|
 |
575137 |
From 8e1b095971e92e7960f606bb43810102c6c77152 Mon Sep 17 00:00:00 2001
|
|
|
575137 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
575137 |
Date: Mon, 7 Jan 2019 14:36:06 +0100
|
|
|
575137 |
Subject: [PATCH] Reformatted profile descriptions.
|
|
|
575137 |
|
|
|
575137 |
Went for the `description: |-` way, so there is no need for quoting
|
|
|
575137 |
or for using `\n` to introduce newlines.
|
|
|
575137 |
|
|
|
575137 |
This makes descriptions easier to read and edit, and removes some cases when
|
|
|
575137 |
literal `\n` made it to the actual description.
|
|
|
575137 |
---
|
|
|
575137 |
fedora/profiles/pci-dss.profile | 4 ++--
|
|
|
575137 |
ol7/profiles/sap.profile | 2 +-
|
|
|
575137 |
rhel6/profiles/C2S.profile | 15 +++++++++-----
|
|
|
575137 |
rhel6/profiles/CSCF-RHEL6-MLS.profile | 11 ++++++----
|
|
|
575137 |
rhel6/profiles/desktop.profile | 3 ++-
|
|
|
575137 |
rhel6/profiles/nist-CL-IL-AL.profile | 7 ++++---
|
|
|
575137 |
rhel6/profiles/server.profile | 3 +--
|
|
|
575137 |
rhel6/profiles/usgcb-rhel6-server.profile | 3 +--
|
|
|
575137 |
rhel7/profiles/docker-host.profile | 11 +++++-----
|
|
|
575137 |
rhel7/profiles/nist-800-171-cui.profile | 25 ++++++++++++++++-------
|
|
|
575137 |
rhel7/profiles/pci-dss.profile | 4 ++--
|
|
|
575137 |
rhel7/profiles/rht-ccp.profile | 9 ++++----
|
|
|
575137 |
rhel7/profiles/stig-rhel7-disa.profile | 24 ++++++++++++----------
|
|
|
575137 |
rhel7/profiles/stig-rhvh-upstream.profile | 7 ++++---
|
|
|
575137 |
rhel8/profiles/pci-dss.profile | 4 ++--
|
|
|
575137 |
15 files changed, 78 insertions(+), 54 deletions(-)
|
|
|
575137 |
|
|
|
575137 |
diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile
|
|
|
575137 |
index cfa48b6051..5e47534e81 100644
|
|
|
575137 |
--- a/fedora/profiles/pci-dss.profile
|
|
|
575137 |
+++ b/fedora/profiles/pci-dss.profile
|
|
|
575137 |
@@ -2,8 +2,8 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'PCI-DSS v3 Control Baseline for Fedora'
|
|
|
575137 |
|
|
|
575137 |
-description: 'Ensures PCI-DSS v3 related security configuration settings \n
|
|
|
575137 |
- \ are applied.'
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ Ensures PCI-DSS v3 related security configuration settings are applied.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_password_pam_unix_remember=4
|
|
|
575137 |
diff --git a/ol7/profiles/sap.profile b/ol7/profiles/sap.profile
|
|
|
575137 |
index f2a017e389..199866b300 100644
|
|
|
575137 |
--- a/ol7/profiles/sap.profile
|
|
|
575137 |
+++ b/ol7/profiles/sap.profile
|
|
|
575137 |
@@ -5,7 +5,7 @@ title: 'Security Profile of Oracle Linux 7 for SAP'
|
|
|
575137 |
description: |-
|
|
|
575137 |
This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2.
|
|
|
575137 |
Regardless of your system's workload all of these checks should pass.
