Provided by: ssg-base_0.1.31-5_all

NAME

       SCAP-Security-Guide  -  Delivers  security  guidance,  baselines,  and  associated  validation mechanisms
       utilizing the Security Content Automation Protocol (SCAP).

DESCRIPTION

       The project provides practical security hardening advice for Red Hat products, and also links it to
       compliance requirements in order to ease deployment activities, such as certification and accreditation.
       These include requirements of the U.S. government (Federal, Defense, and Intelligence Community) as well
       as of the financial services and health care industries. For example, high-level and widely-accepted
       policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged
       user actions," but do not define what "privileged actions" are. The SSG bridges the gap between
       generalized policy requirements and specific implementation guidance, in SCAP formats to support
       automation whenever possible.

       The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide

Red Hat Enterprise Linux 6 PROFILES

       The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,' groupings of security settings that
       correlate to a known policy. Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the  U.S.  Government  Commercial  Cloud  Services
              (C2S) baseline.

              This  baseline  was  inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7
              Benchmark, v1.1.0 - 04-02-2015.  For the SCAP Security Guide project to remain in compliance  with
              CIS'  terms and conditions, specifically Restrictions(8), note there is no representation or claim
              that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

       CS2
              The CS2 is an example of a customized server profile.

       CSCF-RHEL6-MLS
              The CSCF RHEL6 MLS Core Baseline profile reflects the Centralized Super Computing Facility  (CSCF)
              baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD
              503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be  considered  in
              active  development.   Additional tailoring will be needed, such as the creation of RBAC roles for
              production deployment.

       common
              The Common Profile for General-Purpose Systems profile contains items  common  to  general-purpose
              desktop and server installations.

       desktop
              The Desktop Baseline profile is for a desktop installation of Red Hat Enterprise Linux 6.

       fisma-medium-rhel6-server
              A FISMA Medium profile for Red Hat Enterprise Linux 6

       ftp
              A profile for FTP servers

       nist-cl-il-al
               The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6 Profile follows the
               Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and
               Control Selection for National Security Systems," on security controls to meet low confidentiality,
               low integrity, and low assurance.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 6 is a  *draft*  profile  for
              PCI-DSS v3

       rht-ccp
              The  Red  Hat  Corporate  Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP
              profile for Red Hat Certified Cloud Providers.

       server
              The Server Baseline profile is for Red Hat Enterprise Linux 6 acting as a server.

       standard
               The Standard System Security Profile contains rules to ensure a standard security baseline for a
               Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks
               should pass.

       stig-rhel6-server-gui-upstream
              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

       stig-rhel6-server-upstream
              The  Security  Technical  Implementation  Guides  (STIGs) and the NSA Guides are the configuration
              standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA  Field  Security  Operations
              (FSO)  has  played  a  critical  role  enhancing the security posture of DoD's security systems by
              providing the Security Technical Implementation Guides (STIGs). This  profile  was  created  as  a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As  a  result  of the upstream/downstream relationship between the SCAP Security Guide project and
              the official DISA FSO STIG baseline, users  should  expect  variance  between  SSG  and  DISA  FSO
              content.  For  additional  information  relating to STIGs, please refer to the DISA FSO webpage at
              http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please  note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is  provided  by  the  upstream SCAP Security Guide community on a best-effort basis. The upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is being developed under the DoD consensus model to become  a  STIG  in  coordination
              with DISA FSO.

       stig-rhel6-workstation-upstream
              The  Security  Technical  Implementation  Guides  (STIGs) and the NSA Guides are the configuration
              standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA  Field  Security  Operations
              (FSO)  has  played  a  critical  role  enhancing the security posture of DoD's security systems by
              providing the Security Technical Implementation Guides (STIGs). This  profile  was  created  as  a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As  a  result  of the upstream/downstream relationship between the SCAP Security Guide project and
              the official DISA FSO STIG baseline, users  should  expect  variance  between  SSG  and  DISA  FSO
              content.  For  additional  information  relating to STIGs, please refer to the DISA FSO webpage at
              http://iase.disa.mil/stigs/

              While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please  note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is  provided  by  the  upstream SCAP Security Guide community on a best-effort basis. The upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is being developed under the DoD consensus model to become  a  STIG  in  coordination
              with DISA FSO.

       usgcb-rhel6-server
              The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create
              security configuration baselines for Information Technology products widely  deployed  across  the
              federal  agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate.
               The USGCB is a Federal government-wide initiative that provides guidance to agencies on what
               should be done to improve and maintain effective configuration settings, focusing primarily on
               security.

               NOTE: While the current content maps to USGCB requirements, it has NOT been validated by NIST as
               of yet. This content should be considered draft; we are highly interested in feedback.

              For   additional   information   relating   to   USGCB,  please  refer  to  the  NIST  webpage  at
              http://usgcb.nist.gov/usgcb_content.html.

Red Hat Enterprise Linux 7 PROFILES

       The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,' groupings of security settings that
       correlate to a known policy. Available profiles are:

       C2S
              The  C2S  profile  demonstrates  compliance  against the U.S. Government Commercial Cloud Services
              (C2S) baseline.

              This baseline was inspired by the Center for Internet Security (CIS) Red Hat  Enterprise  Linux  7
              Benchmark,  v1.1.0 - 04-02-2015.  For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note there is no representation or  claim
              that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

       cjis-rhel7-server
               The Criminal Justice Information Services Security Policy is a *draft* profile for CJIS v5.4. The
               scope of this profile is to configure Red Hat Enterprise Linux 7 against the U.S. Department of
               Justice, FBI CJIS Security Policy.

       common
               The common profile is intended to be used as a base, universal profile for scanning
               general-purpose Red Hat Enterprise Linux systems.

       docker-host
               The Standard Docker Host Security Profile contains rules to ensure a standard security baseline
               for a Red Hat Enterprise Linux 7 system running the docker daemon. This discussion is currently
               being held on open-scap-list@redhat.com and scap-security-guide@lists.fedorahosted.org.

       nist-cl-il-al
               The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 Profile follows the
               Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and
               Control Selection for National Security Systems," on security controls to meet low confidentiality,
               low integrity, and low assurance.

       ospp-rhel7-server
               This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National
               Information Assurance Partnership. The scope of this profile is to configure Red Hat Enterprise
               Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP
               OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 7 is a  *draft*  profile  for
              PCI-DSS v3

       rht-ccp
              The  Red  Hat  Corporate  Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP
              profile for Red Hat Certified Cloud Providers.

       standard
               The Standard System Security Profile contains rules to ensure a standard security baseline for a
               Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks
               should pass.

       stig-rhel7-server-gui-upstream
              The STIG for Red Hat Enterprise Linux 7 Server Running GUIs is a *draft* profile for STIG.

              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This  profile  is  being  developed under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       stig-rhel7-server-upstream
              The STIG for Red Hat Enterprise Linux 7 Server is a *draft* profile for STIG.

              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This  profile  is  being  developed under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       stig-rhel7-workstation-upstream
              The STIG for Red Hat Enterprise Linux 7 Workstation is a *draft* profile for STIG.

              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This  profile  is  being  developed under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

Fedora PROFILES

       The Fedora SSG content is broken into 'profiles,' groupings of security settings that correlate to a
       known policy. Currently available profiles are:

       common
               The common profile is intended to be used as a base, universal profile for scanning
               general-purpose Fedora systems.

       standard
               The Standard System Security Profile contains rules to ensure a standard security baseline for a
               Fedora system. Regardless of your system's workload, all of these checks should pass.

EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile:

       oscap xccdf eval --profile stig-rhel6-server-upstream \
           --results /tmp/`hostname`-ssg-results.xml \
           --report /tmp/`hostname`-ssg-results.html \
           --cpe /usr/share/scap/ssg/ssg-rhel6-cpe-dictionary.xml \
           /usr/share/scap/ssg/ssg-rhel6-xccdf.xml

       Additional details can be found on the project's wiki page:
       https://www.github.com/OpenSCAP/scap-security-guide/wiki
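
       The --results file written by the command above is an XCCDF document whose TestResult element carries one
       rule-result per evaluated rule. The following script is an added example (not part of the SSG package or
       of this manual) that parses such a file, counts outcomes, and lists failing rules highest severity first;
       the embedded results document, its rule ids and its score are constructed for illustration.

```python
"""Summarize an XCCDF results file written by 'oscap xccdf eval --results'.

Added example, not part of the scap-security-guide package. Lists the rules
that failed, highest severity first, for the XCCDF 1.1 and 1.2 namespaces.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NAMESPACES = ("http://checklists.nist.gov/xccdf/1.1",
                    "http://checklists.nist.gov/xccdf/1.2")

# Constructed sample in the shape oscap writes; rule ids and values are made up.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">
    <profile idref="stig-rhel6-server-upstream"/>
    <rule-result idref="sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="service_auditd_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="sshd_allow_only_protocol2" severity="high">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _local(tag):
    """Strip the namespace: '{http://...}result' -> 'result'."""
    return tag.rsplit("}", 1)[-1]


def summarize_results(xml_text):
    """Return (profile id, Counter of outcomes, [(rule id, severity), ...]).

    'fail', 'error' and 'unknown' are reported as failures, because error and
    unknown hide the real state of a control; other outcomes are only counted.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns not in XCCDF_NAMESPACES:
        raise ValueError("not an XCCDF 1.1/1.2 document (namespace %r)" % ns)
    test_result = next((e for e in root.iter() if _local(e.tag) == "TestResult"), None)
    if test_result is None:
        raise ValueError("no TestResult element; was --results given to eval?")
    profile = next((e.get("idref") for e in test_result if _local(e.tag) == "profile"), None)
    outcomes, failed = Counter(), []
    for rr in test_result:
        if _local(rr.tag) != "rule-result":
            continue
        result = next(((e.text or "").strip() for e in rr if _local(e.tag) == "result"), "unknown")
        outcomes[result] += 1
        if result in ("fail", "error", "unknown"):
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    # Highest severity first, then by rule id, so triage starts with what matters most.
    failed.sort(key=lambda r: (SEVERITY_ORDER.get(r[1], 3), r[0]))
    return profile, outcomes, failed


if __name__ == "__main__":
    # Pass the --results file from the oscap command above, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    profile, outcomes, failed = summarize_results(text)
    print("profile: %s  outcomes: %s" % (profile, dict(outcomes)))
    for rule_id, severity in failed:
        print("FAIL [%s] %s" % (severity, rule_id))
```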

FILES

       /usr/share/scap/ssg/
              Houses SCAP content utilizing the following naming conventions:

              CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml

              CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml

              OVAL_Content: ssg-{profile}-oval.xml

              XCCDF_Content: ssg-{profile}-xccdf.xml

       /usr/share/doc/scap-security-guide/guides/
              HTML versions of SSG profiles.

STATEMENT OF SUPPORT

       The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF
       and  OVAL  content  for  Red Hat technologies. As an open source project, community participation extends
       into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended  Packages  for  Enterprise  Linux
       (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as
       maintainers and leaders, there are no commercial support contracts or service level agreements provided
       by Red Hat.

       Support, for both users and developers, is provided through the SCAP Security Guide community.

       Homepage: https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S.
       National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use
       vendor-produced SCAP content in the absence of "Governmental Authority" checklists. The specific NIST
       verbiage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority

DEPLOYMENT TO U.S. MILITARY SYSTEMS

       DoD Directive (DoDD) 8500.1 requires that "all IA  and  IA-enabled  IT  products  incorporated  into  DoD
       information   systems  shall  be  configured  in  accordance  with  DoD-approved  security  configuration
       guidelines" and tasks Defense  Information  Systems  Agency  (DISA)  to  "develop  and  provide  security
       configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA."  The output
       of this authority is the DISA Security Technical Implementation Guides, or STIGs.  DISA  FSO  is  in  the
       process  of  moving  the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in
       order to "automate" compliance reporting of the STIGs.

       Through a common, shared vision, the SCAP Security Guide community enjoys  close  collaboration  directly
       with  NSA and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version
       1, Release 2, issued on 03-JUNE-2013:

       "The consensus content was developed using an open-source project called SCAP Security Guide. The
       project's website is https://www.open-scap.org/security-policies/scap-security-guide. Except for
       differences in formatting to accommodate the DISA STIG publishing process, the content of the Red Hat
       Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as
       updates from multiple sources work through the consensus process."

       The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the DoD Red Hat Enterprise
       Linux 6 STIG contains only XCCDF content and is available online:
       http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

       Content published on the iase.disa.mil website is authoritative STIG content. The SCAP Security Guide
       project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators make
       program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no
       blanket approval.

SEE ALSO

       oscap(8)

AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide