Provided by: ssg-base_0.1.31-5_all 
NAME
SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation
mechanisms utilizing the Security Content Automation Protocol (SCAP).
DESCRIPTION
The project provides practical security hardening advice for Red Hat products, and also
links it to compliance requirements in order to ease deployment activities, such as
certification and accreditation. These include requirements in the U.S. government
(Federal, Defense, and Intelligence Community) as well as of the financial services and
health care industries. For example, high-level and widely-accepted policies such as NIST
800-53 provides prose stating that System Administrators must audit "privileged user
actions," but do not define what "privileged actions" are. The SSG bridges the gap between
generalized policy requirements and specific implementation guidance, in SCAP formats to
support automation whenever possible.
The projects homepage is located at: https://www.open-scap.org/security-policies/scap-
security-guide
Red Hat Enterprise Linux 6 PROFILES
The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,' groupings of
security settings that correlate to a known policy. Available profiles are:
C2S
The C2S profile demonstrates compliance against the U.S. Government Commercial
Cloud Services (C2S) baseline.
This baseline was inspired by the Center for Internet Security (CIS) Red Hat
Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015. For the SCAP Security Guide
project to remain in compliance with CIS' terms and conditions, specifically
Restrictions(8), note there is no representation or claim that the C2S profile will
ensure a system is in compliance or consistency with the CIS baseline.
CS2
The CS2 is an example of a customized server profile.
CSCF-RHEL6-MLS
The CSCF RHEL6 MLS Core Baseline profile reflects the Centralized Super Computing
Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received
government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain
overlay. This profile should be considered in active development. Additional
tailoring will be needed, such as the creation of RBAC roles for production
deployment.
common
The Common Profile for General-Purpose Systems profile contains items common to
general-purpose desktop and server installations.
desktop
The Desktop Baseline profile is for a desktop installation of Red Hat Enterprise
Linux 6.
fisma-medium-rhel6-server
A FISMA Medium profile for Red Hat Enterprise Linux 6
ftp
A profile for FTP servers
nist-cl-il-al
The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6 Profile
follows the Committee on National Security Systems Instruction (CNSSI) No. 1253,
"Security Categorization and Control Selection for National Security Systems" on
security controls to meet low confidentiality, low integrity, and low assurance."
pci-dss
The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 6 is a *draft*
profile for PCI-DSS v3
rht-ccp
The Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) profile is a
*draft* SCAP profile for Red Hat Certified Cloud Providers.
server
The Server Baseline profile is for Red Hat Enterprise Linux 6 acting as a server.
standard
The Standard System Security Profile contains rules to ensure standard security
baseline of Red Hat Enterprise Linux 6 system. Regardless of your system's
workload all of these checks should pass.
stig-rhel6-server-gui-upstream
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
stig-rhel6-server-upstream
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
This profile is being developed under the DoD consensus model to become a STIG in
coordination with DISA FSO.
stig-rhel6-workstation-upstream
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
This profile is being developed under the DoD consensus model to become a STIG in
coordination with DISA FSO.
usgcb-rhel6-server
The purpose of the United States Government Configuration Baseline (USGCB)
initiative is to create security configuration baselines for Information Technology
products widely deployed across the federal agencies. The USGCB baseline evolved
from the Federal Desktop Core Configuration mandate. The USGCB is a Federal
government-wide initiative that provides guidance to agencies on what should be
done to improve and maintain an effective configuration settings focusing primarily
on security.
NOTE: While the current content maps to USGCB requirements, it has NOT been
validated by NIST as of yet. This content should be considered draft, we are highly
interested in feedback.
For additional information relating to USGCB, please refer to the NIST webpage at
http://usgcb.nist.gov/usgcb_content.html.
Red Hat Enterprise Linux 7 PROFILES
The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,' groupings of
security settings that correlate to a known policy. Available profiles are:
C2S
The C2S profile demonstrates compliance against the U.S. Government Commercial
Cloud Services (C2S) baseline.
This baseline was inspired by the Center for Internet Security (CIS) Red Hat
Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015. For the SCAP Security Guide
project to remain in compliance with CIS' terms and conditions, specifically
Restrictions(8), note there is no representation or claim that the C2S profile will
ensure a system is in compliance or consistency with the CIS baseline.
cjis-rhel7-server
The Criminal Justice Information Services Security Policy is a *draft* profile for
CJIS v5.4. The scope of this profile is to configure Red Hat Enteprise Linux 7
against the U. S. Department of Justice, FBI CJIS Security Policy.
common
The common profile is intended to be used as a base, universal profile for
scanning of general-purpose Red Hat Enterprise Linux systems.
docker-host
The Standard Docker Host Security Profile contains rules to ensure standard
security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.
