align to ANSSI-BP-028
2910 at the intermediary hardening level.
2911 ANSSI is the French National Information Security Agency, and
2913 stands for Agence nationale de la sécurité des systèmes d'infor‐
2914 mation. ANSSI-BP-028 is a configuration recommendation for
2915 GNU/Linux systems.
2916 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2918 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2919 securite-relatives-a-un-systeme-gnulinux/
2920 ANSSI-BP-028 (minimal)
2923 Profile ID: xccdf_org.ssgproject.content_pro‐
2925 file_anssi_bp28_minimal
2926 This profile contains configurations that align to ANSSI-BP-028
2928 at the minimal hardening level.
2929 ANSSI is the French National Information Security Agency, and
2931 stands for Agence nationale de la sécurité des systèmes d'infor‐
2932 mation. ANSSI-BP-028 is a configuration recommendation for
2933 GNU/Linux systems.
2934 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
2936 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
2937 securite-relatives-a-un-systeme-gnulinux/
2938 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
2941 Profile ID: xccdf_org.ssgproject.content_profile_cis
2943 This is a draft profile based on its RHEL8 version for experi‐
2945 mental purposes. It is not based on the CIS benchmark for
2946 RHEL9, because this one was not available at time of the re‐
2947 lease.
2948 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
2951 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
2953 This is a draft profile based on its RHEL8 version for experi‐
2955 mental purposes. It is not based on the CIS benchmark for
2956 RHEL9, because this one was not available at time of the re‐
2957 lease.
2958 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Worksta‐
2961 tion
2962 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2964 tion_l1
2965 This is a draft profile based on its RHEL8 version for experi‐
2967 mental purposes. It is not based on the CIS benchmark for
2968 RHEL9, because this one was not available at time of the re‐
2969 lease.
2970 [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Worksta‐
2973 tion
2974 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
2976 tion_l2
2977 This is a draft profile based on its RHEL8 version for experi‐
2979 mental purposes. It is not based on the CIS benchmark for
2980 RHEL9, because this one was not available at time of the re‐
2981 lease.
2982 [DRAFT] Unclassified Information in Non-federal Information Systems and
2985 Organizations (NIST 800-171)
2986 Profile ID: xccdf_org.ssgproject.content_profile_cui
2988 From NIST 800-171, Section 2.2: Security requirements for pro‐
2990 tecting the confidentiality of CUI in nonfederal information
2991 systems and organizations have a well-defined structure that
2992 consists of:
2993 (i) a basic security requirements section; (ii) a derived secu‐
2995 rity requirements section.
2996 The basic security requirements are obtained from FIPS Publica‐
2998 tion 200, which provides the high-level and fundamental security
2999 requirements for federal information and information systems.
3000 The derived security requirements, which supplement the basic
3001 security requirements, are taken from the security controls in
3002 NIST Special Publication 800-53.
3003 This profile configures Red Hat Enterprise Linux 9 to the NIST
3005 Special Publication 800-53 controls identified for securing Con‐
3006 trolled Unclassified Information (CUI)."
3007 Australian Cyber Security Centre (ACSC) Essential Eight
3010 Profile ID: xccdf_org.ssgproject.content_profile_e8
3012 This profile contains configuration checks for Red Hat Enter‐
3014 prise Linux 9 that align to the Australian Cyber Security Centre
3015 (ACSC) Essential Eight.
3016 A copy of the Essential Eight in Linux Environments guide can be
3018 found at the ACSC website:
3019 https://www.cyber.gov.au/acsc/view-all-content/publica‐
3021 tions/hardening-linux-workstations-and-servers
3022 Health Insurance Portability and Accountability Act (HIPAA)
3025 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
3027 The HIPAA Security Rule establishes U.S. national standards to
3029 protect individuals’ electronic personal health information that
3030 is created, received, used, or maintained by a covered entity.
3031 The Security Rule requires appropriate administrative, physical
3032 and technical safeguards to ensure the confidentiality, integ‐
3033 rity, and security of electronic protected health information.
3034 This profile configures Red Hat Enterprise Linux 9 to the HIPAA
3036 Security Rule identified for securing of electronic protected
3037 health information. Use of this profile in no way guarantees or
3038 makes claims against legal compliance against the HIPAA Security
3039 Rule(s).
3040 Australian Cyber Security Centre (ACSC) ISM Official
3043 Profile ID: xccdf_org.ssgproject.content_profile_ism_o
3045 This profile contains configuration checks for Red Hat Enter‐
3047 prise Linux 9 that align to the Australian Cyber Security Centre
3048 (ACSC) Information Security Manual (ISM) with the applicability
3049 marking of OFFICIAL.
3050 The ISM uses a risk-based approach to cyber security. This pro‐
3052 file provides a guide to aligning Red Hat Enterprise Linux secu‐
3053 rity controls with the ISM, which can be used to select controls
3054 specific to an organisation's security posture and risk profile.
3055 A copy of the ISM can be found at the ACSC website:
3057 https://www.cyber.gov.au/ism
3059 Protection Profile for General Purpose Operating Systems
3062 Profile ID: xccdf_org.ssgproject.content_profile_ospp
3064 This profile is part of Red Hat Enterprise Linux 9 Common Crite‐
3066 ria Guidance documentation for Target of Evaluation based on
3067 Protection Profile for General Purpose Operating Systems (OSPP)
3068 version 4.2.1 and Functional Package for SSH version 1.0.
3069 Where appropriate, CNSSI 1253 or DoD-specific values are used
3071 for configuration, based on Configuration Annex to the OSPP.
3072 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
3075 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3077 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3079 plied.
3080 [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
3083 Profile ID: xccdf_org.ssgproject.content_profile_stig
3085 This is a draft profile based on its RHEL8 version for experi‐
3087 mental purposes. It is not based on the DISA STIG for RHEL9,
3088 because this one was not available at time of the release.
3089 In addition to being applicable to Red Hat Enterprise Linux 9,
3091 DISA recognizes this configuration baseline as applicable to the
3092 operating system tier of Red Hat technologies that are based on
3093 Red Hat Enterprise Linux 9, such as:
3094 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3096 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3097 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3098 9 image
3099 [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
3102 Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
3104 This is a draft profile based on its RHEL8 version for experi‐
3106 mental purposes. It is not based on the DISA STIG for RHEL9,
3107 because this one was not available at time of the release.
3108 In addition to being applicable to Red Hat Enterprise Linux 9,
3110 DISA recognizes this configuration baseline as applicable to the
3111 operating system tier of Red Hat technologies that are based on
3112 Red Hat Enterprise Linux 9, such as:
3113 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
3115 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
3116 Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux
3117 9 image
3118 Warning: The installation and use of a Graphical User Interface
3120 (GUI) increases your attack vector and decreases your overall
3121 security posture. If your Information Systems Security Officer
3122 (ISSO) lacks a documented operational requirement for a graphi‐
3123 cal user interface, please consider using the standard DISA STIG
3124 for Red Hat Enterprise Linux 9 profile.
3125
3131 Source Datastream: ssg-rhv4-ds.xml
3132 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
3134 broken into 'profiles', groupings of security settings that correlate
3135 to a known policy. Available profiles are:
3136 PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
3140 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3142 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3144 plied.
3145 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
3148 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
3150 This *draft* profile contains configuration checks that align to
3152 the DISA STIG for Red Hat Virtualization Host (RHVH).
3153 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
3156 ization Host (RHVH)
3157 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
3159 This compliance profile reflects the core set of security re‐
3161 lated configuration settings for deployment of Red Hat Virtual‐
3162 ization Host (RHVH) 4.x into U.S. Defense, Intelligence, and
3163 Civilian agencies. Development partners and sponsors include
3164 the U.S. National Institute of Standards and Technology (NIST),
3165 U.S. Department of Defense, the National Security Agency, and
3166 Red Hat.
3167 This baseline implements configuration requirements from the
3169 following sources:
3170 - Committee on National Security Systems Instruction No. 1253
3172 (CNSSI 1253) - NIST 800-53 control selections for MODERATE im‐
3173 pact systems (NIST 800-53) - U.S. Government Configuration Base‐
3174 line (USGCB) - NIAP Protection Profile for Virtualization v1.0
3175 (VPP v1.0)
3176 For any differing configuration requirements, e.g. password
3178 lengths, the stricter security setting was chosen. Security Re‐
3179 quirement Traceability Guides (RTMs) and sample System Security
3180 Configuration Guides are provided via the scap-security-guide-
3181 docs package.
3182 This profile reflects U.S. Government consensus content and is
3184 developed through the ComplianceAsCode project, championed by
3185 the National Security Agency. Except for differences in format‐
3186 ting to accommodate publishing processes, this profile mirrors
3187 ComplianceAsCode content as minor divergences, such as bugfixes,
3188 work through the consensus and release processes.
3189
3195 Source Datastream: ssg-sl7-ds.xml
3196 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
3198 broken into 'profiles', groupings of security settings that correlate
3199 to a known policy. Available profiles are:
3200 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
3204 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3206 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3208 plied.
3209 Standard System Security Profile for Red Hat Enterprise Linux 7
3212 Profile ID: xccdf_org.ssgproject.content_profile_standard
3214 This profile contains rules to ensure standard security baseline
3216 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
3217 tem's workload all of these checks should pass.
3218
3224 Source Datastream: ssg-sle12-ds.xml
3225 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
3227 broken into 'profiles', groupings of security settings that correlate
3228 to a known policy. Available profiles are:
3229 ANSSI-BP-028 (enhanced)
3233 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3235 hanced
3236 This profile contains configurations that align to ANSSI-BP-028
3238 v1.2 at the enhanced hardening level.
3239 ANSSI is the French National Information Security Agency, and
3241 stands for Agence nationale de la sécurité des systèmes d'infor‐
3242 mation. ANSSI-BP-028 is a configuration recommendation for
3243 GNU/Linux systems.
3244 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3246 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3247 securite-relatives-a-un-systeme-gnulinux/
3248 Only the components strictly necessary to the service provided
3250 by the system should be installed. Those whose presence can not
3251 be justified should be disabled, removed or deleted. Performing
3252 a minimal install is a good starting point, but doesn't provide
3253 any assurance over any package installed later. Manual review
3254 is required to assess if the installed services are minimal.
3255 ANSSI-BP-028 (high)
3258 Profile ID: xccdf_org.ssgproject.content_pro‐
3260 file_anssi_bp28_high
3261 This profile contains configurations that align to ANSSI-BP-028
3263 v1.2 at the high hardening level.
3264 ANSSI is the French National Information Security Agency, and
3266 stands for Agence nationale de la sécurité des systèmes d'infor‐
3267 mation. ANSSI-BP-028 is a configuration recommendation for
3268 GNU/Linux systems.
3269 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3271 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3272 securite-relatives-a-un-systeme-gnulinux/
3273 Only the components strictly necessary to the service provided
3275 by the system should be installed. Those whose presence can not
3276 be justified should be disabled, removed or deleted. Performing
3277 a minimal install is a good starting point, but doesn't provide
3278 any assurance over any package installed later. Manual review
3279 is required to assess if the installed services are minimal.
3280 ANSSI-BP-028 (intermediary)
3283 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
3285 termediary
3286 This profile contains configurations that align to ANSSI-BP-028
3288 v1.2 at the intermediary hardening level.
3289 ANSSI is the French National Information Security Agency, and
3291 stands for Agence nationale de la sécurité des systèmes d'infor‐
3292 mation. ANSSI-BP-028 is a configuration recommendation for
3293 GNU/Linux systems.
3294 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3296 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3297 securite-relatives-a-un-systeme-gnulinux/
3298 Only the components strictly necessary to the service provided
3300 by the system should be installed. Those whose presence can not
3301 be justified should be disabled, removed or deleted. Performing
3302 a minimal install is a good starting point, but doesn't provide
3303 any assurance over any package installed later. Manual review
3304 is required to assess if the installed services are minimal.
3305 ANSSI-BP-028 (minimal)
3308 Profile ID: xccdf_org.ssgproject.content_pro‐
3310 file_anssi_bp28_minimal
3311 This profile contains configurations that align to ANSSI-BP-028
3313 v1.2 at the minimal hardening level.
