scap-security-guide - Man Page

Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).

Description

The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements of the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

Source Datastream: ssg-centos6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should pass.

Desktop Baseline

Profile ID: xccdf_org.ssgproject.content_profile_desktop

This profile is for a desktop installation of Red Hat Enterprise Linux 6.

Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for Red Hat Enterprise Linux 6 acting as a server.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

This is a *draft* profile for PCI-DSS v3.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source Datastream: ssg-centos7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Source Datastream: ssg-centos8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Chromium

Source Datastream: ssg-chromium-ds.xml

The Guide to the Secure Configuration of Chromium is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Upstream STIG for Google Chromium

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of Debian 10

Source Datastream: ssg-debian10-ds.xml

The Guide to the Secure Configuration of Debian 10 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Debian 10

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Debian 10 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessed from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of Debian 8

Source Datastream: ssg-debian8-ds.xml

The Guide to the Secure Configuration of Debian 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Debian 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Debian 8 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessed from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of Debian 9

Source Datastream: ssg-debian9-ds.xml

The Guide to the Secure Configuration of Debian 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Debian 9

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Debian 9 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessed from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of JBoss EAP 6

Source Datastream: ssg-eap6-ds.xml

The Guide to the Secure Configuration of JBoss EAP 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

STIG for JBoss Enterprise Application Platform 6

Profile ID: xccdf_org.ssgproject.content_profile_stig

This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

Profiles in Guide to the Secure Configuration of Fedora

Source Datastream: ssg-fedora-ds.xml

The Guide to the Secure Configuration of Fedora is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Fedora system. Regardless of your system's workload, all of these checks should pass.

OSPP - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).

As Fedora is a moving target, this profile does not guarantee the security levels required of US National Security Systems. The main goal of the profile is to provide Fedora developers with a hardened environment similar to the one mandated for US National Security Systems.

PCI-DSS v3 Control Baseline for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3 related security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Firefox

Source Datastream: ssg-firefox-ds.xml

The Guide to the Secure Configuration of Firefox is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Upstream Firefox STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Firefox STIG.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of JBoss Fuse 6

Source Datastream: ssg-fuse6-ds.xml

The Guide to the Secure Configuration of JBoss Fuse 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for JBoss

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of JBoss Fuse. Regardless of your system's workload, all of these checks should pass.

STIG for JBoss Fuse 6

Profile ID: xccdf_org.ssgproject.content_profile_stig

This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

STIG for Apache ActiveMQ

Profile ID: xccdf_org.ssgproject.content_profile_amq-stig

This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.

Profiles in Guide to the Secure Configuration of Java Runtime Environment

Source Datastream: ssg-jre-ds.xml

The Guide to the Secure Configuration of Java Runtime Environment is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Java Runtime Environment (JRE) STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk, so it is necessary to deploy system-wide properties to ensure a higher degree of security when utilizing the JRE.

IBM also develops and bundles a Java Runtime Environment (JRE), as does Red Hat with OpenJDK.

Profiles in Guide to the Secure Configuration of Apple macOS 10.15

Source Datastream: ssg-macos1015-ds.xml

The Guide to the Secure Configuration of Apple macOS 10.15 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Apple macOS 10.15 Catalina into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, and the National Security Agency.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content while minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3

Source Datastream: ssg-ocp3-ds.xml

The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 3 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Open Computing Information Security Profile for OpenShift Node

Profile ID: xccdf_org.ssgproject.content_profile_opencis-node

This baseline was inspired by the Center for Internet Security (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

For the ComplianceAsCode project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the OpenCIS profile will ensure a system is in compliance or consistency with the CIS baseline.

Open Computing Information Security Profile for OpenShift Master Node

Profile ID: xccdf_org.ssgproject.content_profile_opencis-master

This baseline was inspired by the Center for Internet Security (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.

For the ComplianceAsCode project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the OpenCIS profile will ensure a system is in compliance or consistency with the CIS baseline.

Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Source Datastream: ssg-ocp4-ds.xml

The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content while minor divergences, such as bugfixes, work through the consensus and release processes.

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat OpenShift Container Platform that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, v1.0.0, currently unreleased.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

NIST National Checklist for Red Hat OpenShift Container Platform

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)

- NIST Controlled Unclassified Information (NIST 800-171)

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

- U.S. Government Configuration Baseline (USGCB)

- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)

- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content while minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Oracle Linux 7

Source Datastream: ssg-ol7-ds.xml

The Guide to the Secure Configuration of Oracle Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an Oracle Linux 7 system. Regardless of your system's workload, all of these checks should pass.

DISA STIG for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Oracle Linux V1R1.

Security Profile of Oracle Linux 7 for SAP

Profile ID: xccdf_org.ssgproject.content_profile_sap

This profile contains rules for the Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9, Item I-8 and section 4.1.2.2. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3 Control Baseline Draft for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3 related security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Oracle Linux 8

Source Datastream: ssg-ol8-ds.xml

The Guide to the Secure Configuration of Oracle Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. Regardless of your system's workload, all of these checks should pass.

[DRAFT] Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from the FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Oracle Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 related security configuration settings are applied.

Profiles in Guide to the Secure Configuration of openSUSE

Source Datastream: ssg-opensuse-ds.xml

The Guide to the Secure Configuration of openSUSE is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for openSUSE

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an openSUSE system. Regardless of your system's workload, all of these checks should pass.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Source Datastream: ssg-rhcos4-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content while minor divergences, such as bugfixes, work through the consensus and release processes.

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux CoreOS that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

NIST National Checklist for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)

- NIST Controlled Unclassified Information (NIST 800-171)

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

- U.S. Government Configuration Baseline (USGCB)

- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)

- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content while minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

Source Datastream: ssg-rhel6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CSCF RHEL6 MLS Core Baseline

Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS

This profile reflects the Centralized Super Computing Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be considered in active development. Additional tailoring will be needed, such as the creation of RBAC roles for production deployment.

FTP Server Profile (vsftpd)

Profile ID: xccdf_org.ssgproject.content_profile_ftp-server

This is a profile for the vsftpd FTP server.

Standard System Security Profile for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should pass.

DISA STIG for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 6.

In addition to being applicable to RHEL6, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on RHEL6, such as RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.

United States Government Configuration Baseline (USGCB)

Profile ID: xccdf_org.ssgproject.content_profile_usgcb-rhel6-server

This profile is a working draft for a USGCB submission against RHEL6 Server.

Desktop Baseline

Profile ID: xccdf_org.ssgproject.content_profile_desktop

This profile is for a desktop installation of Red Hat Enterprise Linux 6.

Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for Red Hat Enterprise Linux 6 acting as a server.

FISMA Medium for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server

FISMA Medium for Red Hat Enterprise Linux 6.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This is a *draft* SCAP profile for Red Hat Certified Cloud Providers.

C2S for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_C2S

This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013.

For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

CNSSI 1253 Low/Low/Low Control Baseline

Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL

This profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security Systems", on security controls to meet low confidentiality, low integrity, and low assurance.

Example Server Profile

Profile ID: xccdf_org.ssgproject.content_profile_CS2

This profile is an example of a customized server profile.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

This is a *draft* profile for PCI-DSS v3.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source Datastream: ssg-rhel7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should pass.

DISA STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R4.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image

DRAFT - ANSSI DAT-NT28 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

DRAFT - ANSSI DAT-NT28 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

DRAFT - ANSSI DAT-NT28 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule identified for securing of electronic protected health information.

[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.

C2S for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_C2S

This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

DRAFT - ANSSI DAT-NT28 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 7 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

CIS Red Hat Enterprise Linux 7 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

NIST National Checklist Program Security Guide

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Source Datastream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload, all of these checks should pass.

[DRAFT] DISA STIG for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image

Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the Attorney-General’s Department (AGD)’s applicability marking of OFFICIAL.

An overview and list of the cyber security guidelines of the Information Security Manual can be found at the ACSC website:

https://www.cyber.gov.au/ism

Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information.

[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

CIS Red Hat Enterprise Linux 8 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 10

Source Datastream: ssg-rhosp10-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 10 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

[DRAFT] STIG for Red Hat OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_stig

These are the controls for scanning against the classified STIG for rhosp10.

[DRAFT] Controlled Unclassified Information (CUI) Profile for Red Hat OpenStack Platform 10

Profile ID: xccdf_org.ssgproject.content_profile_cui

These are the controls for scanning against CUI for rhosp10.

Profiles in Guide to the Secure Configuration of Red Hat OpenStack Platform 13

Source Datastream: ssg-rhosp13-ds.xml

The Guide to the Secure Configuration of Red Hat OpenStack Platform 13 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

RHOSP STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

Sample profile description.

Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4

Source Datastream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Virtualization Host (RHVH).

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Virtualization Host (RHVH) 4.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 6

Source Datastream: ssg-sl6-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should pass.

Desktop Baseline

Profile ID: xccdf_org.ssgproject.content_profile_desktop

This profile is for a desktop installation of Red Hat Enterprise Linux 6.

Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for Red Hat Enterprise Linux 6 acting as a server.

PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

This is a *draft* profile for PCI-DSS v3.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source Datastream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should pass.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 11

Source Datastream: ssg-sle11-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for SUSE Linux Enterprise 11

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a SUSE Linux Enterprise 11 system. Regardless of your system's workload, all of these checks should pass.

Server Baseline

Profile ID: xccdf_org.ssgproject.content_profile_server

This profile is for SUSE Linux Enterprise 11 acting as a server.

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12

Source Datastream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a SUSE Linux Enterprise 12 system. Regardless of your system's workload, all of these checks should pass.

DISA STIG for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise 12 V1R2.

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 15

Source Datastream: ssg-sle15-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of a SUSE Linux Enterprise 15 system, based on the SUSE Hardening Guide. Regardless of your system's workload, all of these checks should pass.

CIS SUSE Linux Enterprise 15 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security SUSE Linux Enterprise 15 Benchmark, v1.0.0, currently in draft.

Profiles in Guide to the Secure Configuration of Ubuntu 14.04

Source Datastream: ssg-ubuntu1404-ds.xml

The Guide to the Secure Configuration of Ubuntu 14.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Ubuntu 14.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an Ubuntu 14.04 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that may be accessible from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of Ubuntu 16.04

Source Datastream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an Ubuntu 16.04 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that may be accessible from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profiles in Guide to the Secure Configuration of Ubuntu 18.04

Source Datastream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure a standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload, all of these checks should pass.

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that may be accessible from unauthenticated or uncontrolled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

CIS Ubuntu 18.04 LTS Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security Ubuntu 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.

Profiles in Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux

Source Datastream: ssg-vsel-ds.xml

The Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

McAfee VirusScan Enterprise for Linux (VSEL) STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

The McAfee VirusScan Enterprise for Linux software provides a real-time virus scanner for Linux systems.

Profiles in Guide to the Secure Configuration of WRLinux 1019

Source Datastream: ssg-wrlinux1019-ds.xml

The Guide to the Secure Configuration of WRLinux 1019 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.

DRAFT DISA STIG for Wind River Linux

Profile ID: xccdf_org.ssgproject.content_profile_draft_stig_wrlinux_disa

This profile contains configuration checks that align to the DISA STIG for Wind River Linux. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. What is the status of the Wind River Linux STIG? The Wind River Linux STIG is in development under the DoD consensus model and Wind River has started the process to get approval from DISA. However, in the absence of an approved SRG or STIG, vendor recommendations may be used instead. The current contents constitute the vendor recommendations at the time of the product release containing these contents. Note that changes are expected before approval is granted, and those changes will be made available in future Wind River Linux Security Profile 1019 RCPL releases. More information, including the following, is available from the DISA FAQs at https://public.cyber.mil/stigs/faqs/

Profiles in Guide to the Secure Configuration of WRLinux 8

Source Datastream: ssg-wrlinux8-ds.xml

The Guide to the Secure Configuration of WRLinux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Basic Profile for Embedded Systems

Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded

This profile contains items common to many embedded Linux installations. Regardless of your system's deployment objective, all of these checks should pass.

Examples

To scan your system utilizing the OpenSCAP utility against the ospp profile:

oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Additional details can be found on the project's wiki page: https://www.github.com/OpenSCAP/scap-security-guide/wiki
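Acting on a scan means triaging the file written by --results. The following is an added example (not part of the man page or of the oscap tool) that parses a constructed XCCDF 1.2 results document of the shape oscap writes and lists the rules that still fail, together with the profile score; the rule and profile ids in the sample are placeholders, and the XCCDF 1.2 namespace is assumed (older content used 1.1).

```python
# Added example, not part of the scap-security-guide man page: triage the XCCDF
# results file that `oscap xccdf eval --results` writes.
from collections import Counter
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by current SSG content (assumption for older content).
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape oscap writes; rule and profile ids are
# placeholders, not real SSG identifiers.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_ssh_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_auditd_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_aide_installed" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

def parse_results(xml_text):
    """Return (profile id, score as a percentage, {rule id: (result, severity)})."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", NS)
    profile = test_result.find("x:profile", NS).get("idref")
    score_el = test_result.find("x:score", NS)
    score = 100.0 * float(score_el.text) / float(score_el.get("maximum", "100"))
    rules = {}
    for rr in test_result.findall("x:rule-result", NS):
        result = rr.find("x:result", NS).text
        rules[rr.get("idref")] = (result, rr.get("severity", "unknown"))
    return profile, score, rules

def failing_rules(rules):
    """Rules that need remediation: 'fail' and 'error'; 'notapplicable',
    'notchecked' and 'pass' are not actionable and are skipped."""
    return sorted(rid for rid, (result, _) in rules.items() if result in ("fail", "error"))

def result_counts(rules):
    """Count of rule-results per outcome, e.g. {'fail': 1, 'pass': 1, ...}."""
    return Counter(result for result, _ in rules.values())
```

On a real results file, read the file and pass its contents to parse_results; the same functions apply because oscap appends a TestResult to the Benchmark it evaluated.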

Files

/usr/share/xml/scap/ssg/content

Houses SCAP content utilizing the following naming conventions:

SCAP Source Datastreams: ssg-{product}-ds.xml

CPE Dictionaries: ssg-{product}-cpe-dictionary.xml

CPE OVAL Content: ssg-{product}-cpe-oval.xml

OVAL Content: ssg-{product}-oval.xml

XCCDF Content: ssg-{product}-xccdf.xml

/usr/share/doc/scap-security-guide/guides/

HTML versions of SSG profiles.

/usr/share/scap-security-guide/ansible/

Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/bash/

Contains Bash remediation scripts for SSG profiles.

Statement of Support

The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an open source project, community participation extends into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as maintainers and leaders, there are no commercial support contracts or service level agreements provided by Red Hat.

Support, for both users and developers, is provided through the SCAP Security Guide community.

Homepage: https://www.open-scap.org/security-policies/scap-security-guide

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Deployment to U.S. Civilian Government Systems

SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use vendor-produced SCAP content in the absence of "Governmental Authority" checklists. The specific NIST verbiage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority

Deployment to U.S. Military Systems

DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA." The output of this authority is the DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to "automate" compliance reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community enjoys close collaboration directly with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called SCAP Security Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-guide. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as updates from multiple sources work through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7 STIG contains only XCCDF content and is available online: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Content published against the public.cyber.mil website is authoritative STIG content. The SCAP Security Guide project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators make program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no blanket approval.

See Also

oscap(8)

Author

Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Referenced By

oscap-vm(8).

26 Jan 2013 version 1