Benchmarks
Introduction
Benchmarks provide security recommendations for your computers, utilising the OpenSCAP tools and policies.
From the OpenSCAP homepage: In the ever-changing world of computer security where new vulnerabilities are being discovered and patched every day, enforcing security compliance must be a continuous process. It also needs to include a way to make adjustments to policies, as well as periodic assessment and risk monitoring. The OpenSCAP ecosystem provides tools and customizable policies for a quick, cost-effective and flexible implementation of these processes.
The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines including a wide variety of hardening guides and configuration baselines developed by the open source community, ensuring that you can choose a security policy which best suits the needs of your organization, regardless of its size.
Security Content Automation Protocol (SCAP) is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and was awarded the SCAP 1.2 certification by NIST in 2014.
How Does it Work?
Benchmarks are created by providing an operating system and version, combined with a specific guide and a list of machines to execute it on. After creation, benchmarks are executed against the list of machines on a schedule.
You must have working SSH credentials to execute a benchmark. The following operating systems are currently supported: CentOS 7, Debian 12, RedHat 7, RedHat 8, RedHat 9, SLES 15, Ubuntu 20.04, Ubuntu 22.04. We plan to expand on these with further releases.
Benchmark execution and processing can take a long time, hence the preference to schedule them rather than run them ad hoc.
Help
Not every computer will be able to successfully complete a benchmark. We have seen some fail in testing for reasons beyond our control. The logs should help point you in the right direction for these items.
Warning
As per the OpenSCAP benchmarks - Do not attempt to implement any of the settings in this benchmark without first testing them in a non-operational environment. The creators of this benchmark assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Seriously, just don't blindly start "fixing" issues revealed after running a benchmark without first thoroughly testing in a non-production, identical environment.
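As an added example (not part of Open-AudIT or the original page), the sketch below turns a benchmark result into a severity-ordered review list of failed rules, which is the list to work through in a test environment before changing anything. It assumes you have results in the standard XCCDF 1.2 format that OpenSCAP writes; the sample document, host name and rule ids are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # anything else sorts last

# Constructed sample, not real scan output; host and rule ids are made up.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_test.example_benchmark_demo">
  <TestResult id="xccdf_test.example_testresult_demo">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_test.example_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_test.example_rule_no_empty_passwords" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_test.example_rule_file_permissions_etc_shadow" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_test.example_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_test.example_rule_auditd_enabled" severity="medium"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarise(xml_text):
    """Return target, per-outcome counts and failed rules ordered by severity."""
    root = ET.fromstring(xml_text)
    # The TestResult may be the document root or nested inside a Benchmark.
    if root.tag == "{%s}TestResult" % NS["x"]:
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")

    counts = Counter()
    failed = []
    for rule in test_result.findall("x:rule-result", NS):
        outcome = rule.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rule.get("severity", "unknown"), rule.get("idref")))

    # Highest severity first, then rule id, so the review order is stable.
    failed.sort(key=lambda item: (SEVERITY_RANK.get(item[0], 3), item[1]))
    return {
        "target": test_result.findtext("x:target", default="", namespaces=NS),
        "counts": dict(counts),
        "failed": failed,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_RESULTS)
    print(summary["target"], summary["counts"])
    for severity, rule_id in summary["failed"]:
        print(f"{severity:8} {rule_id}")
```
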
Available Benchmarks
OS | Benchmark |
---|---|
CentOS 7 | C2S for Red Hat Enterprise Linux 7 |
CentOS 7 | ANSSI-BP-028 (enhanced) |
CentOS 7 | ANSSI-BP-028 (high) |
CentOS 7 | ANSSI-BP-028 (intermediary) |
CentOS 7 | ANSSI-BP-028 (minimal) |
CentOS 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server |
CentOS 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server |
CentOS 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation |
CentOS 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation |
CentOS 7 | Criminal Justice Information Services (CJIS) Security Policy |
CentOS 7 | Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) |
CentOS 7 | Australian Cyber Security Centre (ACSC) Essential Eight |
CentOS 7 | Health Insurance Portability and Accountability Act (HIPAA) |
CentOS 7 | NIST National Checklist Program Security Guide |
CentOS 7 | OSPP - Protection Profile for General Purpose Operating Systems v4.2.1 |
CentOS 7 | PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7 |
CentOS 7 | RHV hardening based on STIG for Red Hat Enterprise Linux 7 |
CentOS 7 | VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization |
CentOS 7 | Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) |
CentOS 7 | Standard System Security Profile for Red Hat Enterprise Linux 7 |
CentOS 7 | DISA STIG for Red Hat Enterprise Linux 7 |
CentOS 7 | DISA STIG with GUI for Red Hat Enterprise Linux 7 |
Debian 12 | ANSSI-BP-028 (enhanced) |
Debian 12 | ANSSI-BP-028 (high) |
Debian 12 | ANSSI-BP-028 (intermediary) |
Debian 12 | ANSSI-BP-028 (minimal) |
Debian 12 | Profile for ANSSI DAT-NT28 Average (Intermediate) Level |
Debian 12 | Profile for ANSSI DAT-NT28 High (Enforced) Level |
Debian 12 | Profile for ANSSI DAT-NT28 Minimal Level |
Debian 12 | Profile for ANSSI DAT-NT28 Restrictive Level |
Debian 12 | Standard System Security Profile for Debian 12 |
RedHat 7 | C2S for Red Hat Enterprise Linux 7 |
RedHat 7 | ANSSI-BP-028 (enhanced) |
RedHat 7 | ANSSI-BP-028 (high) |
RedHat 7 | ANSSI-BP-028 (intermediary) |
RedHat 7 | ANSSI-BP-028 (minimal) |
RedHat 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server |
RedHat 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server |
RedHat 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation |
RedHat 7 | CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation |
RedHat 7 | Criminal Justice Information Services (CJIS) Security Policy |
RedHat 7 | Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) |
RedHat 7 | Australian Cyber Security Centre (ACSC) Essential Eight |
RedHat 7 | Health Insurance Portability and Accountability Act (HIPAA) |
RedHat 7 | NIST National Checklist Program Security Guide |
RedHat 7 | OSPP - Protection Profile for General Purpose Operating Systems v4.2.1 |
RedHat 7 | PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7 |
RedHat 7 | RHV hardening based on STIG for Red Hat Enterprise Linux 7 |
RedHat 7 | VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization |
RedHat 7 | Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) |
RedHat 7 | Standard System Security Profile for Red Hat Enterprise Linux 7 |
RedHat 7 | DISA STIG for Red Hat Enterprise Linux 7 |
RedHat 7 | DISA STIG with GUI for Red Hat Enterprise Linux 7 |
RedHat 8 | ANSSI-BP-028 (enhanced) |
RedHat 8 | ANSSI-BP-028 (high) |
RedHat 8 | ANSSI-BP-028 (intermediary) |
RedHat 8 | ANSSI-BP-028 (minimal) |
RedHat 8 | CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server |
RedHat 8 | CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server |
RedHat 8 | CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation |
RedHat 8 | CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation |
RedHat 8 | Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) |
RedHat 8 | Australian Cyber Security Centre (ACSC) Essential Eight |
RedHat 8 | Health Insurance Portability and Accountability Act (HIPAA) |
RedHat 8 | Australian Cyber Security Centre (ACSC) ISM Official |
RedHat 8 | Protection Profile for General Purpose Operating Systems |
RedHat 8 | PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8 |
RedHat 8 | DISA STIG for Red Hat Enterprise Linux 8 |
RedHat 8 | DISA STIG with GUI for Red Hat Enterprise Linux 8 |
RedHat 9 | ANSSI-BP-028 (enhanced) |
RedHat 9 | ANSSI-BP-028 (high) |
RedHat 9 | ANSSI-BP-028 (intermediary) |
RedHat 9 | ANSSI-BP-028 (minimal) |
RedHat 9 | Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced |
RedHat 9 | Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic |
RedHat 9 | Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate |
RedHat 9 | CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server |
RedHat 9 | CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server |
RedHat 9 | CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation |
RedHat 9 | CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation |
RedHat 9 | DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) |
RedHat 9 | Australian Cyber Security Centre (ACSC) Essential Eight |
RedHat 9 | Health Insurance Portability and Accountability Act (HIPAA) |
RedHat 9 | Australian Cyber Security Centre (ACSC) ISM Official |
RedHat 9 | Protection Profile for General Purpose Operating Systems |
RedHat 9 | PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9 |
RedHat 9 | DISA STIG for Red Hat Enterprise Linux 9 |
RedHat 9 | DISA STIG with GUI for Red Hat Enterprise Linux 9 |
SLES 15 | ANSSI-BP-028 (enhanced) |
SLES 15 | ANSSI-BP-028 (high) |
SLES 15 | ANSSI-BP-028 (intermediary) |
SLES 15 | ANSSI-BP-028 (minimal) |
SLES 15 | CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server |
SLES 15 | CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server |
SLES 15 | CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation |
SLES 15 | CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation |
SLES 15 | Health Insurance Portability and Accountability Act (HIPAA) |
SLES 15 | PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15 |
SLES 15 | Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15 |
SLES 15 | Public Cloud Hardening for SUSE Linux Enterprise 15 |
SLES 15 | Standard System Security Profile for SUSE Linux Enterprise 15 |
SLES 15 | DISA STIG for SUSE Linux Enterprise 15 |
Ubuntu 20.04 | CIS Ubuntu 20.04 Level 1 Server Benchmark |
Ubuntu 20.04 | CIS Ubuntu 20.04 Level 1 Workstation Benchmark |
Ubuntu 20.04 | CIS Ubuntu 20.04 Level 2 Server Benchmark |
Ubuntu 20.04 | CIS Ubuntu 20.04 Level 2 Workstation Benchmark |
Ubuntu 20.04 | Standard System Security Profile for Ubuntu 20.04 |
Ubuntu 20.04 | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R9 |
Ubuntu 22.04 | CIS Ubuntu 22.04 Level 1 Server Benchmark |
Ubuntu 22.04 | CIS Ubuntu 22.04 Level 1 Workstation Benchmark |
Ubuntu 22.04 | CIS Ubuntu 22.04 Level 2 Server Benchmark |
Ubuntu 22.04 | CIS Ubuntu 22.04 Level 2 Workstation Benchmark |
Ubuntu 22.04 | Standard System Security Profile for Ubuntu 22.04 |
Ubuntu 22.04 | DRAFT Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) DRAFT |
Database Schema
The database schema can be found in the application, if the user has database::read permission, by going to menu: Admin -> Database -> List Tables, then clicking on the details button for the table.
API / Web Access
You can access the collection using the normal Open-AudIT JSON-based API, just like any other collection. Please see the Open-AudIT API documentation for further details.