
To verify your system's security, having a scanning tool like OpenSCAP is not enough.




Choosing a Policy

There is no need to be an expert in security to deploy a security policy. You don’t even need to learn the SCAP standard to write a security policy. Many security policies are available online, in a standardized form of SCAP checklists. Unfortunately, there is no universal security policy that could be applied everywhere; each organization has different needs and different security requirements. Before applying a security policy, it is necessary to think about your needs and go through the available offerings. This page will give you a brief overview of commonly-used security policies.

From a high-level point of view, a good security policy should balance security risk against your business's needs. A security policy should be written in a pro-active way – that is, it shouldn't describe what is forbidden, but instead what should be done, and how to do it. It is best to implement the security policy using SCAP documents, for ease of automation. A security policy must incorporate any mandatory government and industry requirements, and should be regularly updated and maintained.


Security specifications

Security Technical Implementation Guides (STIGs) by The United States Department of Defense specify how government computers must be configured and managed.
The United States Government Configuration Baseline (USGCB) creates security configuration baselines for IT products widely deployed across the federal agencies. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security.
Payment Card Industry Data Security Standard (PCI DSS) must be followed by anyone who is handling credit card information and payments. It is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes.

SCAP Content

SCAP Security Guide
NIST SCAP Content at the National Checklist Program Repository of the National Vulnerability Database offers publicly available security policies for a wide range of products. Repository: web.nvd.nist.gov/view/ncp/repository
The Red Hat repository of OVAL content consists of OVAL Definitions that correspond to Red Hat Errata security advisories. Repository: redhat.com/security/data/oval/
The SUSE Linux Enterprise OVAL Information database is an index of fixed security incidents, organized by product, RPM package name and version, for use in security compliance checking. Repository: ftp.suse.com/pub/projects/security/oval/

Security policies available in the SCAP Security Guide


The SCAP Security Guide is not just one security policy, but a whole collection of them. For each platform, there are several profiles which provide security policies implemented according to security baselines. You can view a guide by clicking the respective link.
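A profile in an XCCDF benchmark is simply a named selection of the benchmark's rules, and one profile may extend another. The script below, an added example rather than code from the OpenSCAP project or the SCAP Security Guide, parses a stand-alone XCCDF 1.2 Benchmark, lists its profiles, resolves which rules each one selects (honouring `extends` and the rules' own default selection) and flags selections that point at rules the benchmark does not contain. The benchmark embedded in it is constructed for this example and is not real SSG content; SSG ships its benchmarks inside a SCAP source data stream, where `oscap info FILE` prints the same profile ids.

```python
"""Enumerate the profiles of an XCCDF 1.2 benchmark and resolve the rules each selects.

Added example, not OpenSCAP or SCAP Security Guide code. Assumes a stand-alone
<Benchmark> element; the sample below is constructed and is not real SSG content.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: rules are selected="false" by default and opted in per profile.
SAMPLE_BENCHMARK = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <title>Constructed demo benchmark</title>
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline hardening (constructed)</title>
    <select idref="xccdf_org.example_rule_sshd_no_root_login" selected="true"/>
    <select idref="xccdf_org.example_rule_firewalld_enabled" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_strict" extends="xccdf_org.example_profile_baseline">
    <title>Strict hardening (constructed)</title>
    <select idref="xccdf_org.example_rule_auditd_enabled" selected="true"/>
    <select idref="xccdf_org.example_rule_firewalld_enabled" selected="false"/>
    <select idref="xccdf_org.example_rule_does_not_exist" selected="true"/>
  </Profile>
  <Group id="xccdf_org.example_group_services">
    <title>Services</title>
    <Rule id="xccdf_org.example_rule_sshd_no_root_login" severity="high" selected="false">
      <title>Disable root login over SSH</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_firewalld_enabled" severity="medium" selected="false">
      <title>Enable firewalld</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_auditd_enabled" severity="medium" selected="false">
      <title>Enable auditd</title>
    </Rule>
  </Group>
</Benchmark>
"""


def _is_true(value, default):
    """XCCDF booleans are written 'true'/'false' or '1'/'0'."""
    return default if value is None else value in ("true", "1")


def load_benchmark(xml_text):
    """Parse the text and check that the root really is an XCCDF 1.2 Benchmark."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Benchmark":
        raise ValueError(f"not an XCCDF 1.2 Benchmark: {root.tag}")
    return root


def rule_table(benchmark):
    """Map every Rule id to (severity, selected-by-default); Rules may nest inside Groups."""
    return {r.get("id"): (r.get("severity", "unknown"), _is_true(r.get("selected"), True))
            for r in benchmark.iter(f"{{{XCCDF_NS}}}Rule")}


def resolve_profiles(benchmark):
    """Return {profile_id: {"title", "selected", "missing", "by_severity"}}.

    A Rule's own 'selected' attribute applies first; the Profile's <select> elements
    then override it, with an extended parent Profile applied before the child.
    """
    rules = rule_table(benchmark)
    profiles = {p.get("id"): p for p in benchmark.findall("x:Profile", NS)}
    cache = {}

    def selection(pid, chain=()):
        if pid in cache:
            return cache[pid]
        if pid in chain:
            raise ValueError(f"cyclic 'extends' chain through {pid}")
        prof = profiles[pid]
        parent = prof.get("extends")
        if parent:
            selected, missing = (set(s) for s in selection(parent, chain + (pid,)))
        else:
            selected = {rid for rid, (_, default) in rules.items() if default}
            missing = set()
        for sel in prof.findall("x:select", NS):
            idref = sel.get("idref")
            if idref not in rules:
                missing.add(idref)  # the profile points at a rule the benchmark lacks
            elif _is_true(sel.get("selected"), True):
                selected.add(idref)
            else:
                selected.discard(idref)
        cache[pid] = (frozenset(selected), frozenset(missing))
        return cache[pid]

    result = {}
    for pid, prof in profiles.items():
        selected, missing = selection(pid)
        by_severity = {}
        for rid in selected:
            by_severity[rules[rid][0]] = by_severity.get(rules[rid][0], 0) + 1
        result[pid] = {"title": prof.findtext("x:title", default="", namespaces=NS),
                       "selected": sorted(selected), "missing": sorted(missing),
                       "by_severity": by_severity}
    return result


if __name__ == "__main__":
    for pid, info in resolve_profiles(load_benchmark(SAMPLE_BENCHMARK)).items():
        print(f"{pid}: {info['title']} -> {len(info['selected'])} rules {info['by_severity']}")
        if info["missing"]:
            print(f"  WARNING: selects unknown rules: {info['missing']}")
```

Running the script on the constructed benchmark shows the strict profile inheriting the baseline's SSH rule, adding auditd, dropping firewalld, and warning about the dangling `does_not_exist` selection; the same counting logic applied to a real SSG benchmark gives a quick picture of how much each profile actually enforces before you commit a fleet to it.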


Guides to the secure configuration of the following platforms, with their profiles, are currently available upstream:


Alibaba Cloud Linux 2
Alibaba Cloud Linux 3
Anolis OS 8
Debian 10
Debian 11
Amazon Elastic Kubernetes Service
Apple macOS 10.15
Red Hat OpenShift Container Platform 4
Oracle Linux 7
Oracle Linux 8
Oracle Linux 9
Red Hat Enterprise Linux CoreOS 4
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Virtualization 4
SUSE Linux Enterprise 12
SUSE Linux Enterprise 15
Ubuntu 16.04
Ubuntu 18.04
Ubuntu 20.04
Ubuntu 22.04
UnionTech OS Server 20