Benchmarks


Introduction

Benchmarks provide security recommendations for your computers, utilising the OpenSCAP tools and policies.

From the OpenSCAP homepage: In the ever-changing world of computer security where new vulnerabilities are being discovered and patched every day, enforcing security compliance must be a continuous process. It also needs to include a way to make adjustments to policies, as well as periodic assessment and risk monitoring. The OpenSCAP ecosystem provides tools and customizable policies for a quick, cost-effective and flexible implementation of these processes.

The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines including a wide variety of hardening guides and configuration baselines developed by the open source community, ensuring that you can choose a security policy which best suits the needs of your organization, regardless of its size.

Security Content Automation Protocol (SCAP) is U.S. standard maintained by National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard, and has been awarded the SCAP 1.2 certification by NIST in 2014.

How Does it Work?

Benchmarks are created by providing an operating system and Version, combined with a specific guide and a list of machines to execute it upon. After creation, benchmarks are executed against the list of machines on a schedule.

You must have working SSH credentials to execute a benchmark. The following Operating Systems are currently supported: Centos 7, Debian 12, Redhat 7, Redhat 8, Redhat 9, SLES 15, Ubuntu 20.04, Ubuntu 22.04. We plan to expand on these with further releases.

Benchmark execution and processing can take a lengthy amount of time, hence the preference to schedule them and not run them ad-hoc.

Help

Not every computer will be able to successfully complete a benchmark. We have seen in some fail in testing for reasons beyond our control. The logs should help point you in the right direction for these items.

Warning

As per the OpenSCAP benchmarks - Do not attempt to implement any of the settings in this benchmark without first testing them in a non-operational environment. The creators of this benchmark assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Seriously, just don't blindly start "fixing" issues revealed after running a benchmark without first thoroughly testing in a non-production, identical environment.



Available Benchmarks

OSBenchmark
CentOS 7C2S for Red Hat Enterprise Linux 7
CentOS 7ANSSI-BP-028 (enhanced)
CentOS 7ANSSI-BP-028 (high)
CentOS 7ANSSI-BP-028 (intermediary)
CentOS 7ANSSI-BP-028 (minimal)
CentOS 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
CentOS 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
CentOS 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
CentOS 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
CentOS 7Criminal Justice Information Services (CJIS) Security Policy
CentOS 7Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
CentOS 7Australian Cyber Security Centre (ACSC) Essential Eight
CentOS 7Health Insurance Portability and Accountability Act (HIPAA)
CentOS 7NIST National Checklist Program Security Guide
CentOS 7OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
CentOS 7PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7
CentOS 7RHV hardening based on STIG for Red Hat Enterprise Linux 7
CentOS 7VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization
CentOS 7Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
CentOS 7Standard System Security Profile for Red Hat Enterprise Linux 7
CentOS 7DISA STIG for Red Hat Enterprise Linux 7
CentOS 7DISA STIG with GUI for Red Hat Enterprise Linux 7


Debian 12ANSSI-BP-028 (enhanced)
Debian 12ANSSI-BP-028 (high)
Debian 12ANSSI-BP-028 (intermediary)
Debian 12ANSSI-BP-028 (minimal)
Debian 12Profile for ANSSI DAT-NT28 Average (Intermediate) Level
Debian 12Profile for ANSSI DAT-NT28 High (Enforced) Level
Debian 12Profile for ANSSI DAT-NT28 Minimal Level
Debian 12Profile for ANSSI DAT-NT28 Restrictive Level
Debian 12Standard System Security Profile for Debian 12


RedHat 7C2S for Red Hat Enterprise Linux 7
RedHat 7ANSSI-BP-028 (enhanced)
RedHat 7ANSSI-BP-028 (high)
RedHat 7ANSSI-BP-028 (intermediary)
RedHat 7ANSSI-BP-028 (minimal)
RedHat 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
RedHat 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
RedHat 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
RedHat 7CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
RedHat 7Criminal Justice Information Services (CJIS) Security Policy
RedHat 7Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
RedHat 7Australian Cyber Security Centre (ACSC) Essential Eight
RedHat 7Health Insurance Portability and Accountability Act (HIPAA)
RedHat 7NIST National Checklist Program Security Guide
RedHat 7OSPP - Protection Profile for General Purpose Operating Systems v4.2.1
RedHat 7PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7
RedHat 7RHV hardening based on STIG for Red Hat Enterprise Linux 7
RedHat 7VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization
RedHat 7Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
RedHat 7Standard System Security Profile for Red Hat Enterprise Linux 7
RedHat 7DISA STIG for Red Hat Enterprise Linux 7
RedHat 7DISA STIG with GUI for Red Hat Enterprise Linux 7


RedHat 8ANSSI-BP-028 (enhanced)
RedHat 8ANSSI-BP-028 (high)
RedHat 8ANSSI-BP-028 (intermediary)
RedHat 8ANSSI-BP-028 (minimal)
RedHat 8CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
RedHat 8CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
RedHat 8CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
RedHat 8CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
RedHat 8Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
RedHat 8Australian Cyber Security Centre (ACSC) Essential Eight
RedHat 8Health Insurance Portability and Accountability Act (HIPAA)
RedHat 8Australian Cyber Security Centre (ACSC) ISM Official
RedHat 8Protection Profile for General Purpose Operating Systems
RedHat 8PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8
RedHat 8DISA STIG for Red Hat Enterprise Linux 8
RedHat 8DISA STIG with GUI for Red Hat Enterprise Linux 8


RedHat 9ANSSI-BP-028 (enhanced)
RedHat 9ANSSI-BP-028 (high)
RedHat 9ANSSI-BP-028 (intermediary)
RedHat 9ANSSI-BP-028 (minimal)
RedHat 9Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Advanced
RedHat 9Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Basic
RedHat 9Centro Criptológico Nacional (CCN) - STIC for Red Hat Enterprise Linux 9 - Intermediate
RedHat 9CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
RedHat 9CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
RedHat 9CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
RedHat 9CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
RedHat 9DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
RedHat 9Australian Cyber Security Centre (ACSC) Essential Eight
RedHat 9Health Insurance Portability and Accountability Act (HIPAA)
RedHat 9Australian Cyber Security Centre (ACSC) ISM Official
RedHat 9Protection Profile for General Purpose Operating Systems
RedHat 9PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
RedHat 9DISA STIG for Red Hat Enterprise Linux 9
RedHat 9DISA STIG with GUI for Red Hat Enterprise Linux 9


SLES 15ANSSI-BP-028 (enhanced)
SLES 15ANSSI-BP-028 (high)
SLES 15ANSSI-BP-028 (intermediary)
SLES 15ANSSI-BP-028 (minimal)
SLES 15CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
SLES 15CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
SLES 15CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
SLES 15CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
SLES 15Health Insurance Portability and Accountability Act (HIPAA)
SLES 15PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15
SLES 15Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15
SLES 15Public Cloud Hardening for SUSE Linux Enterprise 15
SLES 15Standard System Security Profile for SUSE Linux Enterprise 15
SLES 15DISA STIG for SUSE Linux Enterprise 15


Ubuntu 20.04CIS Ubuntu 20.04 Level 1 Server Benchmark
Ubuntu 20.04CIS Ubuntu 20.04 Level 1 Workstation Benchmark
Ubuntu 20.04CIS Ubuntu 20.04 Level 2 Server Benchmark
Ubuntu 20.04CIS Ubuntu 20.04 Level 2 Workstation Benchmark
Ubuntu 20.04Standard System Security Profile for Ubuntu 20.04
Ubuntu 20.04Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R9


Ubuntu 22.04CIS Ubuntu 22.04 Level 1 Server Benchmark
Ubuntu 22.04CIS Ubuntu 22.04 Level 1 Workstation Benchmark
Ubuntu 22.04CIS Ubuntu 22.04 Level 2 Server Benchmark
Ubuntu 22.04CIS Ubuntu 22.04 Level 2 Workstation Benchmark
Ubuntu 22.04Standard System Security Profile for Ubuntu 22.04
Ubuntu 22.04DRAFT Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) DRAFT

Database Schema

The database schema can be found in the application is the user has database::read permission by going to menu: Admin -> Database -> List Tables, then clicking on the details button for the table.


API / Web Access

You can access the collection using the normal Open-AudIT JSON based API. Just like any other collection. Please see The Open-AudIT API documentation for further details.





Related pages