3314 ANSSI is the French National Information Security Agency, and
3316 stands for Agence nationale de la sécurité des systèmes d'infor‐
3317 mation. ANSSI-BP-028 is a configuration recommendation for
3318 GNU/Linux systems.
3319 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3321 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3322 securite-relatives-a-un-systeme-gnulinux/
3323 Only the components strictly necessary to the service provided
3325 by the system should be installed. Those whose presence can not
3326 be justified should be disabled, removed or deleted. Performing
3327 a minimal install is a good starting point, but doesn't provide
3328 any assurance over any package installed later. Manual review
3329 is required to assess if the installed services are minimal.
3330 CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
3333 Profile ID: xccdf_org.ssgproject.content_profile_cis
3335 This profile defines a baseline that aligns to the "Level 2 -
3337 Server" configuration from the Center for Internet Security®
3338 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
3339 04-27-2021.
3340 This profile includes Center for Internet Security® SUSE Linux
3342 Enterprise 12 CIS Benchmarks™ content.
3343 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
3346 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
3348 This profile defines a baseline that aligns to the "Level 1 -
3350 Server" configuration from the Center for Internet Security®
3351 SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
3352 04-27-2021.
3353 This profile includes Center for Internet Security® SUSE Linux
3355 Enterprise 12 CIS Benchmarks™ content.
3356 CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
3359 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3361 tion_l1
3362 This profile defines a baseline that aligns to the "Level 1 -
3364 Workstation" configuration from the Center for Internet Secu‐
3365 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
3366 04-27-2021.
3367 This profile includes Center for Internet Security® SUSE Linux
3369 Enterprise 12 CIS Benchmarks™ content.
3370 CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
3373 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3375 tion_l2
3376 This profile defines a baseline that aligns to the "Level 2 -
3378 Workstation" configuration from the Center for Internet Secu‐
3379 rity® SUSE Linux Enterprise 12 Benchmark™, v3.0.0, released
3380 04-27-2021.
3381 This profile includes Center for Internet Security® SUSE Linux
3383 Enterprise 12 CIS Benchmarks™ content.
3384 PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
3387 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
3389 Ensures PCI-DSS v4 security configuration settings are applied.
3391 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
3394 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3396 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3398 plied.
3399 Standard System Security Profile for SUSE Linux Enterprise 12
3402 Profile ID: xccdf_org.ssgproject.content_profile_standard
3404 This profile contains rules to ensure standard security baseline
3406 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
3407 tem's workload all of these checks should pass.
3408 DISA STIG for SUSE Linux Enterprise 12
3411 Profile ID: xccdf_org.ssgproject.content_profile_stig
3413 This profile contains configuration checks that align to the
3415 DISA STIG for SUSE Linux Enterprise 12 V2R5.
3416
3422 Source Datastream: ssg-sle15-ds.xml
3423 The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is
3425 broken into 'profiles', groupings of security settings that correlate
3426 to a known policy. Available profiles are:
3427 ANSSI-BP-028 (enhanced)
3431 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_en‐
3433 hanced
3434 This profile contains configurations that align to ANSSI-BP-028
3436 v1.2 at the enhanced hardening level.
3437 ANSSI is the French National Information Security Agency, and
3439 stands for Agence nationale de la sécurité des systèmes d'infor‐
3440 mation. ANSSI-BP-028 is a configuration recommendation for
3441 GNU/Linux systems.
3442 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3444 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3445 securite-relatives-a-un-systeme-gnulinux/
3446 Only the components strictly necessary to the service provided
3448 by the system should be installed. Those whose presence can not
3449 be justified should be disabled, removed or deleted. Performing
3450 a minimal install is a good starting point, but doesn't provide
3451 any assurance over any package installed later. Manual review
3452 is required to assess if the installed services are minimal.
3453 ANSSI-BP-028 (high)
3456 Profile ID: xccdf_org.ssgproject.content_pro‐
3458 file_anssi_bp28_high
3459 This profile contains configurations that align to ANSSI-BP-028
3461 v1.2 at the high hardening level.