|
|
|
575137 |
-
|
|
|
575137 |
+
|
|
|
575137 |
selections:
|
|
|
575137 |
- package_glibc_installed
|
|
|
575137 |
- package_uuidd_installed
|
|
|
575137 |
diff --git a/rhel6/profiles/C2S.profile b/rhel6/profiles/C2S.profile
|
|
|
575137 |
index 3d26cb7b43..f3a3f82590 100644
|
|
|
575137 |
--- a/rhel6/profiles/C2S.profile
|
|
|
575137 |
+++ b/rhel6/profiles/C2S.profile
|
|
|
575137 |
@@ -2,11 +2,16 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'C2S for Red Hat Enterprise Linux 6'
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile demonstrates compliance against the \nU.S. Government Commercial Cloud Services (C2S) baseline.\n\
|
|
|
575137 |
- \nThis baseline was inspired by the Center for Internet Security\n(CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 -\
|
|
|
575137 |
- \ 06-25-2013.\nFor the SCAP Security Guide project to remain in compliance with\nCIS' terms and conditions, specifically\
|
|
|
575137 |
- \ Restrictions(8), note \nthere is no representation or claim that the C2S profile will\nensure a system is in compliance\
|
|
|
575137 |
- \ or consistency with the CIS\nbaseline."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile demonstrates compliance against the
|
|
|
575137 |
+ U.S. Government Commercial Cloud Services (C2S) baseline.
|
|
|
575137 |
+ nThis baseline was inspired by the Center for Internet Security
|
|
|
575137 |
+ (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013.
|
|
|
575137 |
+ For the SCAP Security Guide project to remain in compliance with
|
|
|
575137 |
+ CIS' terms and conditions, specifically Restrictions(8), note
|
|
|
575137 |
+ there is no representation or claim that the C2S profile will
|
|
|
575137 |
+ ensure a system is in compliance or consistency with the CIS
|
|
|
575137 |
+ baseline.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_selinux_state=enforcing
|
|
|
575137 |
diff --git a/rhel6/profiles/CSCF-RHEL6-MLS.profile b/rhel6/profiles/CSCF-RHEL6-MLS.profile
|
|
|
575137 |
index dbd3a4ee88..104ebeadca 100644
|
|
|
575137 |
--- a/rhel6/profiles/CSCF-RHEL6-MLS.profile
|
|
|
575137 |
+++ b/rhel6/profiles/CSCF-RHEL6-MLS.profile
|
|
|
575137 |
@@ -2,10 +2,13 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'CSCF RHEL6 MLS Core Baseline'
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile reflects the Centralized Super Computing Facility \n(CSCF) baseline for Red Hat Enterprise Linux\
|
|
|
575137 |
- \ 6. This baseline has received \ngovernment ATO through the ICD 503 process, utilizing the CNSSI 1253 cross \ndomain\
|
|
|
575137 |
- \ overlay. This profile should be considered in active development. \nAdditional tailoring will be needed, such as the\
|
|
|
575137 |
- \ creation of RBAC roles \nfor production deployment."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile reflects the Centralized Super Computing Facility
|
|
|
575137 |
+ (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received
|
|
|
575137 |
+ government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross
|
|
|
575137 |
+ domain overlay. This profile should be considered in active development.
|
|
|
575137 |
+ Additional tailoring will be needed, such as the creation of RBAC roles
|
|
|
575137 |
+ for production deployment.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_auditd_max_log_file_action=keep_logs
|
|
|
575137 |
diff --git a/rhel6/profiles/desktop.profile b/rhel6/profiles/desktop.profile
|
|
|
575137 |
index 4c24a8e44c..f800f0ffe1 100644
|
|
|
575137 |
--- a/rhel6/profiles/desktop.profile
|
|
|
575137 |
+++ b/rhel6/profiles/desktop.profile
|
|
|
575137 |
@@ -2,7 +2,8 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'Desktop Baseline'
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile is for a desktop installation of \nRed Hat Enterprise Linux 6."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile is for a desktop installation of Red Hat Enterprise Linux 6.
