CCN-STIC - Security of Information and Communication Technologies

The National Cryptologic Centre of Spain (Centro Criptológico Nacional - CCN), which is part of the National Intelligence Centre of Spain (Centro Nacional de Inteligencia - CNI), issues the Security of Information and Communication Technologies Guides (Seguridad de las Tecnologías de la Información y Comunicaciones - STIC). These documents provide guidance for hardening the security of ICT systems, in particular to comply with the Spanish National Security Framework (Esquema Nacional de Seguridad - ENS).

Built-in compliance capabilities

Red Hat products have built-in capabilities that help you to align with the CCN-STIC policy. By using integrations with the system management solutions available in our portfolio, you can align the configuration of the machine with the requirements. However, the result is not full compliance - you always need to review the results and take the context of your specific deployment into account.

Red Hat Enterprise Linux

The latest available version of the CCN-STIC policy is 2022-10, provided in SCAP Security Guide 0.1.69 and later versions.

To configure RHEL systems, use only the profile provided in the particular minor release of RHEL. This is because the hardening components and Security Content Automation Protocol (SCAP) content might not be compatible with earlier versions. 

Use the following profile ID to align your RHEL system with CCN-STIC at the specific level:

You can install the system already pre-configured to CCN-STIC by using RHEL image builder:

• RHEL 9: Creating pre-hardened images with RHEL image builder OpenSCAP integration

Note that this is integrated also in the Red Hat Insights, linked below.

If you prefer a kickstart-based installation, the method is described in the RHEL security guide:

• RHEL 9: Kickstart-based installation of compliant systems

You can build and deploy hardened bootable images pre-configured to CCN-STIC for RHEL Image mode:

• RHEL 9: Security hardening and compliance of bootable images

You can check the system configuration during runtime by using the OpenSCAP command-line tool:

• RHEL 9: Scanning the system for configuration compliance and vulnerabilities

Red Hat Satellite

You can plan and configure compliance policies, deploy the policies to hosts, and monitor the compliance of your hosts in Red Hat Satellite. For more information, see the product documentation:

• Managing Security Compliance (Red Hat Satellite)

Red Hat Insights for RHEL

You can create and manage your custom security policies entirely within the compliance service UI, as well as monitor the compliance state of your systems, remediate any discrepancies, and use the custom security policies in image builder to deploy additional systems:

• Managing SCAP security policies in the Insights for RHEL compliance service

Security Profiling Application Guide for Red Hat Enterprise Linux 9 (Spanish)