3462 ANSSI is the French National Information Security Agency, and
3464 stands for Agence nationale de la sécurité des systèmes d'infor‐
3465 mation. ANSSI-BP-028 is a configuration recommendation for
3466 GNU/Linux systems.
3467 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3469 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3470 securite-relatives-a-un-systeme-gnulinux/
3471 Only the components strictly necessary to the service provided
3473 by the system should be installed. Those whose presence can not
3474 be justified should be disabled, removed or deleted. Performing
3475 a minimal install is a good starting point, but doesn't provide
3476 any assurance over any package installed later. Manual review
3477 is required to assess if the installed services are minimal.
3478 ANSSI-BP-028 (intermediary)
3481 Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_in‐
3483 termediary
3484 This profile contains configurations that align to ANSSI-BP-028
3486 v1.2 at the intermediary hardening level.
3487 ANSSI is the French National Information Security Agency, and
3489 stands for Agence nationale de la sécurité des systèmes d'infor‐
3490 mation. ANSSI-BP-028 is a configuration recommendation for
3491 GNU/Linux systems.
3492 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3494 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3495 securite-relatives-a-un-systeme-gnulinux/
3496 Only the components strictly necessary to the service provided
3498 by the system should be installed. Those whose presence can not
3499 be justified should be disabled, removed or deleted. Performing
3500 a minimal install is a good starting point, but doesn't provide
3501 any assurance over any package installed later. Manual review
3502 is required to assess if the installed services are minimal.
3503 ANSSI-BP-028 (minimal)
3506 Profile ID: xccdf_org.ssgproject.content_pro‐
3508 file_anssi_bp28_minimal
3509 This profile contains configurations that align to ANSSI-BP-028
3511 v1.2 at the minimal hardening level.
3512 ANSSI is the French National Information Security Agency, and
3514 stands for Agence nationale de la sécurité des systèmes d'infor‐
3515 mation. ANSSI-BP-028 is a configuration recommendation for
3516 GNU/Linux systems.
3517 A copy of the ANSSI-BP-028 can be found at the ANSSI website:
3519 https://www.ssi.gouv.fr/administration/guide/recommandations-de-
3520 securite-relatives-a-un-systeme-gnulinux/
3521 Only the components strictly necessary to the service provided
3523 by the system should be installed. Those whose presence can not
3524 be justified should be disabled, removed or deleted. Performing
3525 a minimal install is a good starting point, but doesn't provide
3526 any assurance over any package installed later. Manual review
3527 is required to assess if the installed services are minimal.
3528 CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
3531 Profile ID: xccdf_org.ssgproject.content_profile_cis
3533 This profile defines a baseline that aligns to the "Level 2 -
3535 Server" configuration from the Center for Internet Security®
3536 SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
3537 09-17-2021.
3538 This profile includes Center for Internet Security® SUSE Linux
3540 Enterprise 15 CIS Benchmarks™ content.
3541 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
3544 Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
3546 This profile defines a baseline that aligns to the "Level 1 -
3548 Server" configuration from the Center for Internet Security®
3549 SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
3550 09-17-2021.
3551 This profile includes Center for Internet Security® SUSE Linux
3553 Enterprise 15 CIS Benchmarks™ content.
3554 CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
3557 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3559 tion_l1
3560 This profile defines a baseline that aligns to the "Level 1 -
3562 Workstation" configuration from the Center for Internet Secu‐
3563 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
3564 09-17-2021.
3565 This profile includes Center for Internet Security® SUSE Linux
3567 Enterprise 15 CIS Benchmarks™ content.
3568 CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
3571 Profile ID: xccdf_org.ssgproject.content_profile_cis_worksta‐
3573 tion_l2
3574 This profile defines a baseline that aligns to the "Level 2 -
3576 Workstation" configuration from the Center for Internet Secu‐
3577 rity® SUSE Linux Enterprise 15 Benchmark™, v1.1.0, released
3578 09-17-2021.
3579 This profile includes Center for Internet Security® SUSE Linux
3581 Enterprise 15 CIS Benchmarks™ content.
3582 Health Insurance Portability and Accountability Act (HIPAA)
3585 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
3587 The HIPAA Security Rule establishes U.S. national standards to
3589 protect individuals’ electronic personal health information that
3590 is created, received, used, or maintained by a covered entity.
3591 The Security Rule requires appropriate administrative, physical
3592 and technical safeguards to ensure the confidentiality, integ‐
3593 rity, and security of electronic protected health information.
3594 This profile contains configuration checks that align to the
3596 HIPPA Security Rule for SUSE Linux Enterprise 15 V1R3.
3597 PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
3600 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
3602 Ensures PCI-DSS v4 security configuration settings are applied.
3604 PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
3607 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
3609 Ensures PCI-DSS v3.2.1 security configuration settings are ap‐
3611 plied.
3612 Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES)
3615 for SAP Applications 15
3616 Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening-
3618 sap
3619 This profile contains configuration rules to be used to harden
3621 the images of SUSE Linux Enterprise Server (SLES) for SAP Appli‐
3622 cations 15 including all Service Packs, for Public Cloud
3623 providers, currently AWS, Microsoft Azure, and Google Cloud.
3624 Public Cloud Hardening for SUSE Linux Enterprise 15
3627 Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening
3629 This profile contains configuration checks to be used to harden
3631 SUSE Linux Enterprise 15 for use with public cloud providers.
3632 Standard System Security Profile for SUSE Linux Enterprise 15
3635 Profile ID: xccdf_org.ssgproject.content_profile_standard
3637 This profile contains rules to ensure standard security baseline
3639 of a SUSE Linux Enterprise 15 system based off of the SUSE Hard‐
3640 ening Guide. Regardless of your system's workload all of these
3641 checks should pass.
3642 DISA STIG for SUSE Linux Enterprise 15
3645 Profile ID: xccdf_org.ssgproject.content_profile_stig
3647 This profile contains configuration checks that align to the
3649 DISA STIG for SUSE Linux Enterprise 15 V1R4.
3650
3656 Source Datastream: ssg-ubuntu1604-ds.xml
3657 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
3659 'profiles', groupings of security settings that correlate to a known
3660 policy. Available profiles are:
3661 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
3665 Profile ID: xccdf_org.ssgproject.content_pro‐
3667 file_anssi_np_nt28_average
3668 This profile contains items for GNU/Linux installations already
3670 protected by multiple higher level security stacks.
3671 Profile for ANSSI DAT-NT28 High (Enforced) Level
3674 Profile ID: xccdf_org.ssgproject.content_pro‐
3676 file_anssi_np_nt28_high
3677 This profile contains items for GNU/Linux installations storing
3679 sensitive information that can be accessible from unauthenti‐
3680 cated or uncontroled networks.
3681 Profile for ANSSI DAT-NT28 Minimal Level
3684 Profile ID: xccdf_org.ssgproject.content_pro‐
3686 file_anssi_np_nt28_minimal
3687 This profile contains items to be applied systematically.
3689 Profile for ANSSI DAT-NT28 Restrictive Level
3692 Profile ID: xccdf_org.ssgproject.content_pro‐
3694 file_anssi_np_nt28_restrictive
3695 This profile contains items for GNU/Linux installations exposed
3697 to unauthenticated flows or multiple sources.
3698 Standard System Security Profile for Ubuntu 16.04
3701 Profile ID: xccdf_org.ssgproject.content_profile_standard
3703 This profile contains rules to ensure standard security baseline
3705 of an Ubuntu 16.04 system. Regardless of your system's workload
3706 all of these checks should pass.
3707
3713 Source Datastream: ssg-ubuntu1804-ds.xml
3714 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
3716 'profiles', groupings of security settings that correlate to a known
3717 policy. Available profiles are:
3718 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
3722 Profile ID: xccdf_org.ssgproject.content_pro‐
3724 file_anssi_np_nt28_average
3725 This profile contains items for GNU/Linux installations already
3727 protected by multiple higher level security stacks.
3728 Profile for ANSSI DAT-NT28 High (Enforced) Level
3731 Profile ID: xccdf_org.ssgproject.content_pro‐
3733 file_anssi_np_nt28_high
3734 This profile contains items for GNU/Linux installations storing
3736 sensitive information that can be accessible from unauthenti‐
3737 cated or uncontroled networks.
3738 Profile for ANSSI DAT-NT28 Minimal Level
3741 Profile ID: xccdf_org.ssgproject.content_pro‐
3743 file_anssi_np_nt28_minimal
3744 This profile contains items to be applied systematically.
3746 Profile for ANSSI DAT-NT28 Restrictive Level
3749 Profile ID: xccdf_org.ssgproject.content_pro‐
3751 file_anssi_np_nt28_restrictive
3752 This profile contains items for GNU/Linux installations exposed
3754 to unauthenticated flows or multiple sources.