This discussion is currently being held on open-scap-list@redhat.com and scap-
security-guide@lists.fedorahosted.org.
nist-cl-il-al
The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 Profile
follows the Committee on National Security Systems Instruction (CNSSI) No. 1253,
"Security Categorization and Control Selection for National Security Systems" on
security controls to meet low confidentiality, low integrity, and low assurance."
ospp-rhel7-server
This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under
the National Information Assurance Partnership. The scope of this profile is to
configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General
Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working
draft for USGCB submission against RHEL7 Server.
pci-dss
The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 7 is a *draft*
profile for PCI-DSS v3
rht-ccp
The Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) profile is a
*draft* SCAP profile for Red Hat Certified Cloud Providers.
standard
The Standard System Security Profile contains rules to ensure standard security
baseline of Red Hat Enterprise Linux 7 system. Regardless of your system's
workload all of these checks should pass.
stig-rhel7-server-gui-upstream
The STIG for Red Hat Enterprise Linux 7 Server Running GUIs is a *draft* profile
for STIG.
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
This profile is being developed under the DoD consensus model to become a STIG in
coordination with DISA FSO.
stig-rhel7-server-upstream
The STIG for Red Hat Enterprise Linux 7 Server is a *draft* profile for STIG.
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
This profile is being developed under the DoD consensus model to become a STIG in
coordination with DISA FSO.
stig-rhel7-workstation-upstream
The STIG for Red Hat Enterprise Linux 7 Workstation is a *draft* profile for STIG.
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA
Field Security Operations (FSO) has played a critical role enhancing the security
posture of DoD's security systems by providing the Security Technical
Implementation Guides (STIGs). This profile was created as a collaboration effort
between the National Security Agency, DISA FSO, and Red Hat.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For additional information relating to STIGs,
please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide.
This profile is being developed under the DoD consensus model to become a STIG in
coordination with DISA FSO.
Fedora PROFILES
The Fedora SSG content is broken into 'profiles,' groupings of security settings that
correlate to a known policy. Currently available profile:
common
The common profile is intended to be used as a base, universal profile for scanning
of general-purpose Fedora systems.
standard
The Standard System Security Profile contains rules to ensure standard security
baseline of a Fedora system. Regardless of your system's workload all of these
checks should pass.
EXAMPLES
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream
profile:
oscap xccdf eval --profile stig-rhel6-server-upstream --results /tmp/`hostname`-ssg-
results.xml --report /tmp/`hostname`-ssg-results.html --cpe /usr/share/scap/ssg/ssg-
rhel6-cpe-dictionary.xml /usr/share/scap/ssg/ssg-rhel6-xccdf.xml
Additional details can be found on the projects wiki page:
https://www.github.com/OpenSCAP/scap-security-guide/wiki
FILES
/usr/share/scap/ssg/
Houses SCAP content utilizing the following naming conventions:
CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml
CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml
OVAL_Content: ssg-{profile}-oval.xml
XCCDF_Content: ssg-{profile}-xccdf.xml
/usr/share/doc/scap-security-guide/guides/
HTML versions of SSG profiles.
STATEMENT OF SUPPORT
The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA,
provides XCCDF and OVAL content for Red Hat technologies. As an open source project,
community participation extends into U.S. Department of Defense agencies, civilian
agencies, academia, and other industrial partners.
SCAP Security Guide is provided to consumers through Red Hat's Extended Packages for
Enterprise Linux (EPEL) repository. As such, SCAP Security Guide content is considered
"vendor provided."
Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers
are involved as maintainers and leaders, there is no commercial support contracts or
service level agreements provided by Red Hat.
Support, for both users and developers, is provided through the SCAP Security Guide
community.
Homepage: https://www.open-scap.org/security-policies/scap-security-guide
Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS
SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance
from the U.S. National Institute of Standards and Technology (NIST), U.S. Government
programs are allowed to use Vendor produced SCAP content in absence of "Governmental
Authority" checklists. The specific NIST verbage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
DEPLOYMENT TO U.S. MILITARY SYSTEMS
DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated
into DoD information systems shall be configured in accordance with DoD-approved security
configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop
and provide security configuration guidance for IA and IA-enabled IT products in
coordination with Director, NSA." The output of this authority is the DISA Security
Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs
towards the use of the NIST Security Content Automation Protocol (SCAP) in order to
"automate" compliance reporting of the STIGs.
Through a common, shared vision, the SCAP Security Guide community enjoys close
collaboration directly with NSA and DISA FSO. As stated in Section 1.1 of the Red Hat
Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:
"The consensus content was developed using an open-source project called SCAP Security
Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-
guide. Except for differences in formatting to accommodate the DISA STIG publishing
process, the content of the Red Hat Enterprise Linux 6 STIG should mirrot the SCAP
Security Guide content with only minor divergence as updates from multiple sources work
through the consensus process."
The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the DoD Red
Hat Enterprise Linux 6 STIG contains only XCCDF content and is available online:
http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx
Content published against the iase.disa.mil website is authoritative STIG content. The
SCAP Security Guide project, as noted in the STIG overview, is considered upstream
content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation
content. Individual programs and C&A evaluators make program-level determinations on the
direct usage of the SCAP Security Guide. Currently there is no blanket approval.
SEE ALSO
oscap(8)
AUTHOR
Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide