Provided by: ssg-base_0.1.65-1_all 
NAME
SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation
mechanisms utilizing the Security Content Automation Protocol (SCAP).
DESCRIPTION
The project provides practical security hardening advice and also links it to compliance
requirements in order to ease deployment activities, such as certification and
accreditation. These include requirements in the U.S. government (Federal, Defense, and
Intelligence Community) as well as of the financial services and health care industries.
For example, high-level and widely-accepted policies such as NIST 800-53 provides prose
stating that System Administrators must audit "privileged user actions," but do not define
what "privileged actions" are. The SSG bridges the gap between generalized policy
requirements and specific implementation guidance, in SCAP formats to support automation
whenever possible.
The projects homepage is located at: https://www.open-scap.org/security-policies/scap-
security-guide
Profiles in Guide to the Secure Configuration of Alibaba Cloud Linux 2
Source Datastream: ssg-alinux2-ds.xml
The Guide to the Secure Configuration of Alibaba Cloud Linux 2 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
CIS Aliyun Linux 2 Benchmark for Level 2
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2" configuration from the
Center for Internet Security® Aliyun Linux 2 Benchmark™, v1.0.0, released
08-16-2019.
This profile includes Center for Internet Security® Aliyun Linux 2 CIS Benchmarks™
content.
CIS Aliyun Linux 2 Benchmark for Level 1
Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
This profile defines a baseline that aligns to the "Level 1" configuration from the
Center for Internet Security® Aliyun Linux 2 Benchmark™, v1.0.0, released
08-16-2019.
This profile includes Center for Internet Security® Aliyun Linux 2 CIS Benchmarks™
content.
Standard System Security Profile for Alibaba Cloud Linux 2
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Alibaba Cloud
Linux 2 system. Regardless of your system's workload all of these checks should
pass.
Profiles in Guide to the Secure Configuration of Alibaba Cloud Linux 3
Source Datastream: ssg-alinux3-ds.xml
The Guide to the Secure Configuration of Alibaba Cloud Linux 3 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
CIS Benchmark for Alibaba Cloud Linux 3 for Level 2
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2" configuration from the
Center for Internet Security® Alibaba Cloud Linux 3 Benchmark™, v1.0.0, released
08-16-2019.
This profile includes Center for Internet Security® Alibaba Cloud Linux 3
Benchmark™ content.
CIS Benchmark for Alibaba Cloud Linux 3 for Level 1
Profile ID: xccdf_org.ssgproject.content_profile_cis_l1
This profile defines a baseline that aligns to the "Level 1" configuration from the
Center for Internet Security® Alibaba Cloud Linux 3 Benchmark™, v1.0.0, released
08-16-2019.
This profile includes Center for Internet Security® Alibaba Cloud Linux 3
Benchmark™ content.
Standard System Security Profile for Alibaba Cloud Linux 3
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Alibaba Cloud
Linux 3 system. Regardless of your system's workload all of these checks should
pass.
Profiles in Guide to the Secure Configuration of Anolis OS 8
Source Datastream: ssg-anolis8-ds.xml
The Guide to the Secure Configuration of Anolis OS 8 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for Anolis OS 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Anolis OS 8
system.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Source Datastream: ssg-centos7-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Standard System Security Profile for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Red Hat
Enterprise Linux 7 system. Regardless of your system's workload all of these checks
should pass.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Source Datastream: ssg-centos8-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 8
Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 8
Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy
can be found at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST
800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication
800-53 controls identified for securing Controlled Unclassified Information (CUI)."
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 8 that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule
identified for securing of electronic protected health information. Use of this
profile in no way guarantees or makes claims against legal compliance against the
HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 8 that
align to the Australian Cyber Security Centre (ACSC) Information Security Manual
(ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide
to aligning Red Hat Enterprise Linux security controls with the ISM, which can be
used to select controls specific to an organisation's security posture and risk
profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S.
National Security Systems to adhere to certain configuration parameters.
Accordingly, this configuration profile is suitable for use in U.S. National
Security Systems.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
This profile contains the minimum security relevant configuration settings
recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by
Red Hat Certified Cloud Providers.
Standard System Security Profile for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Red Hat
Enterprise Linux 8 system. Regardless of your system's workload all of these checks
should pass.
DISA STIG for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat
Enterprise Linux 8 V1R8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 8 image
DISA STIG with GUI for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for
Red Hat Enterprise Linux 8 V1R8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 8 image
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Red Hat
Enterprise Linux 8 profile.
Profiles in Guide to the Secure Configuration of Chromium
Source Datastream: ssg-chromium-ds.xml
The Guide to the Secure Configuration of Chromium is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
Upstream STIG for Google Chromium
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG
process, serving as the upstream development environment for the Google Chromium
STIG.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-
guidance.
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Source Datastream: ssg-cs9-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations
(NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication
800-53 controls identified for securing Controlled Unclassified Information (CUI)."
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 9 that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule
identified for securing of electronic protected health information. Use of this
profile in no way guarantees or makes claims against legal compliance against the
HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 9 that
align to the Australian Cyber Security Centre (ACSC) Information Security Manual
(ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide
to aligning Red Hat Enterprise Linux security controls with the ISM, which can be
used to select controls specific to an organisation's security posture and risk
profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance
documentation for Target of Evaluation based on Protection Profile for General
Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH
version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration,
based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the DISA STIG for RHEL9, because this one was not available at time
of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 9 image
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the DISA STIG for RHEL9, because this one was not available at time
of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Red Hat
Enterprise Linux 9 profile.
Profiles in Guide to the Secure Configuration of Debian 10
Source Datastream: ssg-debian10-ds.xml
The Guide to the Secure Configuration of Debian 10 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive
information that can be accessible from unauthenticated or uncontroled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated
flows or multiple sources.
Standard System Security Profile for Debian 10
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Debian 10
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Debian 11
Source Datastream: ssg-debian11-ds.xml
The Guide to the Secure Configuration of Debian 11 is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive
information that can be accessible from unauthenticated or uncontroled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated
flows or multiple sources.
Standard System Security Profile for Debian 11
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Debian 11
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Amazon Elastic Kubernetes Service
Source Datastream: ssg-eks-ds.xml
The Guide to the Secure Configuration of Amazon Elastic Kubernetes Service is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node
Profile ID: xccdf_org.ssgproject.content_profile_cis-node
This profile defines a baseline that aligns to the Center for Internet Security®
Amazon Elastic Kubernetes Service (EKS) Benchmark™, V1.0.1.
This profile includes Center for Internet Security® Amazon Elastic Kubernetes
Service (EKS)™ content.
This profile is applicable to EKS 1.21 and greater.
CIS Amazon Elastic Kubernetes Service Benchmark - Platform
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the Center for Internet Security®
Amazon Elastic Kubernetes Service (EKS) Benchmark™, V1.0.1.
This profile includes Center for Internet Security® Amazon Elastic Kubernetes
Service (EKS)™ content.
This profile is applicable to EKS 1.21 and greater.
Profiles in Guide to the Secure Configuration of Fedora
Source Datastream: ssg-fedora-ds.xml
The Guide to the Secure Configuration of Fedora is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
OSPP - Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2).
As Fedora OS is moving target, this profile does not guarantee to provide security
levels required from US National Security Systems. Main goal of the profile is to
provide Fedora developers with hardened environment similar to the one mandated by
US National Security Systems.
PCI-DSS v3.2.1 Control Baseline for Fedora
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
Standard System Security Profile for Fedora
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Fedora
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Firefox
Source Datastream: ssg-firefox-ds.xml
The Guide to the Secure Configuration of Firefox is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
Mozilla Firefox STIG
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG
process, serving as the upstream development environment for the Firefox STIG.
As a result of the upstream/downstream relationship between the SCAP Security Guide
project and the official DISA FSO STIG baseline, users should expect variance
between SSG and DISA FSO content. For official DISA FSO STIG content, refer to
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-
guidance.
While this profile is packaged by Red Hat as part of the SCAP Security Guide
package, please note that commercial support of this SCAP content is NOT available.
This profile is provided as example SCAP content with no endorsement for
suitability or production readiness. Support for this profile is provided by the
upstream SCAP Security Guide community on a best-effort basis. The upstream project
homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Profiles in Guide to the Secure Configuration of Apple macOS 10.15
Source Datastream: ssg-macos1015-ds.xml
The Guide to the Secure Configuration of Apple macOS 10.15 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
NIST 800-53 Moderate-Impact Baseline for Apple macOS 10.15 Catalina
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline
configuration settings for deployment of Apple macOS 10.15 Catalina into U.S.