3755 CIS Ubuntu 18.04 LTS Benchmark
3758 Profile ID: xccdf_org.ssgproject.content_profile_cis
3760 This baseline aligns to the Center for Internet Security Ubuntu
3762 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.
3763 Standard System Security Profile for Ubuntu 18.04
3766 Profile ID: xccdf_org.ssgproject.content_profile_standard
3768 This profile contains rules to ensure standard security baseline
3770 of an Ubuntu 18.04 system. Regardless of your system's workload
3771 all of these checks should pass.
3772
3778 Source Datastream: ssg-ubuntu2004-ds.xml
3779 The Guide to the Secure Configuration of Ubuntu 20.04 is broken into
3781 'profiles', groupings of security settings that correlate to a known
3782 policy. Available profiles are:
3783 CIS Ubuntu 20.04 Level 1 Server Benchmark
3787 Profile ID: xccdf_org.ssgproject.content_pro‐
3789 file_cis_level1_server
3790 This baseline aligns to the Center for Internet Security Ubuntu
3792 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3793 CIS Ubuntu 20.04 Level 1 Workstation Benchmark
3796 Profile ID: xccdf_org.ssgproject.content_pro‐
3798 file_cis_level1_workstation
3799 This baseline aligns to the Center for Internet Security Ubuntu
3801 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3802 CIS Ubuntu 20.04 Level 2 Server Benchmark
3805 Profile ID: xccdf_org.ssgproject.content_pro‐
3807 file_cis_level2_server
3808 This baseline aligns to the Center for Internet Security Ubuntu
3810 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3811 CIS Ubuntu 20.04 Level 2 Workstation Benchmark
3814 Profile ID: xccdf_org.ssgproject.content_pro‐
3816 file_cis_level2_workstation
3817 This baseline aligns to the Center for Internet Security Ubuntu
3819 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3820 Standard System Security Profile for Ubuntu 20.04
3823 Profile ID: xccdf_org.ssgproject.content_profile_standard
3825 This profile contains rules to ensure standard security baseline
3827 of an Ubuntu 20.04 system. Regardless of your system's workload
3828 all of these checks should pass.
3829 Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
3832 (STIG) V1R1
3833 Profile ID: xccdf_org.ssgproject.content_profile_stig
3835 This Security Technical Implementation Guide is published as a
3837 tool to improve the security of Department of Defense (DoD) in‐
3838 formation systems. The requirements are derived from the Na‐
3839 tional Institute of Standards and Technology (NIST) 800-53 and
3840 related documents.
3841
3847 Source Datastream: ssg-ubuntu2204-ds.xml
3848 The Guide to the Secure Configuration of Ubuntu 22.04 is broken into
3850 'profiles', groupings of security settings that correlate to a known
3851 policy. Available profiles are:
3852 CIS Ubuntu 22.04 Level 1 Server Benchmark
3856 Profile ID: xccdf_org.ssgproject.content_pro‐
3858 file_cis_level1_server
3859 This baseline aligns to the Center for Internet Security Ubuntu
3861 22.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3862 CIS Ubuntu 22.04 Level 1 Workstation Benchmark
3865 Profile ID: xccdf_org.ssgproject.content_pro‐
3867 file_cis_level1_workstation
3868 This baseline aligns to the Center for Internet Security Ubuntu
3870 22.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3871 CIS Ubuntu 22.04 Level 2 Server Benchmark
3874 Profile ID: xccdf_org.ssgproject.content_pro‐
3876 file_cis_level2_server
3877 This baseline aligns to the Center for Internet Security Ubuntu
3879 22.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3880 CIS Ubuntu 22.04 Level 2 Workstation Benchmark
3883 Profile ID: xccdf_org.ssgproject.content_pro‐
3885 file_cis_level2_workstation
3886 This baseline aligns to the Center for Internet Security Ubuntu
3888 22.04 LTS Benchmark, v1.0.0, released 07-21-2020.
