Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Scanning the system for configuration compliance

Scan your RHEL configuration against specific rules defined in a compliance policy. With these checklists, you can ensure that your environment adheres to strict security requirements.

Security professionals define the compliance policy by specifying the required settings for a computing environment, often in the form of a checklist.

Compliance policies can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of each system and its importance for the organization. Custom software settings and deployment characteristics also raise a need for custom policy checklists.

5.1. Configuration compliance tools in RHEL
Copy link

You can use tools such as OpenSCAP and the SCAP Security Guide (SSG) in RHEL to audit system security and maintain compliance with established security baselines.

RHEL 10 provides a set of configuration-compliance tools for performing a fully automated compliance audit. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

OpenSCAP

The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations. With oscap, you can scan systems to assess their alignment with security policies contained in scap-security-guide. You can also perform an automated remediation that configures the system into a state that is aligned with a selected policy.

Important

You can experience memory-consumption problems while using OpenSCAP, which can cause stopping the program prematurely and prevent generating any result files. See the OpenSCAP memory-consumption problems Knowledgebase article for details.

SCAP Security Guide (SSG)
The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
Script Check Engine (SCE)
With SCE, which is an extension to the SCAP protocol, administrators can write their security content by using a scripting language, such as Bash, Python, and Ruby. The SCE extension is provided in the openscap-engine-sce package. The SCE itself is not part of the SCAP standard.

Alternatively, you can perform automated compliance audits on multiple systems remotely by using the OpenSCAP solution for Red Hat Satellite.

5.2. Configuration compliance scanning
Copy link

Verify if your Red Hat Enterprise Linux systems adhere to security baselines, such as industry standards or internal policies, by performing a configuration compliance scan. You can scan local and remote systems, containers, and container images using OpenSCAP and the SCAP Security Guide.

5.2.1. Configuration compliance in RHEL
Copy link

Use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you are a payment processor, you can align your systems with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform scanning to harden your system security.

Follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.

The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.

Important

Performing a configuration compliance scanning does not guarantee the system is compliant.

The SCAP Security Guide suite provides profiles for several platforms in the form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules. The data streams use the following structure of compliance scanning resources: 

Data stream
   ├── xccdf
   |      ├── benchmark
   |            ├── profile
   |            |    ├──rule reference
   |            |    └──variable
   |            ├── rule
   |                 ├── human readable data
   |                 ├── ocil reference
   ├── ocil          ├── cpe reference
   └── cpe           └── remediation
Copy to Clipboard Toggle word wrap

A profile is a set of rules based on a security policy, such as PCI-DSS and Health Insurance Portability and Accountability Act (HIPAA). After you select a profile, you can then perform an automated audit of the system for compliance with that profile.

You can also modify, or tailor, a profile to customize certain rules, for example, password length. For more information about profile tailoring, see Customizing a security profile with autotailor.

5.2.2. Possible results of an OpenSCAP scan
Copy link

Understand the possible results, such as Pass, Fail, or Not Applicable, generated when running an OpenSCAP scan. This helps you interpret compliance reports accurately.

Depending on the data stream and profile applied to an OpenSCAP scan and the various properties of your system, each rule produces a specific result:

Pass
The scan did not find any conflicts with this rule.
Fail
The scan found a conflict with this rule.
Not checked
OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
Not applicable
This rule does not apply to the current configuration.
Not selected
This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
Error
The scan encountered an error. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat Customer Portal or open a ticket in the RHEL project in Red Hat Jira.
Unknown
The scan encountered an unexpected situation. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat Customer Portal or open a ticket in the RHEL project in Red Hat Jira.

Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions by using the oscap info subcommand.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with security compliance profiles provided by the SCAP Security Guide project: 

    $ ls /usr/share/xml/scap/ssg/content/
ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

  2. Display detailed information about a selected data stream by using the oscap info subcommand. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs: 

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Profiles:
…
  Title: Australian Cyber Security Centre (ACSC) ISM Official - Top Secret
		Id: xccdf_org.ssgproject.content_profile_ism_o_top_secret
	Title: PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10
		Id: xccdf_org.ssgproject.content_profile_pci-dss
	Title: Red Hat STIG for Red Hat Enterprise Linux 10
		Id: xccdf_org.ssgproject.content_profile_stig

…
    Copy to Clipboard Toggle word wrap

  3. Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the HIPPA profile is xccdf_org.ssgproject.content_profile_hipaa, and the value for the --profile option is hipaa: 

    $ oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
…
Profile
	Title: Health Insurance Portability and Accountability Act (HIPAA)

	Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
…
    Copy to Clipboard Toggle word wrap

You can determine whether your system or a remote system conforms to a specific baseline, and save the results in a report by using the oscap command-line tool.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.
  • You know the ID of the profile within the baseline with which the system should comply. To find the ID, see the Viewing profiles for configuration compliance section.

Procedure

  1. Scan the local system for compliance with the selected profile and save the scan results to a file: 

    $ oscap xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace:

    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

  2. Optional: Scan a remote system for compliance with the selected profile and save the scan results to a file: 

    $ oscap-ssh <username>@<hostname> <port> xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace:

    • <username>@<hostname> with the user name and hostname of the remote system.
    • <port> with the port number through which you can access the remote system.
    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

Assess the compliance of a container or container image in RHEL with security baselines, such as Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA), to identify vulnerabilities and ensure adherence to security standards.

Prerequisites

  • The openscap-utils and scap-security-guide packages are installed.
  • You have root access to the system.

Procedure

  1. Find the ID of a container or a container image:

    1. To find the ID of a container: 

      # podman ps -a
      Copy to Clipboard Toggle word wrap

    2. To find the ID of a container image: 

      # podman images
      Copy to Clipboard Toggle word wrap

  2. Evaluate the compliance of the container or container image with a profile and save the scan results into a file: 

    # oscap-podman <ID> xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace:

    • <ID> with the ID of your container or container image
    • <scan_report.html> with the file name where oscap saves the scan results
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa or pci-dss

Verification

  • Check the results in a browser of your choice, for example: 

    $ firefox <scan_report.html> &
    Copy to Clipboard Toggle word wrap
Note

The rules marked as notapplicable apply only to bare metal and virtual systems and not to containers or container images.

5.3. Configuration compliance remediation
Copy link

To automatically align your system with a specific profile, you can perform a remediation. You can remediate the system to align with any profile provided by the SCAP Security Guide.

Remediate your RHEL system to align with a specific security baseline by using the oscap xccdf eval --remediate command. This automatically fixes configuration rules defined in the SCAP Security Guide.

For details on listing available profiles, see the Viewing profiles for configuration compliance section.

Warning

Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

Test the effects of the remediation before applying it on production systems.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. Remediate the system: 

    # oscap xccdf eval --profile <profile_ID> --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

  2. Restart your system.

Verification

  1. Evaluate compliance of the system with the profile, and save the scan results to a file: 

    $ oscap xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace:

    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

Use an Ansible Playbook provided by the SCAP Security Guide project to remediate your system against a specific security baseline. This helps ensure consistency and automation across multiple systems.

Warning

Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

Test the effects of the remediation before applying it on production systems.

Prerequisites

Procedure

  1. Remediate your system to align with a selected profile by using Ansible: 

    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel10-playbook-<profile_ID>.yml
    Copy to Clipboard Toggle word wrap

    The ANSIBLE_COLLECTIONS_PATH environment variable is necessary for the command to run the playbook.

    Replace <profile_ID> with the profile ID of the selected profile.

  2. Restart the system.

Verification

  • Evaluate the compliance of the system with the selected profile, and save the scan results to a file: 

    # oscap xccdf eval --profile <profile_ID> --report <scan_report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace <scan_report.html> with the file name where oscap saves the scan results.

You can create an Ansible Playbook containing only the remediations required to align your system with a specific baseline. This playbook is smaller because it does not cover requirements that are already satisfied.

Creating the playbook does not modify your system in any way, because you only prepare a file for later application.

Prerequisites

Procedure

  1. Scan the system and save the results: 

    # oscap xccdf eval --profile <profile_ID> --results <profile_results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace: * <profile_ID> with the profile ID with which the system should comply, for example, hipaa * <profile_results.xml> with the path to the file where oscap saves the results

  2. Find the value of the result ID in the file with the results: 

    # oscap info <profile_results.xml>
    Copy to Clipboard Toggle word wrap

  3. Generate an Ansible Playbook based on the file generated in step 1: 

    # oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_<profile_ID> --output <profile_remediations.yml> <profile_results.xml>
    Copy to Clipboard Toggle word wrap

    Replace <profile_remediations.yml> with the path to the file where oscap saves rules that failed the scan.

  4. Review the generated <profile_remediations.yml> file.

  5. Remediate your system to align with a selected profile by using Ansible: 

    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -i "localhost," -c local <profile_remediations.yml>`
    Copy to Clipboard Toggle word wrap

    The ANSIBLE_COLLECTIONS_PATH environment variable is necessary for the command to run the playbook.

    Warning

    Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

    Test the effects of the remediation before applying it on production systems.

Verification

  • Evaluate the compliance of the system with the selected profile, and save the scan results to a file: 

    # oscap xccdf eval --profile <profile_ID> --report <scan_report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    Replace <scan_report.html> with the file name where oscap saves the scan results.

To make your system compliant with a specific security profile, such as DISA STIG, CIS, or ANSSI, you can prepare a Kickstart file that defines the hardened configuration, customize it with a tailoring file, and run an automated installation of the hardened system.

Prerequisites

  • The openscap-scanner is installed on your system.

  • The scap-security-guide package is installed on your system and the package version corresponds to the version of RHEL that you want to install. For more information, see Supported versions of the SCAP Security Guide in RHEL. Using a different version can cause conflicts.

    Note

    If your system has the same version of RHEL as the version you want to install, you can install the scap-security-guide package directly.

Procedure

  1. Find the ID of the security profile from the data stream file: 

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Profiles:
…
  Title: Australian Cyber Security Centre (ACSC) Essential Eight
	Id: xccdf_org.ssgproject.content_profile_e8
  Title: Health Insurance Portability and Accountability Act (HIPAA)
	Id: xccdf_org.ssgproject.content_profile_hipaa
  Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 10
	Id: xccdf_org.ssgproject.content_profile_pci-dss
…
    Copy to Clipboard Toggle word wrap
  2. Optional: If you want to customize your hardening with XCCDF Tailoring file you can use the autotailor command provided in the openscap-utils package. For more information, see Customizing a security profile with autotailor.

  3. Generate the Kickstart file from the SCAP source data stream: 

    $ oscap xccdf generate fix --profile <profile_ID> --output <kickstart_file>.cfg --fix-type kickstart /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Copy to Clipboard Toggle word wrap

    + Replace <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

    + If you are using a tailoring file, embed the tailoring file into the generated Kickstart file by using the --tailoring-file tailoring.xml option and your custom profile ID, for example:

    + 

$ *oscap xccdf generate fix --tailoring-file tailoring.xml --profile _<custom_profile_ID>_ --output _<kickstart_file>_.cfg --fix-type kickstart ./ssg-rhel10-ds.xml*
Copy to Clipboard Toggle word wrap

  1. Review and, if necessary, manually modify the generated <kickstart_file>.cfg to fit the needs of your deployment. Follow the instructions in the comments in the file.

    Note

    Some changes might affect the compliance of the systems installed by the Kickstart file. For example, some security policies require defined partitions or specific packages and services.

  2. Use the Kickstart file for your installation. For the installation program to use the Kickstart, the Kickstart can be served through a web server, provided in PXE, or embedded into the ISO image. For detailed steps, see the Semi-automated installations: Making Kickstart files available to the RHEL installer chapter in the Automatically installing RHEL document.
  3. After the installation finishes, the system reboots automatically. After the reboot, log in and review the installation SCAP report saved in the /root directory.

Verification

  • Scan the system for compliance and save the report in a HTML file for review:

    • With the original profile: 

      # oscap xccdf eval --report report.html --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
      Copy to Clipboard Toggle word wrap

    • With the tailored profile: 

      # oscap xccdf eval --report report.html --tailoring-file tailoring.xml --profile <custom_profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
      Copy to Clipboard Toggle word wrap

To align with internal security standards, you can customize a RHEL security profile by selecting or removing existing rules. While you can modify parameters such as password length, you cannot define entirely new rules during customization.

By using the autotailor utility, you create an XCCDF tailoring file that contains all of the modifications of the original profile. Then, when you are scanning, remediating, or installing a system in accordance with a SCAP profile, you pass this tailoring file to the oscap command-line utility.

Note that you cannot define new rules when customizing a profile.

Prerequisites

Procedure

  1. Create a tailoring file for your profile by using the autotailor command, for example: 

    $ autotailor \ --select=<rule_ID_1> \ --select=<rule_ID_2> \ --unselect=<rule_ID_3> \ --var-value=<value_ID_1>=<value_1> \ --var-value=<value_ID_2>=<value_2> \ --output=<tailoring.xml> \ --tailored-profile-id=<custom_profile_ID> \ /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml <profile_ID>
    Copy to Clipboard Toggle word wrap

    Where:

    • <customization_options> are the modifications of the profile. Use one or more of the following options:

      --select=<rule_ID>
      Add an existing rule to the profile.
      --unselect=<rule_ID>
      Remove a rule from the profile.
      --var-value=<value_ID>=<value>
      Override a pre-set value. For example, to set var_sshd_max_sessions to 10, use --var-value=var_sshd_max_sessions=10.
    • <tailoring.xml> is the file name where autotailor saves the tailoring.
    • <custom_profile_ID> is the profile ID within which the autotailor saves customizations, for example, custom_cis.
    • <profile_ID> is the profile ID with which the system should comply, for example, cis.
    Note

    For all profile, rule, and variable XCCDF IDs, you can use either a full namespaced identifier or a shortened ID that autotailor automatically augments with the namespace prefix. For example, cis is equivalent to xccdf_org.ssgproject.content_profile_cis.

    You can override the default namespace org.ssgproject.content by using the --id-namespace option.

  2. Optional: Create a tailoring file based on the customizations defined in the JSON Tailoring format: 

    $ autotailor --output=<tailoring.xml> --json-tailoring=<json_tailoring.json>
    Copy to Clipboard Toggle word wrap

    Replace <json_tailoring.json> with the file name with JSON Tailoring definitions.

    Note

    You can mix --json-tailoring with --select, --unselect, and --var-value command-line customizations. In that case, command-line customizations have priority over JSON Tailoring.

Review the SCAP Security Guide profiles supported in RHEL 10, such as HIPAA, STIG, and CIS. To accommodate hardening components updated with new capabilities, use only the SCAP content provided in your specific minor release.

SCAP content changes to reflect these updates, but it is not always compatible with earlier versions.

Note

You can get the information relevant for the version of scap-security-guide RPM installed on your system by using the oscap info command. For more information, see Viewing profiles for configuration compliance.

Expand
Table 5.1. SCAP Security Guide profiles supported in RHEL 10.1
Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

2.0

CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

1.0.1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Base

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Secret

xccdf_org.ssgproject.content_profile_ism_o_secret

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Top Secret

xccdf_org.ssgproject.content_profile_ism_o_top_secret

not versioned

PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_pci-dss

4.0.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig

vendor

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig_gui

vendor

Expand
Table 5.2. SCAP Security Guide profiles supported in RHEL 10.0
Profile nameProfile IDPolicy version

French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

2.0

French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

2.0

CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

1.0.1

CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

1.0.1

Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Base

xccdf_org.ssgproject.content_profile_ism_o

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Secret

xccdf_org.ssgproject.content_profile_ism_o_secret

not versioned

Australian Cyber Security Centre (ACSC) ISM Official - Top Secret

xccdf_org.ssgproject.content_profile_ism_o_top_secret

not versioned

PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_pci-dss

4.0.1

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig

vendor

The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig_gui

vendor

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red Hat