Scroll to navigation

scap-security-guide(8) System Manager's Manual scap-security-guide(8)

NAME

SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).

DESCRIPTION

The project provides practical security hardening advice and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provides prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

The projects homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide

Profiles in Guide to the Secure Configuration of Alibaba Cloud Linux 2

Source data stream: ssg-alinux2-ds.xml

The Guide to the Secure Configuration of Alibaba Cloud Linux 2 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v4.0 Control Baseline for Alibaba Cloud Linux 2

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

Standard System Security Profile for Alibaba Cloud Linux 2

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Alibaba Cloud Linux 2 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Alibaba Cloud Linux 3

Source data stream: ssg-alinux3-ds.xml

The Guide to the Secure Configuration of Alibaba Cloud Linux 3 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v4.0 Control Baseline for Alibaba Cloud Linux 3

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

Standard System Security Profile for Alibaba Cloud Linux 3

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Alibaba Cloud Linux 3 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Anolis OS 23

Source data stream: ssg-anolis23-ds.xml

The Guide to the Secure Configuration of Anolis OS 23 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v4.0 Control Baseline for Anolis OS 23

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

Standard System Security Profile for Anolis OS 23

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Anolis OS 23 system.

Profiles in Guide to the Secure Configuration of Anolis OS 8

Source data stream: ssg-anolis8-ds.xml

The Guide to the Secure Configuration of Anolis OS 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v4.0 Control Baseline for Anolis OS 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

Standard System Security Profile for Anolis OS 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Anolis OS 8 system.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source data stream: ssg-centos7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

C2S for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_C2S

This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 7 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

NIST National Checklist Program Security Guide

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 7 is configured in alignment with PCI-DSS v4.0 requirements.

RHV hardening based on STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This profile contains configuration checks for Red Hat Virtualization based on the the DISA STIG for Red Hat Enterprise Linux 7.

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass.

DISA STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V3R14.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 7 image

DISA STIG with GUI for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat Enterprise Linux V3R14.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 7 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 7 profile.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Source data stream: ssg-centos8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)."

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

Australian Cyber Security Centre (ACSC) ISM Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.

The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism

Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 8 is configured in alignment with PCI-DSS v4.0 requirements.

DISA STIG for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R14.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image

DISA STIG with GUI for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R14.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile.

Profiles in Guide to the Secure Configuration of Chromium

Source data stream: ssg-chromium-ds.xml

The Guide to the Secure Configuration of Chromium is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Upstream STIG for Google Chromium

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Source data stream: ssg-cs9-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced

Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced

This profile defines a baseline that aligns with the "Advanced" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic

Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic

This profile defines a baseline that aligns with the "Basic" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate

Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermediate

This profile defines a baseline that aligns with the "Intermediate" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)."

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

Australian Cyber Security Centre (ACSC) ISM Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.

The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism

Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.3 and Functional Package for SSH version 1.0.

Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 9 is configured in alignment with PCI-DSS v4.0 requirements.

DISA STIG for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3.

In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image

DISA STIG with GUI for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3.

In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 9 profile.

Profiles in Guide to the Secure Configuration of Debian 10

Source data stream: ssg-debian10-ds.xml

The Guide to the Secure Configuration of Debian 10 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 10

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Debian 10 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Debian 11

Source data stream: ssg-debian11-ds.xml

The Guide to the Secure Configuration of Debian 11 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 11

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Debian 11 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Debian 12

Source data stream: ssg-debian12-ds.xml

The Guide to the Secure Configuration of Debian 12 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Standard System Security Profile for Debian 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Debian 12 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Amazon Elastic Kubernetes Service

Source data stream: ssg-eks-ds.xml

The Guide to the Secure Configuration of Amazon Elastic Kubernetes Service is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node

Profile ID: xccdf_org.ssgproject.content_profile_cis-node

This profile defines a baseline that aligns to the Center for Internet Security® Amazon Elastic Kubernetes Service (EKS) Benchmark™, V1.0.1.

This profile includes Center for Internet Security® Amazon Elastic Kubernetes Service (EKS)™ content.

This profile is applicable to EKS 1.21 and greater.

CIS Amazon Elastic Kubernetes Service Benchmark - Platform

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for Internet Security® Amazon Elastic Kubernetes Service (EKS) Benchmark™, V1.0.1.

This profile includes Center for Internet Security® Amazon Elastic Kubernetes Service (EKS)™ content.

This profile is applicable to EKS 1.21 and greater.

