Provided by: ssg-base_0.1.39-2_all

NAME

       SCAP-Security-Guide  -  Delivers  security  guidance,  baselines,  and  associated  validation mechanisms
       utilizing the Security Content Automation Protocol (SCAP).

DESCRIPTION

       The project provides practical security hardening advice for Red Hat  products,  and  also  links  it  to
       compliance  requirements in order to ease deployment activities, such as certification and accreditation.
       These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as  well
       as  of  the  financial  services  and health care industries. For example, high-level and widely-accepted
       policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged
       user  actions,"  but  do  not  define  what  "privileged  actions"  are.  The SSG bridges the gap between
       generalized policy requirements  and  specific  implementation  guidance,  in  SCAP  formats  to  support
       automation whenever possible.

       The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide

Red Hat Enterprise Linux 6 PROFILES

       The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,' groupings of security settings that
       correlate to a known policy. Available profiles are:

       C2S
              The  C2S  profile  demonstrates  compliance  against the U.S. Government Commercial Cloud Services
              (C2S) baseline.

              This baseline was inspired by the Center for Internet Security (CIS) Red Hat  Enterprise  Linux  7
              Benchmark,  v1.1.0 - 04-02-2015.  For the SCAP Security Guide project to remain in compliance with
              CIS' terms and conditions, specifically Restrictions(8), note there is no representation or  claim
              that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

       CS2
              The CS2 profile is an example of a customized server profile.

       CSCF-RHEL6-MLS
              The  CSCF RHEL6 MLS Core Baseline profile reflects the Centralized Super Computing Facility (CSCF)
              baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD
              503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be  considered  in
              active  development.   Additional tailoring will be needed, such as the creation of RBAC roles for
              production deployment.

       desktop
              The Desktop Baseline profile is for a desktop installation of Red Hat Enterprise Linux 6.

       fisma-medium-rhel6-server
              A FISMA Medium profile for Red Hat Enterprise Linux 6

       ftp
              A profile for FTP servers

       nist-cl-il-al
              The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6 Profile follows the
              Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and
              Control Selection for National Security Systems," on security controls to meet low confidentiality,
              low integrity, and low assurance.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 6 is a *draft* profile for
              PCI-DSS v3.

       rht-ccp
              The  Red  Hat  Corporate  Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP
              profile for Red Hat Certified Cloud Providers.

       server
              The Server Baseline profile is for Red Hat Enterprise Linux 6 acting as a server.

       standard
              The Standard System Security Profile contains rules to ensure a standard security baseline of a
              Red Hat Enterprise Linux 6 system. Regardless of your system's workload, all of these checks should
              pass.

       stig-rhel6-disa
              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This  profile  is  being  developed under the DoD consensus model to become a STIG in coordination
              with DISA FSO.

       usgcb-rhel6-server
              The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create
              security configuration baselines for Information Technology products widely  deployed  across  the
              federal  agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate.
              The USGCB is a Federal government-wide initiative that  provides  guidance  to  agencies  on  what
              should  be  done to improve and maintain an effective configuration settings focusing primarily on
              security.

              NOTE: While the current content maps to USGCB requirements, it has NOT been validated by NIST as
              of yet. This content should be considered draft; we are highly interested in feedback.

              For   additional   information   relating   to   USGCB,  please  refer  to  the  NIST  webpage  at
              http://usgcb.nist.gov/usgcb_content.html.

Red Hat Enterprise Linux 7 PROFILES

       The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,' groupings of security settings that
       correlate to a known policy. Available profiles are:

       C2S
              The C2S profile demonstrates compliance against the  U.S.  Government  Commercial  Cloud  Services
              (C2S) baseline.

              This  baseline  was  inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7
              Benchmark, v1.1.0 - 04-02-2015.  For the SCAP Security Guide project to remain in compliance  with
              CIS'  terms and conditions, specifically Restrictions(8), note there is no representation or claim
              that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.

       cjis-rhel7-server
              The Criminal Justice Information Services Security Policy is a *draft* profile for CJIS v5.4. The
              scope of this profile is to configure Red Hat Enterprise Linux 7 against the U.S. Department of
              Justice, FBI CJIS Security Policy.

       common
              The common  profile is intended to be used as a base, universal profile for scanning  of  general-
              purpose Red Hat Enterprise Linux systems.

       docker-host
              The Standard Docker Host Security Profile contains rules to ensure a standard security baseline of
              a Red Hat Enterprise Linux 7 system running the docker daemon. This discussion is currently being
              held on open-scap-list@redhat.com and scap-security-guide@lists.fedorahosted.org.

       ospp
              This  profile  is  developed  in  partnership  with  the  U.S.  National  Institute of Science and
              Technology (NIST), U.S. Department of Defense, the National Security  Agency,  and  Red  Hat.  The
              USGCB is intended to be the core set of security-related configuration settings with which all
              federal agencies should comply.

       pci-dss
              The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 7 is a *draft* profile for
              PCI-DSS v3.

       rht-ccp
              The  Red  Hat  Corporate  Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP
              profile for Red Hat Certified Cloud Providers.

       standard
              The Standard System Security Profile contains rules to ensure a standard security baseline of a
              Red Hat Enterprise Linux 7 system. Regardless of your system's workload, all of these checks should
              pass.

       stig-rhel7-disa
              The DISA STIG for Red Hat Enterprise Linux 7 Server V1R4.

              The Security Technical Implementation Guides (STIGs) and the  NSA  Guides  are  the  configuration
              standards  for  DOD  IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations
              (FSO) has played a critical role enhancing the security  posture  of  DoD's  security  systems  by
              providing  the  Security  Technical  Implementation  Guides (STIGs). This profile was created as a
              collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

              As a result of the upstream/downstream relationship between the SCAP Security  Guide  project  and
              the  official  DISA  FSO  STIG  baseline,  users  should  expect variance between SSG and DISA FSO
              content. For additional information relating to STIGs, please refer to the  DISA  FSO  webpage  at
              http://iase.disa.mil/stigs/

              While  this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
              that commercial support of this SCAP content is NOT available. This profile is provided as example
              SCAP content with no endorsement for suitability or production readiness. Support for this profile
              is provided by the upstream SCAP Security Guide community on a  best-effort  basis.  The  upstream
              project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

              This profile is developed under the DoD consensus model to become a STIG in coordination with DISA
              FSO.

       nist-800-171-cui
              Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

              From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in
              nonfederal  information  systems and organizations have a well-defined structure that consists of:
              (i) a basic security requirements section; and (ii) a derived security requirements  section.  The
              basic  security requirements are obtained from FIPS Publication 200, which provides the high-level
              and fundamental security requirements for federal information and information systems. The derived
              security requirements, which supplement the  basic  security  requirements,  are  taken  from  the
              security controls in NIST Special Publication 800-53.

              This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls
              identified for securing Controlled Unclassified Information (CUI).

Fedora PROFILES

       The Fedora SSG content is broken into 'profiles,' groupings of security settings that correlate to a
       known policy. Currently available profiles are:

       common
              The common profile is intended to be used as a base, universal profile for  scanning  of  general-
              purpose Fedora systems.

       standard
              The Standard System Security Profile contains rules to ensure a standard security baseline of a
              Fedora system. Regardless of your system's workload, all of these checks should pass.

EXAMPLES

       To scan your system utilizing the OpenSCAP utility against the ospp profile:

       oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
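       The file named by --results is XCCDF XML, which a scheduled job or configuration-management run will
       usually want to inspect directly rather than through the HTML report. The following Python script is an
       added example and is not code from this man page or from the scap-security-guide project: it parses the
       XCCDF 1.2 TestResult element, tallies the outcome of every rule, lists the rules whose result is fail,
       error or unknown (highest severity first), and exits non-zero when any such rule exists, so a scan can
       gate further automation. The embedded results document, its target name and its rule ids are constructed
       placeholders in the SSG naming style; the full profile id form is assumed, not taken from the page.

```python
#!/usr/bin/env python3
"""Summarize an XCCDF results file written by `oscap xccdf eval --results`.

Added example, not part of the scap-security-guide man page or project.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Outcomes that mean the host is not known to satisfy the rule.
NEEDS_ATTENTION = {"fail", "error", "unknown"}

# Constructed sample results: a minimal XCCDF 1.2 TestResult in the shape
# oscap writes. Rule ids, target and benchmark id are illustrative
# placeholders in the SSG naming style, not taken from real SSG content.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <target>example-host</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_auditd_running" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_root_ssh_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_removable_media" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_unselected_rule" severity="low">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_broken_check" severity="medium">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return {"profile", "target", "rules"} from XCCDF results XML.

    "rules" is a list of (rule_id, severity, result) tuples, one per
    rule-result element, in document order.
    """
    root = ET.fromstring(xml_text)
    # oscap appends the TestResult to the Benchmark it evaluated, so search
    # the whole tree instead of assuming a particular root element.
    test_result = root.find(".//xccdf:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    profile = test_result.find("xccdf:profile", XCCDF_NS)
    target = test_result.find("xccdf:target", XCCDF_NS)
    rules = []
    for rr in test_result.findall("xccdf:rule-result", XCCDF_NS):
        result = rr.find("xccdf:result", XCCDF_NS)
        outcome = result.text.strip() if result is not None and result.text else "unknown"
        rules.append((rr.get("idref", ""), rr.get("severity", "unknown"), outcome))
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": target.text if target is not None else None,
        "rules": rules,
    }


def summarize(rules):
    """Count rule outcomes (pass, fail, notapplicable, notselected, ...)."""
    return Counter(result for _, _, result in rules)


def failing_rules(rules):
    """Rules whose outcome needs attention, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [r for r in rules if r[2] in NEEDS_ATTENTION]
    return sorted(hits, key=lambda r: (order.get(r[1], 3), r[0]))


def main(argv):
    """Print a summary; return 2 if any rule needs attention, else 0."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS  # no path given: use the constructed sample
    parsed = parse_results(xml_text)
    print(f"profile: {parsed['profile']}  target: {parsed['target']}")
    for outcome, count in sorted(summarize(parsed["rules"]).items()):
        print(f"  {outcome:14s} {count}")
    hits = failing_rules(parsed["rules"])
    for rule_id, severity, result in hits:
        print(f"{result.upper():7s} [{severity}] {rule_id}")
    return 2 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Run it as `python3 ssg-results.py /tmp/$(hostname)-ssg-results.xml` after the oscap command above; with no
       argument it processes the embedded sample. Rules reported as notapplicable or notselected are counted but
       not treated as failures, while error and unknown are, since a check that could not run gives no evidence
       that the control is in place.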

       Additional details can be found on the project's wiki page: https://www.github.com/OpenSCAP/scap-security-guide/wiki

FILES

       /usr/share/xml/scap/ssg/content
              Houses SCAP content utilizing the following naming conventions:

              CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml

              CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml

              OVAL_Content: ssg-{profile}-oval.xml

              XCCDF_Content: ssg-{profile}-xccdf.xml

       /usr/share/doc/scap-security-guide/guides/
              HTML versions of SSG profiles.

STATEMENT OF SUPPORT

       The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF
       and  OVAL  content  for  Red Hat technologies. As an open source project, community participation extends
       into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

       SCAP Security Guide is provided to consumers through Red Hat's Extended  Packages  for  Enterprise  Linux
       (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided."

       Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as
       maintainers and leaders, there are no commercial support contracts or service level agreements provided by
       Red Hat.

       Support, for both users and developers, is provided through the SCAP Security Guide community.

       Homepage: https://www.open-scap.org/security-policies/scap-security-guide

       Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

       SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S.
       National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use vendor
       produced SCAP content in the absence of "Governmental Authority" checklists. The specific NIST verbiage:
       http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority

DEPLOYMENT TO U.S. MILITARY SYSTEMS

       DoD Directive (DoDD) 8500.1 requires that "all IA  and  IA-enabled  IT  products  incorporated  into  DoD
       information   systems  shall  be  configured  in  accordance  with  DoD-approved  security  configuration
       guidelines" and tasks Defense  Information  Systems  Agency  (DISA)  to  "develop  and  provide  security
       configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA."  The output
       of  this  authority  is  the  DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in the
       process of moving the STIGs towards the use of the NIST Security Content Automation  Protocol  (SCAP)  in
       order to "automate" compliance reporting of the STIGs.

       Through  a  common,  shared vision, the SCAP Security Guide community enjoys close collaboration directly
       with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6  STIG  Overview,
       Version 1, Release 2, issued on 03-JUNE-2013:

       "The  consensus  content  was  developed  using  an  open-source  project called SCAP Security Guide. The
       project's  website  is   https://www.open-scap.org/security-policies/scap-security-guide.    Except   for
       differences  in  formatting  to  accommodate the DISA STIG publishing process, the content of the Red Hat
       Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as
       updates from multiple sources work through the consensus process."

       The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the DoD Red Hat Enterprise
       Linux 6 STIG contains only XCCDF content and is available online:
       http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

       Content published against the iase.disa.mil website is authoritative  STIG  content.  The  SCAP  Security
       Guide  project,  as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP
       Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators  make
       program-level  determinations  on  the  direct  usage  of the SCAP Security Guide.  Currently there is no
       blanket approval.

SEE ALSO

       oscap(8)

AUTHOR

       Please direct all questions to the SSG mailing list:
       https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

version 1                                          26 Jan 2013                            scap-security-guide(8)