scap-security-guide(8) | System Manager's Manual | scap-security-guide(8) |
NAME
SCAP-Security-Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).
DESCRIPTION
The project provides practical security hardening advice and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements of the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.
The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Source Datastream: ssg-cs9-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
Protection Profile for General Purpose Operating Systems
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 9 profile.
Profiles in Guide to the Secure Configuration of EuroLinux 9
Source Datastream: ssg-eurolinux9-ds.xml
The Guide to the Secure Configuration of EuroLinux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
CIS EuroLinux OS 9 Benchmark for Level 2 - Server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® EuroLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12.
This profile includes Center for Internet Security® EuroLinux OS 9 CIS Benchmarks™ content.
CIS EuroLinux OS 9 Benchmark for Level 1 - Server
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® EuroLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12.
This profile includes Center for Internet Security® EuroLinux OS 9 CIS Benchmarks™ content.
CIS EuroLinux OS 9 Benchmark for Level 1 - Workstation
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® EuroLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12.
This profile includes Center for Internet Security® EuroLinux OS 9 CIS Benchmarks™ content.
CIS EuroLinux OS 9 Benchmark for Level 2 - Workstation
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® EuroLinux OS 9 Benchmark™, v1.0.0, released 2022-12-12.
This profile includes Center for Internet Security® EuroLinux OS 9 CIS Benchmarks™ content.
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
This profile configures EuroLinux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
This profile contains configuration checks for EuroLinux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
This profile configures EuroLinux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
This profile contains configuration checks for EuroLinux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning EuroLinux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
Protection Profile for General Purpose Operating Systems
This profile is part of EuroLinux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 9 profile.
Profiles in Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Source Datastream: ssg-rhel9-ds.xml
The Guide to the Secure Configuration of Red Hat Enterprise Linux 9 is broken into 'profiles', groupings of security settings that correlate to a known policy. Available profiles are:
ANSSI-BP-028 (enhanced)
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (high)
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (intermediary)
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
ANSSI-BP-028 (minimal)
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of:
(i) a basic security requirements section; (ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 9 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
Australian Cyber Security Centre (ACSC) Essential Eight
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
Australian Cyber Security Centre (ACSC) ISM Official
This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL.
The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile.
A copy of the ISM can be found at the ACSC website:
Protection Profile for General Purpose Operating Systems
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance documentation for Target of Evaluation based on Protection Profile for General Purpose Operating Systems (OSPP) version 4.2.1 and Functional Package for SSH version 1.0.
Where appropriate, CNSSI 1253 or DoD-specific values are used for configuration, based on Configuration Annex to the OSPP.
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
This is a draft profile based on its RHEL8 version for experimental purposes. It is not based on the DISA STIG for RHEL9, because this one was not available at time of the release.
In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 9 profile.
EXAMPLES
To scan your system utilizing the OpenSCAP utility against the ospp profile:
oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --oval-results /usr/share/xml/scap/ssg/content/ssg-{product}-xccdf.xml
Additional details can be found on the project's wiki page: https://www.github.com/ComplianceAsCode/content/wiki
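The scan above writes its per-rule outcomes to the file named by --results (here /tmp/<hostname>-ssg-results.xml). The following is an added example, not part of this manual page and not tooling shipped by the SCAP Security Guide project, that reads such a file and reports which rules of the chosen profile passed, which failed, and which were never evaluated on the host. It assumes the results document is XCCDF 1.2 (the schema oscap uses for the SSG datastreams). The embedded sample document is constructed for this example: the profile and rule identifiers follow the SSG naming scheme, but the outcomes are invented.

```python
"""Summarize an XCCDF results file written by `oscap xccdf eval --results`.

Added example, not code from the scap-security-guide manual or project.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Rank used to sort and filter findings; "unknown" covers rules without a severity attribute.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}
# Outcomes for which the rule was never actually evaluated against this host.
NOT_EVALUATED = {"notselected", "notapplicable", "notchecked", "informational"}
# Outcomes that need an operator's attention: a failed check, or a check that could not run.
ATTENTION = {"fail", "error", "unknown"}

# Constructed, shortened stand-in for a real results file (outcomes are invented).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_audit_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_usb_storage_disabled" severity="low">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def _q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree lookups."""
    return "{%s}%s" % (XCCDF_NS, tag)


def parse_rule_results(xml_text):
    """Return (profile id, list of {rule, severity, result}) from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    # oscap embeds the TestResult inside the Benchmark; accept a bare TestResult as well.
    test_result = root if root.tag == _q("TestResult") else next(root.iter(_q("TestResult")), None)
    if test_result is None:
        raise ValueError("no TestResult element found; was the file produced with --results?")
    profile_el = test_result.find(_q("profile"))
    profile = profile_el.get("idref") if profile_el is not None else None
    rows = []
    for rr in test_result.findall(_q("rule-result")):
        result_el = rr.find(_q("result"))
        outcome = (result_el.text or "").strip() if result_el is not None else ""
        rows.append({"rule": rr.get("idref"),
                     "severity": rr.get("severity", "unknown"),
                     "result": outcome or "unknown"})
    return profile, rows


def summarize(rows):
    """Count rule-results per outcome (pass, fail, notselected, ...)."""
    counts = {}
    for r in rows:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return counts


def evaluated(rows):
    """Only rules the profile selected and actually checked count towards the score."""
    return [r for r in rows if r["result"] not in NOT_EVALUATED]


def pass_rate(rows):
    """Fraction of evaluated rules that passed (or were auto-remediated)."""
    ev = evaluated(rows)
    return sum(1 for r in ev if r["result"] in ("pass", "fixed")) / len(ev) if ev else 0.0


def failing_rules(rows, min_severity="low"):
    """Rules needing attention, highest severity first, at or above min_severity."""
    floor = SEVERITY_RANK.get(min_severity, 0)
    fails = [r for r in rows
             if r["result"] in ATTENTION and SEVERITY_RANK.get(r["severity"], 0) >= floor]
    return sorted(fails, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["rule"]))


def main(argv):
    """Print a report; exit non-zero when a high-severity rule fails so a cron/CI job can flag the host."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS
    profile, rows = parse_rule_results(xml_text)
    print("profile:", profile)
    for outcome, n in sorted(summarize(rows).items()):
        print(f"  {outcome:<14}{n}")
    print(f"pass rate (evaluated rules only): {pass_rate(rows):.0%}")
    for r in failing_rules(rows):
        print(f"  [{r['severity']}] {r['result']}: {r['rule']}")
    return 1 if failing_rules(rows, "high") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 summarize.py /tmp/$(hostname)-ssg-results.xml` after a scan, or with no argument to see the report for the embedded sample. Rules with the outcomes notselected, notapplicable, notchecked and informational are excluded from the pass rate, since a profile that selects few rules would otherwise look deceptively good; error and unknown are grouped with fail because a check that could not run gives no assurance either.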
FILES
/usr/share/xml/scap/ssg/content
SCAP Source Datastreams: ssg-{product}-ds.xml
CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
CPE OVAL Content: ssg-{product}-cpe-oval.xml
OVAL Content: ssg-{product}-oval.xml
XCCDF Content: ssg-{product}-xccdf.xml
/usr/share/doc/scap-security-guide/guides/
/usr/share/scap-security-guide/ansible/
/usr/share/scap-security-guide/bash/
DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS
SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use vendor-produced SCAP content in the absence of "Governmental Authority" checklists. The specific NIST verbiage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
DEPLOYMENT TO U.S. MILITARY SYSTEMS
DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA." The output of this authority is the DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to "automate" compliance reporting of the STIGs.
Through a common, shared vision, the SCAP Security Guide community enjoys close collaboration directly with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:
"The consensus content was developed using an open-source project called SCAP Security Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-guide. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as updates from multiple sources work through the consensus process."
The DoD STIG for Red Hat Enterprise Linux 7, revision V2R4, was released in July 2019. Currently, the DoD Red Hat Enterprise Linux 7 STIG contains only XCCDF content and is available online: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
Content published against the public.cyber.mil website is authoritative STIG content. The SCAP Security Guide project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation content. Individual programs and C&A evaluators make program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no blanket approval.
SEE ALSO
AUTHOR
Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
26 Jan 2013 | version 1 |