Profiles in Guide to the Secure Configuration of Fedora

Source data stream: ssg-fedora-ds.xml

The Guide to the Secure Configuration of Fedora is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CUSP - Common User Security Profile for Fedora Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cusp_fedora

This profile contains rules to harden Fedora Linux according to the Common User Security Guide for Fedora Workstation.

OSPP - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2).

As Fedora OS is moving target, this profile does not guarantee to provide security levels required from US National Security Systems. Main goal of the profile is to provide Fedora developers with hardened environment similar to the one mandated by US National Security Systems.

PCI-DSS v3.2.1 Control Baseline for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 related security configuration settings are applied.

Standard System Security Profile for Fedora

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Fedora system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Firefox

Source data stream: ssg-firefox-ds.xml

The Guide to the Secure Configuration of Firefox is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CUSP - Common User Security Profile for Mozilla Firefox

Profile ID: xccdf_org.ssgproject.content_profile_cusp_firefox

This profile contains rules to harden Mozilla Firefox according to rule 6.1 in the Common User Security Guide for Fedora Workstation.

Mozilla Firefox STIG

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Firefox STIG.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

Profiles in Guide to the Secure Configuration of Apple macOS 10.15

Source data stream: ssg-macos1015-ds.xml

The Guide to the Secure Configuration of Apple macOS 10.15 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Apple macOS 10.15 Catalina into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, and the the National Security Agency.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Source data stream: ssg-ocp4-ds.xml

The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4

Profile ID: xccdf_org.ssgproject.content_profile_bsi-2022

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4

Profile ID: xccdf_org.ssgproject.content_profile_bsi-node-2022

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4

Profile ID: xccdf_org.ssgproject.content_profile_bsi-node

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4

Profile ID: xccdf_org.ssgproject.content_profile_bsi

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-1-4

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.4.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.10 and greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-1-5

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.5.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.12 and greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-node-1-4

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.4.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.10 and greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-node-1-5

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.5.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.12 and greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis-node

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.5.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.12 and greater.

CIS Red Hat OpenShift Container Platform 4 Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.5.

This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.

Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of.

This profile is applicable to OpenShift versions 4.12 and greater.

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat OpenShift Container Platform that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level

Profile ID: xccdf_org.ssgproject.content_profile_high-node-rev-4

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level

Profile ID: xccdf_org.ssgproject.content_profile_high-node

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_high-rev-4

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_high

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level

Profile ID: xccdf_org.ssgproject.content_profile_moderate-node-rev-4

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level

Profile ID: xccdf_org.ssgproject.content_profile_moderate-node

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_moderate-rev-4

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level

Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node

This compliance profile reflects a set of security recommendations for the usage of Red Hat OpenShift Container Platform in critical infrastructure in the energy sector. This follows the recommendations coming from the following CIP standards:

- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip

This compliance profile reflects a set of security recommendations for the usage of Red Hat OpenShift Container Platform in critical infrastructure in the energy sector. This follows the recommendations coming from the following CIP standards:

- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6

PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-3-2

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4-0

Ensures PCI-DSS v4.0.0 security configuration settings are applied.

PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node-3-2

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node-4-0

Ensures PCI-DSS v4.0.0 security configuration settings are applied.

PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

DISA STIG for Red Hat OpenShift Container Platform 4 - Node level

Profile ID: xccdf_org.ssgproject.content_profile_stig-node-v1r1

This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift Container Platform 4.

DISA STIG for Red Hat OpenShift Container Platform 4 - Node level

Profile ID: xccdf_org.ssgproject.content_profile_stig-node

This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift Container Platform 4.

DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_stig-v1r1

This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift Container Platform 4.

DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat OpenShift Container Platform 4.

Profiles in Guide to the Secure Configuration of Oracle Linux 7

Source data stream: ssg-ol7-ds.xml

The Guide to the Secure Configuration of Oracle Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Oracle Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 7 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Oracle Linux 7 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

NIST National Checklist Program Security Guide

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Oracle Linux 7 into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

DRAFT - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 related security configuration settings are applied.

Security Profile of Oracle Linux 7 for SAP

Profile ID: xccdf_org.ssgproject.content_profile_sap

This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2. Regardless of your system's workload all of these checks should pass.

Standard System Security Profile for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of Oracle Linux 7 system. Regardless of your system's workload all of these checks should pass.

DISA STIG for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Oracle Linux V2R14.

DISA STIG with GUI for Oracle Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Oracle Linux V2R14.

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Oracle Linux 7 profile.

Profiles in Guide to the Secure Configuration of Oracle Linux 8

Source data stream: ssg-ol8-ds.xml

The Guide to the Secure Configuration of Oracle Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Oracle Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

DRAFT - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v4.0 Control Baseline for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Oracle Linux 8 is configured in alignment with PCI-DSS v4.0 requirements.

Standard System Security Profile for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of Oracle Linux 8 system. Regardless of your system's workload all of these checks should pass.

DISA STIG for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Oracle Linux 8 V1R10.

DISA STIG with GUI for Oracle Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Oracle Linux V1R10.

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Oracle Linux 8 profile.

Profiles in Guide to the Secure Configuration of Oracle Linux 9

Source data stream: ssg-ol9-ds.xml

The Guide to the Secure Configuration of Oracle Linux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Oracle Linux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)."

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Oracle Linux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Oracle Linux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

DRAFT - Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile is part of Oracle Linux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH version 1.0.

Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.

PCI-DSS v4.0 Control Baseline for Oracle Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Oracle Linux 9 is configured in alignment with PCI-DSS v4.0 requirements.

Standard System Security Profile for Oracle Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of Oracle Linux 9 system. Regardless of your system's workload all of these checks should pass.

DRAFT - DISA STIG for Oracle Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig

This is a draft profile based on its OL8 version for experimental purposes. It is not based on the DISA STIG for OL9, because this one was not available at time of the release.

DRAFT - DISA STIG with GUI for Oracle Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This is a draft profile based on its OL8 version for experimental purposes. It is not based on the DISA STIG for OL9, because this one was not available at time of the release.

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Oracle Linux 9 profile.

Profiles in Guide to the Secure Configuration of OpenEmbedded

Source data stream: ssg-openembedded-ds.xml

The Guide to the Secure Configuration of OpenEmbedded is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Sample expanded Security Profile for OpenEmbedded Distros

Profile ID: xccdf_org.ssgproject.content_profile_expanded

This profile is a sample for use in documentation and example content. The selected rules include standard profile plus more network rules and password aging; they should still pass quickly on most systems.

Sample Security Profile for OpenEmbedded Distros

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile is an sample for use in documentation and example content. The selected rules are standard and should pass quickly on most systems.

Profiles in Guide to the Secure Configuration of openEuler 2203

Source data stream: ssg-openeuler2203-ds.xml

The Guide to the Secure Configuration of openEuler 2203 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for openEuler 22.03 LTS

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an openEuler system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of openSUSE

Source data stream: ssg-opensuse-ds.xml

The Guide to the Secure Configuration of openSUSE is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for openSUSE

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an openSUSE system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

Source data stream: ssg-rhcos4-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

DRAFT - ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

DRAFT - BSI APP.4.4. and SYS.1.6

Profile ID: xccdf_org.ssgproject.content_profile_bsi-2022

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements OS-Level configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX

DRAFT - BSI APP.4.4. and SYS.1.6

Profile ID: xccdf_org.ssgproject.content_profile_bsi

This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz Basic-Protection.

This baseline implements OS-Level configuration requirements from the following sources:

- Building-Block SYS.1.6 Containerisation - Building-Block APP.4.4 Kubernetes

THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux CoreOS that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_high-rev-4

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_high

This compliance profile reflects the core set of High-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for High-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_moderate-rev-4

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_moderate

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip

This compliance profile reflects a set of security recommendations for the usage of Red Hat Enterprise Linux CoreOS in critical infrastructure in the energy sector. This follows the recommendations coming from the following CIP standards:

- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6

DISA STIG for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_stig-v1r1

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux CoreOS 4.

DISA STIG for Red Hat Enterprise Linux CoreOS

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux CoreOS 4.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source data stream: ssg-rhel7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

C2S for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_C2S

This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline.

This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

Criminal Justice Information Services (CJIS) Security Policy

Profile ID: xccdf_org.ssgproject.content_profile_cjis

This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy can be found at the CJIS Security Policy Resource Center:

https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in non-federal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 7 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

NIST National Checklist Program Security Guide

Profile ID: xccdf_org.ssgproject.content_profile_ncp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1) - DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus and release processes.

OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 7 is configured in alignment with PCI-DSS v4.0 requirements.

RHV hardening based on STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig

This profile contains configuration checks for Red Hat Virtualization based on the the DISA STIG for Red Hat Enterprise Linux 7.

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization

Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp

This profile contains the minimum security relevant configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass.

DISA STIG for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V3R14.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 7 image

DISA STIG with GUI for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat Enterprise Linux V3R14.

In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 7 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 7 profile.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8

Source data stream: ssg-rhel8-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v3.0.0, released 2023-10-30.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)."

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

Australian Cyber Security Centre (ACSC) ISM Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise Linux 8 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.

The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism

Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1).

This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 8 is configured in alignment with PCI-DSS v4.0 requirements.

DISA STIG for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R14.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image

DISA STIG with GUI for Red Hat Enterprise Linux 8

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R14.

In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9

Source data stream: ssg-rhel9-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

An English version of the ANSSI-BP-028 can also be found at the ANSSI website: https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced

Profile ID: xccdf_org.ssgproject.content_profile_ccn_advanced

This profile defines a baseline that aligns with the "Advanced" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic

Profile ID: xccdf_org.ssgproject.content_profile_ccn_basic

This profile defines a baseline that aligns with the "Basic" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate

Profile ID: xccdf_org.ssgproject.content_profile_ccn_intermediate

This profile defines a baseline that aligns with the "Intermediate" configuration of the CCN-STIC-610A22 Guide issued by the National Cryptological Center of Spain in 2022-10.

The CCN-STIC-610A22 guide includes hardening settings for Red Hat Enterprise Linux 9 at basic, intermediate, and advanced levels.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.

This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

Profile ID: xccdf_org.ssgproject.content_profile_cui

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:

(i) a basic security requirements section; (ii) a derived security requirements section.

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)."

Australian Cyber Security Centre (ACSC) Essential Eight

Profile ID: xccdf_org.ssgproject.content_profile_e8

This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.

A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:

https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).

Australian Cyber Security Centre (ACSC) ISM Official

Profile ID: xccdf_org.ssgproject.content_profile_ism_o

This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.

The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism

Protection Profile for General Purpose Operating Systems

Profile ID: xccdf_org.ssgproject.content_profile_ospp

This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.3 and Functional Package for SSH version 1.0.

Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 9 is configured in alignment with PCI-DSS v4.0 requirements.

DISA STIG for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3.

In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image

DISA STIG with GUI for Red Hat Enterprise Linux 9

Profile ID: xccdf_org.ssgproject.content_profile_stig_gui

This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3.

In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:

- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image

Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 9 profile.

Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4

Source data stream: ssg-rhv4-ds.xml

The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig

This *draft* profile contains configuration checks that align to the DISA STIG for Red Hat Virtualization Host (RHVH).

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)

Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp

This compliance profile reflects the core set of security related configuration settings for deployment of Red Hat Virtualization Host (RHVH) 4.x into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.

This baseline implements configuration requirements from the following sources:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package.

This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode project, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7

Source data stream: ssg-sl7-ds.xml

The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Payment Card Industry - Data Security Standard (PCI-DSS) is a set of security standards designed to ensure the secure handling of payment card data, with the goal of preventing data breaches and protecting sensitive financial information.

This profile ensures Red Hat Enterprise Linux 7 is configured in alignment with PCI-DSS v4.0 requirements.

Standard System Security Profile for Red Hat Enterprise Linux 7

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12

Source data stream: ssg-sle12-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.1.0, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS Benchmarks™ content.

PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4

Ensures PCI-DSS v4 security configuration settings are applied.

PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

Standard System Security Profile for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 12 system. Regardless of your system's workload all of these checks should pass.

DISA STIG for SUSE Linux Enterprise 12

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise 12 V2R13.

Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 15

Source data stream: ssg-sle15-ds.xml

The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

ANSSI-BP-028 (enhanced)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (high)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (intermediary)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

ANSSI-BP-028 (minimal)

Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.

A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal.

CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis

This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server

Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1

This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1

This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™ content.

CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation

Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.1, released 01-24-2022.

This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS Benchmarks™ content.

Health Insurance Portability and Accountability Act (HIPAA)

Profile ID: xccdf_org.ssgproject.content_profile_hipaa

The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

This profile contains configuration checks that align to the HIPPA Security Rule for SUSE Linux Enterprise 15 V1R3.

PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4

Ensures PCI-DSS v4 security configuration settings are applied.

Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15

Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening-sap

This profile contains configuration rules to be used to harden the images of SUSE Linux Enterprise Server (SLES) for SAP Applications 15 including all Service Packs, for Public Cloud providers, currently AWS, Microsoft Azure, and Google Cloud.

Public Cloud Hardening for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening

This profile contains configuration checks to be used to harden SUSE Linux Enterprise 15 for use with public cloud providers.

Standard System Security Profile for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a SUSE Linux Enterprise 15 system based off of the SUSE Hardening Guide. Regardless of your system's workload all of these checks should pass.

DISA STIG for SUSE Linux Enterprise 15

Profile ID: xccdf_org.ssgproject.content_profile_stig

This profile contains configuration checks that align to the DISA STIG for SUSE Linux Enterprise 15 V1R12.

Profiles in Guide to the Secure Configuration of Ubuntu 16.04

Source data stream: ssg-ubuntu1604-ds.xml

The Guide to the Secure Configuration of Ubuntu 16.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

Standard System Security Profile for Ubuntu 16.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 16.04 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Ubuntu 18.04

Source data stream: ssg-ubuntu1804-ds.xml

The Guide to the Secure Configuration of Ubuntu 18.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Profile for ANSSI DAT-NT28 Average (Intermediate) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average

This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.

Profile for ANSSI DAT-NT28 High (Enforced) Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high

This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.

Profile for ANSSI DAT-NT28 Minimal Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

This profile contains items to be applied systematically.

Profile for ANSSI DAT-NT28 Restrictive Level

Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.

CIS Ubuntu 18.04 LTS Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis

This baseline aligns to the Center for Internet Security Ubuntu 18.04 LTS Benchmark, v1.0.0, released 08-13-2018.

Standard System Security Profile for Ubuntu 18.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.

Profiles in Guide to the Secure Configuration of Ubuntu 20.04

Source data stream: ssg-ubuntu2004-ds.xml

The Guide to the Secure Configuration of Ubuntu 20.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CIS Ubuntu 20.04 Level 1 Server Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server

This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.

CIS Ubuntu 20.04 Level 1 Workstation Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation

This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.

CIS Ubuntu 20.04 Level 2 Server Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server

This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.

CIS Ubuntu 20.04 Level 2 Workstation Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation

This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.

Standard System Security Profile for Ubuntu 20.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 20.04 system. Regardless of your system's workload all of these checks should pass.

Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R9

Profile ID: xccdf_org.ssgproject.content_profile_stig

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents.

Profiles in Guide to the Secure Configuration of Ubuntu 22.04

Source data stream: ssg-ubuntu2204-ds.xml

The Guide to the Secure Configuration of Ubuntu 22.04 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

CIS Ubuntu 22.04 Level 1 Server Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server

This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

CIS Ubuntu 22.04 Level 1 Workstation Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation

This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

CIS Ubuntu 22.04 Level 2 Server Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server

This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

CIS Ubuntu 22.04 Level 2 Workstation Benchmark

Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation

This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS Benchmark, v1.0.0, released 08-30-2022.

Standard System Security Profile for Ubuntu 22.04

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of an Ubuntu 22.04 system. Regardless of your system's workload all of these checks should pass.

DRAFT Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) DRAFT

Profile ID: xccdf_org.ssgproject.content_profile_stig

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents.

Profiles in Guide to the Secure Configuration of UnionTech OS Server 20

Source data stream: ssg-uos20-ds.xml

The Guide to the Secure Configuration of UnionTech OS Server 20 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:

Standard System Security Profile for UnionTech OS Server 20

Profile ID: xccdf_org.ssgproject.content_profile_standard

This profile contains rules to ensure standard security baseline of a UnionTech OS Server 20 system. Regardless of your system's workload all of these checks should pass.

EXAMPLES

To scan your system utilizing the OpenSCAP utility against the ospp profile:

oscap xccdf eval --profile ospp --results-arf /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml

Additional details can be found on the following websites:

https://www.github.com/ComplianceAsCode/content

The project's Github page.

https://complianceascode.readthedocs.io

The project's ReadTheDocs page.

https://app.gitter.im/#/room/#Compliance-As-Code-The_content:gitter.im

The project's Gitter IM space

FILES

/usr/share/xml/scap/ssg/content

Houses SCAP content utilizing the following naming conventions:

SCAP Source data streams: ssg-{product}-ds.xml

/usr/share/scap-security-guide/ansible/

Contains Ansible Playbooks for SSG profiles.

/usr/share/scap-security-guide/kickstart/

Contains example kickstarts that install systems hardened against a particular profile.

/usr/share/scap-security-guide/tailoring/

Contains tailoring files that enable rules that are not covered by third-party SCAP content and disables rules that are covered by the content shipped in scap-security-guide.

SEE ALSO

oscap(8)

AUTHOR

Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

26 Jan 2013 version 1