Defense, Intelligence, and Civilian agencies. Development partners and sponsors
include the U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, and the the National Security Agency.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
Profiles in Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Source Datastream: ssg-ocp4-ds.xml
The Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 is broken
into 'profiles', groupings of security settings that correlate to a known policy.
Available profiles are:
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis-node
This profile defines a baseline that aligns to the Center for Internet Security®
Red Hat OpenShift Container Platform 4 Benchmark™, V1.1.
This profile includes Center for Internet Security® Red Hat OpenShift Container
Platform 4 CIS Benchmarks™ content.
Note that this part of the profile is meant to run on the Operating System that Red
Hat OpenShift Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.6 and greater.
CIS Red Hat OpenShift Container Platform 4 Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the Center for Internet Security®
Red Hat OpenShift Container Platform 4 Benchmark™, V1.1.
This profile includes Center for Internet Security® Red Hat OpenShift Container
Platform 4 CIS Benchmarks™ content.
Note that this part of the profile is meant to run on the Platform that Red Hat
OpenShift Container Platform 4 runs on top of.
This profile is applicable to OpenShift versions 4.6 and greater.
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat OpenShift Container Platform
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_high-node
This compliance profile reflects the core set of High-Impact Baseline configuration
settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense,
Intelligence, and Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S. Department of
Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_high
This compliance profile reflects the core set of High-Impact Baseline configuration
settings for deployment of Red Hat OpenShift Container Platform into U.S. Defense,
Intelligence, and Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S. Department of
Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
Profile ID: xccdf_org.ssgproject.content_profile_moderate-node
This compliance profile reflects the core set of Moderate-Impact Baseline
configuration settings for deployment of Red Hat OpenShift Container Platform into
U.S. Defense, Intelligence, and Civilian agencies. Development partners and
sponsors include the U.S. National Institute of Standards and Technology (NIST),
U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline
configuration settings for deployment of Red Hat OpenShift Container Platform into
U.S. Defense, Intelligence, and Civilian agencies. Development partners and
sponsors include the U.S. National Institute of Standards and Technology (NIST),
U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection
(CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node
level
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip-node
This compliance profile reflects a set of security recommendations for the usage of
Red Hat OpenShift Container Platform in critical infrastructure in the energy
sector. This follows the recommendations coming from the following CIP standards:
- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection
(CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform -
Platform level
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
This compliance profile reflects a set of security recommendations for the usage of
Red Hat OpenShift Container Platform in critical infrastructure in the energy
sector. This follows the recommendations coming from the following CIP standards:
- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-node
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Profiles in Guide to the Secure Configuration of Oracle Linux 7
Source Datastream: ssg-ol7-ds.xml
The Guide to the Secure Configuration of Oracle Linux 7 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high
This profile contains configurations that align to ANSSI-BP-028 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy
can be found at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST
800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in non-federal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Oracle Linux 7 to the NIST Special Publication 800-53
controls identified for securing Controlled Unclassified Information (CUI).
[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 7 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Oracle Linux 7 to the HIPAA Security Rule identified for
securing of electronic protected health information. Use of this profile in no way
guarantees or makes claims against legal compliance against the HIPAA Security
Rule(s).
NIST National Checklist Program Security Guide
Profile ID: xccdf_org.ssgproject.content_profile_ncp
This compliance profile reflects the core set of security related configuration
settings for deployment of Oracle Linux 7 into U.S. Defense, Intelligence, and
Civilian agencies. Development partners and sponsors include the U.S. National
Institute of Standards and Technology (NIST), U.S. Department of Defense, the
National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST
Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections
for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline
(USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.2.1
(OSPP v4.2.1) - DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the OpenSCAP/SCAP Security Guide initiative, championed by the National Security
Agency. Except for differences in formatting to accommodate publishing processes,
this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences,
such as bugfixes, work through the consensus and release processes.
[DRAFT] Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S.
National Security Systems to adhere to certain configuration parameters.
Accordingly, this configuration profile is suitable for use in U.S. National
Security Systems.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
Security Profile of Oracle Linux 7 for SAP
Profile ID: xccdf_org.ssgproject.content_profile_sap
This profile contains rules for Oracle Linux 7 Operating System in compliance with
SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and
section 4.1.2.2. Regardless of your system's workload all of these checks should
pass.
Standard System Security Profile for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of Oracle Linux 7
system. Regardless of your system's workload all of these checks should pass.
DISA STIG for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Oracle
Linux V2R8.
DISA STIG with GUI for Oracle Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for
Oracle Linux V2R8.
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Oracle
Linux 7 profile.
Profiles in Guide to the Secure Configuration of Oracle Linux 8
Source Datastream: ssg-ol8-ds.xml
The Guide to the Secure Configuration of Oracle Linux 8 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy
can be found at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST
800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in non-federal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Oracle Linux 8 to the NIST Special Publication 800-53
controls identified for securing Controlled Unclassified Information (CUI).
[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 8 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for
securing of electronic protected health information. Use of this profile in no way
guarantees or makes claims against legal compliance against the HIPAA Security
Rule(s).
[DRAFT] Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S.
National Security Systems to adhere to certain configuration parameters.
Accordingly, this configuration profile is suitable for use in U.S. National
Security Systems.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
Standard System Security Profile for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of Oracle Linux 8
system. Regardless of your system's workload all of these checks should pass.
DISA STIG for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Oracle
Linux 8 V1R3.
DISA STIG with GUI for Oracle Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for
Oracle Linux V1R3.
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Oracle
Linux 8 profile.
Profiles in Guide to the Secure Configuration of Oracle Linux 9
Source Datastream: ssg-ol9-ds.xml
The Guide to the Secure Configuration of Oracle Linux 9 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced
hardening level. ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028
is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high
hardening level. ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028
is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary
hardening level. ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028
is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal
hardening level. ANSSI is the French National Information Security Agency, and
stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028
is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations
(NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Oracle Linux 9 to the NIST Special Publication 800-53
controls identified for securing Controlled Unclassified Information (CUI)."
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Oracle Linux 9 that align to the
Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Oracle Linux 9 to the HIPAA Security Rule identified for
securing of electronic protected health information. Use of this profile in no way
guarantees or makes claims against legal compliance against the HIPAA Security
Rule(s).
[DRAFT] Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile is part of Oracle Linux 9 Common Criteria Guidance documentation for
Target of Evaluation based on Protection Profile for General Purpose Operating
Systems (OSPP) version 4.2.1 and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration,
based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Standard System Security Profile for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of Oracle Linux 9
system. Regardless of your system's workload all of these checks should pass.
[DRAFT] DISA STIG for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig
This is a draft profile based on its OL8 version for experimental purposes. It is
not based on the DISA STIG for OL9, because this one was not available at time of
the release.
[DRAFT] DISA STIG with GUI for Oracle Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This is a draft profile based on its OL8 version for experimental purposes. It is
not based on the DISA STIG for OL9, because this one was not available at time of
the release.
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Oracle
Linux 9 profile.
Profiles in Guide to the Secure Configuration of openSUSE
Source Datastream: ssg-opensuse-ds.xml
The Guide to the Secure Configuration of openSUSE is broken into 'profiles', groupings of
security settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for openSUSE
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an openSUSE
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Source Datastream: ssg-rhcos4-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
DRAFT - ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
DRAFT - ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux CoreOS that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_high
This compliance profile reflects the core set of High-Impact Baseline configuration
settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense,
Intelligence, and Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S. Department of
Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_moderate
This compliance profile reflects the core set of Moderate-Impact Baseline
configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S.
Defense, Intelligence, and Civilian agencies. Development partners and sponsors
include the U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode initiative, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection
(CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS
Profile ID: xccdf_org.ssgproject.content_profile_nerc-cip
This compliance profile reflects a set of security recommendations for the usage of
Red Hat Enterprise Linux CoreOS in critical infrastructure in the energy sector.
This follows the recommendations coming from the following CIP standards:
- CIP-002-5 - CIP-003-8 - CIP-004-6 - CIP-005-6 - CIP-007-3 - CIP-007-6 - CIP-009-6
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Source Datastream: ssg-rhel7-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
C2S for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_C2S
This profile demonstrates compliance against the U.S. Government Commercial Cloud
Services (C2S) baseline.
This baseline was inspired by the Center for Internet Security (CIS) Red Hat
Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
For the SCAP Security Guide project to remain in compliance with CIS' terms and
conditions, specifically Restrictions(8), note there is no representation or claim
that the C2S profile will ensure a system is in compliance or consistency with the
CIS baseline.
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™,
v3.1.1, released 05-21-2021.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™,
v3.1.1, released 05-21-2021.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 7
Benchmark™, v3.1.1, released 05-21-2021.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 7
Benchmark™, v3.1.1, released 05-21-2021.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS
Benchmarks™ content.
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy
can be found at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST
800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in non-federal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication
800-53 controls identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 7 that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security Rule
identified for securing of electronic protected health information. Use of this
profile in no way guarantees or makes claims against legal compliance against the
HIPAA Security Rule(s).
NIST National Checklist Program Security Guide
Profile ID: xccdf_org.ssgproject.content_profile_ncp
This compliance profile reflects the core set of security related configuration
settings for deployment of Red Hat Enterprise Linux 7.x into U.S. Defense,
Intelligence, and Civilian agencies. Development partners and sponsors include the
U.S. National Institute of Standards and Technology (NIST), U.S. Department of
Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST
Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections
for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline
(USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.2.1
(OSPP v4.2.1) - DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the OpenSCAP/SCAP Security Guide initiative, championed by the National Security
Agency. Except for differences in formatting to accommodate publishing processes,
this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences,
such as bugfixes, work through the consensus and release processes.
OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S.
National Security Systems to adhere to certain configuration parameters.
Accordingly, this configuration profile is suitable for use in U.S. National
Security Systems.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
RHV hardening based on STIG for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
This profile contains configuration checks for Red Hat Virtualization based on the
the DISA STIG for Red Hat Enterprise Linux 7.
VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization
Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
This compliance profile reflects the core set of security related configuration
settings for deployment of Red Hat Enterprise Linux Hypervisor (RHELH) 7.x into
U.S. Defense, Intelligence, and Civilian agencies. Development partners and
sponsors include the U.S. National Institute of Standards and Technology (NIST),
U.S. Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST
800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S.
Government Configuration Baseline (USGCB) - NIAP Protection Profile for
Virtualization v1.0 (VPP v1.0)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode project, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
This profile contains the minimum security relevant configuration settings
recommended by Red Hat, Inc for Red Hat Enterprise Linux 7 instances deployed by
Red Hat Certified Cloud Providers.
Standard System Security Profile for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Red Hat
Enterprise Linux 7 system. Regardless of your system's workload all of these checks
should pass.
DISA STIG for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat
Enterprise Linux V3R9.
In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 7, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 7 image
DISA STIG with GUI for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for
Red Hat Enterprise Linux V3R9.
In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 7, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 7 image
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Red Hat
Enterprise Linux 7 profile.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Source Datastream: ssg-rhel8-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration
from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™,
v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 8
Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise Linux 8
Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS
Benchmarks™ content.
Criminal Justice Information Services (CJIS) Security Policy
Profile ID: xccdf_org.ssgproject.content_profile_cjis
This profile is derived from FBI's CJIS v5.4 Security Policy. A copy of this policy
can be found at the CJIS Security Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Unclassified Information in Non-federal Information Systems and Organizations (NIST
800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication
800-53 controls identified for securing Controlled Unclassified Information (CUI)."
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 8 that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule
identified for securing of electronic protected health information. Use of this
profile in no way guarantees or makes claims against legal compliance against the
HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 8 that
align to the Australian Cyber Security Centre (ACSC) Information Security Manual
(ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide
to aligning Red Hat Enterprise Linux security controls with the ISM, which can be
used to select controls specific to an organisation's security posture and risk
profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile reflects mandatory configuration controls identified in the NIAP
Configuration Annex to the Protection Profile for General Purpose Operating Systems
(Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires U.S.
National Security Systems to adhere to certain configuration parameters.
Accordingly, this configuration profile is suitable for use in U.S. National
Security Systems.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
This profile contains the minimum security relevant configuration settings
recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by
Red Hat Certified Cloud Providers.
Standard System Security Profile for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Red Hat
Enterprise Linux 8 system. Regardless of your system's workload all of these checks
should pass.
DISA STIG for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for Red Hat
Enterprise Linux 8 V1R8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 8 image
DISA STIG with GUI for Red Hat Enterprise Linux 8
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This profile contains configuration checks that align to the DISA STIG with GUI for
Red Hat Enterprise Linux 8 V1R8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 8 image
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Red Hat
Enterprise Linux 8 profile.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Source Datastream: ssg-rhel9-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 at the enhanced
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 at the intermediary
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the CIS benchmark for RHEL9, because this one was not available at
time of the release.
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations
(NIST 800-171)
Profile ID: xccdf_org.ssgproject.content_profile_cui
From NIST 800-171, Section 2.2: Security requirements for protecting the
confidentiality of CUI in nonfederal information systems and organizations have a
well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements
section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls in
NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication
800-53 controls identified for securing Controlled Unclassified Information (CUI)."
Australian Cyber Security Centre (ACSC) Essential Eight
Profile ID: xccdf_org.ssgproject.content_profile_e8
This profile contains configuration checks for Red Hat Enterprise Linux 9 that
align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC
website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-
workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule
identified for securing of electronic protected health information. Use of this
profile in no way guarantees or makes claims against legal compliance against the
HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
Profile ID: xccdf_org.ssgproject.content_profile_ism_o
This profile contains configuration checks for Red Hat Enterprise Linux 9 that
align to the Australian Cyber Security Centre (ACSC) Information Security Manual
(ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide
to aligning Red Hat Enterprise Linux security controls with the ISM, which can be
used to select controls specific to an organisation's security posture and risk
profile.
A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
Protection Profile for General Purpose Operating Systems
Profile ID: xccdf_org.ssgproject.content_profile_ospp
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance
documentation for Target of Evaluation based on Protection Profile for General
Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH
version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration,
based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the DISA STIG for RHEL9, because this one was not available at time
of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 9 image
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
Profile ID: xccdf_org.ssgproject.content_profile_stig_gui
This is a draft profile based on its RHEL8 version for experimental purposes. It
is not based on the DISA STIG for RHEL9, because this one was not available at time
of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
configuration baseline as applicable to the operating system tier of Red Hat
technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and
Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers
with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI) increases
your attack vector and decreases your overall security posture. If your Information
Systems Security Officer (ISSO) lacks a documented operational requirement for a
graphical user interface, please consider using the standard DISA STIG for Red Hat
Enterprise Linux 9 profile.
Profiles in Guide to the Secure Configuration of Red Hat Virtualization 4
Source Datastream: ssg-rhv4-ds.xml
The Guide to the Secure Configuration of Red Hat Virtualization 4 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
This *draft* profile contains configuration checks that align to the DISA STIG for
Red Hat Virtualization Host (RHVH).
VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)
Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
This compliance profile reflects the core set of security related configuration
settings for deployment of Red Hat Virtualization Host (RHVH) 4.x into U.S.
Defense, Intelligence, and Civilian agencies. Development partners and sponsors
include the U.S. National Institute of Standards and Technology (NIST), U.S.
Department of Defense, the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST
800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S.
Government Configuration Baseline (USGCB) - NIAP Protection Profile for
Virtualization v1.0 (VPP v1.0)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the scap-security-
guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode project, championed by the National Security Agency. Except
for differences in formatting to accommodate publishing processes, this profile
mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work
through the consensus and release processes.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Source Datastream: ssg-sl7-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Standard System Security Profile for Red Hat Enterprise Linux 7
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a Red Hat
Enterprise Linux 7 system. Regardless of your system's workload all of these checks
should pass.
Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 12
Source Datastream: ssg-sle12-ds.xml
The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration
from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.0.0,
released 04-27-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration
from the Center for Internet Security® SUSE Linux Enterprise 12 Benchmark™, v3.0.0,
released 04-27-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation"
configuration from the Center for Internet Security® SUSE Linux Enterprise 12
Benchmark™, v3.0.0, released 04-27-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® SUSE Linux Enterprise 12
Benchmark™, v3.0.0, released 04-27-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 12 CIS
Benchmarks™ content.
PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
Ensures PCI-DSS v4 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Standard System Security Profile for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a SUSE Linux
Enterprise 12 system. Regardless of your system's workload all of these checks
should pass.
DISA STIG for SUSE Linux Enterprise 12
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for SUSE
Linux Enterprise 12 V2R5.
Profiles in Guide to the Secure Configuration of SUSE Linux Enterprise 15
Source Datastream: ssg-sle15-ds.xml
The Guide to the Secure Configuration of SUSE Linux Enterprise 15 is broken into
'profiles', groupings of security settings that correlate to a known policy. Available
profiles are:
ANSSI-BP-028 (enhanced)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (high)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_high
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (intermediary)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the
intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
ANSSI-BP-028 (minimal)
Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal
hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence
nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a
configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-
a-un-systeme-gnulinux/
Only the components strictly necessary to the service provided by the system should
be installed. Those whose presence can not be justified should be disabled,
removed or deleted. Performing a minimal install is a good starting point, but
doesn't provide any assurance over any package installed later. Manual review is
required to assess if the installed services are minimal.
CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis
This profile defines a baseline that aligns to the "Level 2 - Server" configuration
from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.0,
released 09-17-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Profile ID: xccdf_org.ssgproject.content_profile_cis_server_l1
This profile defines a baseline that aligns to the "Level 1 - Server" configuration
from the Center for Internet Security® SUSE Linux Enterprise 15 Benchmark™, v1.1.0,
released 09-17-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l1
This profile defines a baseline that aligns to the "Level 1 - Workstation"
configuration from the Center for Internet Security® SUSE Linux Enterprise 15
Benchmark™, v1.1.0, released 09-17-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS
Benchmarks™ content.
CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
Profile ID: xccdf_org.ssgproject.content_profile_cis_workstation_l2
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® SUSE Linux Enterprise 15
Benchmark™, v1.1.0, released 09-17-2021.
This profile includes Center for Internet Security® SUSE Linux Enterprise 15 CIS
Benchmarks™ content.
Health Insurance Portability and Accountability Act (HIPAA)
Profile ID: xccdf_org.ssgproject.content_profile_hipaa
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the confidentiality,
integrity, and security of electronic protected health information.
This profile contains configuration checks that align to the HIPPA Security Rule
for SUSE Linux Enterprise 15 V1R3.
PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss-4
Ensures PCI-DSS v4 security configuration settings are applied.
PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP
Applications 15
Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening-sap
This profile contains configuration rules to be used to harden the images of SUSE
Linux Enterprise Server (SLES) for SAP Applications 15 including all Service Packs,
for Public Cloud providers, currently AWS, Microsoft Azure, and Google Cloud.
Public Cloud Hardening for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_pcs-hardening
This profile contains configuration checks to be used to harden SUSE Linux
Enterprise 15 for use with public cloud providers.
Standard System Security Profile for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a SUSE Linux
Enterprise 15 system based off of the SUSE Hardening Guide. Regardless of your
system's workload all of these checks should pass.
DISA STIG for SUSE Linux Enterprise 15
Profile ID: xccdf_org.ssgproject.content_profile_stig
This profile contains configuration checks that align to the DISA STIG for SUSE
Linux Enterprise 15 V1R4.
Profiles in Guide to the Secure Configuration of Ubuntu 16.04
Source Datastream: ssg-ubuntu1604-ds.xml
The Guide to the Secure Configuration of Ubuntu 16.04 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive
information that can be accessible from unauthenticated or uncontroled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated
flows or multiple sources.
Standard System Security Profile for Ubuntu 16.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Ubuntu 16.04
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Ubuntu 18.04
Source Datastream: ssg-ubuntu1804-ds.xml
The Guide to the Secure Configuration of Ubuntu 18.04 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
This profile contains items for GNU/Linux installations already protected by
multiple higher level security stacks.
Profile for ANSSI DAT-NT28 High (Enforced) Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
This profile contains items for GNU/Linux installations storing sensitive
information that can be accessible from unauthenticated or uncontroled networks.
Profile for ANSSI DAT-NT28 Minimal Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
This profile contains items to be applied systematically.
Profile for ANSSI DAT-NT28 Restrictive Level
Profile ID: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
This profile contains items for GNU/Linux installations exposed to unauthenticated
flows or multiple sources.
CIS Ubuntu 18.04 LTS Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis
This baseline aligns to the Center for Internet Security Ubuntu 18.04 LTS
Benchmark, v1.0.0, released 08-13-2018.
Standard System Security Profile for Ubuntu 18.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Ubuntu 18.04
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of Ubuntu 20.04
Source Datastream: ssg-ubuntu2004-ds.xml
The Guide to the Secure Configuration of Ubuntu 20.04 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
CIS Ubuntu 20.04 Level 1 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 20.04 Level 1 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 20.04 Level 2 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 20.04 Level 2 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
Standard System Security Profile for Ubuntu 20.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Ubuntu 20.04
system. Regardless of your system's workload all of these checks should pass.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R1
Profile ID: xccdf_org.ssgproject.content_profile_stig
This Security Technical Implementation Guide is published as a tool to improve the
security of Department of Defense (DoD) information systems. The requirements are
derived from the National Institute of Standards and Technology (NIST) 800-53 and
related documents.
Profiles in Guide to the Secure Configuration of Ubuntu 22.04
Source Datastream: ssg-ubuntu2204-ds.xml
The Guide to the Secure Configuration of Ubuntu 22.04 is broken into 'profiles', groupings
of security settings that correlate to a known policy. Available profiles are:
CIS Ubuntu 22.04 Level 1 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_server
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 22.04 Level 1 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 22.04 Level 2 Server Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_server
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
CIS Ubuntu 22.04 Level 2 Workstation Benchmark
Profile ID: xccdf_org.ssgproject.content_profile_cis_level2_workstation
This baseline aligns to the Center for Internet Security Ubuntu 22.04 LTS
Benchmark, v1.0.0, released 07-21-2020.
Standard System Security Profile for Ubuntu 22.04
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of an Ubuntu 22.04
system. Regardless of your system's workload all of these checks should pass.
Profiles in Guide to the Secure Configuration of UnionTech OS Server 20
Source Datastream: ssg-uos20-ds.xml
The Guide to the Secure Configuration of UnionTech OS Server 20 is broken into 'profiles',
groupings of security settings that correlate to a known policy. Available profiles are:
Standard System Security Profile for UnionTech OS Server 20
Profile ID: xccdf_org.ssgproject.content_profile_standard
This profile contains rules to ensure standard security baseline of a UnionTech OS
Server 20 system. Regardless of your system's workload all of these checks should
pass.
EXAMPLES
To scan your system utilizing the OpenSCAP utility against the ospp profile:
oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report
/tmp/`hostname`-ssg-results.html --oval-results
/usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
Additional details can be found on the projects wiki page:
https://www.github.com/ComplianceAsCode/content/wiki
FILES
/usr/share/xml/scap/ssg/content
Houses SCAP content utilizing the following naming conventions:
SCAP Source Datastreams: ssg-{product}-ds.xml
CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
CPE OVAL Content: ssg-{product}-cpe-oval.xml
OVAL Content: ssg-{product}-oval.xml
XCCDF Content: ssg-{product}-xccdf.xml
/usr/share/doc/scap-security-guide/guides/
HTML versions of SSG profiles.
/usr/share/scap-security-guide/ansible/
Contains Ansible Playbooks for SSG profiles.
/usr/share/scap-security-guide/bash/
Contains Bash remediation scripts for SSG profiles.
DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS
SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance
from the U.S. National Institute of Standards and Technology (NIST), U.S. Government
programs are allowed to use Vendor produced SCAP content in absence of "Governmental
Authority" checklists. The specific NIST verbage:
http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
DEPLOYMENT TO U.S. MILITARY SYSTEMS
DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated
into DoD information systems shall be configured in accordance with DoD-approved security
configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop
and provide security configuration guidance for IA and IA-enabled IT products in
coordination with Director, NSA." The output of this authority is the DISA Security
Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs
towards the use of the NIST Security Content Automation Protocol (SCAP) in order to
"automate" compliance reporting of the STIGs.
Through a common, shared vision, the SCAP Security Guide community enjoys close
collaboration directly with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red
Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:
"The consensus content was developed using an open-source project called SCAP Security
Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-
guide. Except for differences in formatting to accommodate the DISA STIG publishing
process, the content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP
Security Guide content with only minor divergence as updates from multiple sources work
through the consensus process."
The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was released in July 2019
Currently, the DoD Red Hat Enterprise Linux 7 STIG contains only XCCDF content and is
available online: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-
systems%2Cunix-linux
Content published against the public.cyber.mil website is authoritative STIG content. The
SCAP Security Guide project, as noted in the STIG overview, is considered upstream
content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation
content. Individual programs and C&A evaluators make program-level determinations on the
direct usage of the SCAP Security Guide. Currently there is no blanket approval.
SEE ALSO
oscap(8)
AUTHOR
Please direct all questions to the SSG mailing list:
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide