2. EL 6 ELS
  3. scap-security-guide
  4. scap-security-guide(8)

Scroll to navigation

scap-security-guide(8) System Manager's Manual scap-security-guide(8)

NAME

SCAP Security Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).

DESCRIPTION

The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provides prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

The projects homepage is located at: https://fedorahosted.org/scap-security-guide/

Red Hat Enterprise Linux 6 PROFILES

The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:

stig-rhel6-server-upstream

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). This profile was created as a collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For additional information relating to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/.

usgcb-rhel6-server
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.

NOTE: The following SCAP Security Guide kickstart files can be used to install a Red Hat Enterprise Linux 6 Server system that will be right after the completion of the installation compliant with the selected profile:

/usr/share/scap-security-guide/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg

/usr/share/scap-security-guide/kickstart/ssg-rhel6-stig-ks.cfg

/usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg

NOTE: While the current content maps to USGCB requirements, it has NOT been validated by NIST as of yet. This content should be considered draft, we are highly interested in feedback.

For additional information relating to USGCB, please refer to the NIST webpage at http://usgcb.nist.gov/usgcb_content.html.

Red Hat Enterprise Linux 7 PROFILES

The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:

stig-rhel7-server-upstream

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). This profile was created as a collaboration effort between the National Security Agency, DISA FSO, and Red Hat.

As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For additional information relating to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/.

rht-cpp

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a *draft* SCAP profile for Red Hat Certified Cloud Providers.

common

The common profile is intended to be used as a base, universal profile for scanning of general-purpose Red Hat Enterprise Linux systems.

Fedora PROFILES

The Fedora SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Currently available profile:

common

The common profile is intended to be used as a base, universal profile for scanning of general-purpose Fedora systems.

EXAMPLES

To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile:

oscap xccdf eval --profile stig-rhel6-server-upstream --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Additional details can be found on the projects wiki page: https://fedorahosted.org/scap-security-guide/wiki/usageguide

FILES

/usr/share/xml/scap/ssg/content/

Houses SCAP content utilizing the following naming conventions:

CPE_Dictionaries: ssg-{profile}-cpe-dictionary.xml

CPE_OVAL_Content: ssg-{profile}-cpe-oval.xml

OVAL_Content: ssg-{profile}-oval.xml

XCCDF_Content: ssg-{profile}-xccdf.xml

/usr/share/xml/scap/ssg/guides/

HTML versions of SSG profiles.

/usr/share/xml/scap/ssg/policytables/

HTML tables reflecting which institutionalized policy a particular SSG rule conforms to.

STATEMENT OF SUPPORT

The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an open source project, community participation extends into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided."

Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as maintainers and leaders, there is no commercial support contracts or service level agreements provided by Red Hat.

Support, for both users and developers, is provided through the SCAP Security Guide community.

Homepage: https://fedorahosted.org/scap-security-guide/

Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS

SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use Vendor produced SCAP content in absence of "Governmental Authority" checklists. The specific NIST verbage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority

DEPLOYMENT TO U.S. MILITARY SYSTEMS

DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA." The output of this authority is the DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to "automate" compliance reporting of the STIGs.

Through a common, shared vision, the SCAP Security Guide community enjoys close collaboration directly with NSA and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called SCAP Security Guide. The project's website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accomodate the DISA STIG publishing process, the content of the Red Hat Enterprise Linux 6 STIG should mirrot the SCAP Security Guide content with only minor divergence as updates from multiple sources work through the concensus process."

The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF content and is available online: http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

Content published against the iase.disa.mil website is authoritative STIG content. The SCAP Security Guide project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators make program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no blanket approval.

SEE ALSO

oscap(8)

AUTHOR

Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

26 Jan 2013 version 1