|
|
|
575137 |
|
|
|
575137 |
extends: standard
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel6/profiles/nist-CL-IL-AL.profile b/rhel6/profiles/nist-CL-IL-AL.profile
|
|
|
575137 |
index 3117952d56..9f8718329b 100644
|
|
|
575137 |
--- a/rhel6/profiles/nist-CL-IL-AL.profile
|
|
|
575137 |
+++ b/rhel6/profiles/nist-CL-IL-AL.profile
|
|
|
575137 |
@@ -2,9 +2,10 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: "CNSSI 1253 Low/Low/Low Control Baseline"
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile follows the Committee on National \nSecurity Systems Instruction (CNSSI) No. 1253, \"Security Categorization\
|
|
|
575137 |
- \ and \nControl Selection for National Security Systems\" on security controls to meet\nlow confidentiality, low integrity,\
|
|
|
575137 |
- \ and low assurance.\""
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253,
|
|
|
575137 |
+ "Security Categorization and Control Selection for National Security Systems"
|
|
|
575137 |
+ on security controls to meet low confidentiality, low integrity, and low assurance.
|
|
|
575137 |
|
|
|
575137 |
extends: standard
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel6/profiles/server.profile b/rhel6/profiles/server.profile
|
|
|
575137 |
index bd38be4751..833a12f2e4 100644
|
|
|
575137 |
--- a/rhel6/profiles/server.profile
|
|
|
575137 |
+++ b/rhel6/profiles/server.profile
|
|
|
575137 |
@@ -3,8 +3,7 @@ documentation_complete: true
|
|
|
575137 |
title: 'Server Baseline'
|
|
|
575137 |
|
|
|
575137 |
description: |-
|
|
|
575137 |
- This profile is for Red Hat Enterprise Linux 6
|
|
|
575137 |
- acting as a server.
|
|
|
575137 |
+ This profile is for Red Hat Enterprise Linux 6 acting as a server.
|
|
|
575137 |
|
|
|
575137 |
extends: standard
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel6/profiles/usgcb-rhel6-server.profile b/rhel6/profiles/usgcb-rhel6-server.profile
|
|
|
575137 |
index 5de5ece862..893de33b17 100644
|
|
|
575137 |
--- a/rhel6/profiles/usgcb-rhel6-server.profile
|
|
|
575137 |
+++ b/rhel6/profiles/usgcb-rhel6-server.profile
|
|
|
575137 |
@@ -3,8 +3,7 @@ documentation_complete: true
|
|
|
575137 |
title: 'United States Government Configuration Baseline (USGCB)'
|
|
|
575137 |
|
|
|
575137 |
description: |-
|
|
|
575137 |
- This profile is a working draft for a USGCB submission against
|
|
|
575137 |
- RHEL6 Server.
|
|
|
575137 |
+ This profile is a working draft for a USGCB submission against RHEL6 Server.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- kernel_disable_entropy_contribution_for_solid_state_drives
|
|
|
575137 |
diff --git a/rhel7/profiles/docker-host.profile b/rhel7/profiles/docker-host.profile
|
|
|
575137 |
index b4de74743e..98fd5ecb51 100644
|
|
|
575137 |
--- a/rhel7/profiles/docker-host.profile
|
|
|
575137 |
+++ b/rhel7/profiles/docker-host.profile
|
|
|
575137 |
@@ -2,11 +2,12 @@ documentation_complete: false
|
|
|
575137 |
|
|
|
575137 |
title: 'DRAFT - Standard Docker Host Security Profile'
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile contains rules to ensure standard security \n
|
|
|
575137 |
- \ baseline of Red Hat Enterprise Linux 7 system running the docker \n
|
|
|
575137 |
- \ \n
|
|
|
575137 |
- \ This discussion is currently being held on open-scap-list@redhat.com \n
|
|
|
575137 |
- \ and scap-security-guide@lists.fedorahosted.org."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile contains rules to ensure standard security
|
|
|
575137 |
+ baseline of Red Hat Enterprise Linux 7 system running the docker
|
|
|
575137 |
+
|
|
|
575137 |
+ This discussion is currently being held on open-scap-list@redhat.com
|
|
|
575137 |
+ and scap-security-guide@lists.fedorahosted.org.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- service_docker_enabled
|
|
|
575137 |
diff --git a/rhel7/profiles/nist-800-171-cui.profile b/rhel7/profiles/nist-800-171-cui.profile
|
|
|
575137 |
index 279d061bc9..966c2a2a75 100644
|
|
|
575137 |
--- a/rhel7/profiles/nist-800-171-cui.profile
|
|
|
575137 |
+++ b/rhel7/profiles/nist-800-171-cui.profile
|
|
|
575137 |
@@ -2,13 +2,24 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
|
|
|
575137 |
|
|
|
575137 |
-description: "From NIST 800-171, Section 2.2:\nSecurity requirements for protecting the confidentiality of CUI in nonfederal\
|
|
|
575137 |
- \ \ninformation systems and organizations have a well-defined structure that \nconsists of:\n\n(i) a basic security requirements\
|
|
|
575137 |
- \ section;\n(ii) a derived security requirements section.\n\nThe basic security requirements are obtained from FIPS Publication\
|
|
|
575137 |
- \ 200, which\nprovides the high-level and fundamental security requirements for federal\ninformation and information systems.\
|
|
|
575137 |
- \ The derived security requirements, which\nsupplement the basic security requirements, are taken from the security controls\n\
|
|
|
575137 |
- in NIST Special Publication 800-53.\n\nThis profile configures Red Hat Enterprise Linux 7 to the NIST Special\nPublication\
|
|
|
575137 |
- \ 800-53 controls identified for securing Controlled Unclassified\nInformation (CUI)."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ From NIST 800-171, Section 2.2:
|
|
|
575137 |
+ Security requirements for protecting the confidentiality of CUI in nonfederal
|
|
|
575137 |
+ information systems and organizations have a well-defined structure that
|
|
|
575137 |
+ consists of:
|
|
|
575137 |
+
|
|
|
575137 |
+ (i) a basic security requirements section;
|
|
|
575137 |
+ (ii) a derived security requirements section.
|
|
|
575137 |
+
|
|
|
575137 |
+ The basic security requirements are obtained from FIPS Publication 200, which
|
|
|
575137 |
+ provides the high-level and fundamental security requirements for federal
|
|
|
575137 |
+ information and information systems. The derived security requirements, which
|
|
|
575137 |
+ supplement the basic security requirements, are taken from the security controls
|
|
|
575137 |
+ in NIST Special Publication 800-53.
|
|
|
575137 |
+
|
|
|
575137 |
+ This profile configures Red Hat Enterprise Linux 7 to the NIST Special
|
|
|
575137 |
+ Publication 800-53 controls identified for securing Controlled Unclassified
|
|
|
575137 |
+ Information (CUI).
|
|
|
575137 |
|
|
|
575137 |
extends: ospp
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile
|
|
|
575137 |
index dca99e79d6..13cc6ac0d6 100644
|
|
|
575137 |
--- a/rhel7/profiles/pci-dss.profile
|
|
|
575137 |
+++ b/rhel7/profiles/pci-dss.profile
|
|
|
575137 |
@@ -2,8 +2,8 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7'
|
|
|
575137 |
|
|
|
575137 |
-description: 'Ensures PCI-DSS v3 related security configuration settings \n
|
|
|
575137 |
- \ are applied.'
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ Ensures PCI-DSS v3 related security configuration settings are applied.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_password_pam_unix_remember=4
|
|
|
575137 |
diff --git a/rhel7/profiles/rht-ccp.profile b/rhel7/profiles/rht-ccp.profile
|
|
|
575137 |
index eb4d854807..0b44b55078 100644
|
|
|
575137 |
--- a/rhel7/profiles/rht-ccp.profile
|
|
|
575137 |
+++ b/rhel7/profiles/rht-ccp.profile
|
|
|
575137 |
@@ -2,10 +2,11 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
|
|
575137 |
|
|
|
575137 |
-description: 'This profile contains the minimum security relevant \n
|
|
|
575137 |
- \ configuration settings recommended by Red Hat, Inc for \n
|
|
|
575137 |
- \ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified \n
|
|
|
575137 |
- \ Cloud Providers.'