3889 Standard System Security Profile for Ubuntu 22.04
3892 Profile ID: xccdf_org.ssgproject.content_profile_standard
3894 This profile contains rules to ensure standard security baseline
3896 of an Ubuntu 22.04 system. Regardless of your system's workload
3897 all of these checks should pass.
3898
3904 Source Datastream: ssg-uos20-ds.xml
3905 The Guide to the Secure Configuration of UnionTech OS Server 20 is bro‐
3907 ken into 'profiles', groupings of security settings that correlate to a
3908 known policy. Available profiles are:
3909 Standard System Security Profile for UnionTech OS Server 20
3913 Profile ID: xccdf_org.ssgproject.content_profile_standard
3915 This profile contains rules to ensure standard security baseline
3917 of a UnionTech OS Server 20 system. Regardless of your system's
3918 workload all of these checks should pass.
3919
3926 To scan your system utilizing the OpenSCAP utility against the ospp
3927 profile:
3928 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-re‐
3930 sults.xml --report /tmp/`hostname`-ssg-results.html --oval-results
3931 /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
3932 Additional details can be found on the projects wiki page:
3934 https://www.github.com/ComplianceAsCode/content/wiki
3935
3939 /usr/share/xml/scap/ssg/content
3940 Houses SCAP content utilizing the following naming conventions:
3941 SCAP Source Datastreams: ssg-{product}-ds.xml
3943 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
3945 CPE OVAL Content: ssg-{product}-cpe-oval.xml
3947 OVAL Content: ssg-{product}-oval.xml
3949 XCCDF Content: ssg-{product}-xccdf.xml
3951 /usr/share/doc/scap-security-guide/guides/
3953 HTML versions of SSG profiles.
3954 /usr/share/scap-security-guide/ansible/
3956 Contains Ansible Playbooks for SSG profiles.
3957 /usr/share/scap-security-guide/bash/
3959 Contains Bash remediation scripts for SSG profiles.
3960
3964 SCAP Security Guide content is considered vendor (Red Hat) provided
3965 content. Per guidance from the U.S. National Institute of Standards
3966 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
3967 dor produced SCAP content in absence of "Governmental Authority" check‐
3968 lists. The specific NIST verbage:
3969 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
3970
3974 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
3975 products incorporated into DoD information systems shall be configured
3976 in accordance with DoD-approved security configuration guidelines" and
3977 tasks Defense Information Systems Agency (DISA) to "develop and provide
3978 security configuration guidance for IA and IA-enabled IT products in
3979 coordination with Director, NSA." The output of this authority is the
3980 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
3981 the process of moving the STIGs towards the use of the NIST Security
3982 Content Automation Protocol (SCAP) in order to "automate" compliance
3983 reporting of the STIGs.
3984 Through a common, shared vision, the SCAP Security Guide community en‐
3986 joys close collaboration directly with NSA, NIST, and DISA FSO. As
3987 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
3988 Version 1, Release 2, issued on 03-JUNE-2013:
3989 "The consensus content was developed using an open-source project
3991 called SCAP Security Guide. The project's website is https://www.open-
3992 scap.org/security-policies/scap-security-guide. Except for differences
3993 in formatting to accommodate the DISA STIG publishing process, the con‐
3994 tent of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Se‐
3995 curity Guide content with only minor divergence as updates from multi‐
3996 ple sources work through the consensus process."
3997 The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was re‐
3999 leased in July 2019 Currently, the DoD Red Hat Enterprise Linux 7 STIG
4000 contains only XCCDF content and is available online: https://public.cy‐
4001 ber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
4002 Content published against the public.cyber.mil website is authoritative
4004 STIG content. The SCAP Security Guide project, as noted in the STIG
4005 overview, is considered upstream content. Unlike DISA FSO, the SCAP Se‐
4006 curity Guide project does publish OVAL automation content. Individual
4007 programs and C&A evaluators make program-level determinations on the
4008 direct usage of the SCAP Security Guide. Currently there is no blanket
4009 approval.
4010
4014 oscap(8)
4015
4019 Please direct all questions to the SSG mailing list: https://lists.fe‐
4020 dorahosted.org/mailman/listinfo/scap-security-guide
4021version 1 26 Jan 2013 scap-security-guide(8)