Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 7. Scanning the system for configuration compliance and vulnerabilities

A compliance audit is a process of determining whether a given object follows all the rules specified in a compliance policy. The compliance policy is defined by security professionals who specify the required settings, often in the form of a checklist, that a computing environment should use.

Compliance policies can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of each system and its importance for the organization. Custom software settings and deployment characteristics also raise a need for custom policy checklists.

7.1. Configuration compliance tools in RHEL

You can perform a fully automated compliance audit in Red Hat Enterprise Linux by using the following configuration compliance tools. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

SCAP Workbench
The scap-workbench graphical utility is designed to perform configuration and vulnerability scans on a single local or remote system. You can also use it to generate security reports based on these scans and evaluations.
OpenSCAP

The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.

Important

You can experience memory-consumption problems while using OpenSCAP, which can cause stopping the program prematurely and prevent generating any result files. See the OpenSCAP memory-consumption problems Knowledgebase article for details.

SCAP Security Guide (SSG)
The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
Script Check Engine (SCE)
With SCE, which is an extension to the SCAP protocol, administrators can write their security content by using a scripting language, such as Bash, Python, and Ruby. The SCE extension is provided in the openscap-engine-sce package. The SCE itself is not part of the SCAP standard.

To perform automated compliance audits on multiple systems remotely, you can use the OpenSCAP solution for Red Hat Satellite.

Additional resources

7.2. Vulnerability scanning

7.2.1. Red Hat Security Advisories OVAL feed

Red Hat Enterprise Linux security auditing capabilities are based on the Security Content Automation Protocol (SCAP) standard. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

SCAP specifications create an ecosystem where the format of security content is well-known and standardized although the implementation of the scanner or policy editor is not mandated. This enables organizations to build their security policy (SCAP content) once, no matter how many security vendors they employ.

The Open Vulnerability Assessment Language (OVAL) is the essential and oldest component of SCAP. Unlike other tools and custom scripts, OVAL describes a required state of resources in a declarative manner. OVAL code is never executed directly but using an OVAL interpreter tool called scanner. The declarative nature of OVAL ensures that the state of the assessed system is not accidentally modified.

Like all other SCAP components, OVAL is based on XML. The SCAP standard defines several document formats. Each of them includes a different kind of information and serves a different purpose.

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers. It provides timely and concise patches and security advisories on the Red Hat Customer Portal. Red Hat creates and supports OVAL patch definitions, providing machine-readable versions of our security advisories.

Because of differences between platforms, versions, and other factors, Red Hat Product Security qualitative severity ratings of vulnerabilities do not directly align with the Common Vulnerability Scoring System (CVSS) baseline ratings provided by third parties. Therefore, we recommend that you use the RHSA OVAL definitions instead of those provided by third parties.

The RHSA OVAL definitions are available individually and as a complete package, and are updated within an hour of a new security advisory being made available on the Red Hat Customer Portal.

Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Because an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its Common Vulnerabilities and Exposures (CVE) name and has a link to its entry in our public bug database.

The RHSA OVAL definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks, for example, to find out if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third-party software.

Note

The Red Hat Insights for Red Hat Enterprise Linux compliance service helps IT security and compliance administrators to assess, monitor, and report on the security policy compliance of Red Hat Enterprise Linux systems. You can also create and manage your SCAP security policies entirely within the compliance service UI.

Additional resources

7.2.2. Scanning the system for vulnerabilities

The oscap command-line utility enables you to scan local systems, validate configuration compliance content, and generate reports and guides based on these scans and evaluations. This utility serves as a front end to the OpenSCAP library and groups its functionalities to modules (sub-commands) based on the type of SCAP content it processes.

Prerequisites

  • The openscap-scanner and bzip2 packages are installed.

Procedure

  1. Download the latest RHSA OVAL definitions for your system: 

    # wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml

  2. Scan the system for vulnerabilities and save results to the vulnerability.html file: 

    # oscap oval eval --report vulnerability.html rhel-8.oval.xml

Verification

  • Check the results in a browser of your choice, for example: 

    $ firefox vulnerability.html &

Additional resources

7.2.3. Scanning remote systems for vulnerabilities

You can check also remote systems for vulnerabilities with the OpenSCAP scanner using the oscap-ssh tool over the SSH protocol.

Prerequisites

  • The openscap-utils and bzip2 packages are installed on the system you use for scanning.
  • The openscap-scanner package is installed on the remote systems.
  • The SSH server is running on the remote systems.

Procedure

  1. Download the latest RHSA OVAL definitions for your system: 

    # wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml

  2. Scan a remote system with the machine1 host name, SSH running on port 22, and the joesec user name for vulnerabilities and save results to the remote-vulnerability.html file: 

    # oscap-ssh joesec@machine1 22 oval eval --report remote-vulnerability.html rhel-8.oval.xml

Additional resources

7.3. Configuration compliance scanning

7.3.1. Configuration compliance in RHEL

You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you work with the US government, you might have to align your systems with the Operating System Protection Profile (OSPP), and if you are a payment processor, you might have to align your systems with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.

Red Hat recommends you follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.

The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.

Important

Performing a configuration compliance scanning does not guarantee the system is compliant.

The SCAP Security Guide suite provides profiles for several platforms in a form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules.

Structure of compliance scanning resources

Data stream
   ├── xccdf
   |      ├── benchmark
   |            ├── profile
   |            |    ├──rule reference
   |            |    └──variable
   |            ├── rule
   |                 ├── human readable data
   |                 ├── oval reference
   ├── oval          ├── ocil reference
   ├── ocil          ├── cpe reference
   └── cpe           └── remediation

A profile is a set of rules based on a security policy, such as OSPP, PCI-DSS, and Health Insurance Portability and Accountability Act (HIPAA). This enables you to audit the system in an automated way for compliance with security standards.

You can modify (tailor) a profile to customize certain rules, for example, password length. For more information about profile tailoring, see Customizing a security profile with SCAP Workbench.

7.3.2. Possible results of an OpenSCAP scan

Depending on the data stream and profile applied to an OpenSCAP scan, as well as various properties of your system, each rule may produce a specific result. These are the possible results with brief explanations of their meanings:

Pass
The scan did not find any conflicts with this rule.
Fail
The scan found a conflict with this rule.
Not checked
OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
Not applicable
This rule does not apply to the current configuration.
Not selected
This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
Error
The scan encountered an error. For additional information, you can enter the oscap command with the --verbose DEVEL option. Consider opening a bug report.
Unknown
The scan encountered an unexpected situation. For additional information, you can enter the oscap command with the `--verbose DEVEL option. Consider opening a bug report.

7.3.3. Viewing profiles for configuration compliance

Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions using the oscap info subcommand.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with security compliance profiles provided by the SCAP Security Guide project: 

    $ ls /usr/share/xml/scap/ssg/content/
ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ocil.xml
ssg-firefox-cpe-oval.xml        ssg-rhel6-oval.xml
...
ssg-rhel6-ds-1.2.xml          ssg-rhel8-oval.xml
ssg-rhel8-ds.xml              ssg-rhel8-xccdf.xml
...

  2. Display detailed information about a selected data stream using the oscap info subcommand. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs: 

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Profiles:
...
  Title: Health Insurance Portability and Accountability Act (HIPAA)
    Id: xccdf_org.ssgproject.content_profile_hipaa
  Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
    Id: xccdf_org.ssgproject.content_profile_pci-dss
  Title: OSPP - Protection Profile for General Purpose Operating Systems
    Id: xccdf_org.ssgproject.content_profile_ospp
...

  3. Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the HIPPA profile is: xccdf_org.ssgproject.content_profile_hipaa, and the value for the --profile option is hipaa: 

    $ oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
...
Profile
	Title: Health Insurance Portability and Accountability Act (HIPAA)

	Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
...

Additional resources

7.3.4. Assessing configuration compliance with a specific baseline

To determine whether your system conforms to a specific baseline, follow these steps.

Prerequisites

Procedure

  1. Evaluate the compliance of the system with the selected profile and save the scan results in the report.html HTML file, for example: 

    $ oscap xccdf eval --report report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

  2. Optional: Scan a remote system with the machine1 host name, SSH running on port 22, and the joesec user name for compliance and save results to the remote-report.html file: 

    $ oscap-ssh joesec@machine1 22 xccdf eval --report remote_report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

  • scap-security-guide(8) man page
  • SCAP Security Guide documentation in the /usr/share/doc/scap-security-guide/ directory
  • /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-index.html - [Guide to the Secure Configuration of Red Hat Enterprise Linux 8] installed with the scap-security-guide-doc package
  • OpenSCAP memory consumption problems

7.4. Remediating the system to align with a specific baseline

You can remediate the RHEL system to align with a specific baseline. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile, but you can remediate to align with any other profile provided by the SCAP Security Guide. For the details on listing the available profiles, see the Viewing profiles for configuration compliance section.

Warning

If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed on your RHEL system.

Procedure

  1. Use the oscap command with the --remediate option: 

    # oscap xccdf eval --profile hipaa --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  2. Restart your system.

Verification

  1. Evaluate compliance of the system with the HIPAA profile, and save scan results in the hipaa_report.html file: 

    $ oscap xccdf eval --report hipaa_report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

7.5. Remediating the system to align with a specific baseline using an SSG Ansible playbook

You can remediate your system to align with a specific baseline by using an Ansible playbook file from the SCAP Security Guide project. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile, but you can remediate to align with any other profile provided by the SCAP Security Guide. For the details on listing the available profiles, see the Viewing profiles for configuration compliance section.

Warning

If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed.
  • The ansible-core package is installed. See the Ansible Installation Guide for more information.
Note

In RHEL 8.6 and later, Ansible Engine is replaced by the ansible-core package, which contains only built-in modules. Note that many Ansible remediations use modules from the community and Portable Operating System Interface (POSIX) collections, which are not included in the built-in modules. In this case, you can use Bash remediations as a substitute to Ansible remediations. The Red Hat Connector in RHEL 8 includes the necessary Ansible modules to enable the remediation playbooks to function with Ansible Core.

Procedure

  1. Remediate your system to align with HIPAA using Ansible: 

    # ansible-playbook -i localhost, -c local /usr/share/scap-security-guide/ansible/rhel8-playbook-hipaa.yml
  2. Restart the system.

Verification

  1. Evaluate compliance of the system with the HIPAA profile, and save scan results in the hipaa_report.html file: 

    # oscap xccdf eval --profile hipaa --report hipaa_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

7.6. Creating a remediation Ansible playbook to align the system with a specific baseline

You can create an Ansible playbook containing only the remediations that are required to align your system with a specific baseline. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile. With this procedure, you create a smaller playbook that does not cover already satisfied requirements. By following these steps, you do not modify your system in any way, you only prepare a file for later application.

Note

In RHEL 8.6, Ansible Engine is replaced by the ansible-core package, which contains only built-in modules. Note that many Ansible remediations use modules from the community and Portable Operating System Interface (POSIX) collections, which are not included in the built-in modules. In this case, you can use Bash remediations as a substitute for Ansible remediations. The Red Hat Connector in RHEL 8.6 includes the necessary Ansible modules to enable the remediation playbooks to function with Ansible Core.

Prerequisites

  • The scap-security-guide package is installed.

Procedure

  1. Scan the system and save the results: 

    # oscap xccdf eval --profile hipaa --results <hipaa-results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

  2. Find the value of the result ID in the file with the results: 

    # oscap info <hipaa-results.xml>

  3. Generate an Ansible playbook based on the file generated in step 1: 

    # oscap xccdf generate fix --fix-type ansible --result-id <xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa> --output <hipaa-remediations.yml> <hipaa-results.xml>
  4. Review the generated file, which contains the Ansible remediations for rules that failed during the scan performed in step 1. After reviewing this generated file, you can apply it by using the ansible-playbook <hipaa-remediations.yml> command.

Verification

  • In a text editor of your choice, review that the generated <hipaa-remediations.yml> file contains rules that failed in the scan performed in step 1.

Additional resources

7.7. Creating a remediation Bash script for a later application

Use this procedure to create a Bash script containing remediations that align your system with a security profile such as HIPAA. Using the following steps, you do not do any modifications to your system, you only prepare a file for later application.

Prerequisites

  • The scap-security-guide package is installed on your RHEL system.

Procedure

  1. Use the oscap command to scan the system and to save the results to an XML file. In the following example, oscap evaluates the system against the hipaa profile: 

    # oscap xccdf eval --profile hipaa --results <hipaa-results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

  2. Find the value of the result ID in the file with the results: 

    # oscap info <hipaa-results.xml>

  3. Generate a Bash script based on the results file generated in step 1: 

    # oscap xccdf generate fix --fix-type bash --result-id <xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa> --output <hipaa-remediations.sh> <hipaa-results.xml>
  4. The <hipaa-remediations.sh> file contains remediations for rules that failed during the scan performed in step 1. After reviewing this generated file, you can apply it with the ./<hipaa-remediations.sh> command when you are in the same directory as this file.

Verification

  • In a text editor of your choice, review that the <hipaa-remediations.sh> file contains rules that failed in the scan performed in step 1.

Additional resources

  • scap-security-guide(8), oscap(8), and bash(1) man pages

7.8. Scanning the system with a customized profile using SCAP Workbench

SCAP Workbench, which is contained in the scap-workbench package, is a graphical utility that enables users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system, and generate reports based on scan evaluations. Note that SCAP Workbench has limited functionality compared with the oscap command-line utility. SCAP Workbench processes security content in the form of data stream files.

7.8.1. Using SCAP Workbench to scan and remediate the system

To evaluate your system against the selected security policy, use the following procedure.

Prerequisites

  • The scap-workbench package is installed on your system.

Procedure

  1. To run SCAP Workbench from the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. Alternatively, use: 

    $ scap-workbench &

  2. Select a security policy using either of the following options:

    • Load Content button on the starting window
    • Open content from SCAP Security Guide

    • Open Other Content in the File menu, and search the respective XCCDF, SCAP RPM, or data stream file.

      scap workbench start

  3. You can allow automatic correction of the system configuration by selecting the Remediate check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy. This process should fix the related checks that fail during the system scan.

    Warning

    If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

  4. Scan your system with the selected profile by clicking the Scan button.

    scap workbench results
  5. To store the scan results in form of an XCCDF, ARF, or HTML file, click the Save Results combo box. Choose the HTML Report option to generate the scan report in human-readable format. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
  6. To export results-based remediations to a file, use the Generate remediation role pop-up menu.

7.8.2. Customizing a security profile with SCAP Workbench

You can customize a security profile by changing parameters in certain rules (for example, minimum password length), removing rules that you cover in a different way, and selecting additional rules, to implement internal policies. You cannot define new rules by customizing a profile.

The following procedure demonstrates the use of SCAP Workbench for customizing (tailoring) a profile. You can also save the tailored profile for use with the oscap command-line utility.

Prerequisites

  • The scap-workbench package is installed on your system.

Procedure

  1. Run SCAP Workbench, and select the profile to customize by using either Open content from SCAP Security Guide or Open Other Content in the File menu.

  2. To adjust the selected security profile according to your needs, click the Customize button.

    This opens the new Customization window that enables you to modify the currently selected profile without changing the original data stream file. Choose a new profile ID.

    Choosing the ID of your new profile
  3. Find a rule to modify using either the tree structure with rules organized into logical groups or the Search field.

  4. Include or exclude rules using check boxes in the tree structure, or modify values in rules where applicable.

    Customizing a rule in the OSPP profile
  5. Confirm the changes by clicking the OK button.

  6. To store your changes permanently, use one of the following options:

    • Save a customization file separately by using Save Customization Only in the File menu.

    • Save all security content at once by Save All in the File menu.

      If you select the Into a directory option, SCAP Workbench saves both the data stream file and the customization file to the specified location. You can use this as a backup solution.

      By selecting the As RPM option, you can instruct SCAP Workbench to create an RPM package containing the data stream file and the customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, and for delivering the content for further processing.

Note

Because SCAP Workbench does not support results-based remediations for tailored profiles, use the exported remediations with the oscap command-line utility.

7.8.3. Additional resources

7.9. Deploying systems that are compliant with a security profile immediately after an installation

You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP, PCI-DSS, and HIPAA profile, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.

7.9.1. Profiles not compatible with Server with GUI

Certain security profiles provided as part of the SCAP Security Guide are not compatible with the extended package set included in the Server with GUI base environment. Therefore, do not select Server with GUI when installing systems compliant with one of the following profiles:

Table 7.1. Profiles not compatible with Server with GUI

Profile nameProfile IDJustificationNotes

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal.

 

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal.

 

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

The nfs-utils package is part of the Server with GUI package set, but the policy requires its removal.

 

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

The nfs-utils package is part of the Server with GUI package set, but the policy requires its removal.

 

DISA STIG for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal.

To install a RHEL system as a Server with GUI aligned with DISA STIG in RHEL version 8.4 and later, you can use the DISA STIG with GUI profile.

7.9.2. Deploying baseline-compliant RHEL systems using the graphical installation

Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Warning

Certain security profiles provided as part of the SCAP Security Guide are not compatible with the extended package set included in the Server with GUI base environment. For additional details, see Profiles not compatible with a GUI server.

Prerequisites

  • You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support interactive text-only installation.
  • You have accessed the Installation Summary window.

Procedure

  1. From the Installation Summary window, click Software Selection. The Software Selection window opens.
  2. From the Base Environment pane, select the Server environment. You can select only one base environment.
  3. Click Done to apply the setting and return to the Installation Summary window.
  4. Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /tmp, /var/log, /var/tmp, and /var/log/audit.
  5. Click Security Policy. The Security Policy window opens.
  6. To enable security policies on the system, toggle the Apply security policy switch to ON.
  7. Select Protection Profile for General Purpose Operating Systems from the profile pane.
  8. Click Select Profile to confirm the selection.
  9. Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.

  10. Complete the graphical installation process.

    Note

    The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.

Verification

  • To check the current status of the system after installation is complete, reboot the system and start a new scan: 

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

7.9.3. Deploying baseline-compliant RHEL systems using Kickstart

Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.

Procedure

  1. Open the /usr/share/scap-security-guide/kickstart/ssg-rhel8-ospp-ks.cfg Kickstart file in an editor of your choice.
  2. Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /tmp, /var/log, /var/tmp, and /var/log/audit must be preserved, and you can only change the size of the partitions.
  3. Start a Kickstart installation as described in Performing an automated installation using Kickstart.
Important

Passwords in Kickstart files are not checked for OSPP requirements.

Verification

  1. To check the current status of the system after installation is complete, reboot the system and start a new scan: 

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Additional resources

7.10. Scanning container and container images for vulnerabilities

Use this procedure to find security vulnerabilities in a container or a container image.

Note

The oscap-podman command is available from RHEL 8.2. For RHEL 8.1 and 8.0, use the workaround described in the Using OpenSCAP for scanning containers in RHEL 8 Knowledgebase article.

Prerequisites

  • The openscap-utils and bzip2 packages are installed.

Procedure

  1. Download the latest RHSA OVAL definitions for your system: 

    # wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml

  2. Get the ID of a container or a container image, for example: 

    # podman images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi8/ubi   latest   096cae65a207   7 weeks ago   239 MB

  3. Scan the container or the container image for vulnerabilities and save results to the vulnerability.html file: 

    # oscap-podman 096cae65a207 oval eval --report vulnerability.html rhel-8.oval.xml

    Note that the oscap-podman command requires root privileges, and the ID of a container is the first argument.

Verification

  • Check the results in a browser of your choice, for example: 

    $ firefox vulnerability.html &

Additional resources

  • For more information, see the oscap-podman(8) and oscap(8) man pages.

7.11. Assessing security compliance of a container or a container image with a specific baseline

Follow these steps to assess compliance of your container or a container image with a specific security baseline, such as Operating System Protection Profile (OSPP), Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA).

Note

The oscap-podman command is available from RHEL 8.2. For RHEL 8.1 and 8.0, use the workaround described in the Using OpenSCAP for scanning containers in RHEL 8 Knowledgebase article.

Prerequisites

  • The openscap-utils and scap-security-guide packages are installed.

Procedure

  1. Get the ID of a container or a container image, for example: 

    # podman images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi8/ubi   latest   096cae65a207   7 weeks ago   239 MB

  2. Evaluate the compliance of the container image with the HIPAA profile and save scan results into the report.html HTML file 

    # oscap-podman 096cae65a207 xccdf eval --report report.html --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

    Replace 096cae65a207 with the ID of your container image and the hipaa value with ospp or pci-dss if you assess security compliance with the OSPP or PCI-DSS baseline. Note that the oscap-podman command requires root privileges.

Verification

  • Check the results in a browser of your choice, for example: 

    $ firefox report.html &
Note

The rules marked as notapplicable are rules that do not apply to containerized systems. These rules apply only to bare-metal and virtualized systems.

Additional resources

  • oscap-podman(8) and scap-security-guide(8) man pages.
  • /usr/share/doc/scap-security-guide/ directory.

7.12. SCAP Security Guide profiles supported in RHEL 8

Use only the SCAP content provided in the particular minor release of RHEL. This is because components that participate in hardening are sometimes updated with new capabilities. SCAP content changes to reflect these updates, but it is not always backward compatible.

In the following tables, you can find the profiles provided in each minor version of RHEL, together with the version of the policy with which the profile aligns.

Table 7.2. SCAP Security Guide profiles supported in RHEL 8.9

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

2.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

RHEL 8.9.0 and RHEL 8.9.2:2.0.0
RHEL 8.9.3:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

RHEL 8.9.0 and RHEL 8.9.2:2.0.0
RHEL 8.9.3:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

RHEL 8.9.0 and RHEL 8.9.2:2.0.0
RHEL 8.9.3:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

RHEL 8.9.0 and RHEL 8.9.2:2.0.0
RHEL 8.9.3:3.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

RHEL 8.9.0 and RHEL 8.9.2:3.2.1
RHEL 8.9.3:4.0

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.9.0 and RHEL 8.9.2:V1R11
RHEL 8.9.3:V1R13

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.9.0 and RHEL 8.9.2:V1R11
RHEL 8.9.3:V1R13

Table 7.3. SCAP Security Guide profiles supported in RHEL 8.8

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

2.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

RHEL 8.8.0 and RHEL 8.8.5:2.0.0
RHEL 8.8.6:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

RHEL 8.8.0 and RHEL 8.8.5:2.0.0
RHEL 8.8.6:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

RHEL 8.8.0 and RHEL 8.8.5:2.0.0
RHEL 8.8.6:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

RHEL 8.8.0 and RHEL 8.8.5:2.0.0
RHEL 8.8.6:3.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

RHEL 8.8.0 and RHEL 8.8.5:3.2.1
RHEL 8.8.6:4.0

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.8.0 and RHEL 8.8.5:V1R9
RHEL 8.8.6:V1R13

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.8.0 and RHEL 8.8.5:V1R9
RHEL 8.8.6:V1R13

Table 7.4. SCAP Security Guide profiles supported in RHEL 8.7

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

1.2

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

2.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.7.0 and RHEL 8.7.1:V1R7
RHEL 8.7.2 and later:V1R9

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.7.0 and RHEL 8.7.1:V1R7
RHEL 8.7.2 and later:V1R9

Table 7.5. SCAP Security Guide profiles supported in RHEL 8.6

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

RHEL 8.6.0 to 8.6.10:1.2
RHEL 8.6.11 and later:2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

RHEL 8.6.0 to 8.6.10:1.2
RHEL 8.6.11 and later:2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

RHEL 8.6.0 to 8.6.10:1.2
RHEL 8.6.11 and later:2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

RHEL 8.6.0 to 8.6.10:1.2
RHEL 8.6.11 and later:2.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

RHEL 8.6.0 to RHEL 8.6.2:1.0.0
RHEL 8.6.3 to RHEL 8.6.15:2.0.0
RHEL 8.6.16 and later:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

RHEL 8.6.0 to RHEL 8.6.2:1.0.0
RHEL 8.6.3 to RHEL 8.6.15:2.0.0
RHEL 8.6.16 and later:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

RHEL 8.6.0 to RHEL 8.6.2:1.0.0
RHEL 8.6.3 to RHEL 8.6.15:2.0.0
RHEL 8.6.16 and later:3.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

RHEL 8.6.0 to RHEL 8.6.2:1.0.0
RHEL 8.6.3 to RHEL 8.6.15:2.0.0
RHEL 8.6.16 and later:3.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.6.0:V1R5
RHEL 8.6.1 and RHEL 8.6.2:V1R6
RHEL 8.6.3 to RHEL 8.6.6:V1R7
RHEL 8.6.7 to RHEL 8.6.10:V1R9
RHEL 8.6.11 to RHEL 8.6.15:V1R11
RHEL 8.6.16 and later:V1R13

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.6.0:V1R5
RHEL 8.6.1 and RHEL 8.6.2:V1R6
RHEL 8.6.3 to RHEL 8.6.6:V1R7
RHEL 8.6.7 to RHEL 8.6.10:V1R9
RHEL 8.6.11 to RHEL 8.6.15:V1R11
RHEL 8.6.16 and later:V1R13

Table 7.6. SCAP Security Guide profiles supported in RHEL 8.5

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

1.2

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

1.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

1.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

1.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

1.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.5.0 to RHEL 8.5.3:V1R3
RHEL 8.5.4 and later:V1R5

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.5.0 to RHEL 8.5.3:V1R3
RHEL 8.5.4 and later:V1R5

Table 7.7. SCAP Security Guide profiles supported in RHEL 8.4

Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

RHEL 8.4.4 and later:1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

1.2

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

1.2

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

RHEL 8.4.3 and earlier:1.0.0
RHEL 8.4.4 to RHEL 8.4.10:1.0.1
RHEL 8.4.11 and later:2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

RHEL 8.4.4 to RHEL 8.4.10:1.0.1
RHEL 8.4.11 and later:2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

RHEL 8.4.4 to RHEL 8.4.10:1.0.1
RHEL 8.4.11 and later:2.0.0

CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

RHEL 8.4.4 to RHEL 8.4.10:1.0.1
RHEL 8.4.11 and later:2.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Australian Cyber Security Centre (ACSC) ISM Official

xccdf_org.ssgproject.content_profile_ism_o

RHEL 8.4.4 and later:not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

RHEL 8.4.3 and earlier:V1R1
RHEL 8.4.4 to RHEL 8.4.7:V1R3
RHEL 8.4.8:V1R5
RHEL 8.4.9 to RHEL 8.4.10:V1R6
RHEL 8.4.11 to RHEL 8.4.14:V1R7
RHEL 8.4.15 and later:V1R9

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig_gui

RHEL 8.4.4 to RHEL 8.4.7:V1R3
RHEL 8.4.8:V1R5
RHEL 8.4.9 to RHEL 8.4.10:V1R6
RHEL 8.4.11 to RHEL 8.4.14:V1R7
RHEL 8.4.15 and later:V1R9

Table 7.8. SCAP Security Guide profiles supported in RHEL 8.3

Profile nameProfile IDPolicy version

CIS Red Hat Enterprise Linux 8 Benchmark

xccdf_org.ssgproject.content_profile_cis

1.0.0

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

xccdf_org.ssgproject.content_profile_cui

r1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

[DRAFT] The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

draft

Table 7.9. SCAP Security Guide profiles supported in RHEL 8.2

Profile nameProfile IDPolicy version

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

[DRAFT] DISA STIG for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_stig

draft

Table 7.10. SCAP Security Guide profiles supported in RHEL 8.1

Profile nameProfile IDPolicy version

Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

4.2.1

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

Table 7.11. SCAP Security Guide profiles supported in RHEL 8.0

Profile nameProfile IDPolicy version

OSPP - Protection Profile for General Purpose Operating Systems

xccdf_org.ssgproject.content_profile_ospp

draft

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

xccdf_org.ssgproject.content_profile_pci-dss

3.2.1

7.13. Additional resources