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile contains the minimum security relevant
|
|
|
575137 |
+ configuration settings recommended by Red Hat, Inc for
|
|
|
575137 |
+ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified
|
|
|
575137 |
+ Cloud Providers.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_selinux_state=enforcing
|
|
|
575137 |
diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile
|
|
|
575137 |
index 7200e9dc8a..f751bc0857 100644
|
|
|
575137 |
--- a/rhel7/profiles/stig-rhel7-disa.profile
|
|
|
575137 |
+++ b/rhel7/profiles/stig-rhel7-disa.profile
|
|
|
575137 |
@@ -2,17 +2,19 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'DISA STIG for Red Hat Enterprise Linux 7'
|
|
|
575137 |
|
|
|
575137 |
-description: "This profile contains configuration checks that align to the \n
|
|
|
575137 |
- \ DISA STIG for Red Hat Enterprise Linux V1R4. \n
|
|
|
575137 |
- \ \n
|
|
|
575137 |
- \ In addition to being applicable to RHEL7, DISA recognizes this \n
|
|
|
575137 |
- \ configuration baseline as applicable to the operating system tier of \n
|
|
|
575137 |
- \ Red Hat technologies that are based off RHEL7, such as: \n
|
|
|
575137 |
- \ - Red Hat Enterprise Linux Server \n
|
|
|
575137 |
- \ - Red Hat Enterprise Linux Workstation and Desktop \n
|
|
|
575137 |
- \ - Red Hat Virtualization Hypervisor (RHV-H) \n
|
|
|
575137 |
- \ - Red Hat Enterprise Linux for HPC \n
|
|
|
575137 |
- \ - Red Hat Storage"
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This profile contains configuration checks that align to the \
|
|
|
575137 |
+ DISA STIG for Red Hat Enterprise Linux V1R4.
|
|
|
575137 |
+
|
|
|
575137 |
+ In addition to being applicable to RHEL7, DISA recognizes this \
|
|
|
575137 |
+ configuration baseline as applicable to the operating system tier of \
|
|
|
575137 |
+ Red Hat technologies that are based off RHEL7, such as:
|
|
|
575137 |
+
|
|
|
575137 |
+ - Red Hat Enterprise Linux Server
|
|
|
575137 |
+ - Red Hat Enterprise Linux Workstation and Desktop
|
|
|
575137 |
+ - Red Hat Virtualization Hypervisor (RHV-H)
|
|
|
575137 |
+ - Red Hat Enterprise Linux for HPC
|
|
|
575137 |
+ - Red Hat Storage
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- login_banner_text=dod_banners
|
|
|
575137 |
diff --git a/rhel7/profiles/stig-rhvh-upstream.profile b/rhel7/profiles/stig-rhvh-upstream.profile
|
|
|
575137 |
index 63180472c6..f764db6a6c 100644
|
|
|
575137 |
--- a/rhel7/profiles/stig-rhvh-upstream.profile
|
|
|
575137 |
+++ b/rhel7/profiles/stig-rhvh-upstream.profile
|
|
|
575137 |
@@ -2,9 +2,10 @@ documentation_complete: false
|
|
|
575137 |
|
|
|
575137 |
title: 'DRAFT - STIG for Red Hat Virtualization Hypervisor'
|
|
|
575137 |
|
|
|
575137 |
-description: "This is a *draft* profile for STIG. This profile is being \n
|
|
|
575137 |
- \ developed under the DISA Vendor STIG model in coordination with \n
|
|
|
575137 |
- \ DISA FSO."
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ This is a *draft* profile for STIG. This profile is being
|
|
|
575137 |
+ developed under the DISA Vendor STIG model in coordination with
|
|
|
575137 |
+ DISA FSO.
|
|
|
575137 |
|
|
|
575137 |
extends: stig-rhel7-disa
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
index ec901d84cb..a81849ac41 100644
|
|
|
575137 |
--- a/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
+++ b/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
@@ -2,8 +2,8 @@ documentation_complete: true
|
|
|
575137 |
|
|
|
575137 |
title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8'
|
|
|
575137 |
|
|
|
575137 |
-description: 'Ensures PCI-DSS v3 related security configuration settings \n
|
|
|
575137 |
- \ are applied.'
|
|
|
575137 |
+description: |-
|
|
|
575137 |
+ Ensures PCI-DSS v3 related security configuration settings are applied.
|
|
|
575137 |
|
|
|
575137 |
selections:
|
|
|
575137 |
- var_password_pam_unix_remember=4
|