diff --git a/docs/index.rst b/docs/index.rst
index da69de9b002..40277fc5bab 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -2,6 +2,15 @@
ComplianceAsCode/content
========================
+.. toctree::
+ :maxdepth: 2
+ :glob:
+ :caption: User Guide
+ :name: User Guide
+
+ manual/user/*
+
+
.. toctree::
:maxdepth: 2
:glob:
diff --git a/docs/manual/developer/01_introduction.md b/docs/manual/developer/01_introduction.md
index 7a5742daf20..fa8a44b63e4 100644
--- a/docs/manual/developer/01_introduction.md
+++ b/docs/manual/developer/01_introduction.md
@@ -88,7 +88,7 @@ Products may be subject to removal from the project if at **least one** of the f
The following process shall be used to start the removal of the product:
1. A GitHub issue is created proposing the removal of the product.
The issue must contain the following:
- 1. The end date and time (in UTC) of the comment period
+ 1. The end date and time (in UTC) of the comment period
1. A mention of the last contributor to the product, more than one is preferred
1. The reason for removal (lack of contributions or product EOL)
1. A comment period of **21 days** shall be observed.
@@ -101,6 +101,7 @@ The pull request removing the product should include the removal of
1. the product from all `prodtype`
1. any product specific checks or remediatons
1. any product specific templates
+1. The removal must be documented in the [user guide](../user/30_content_notes.md#deprecated-content).
All issues and pull requests for product removal must use the [product-removal](https://github.com/ComplianceAsCode/content/labels/product-removal) label.
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 117fd811bde..aeaf336b56a 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1,6 +1,6 @@
# ComplianceAsCode Developer Guide
-WARNING: This guide has been deprecated. Please check the latest link:https://complianceascode.readthedocs.io/[ComplianceAsCode Developer Documentation].
+WARNING: This guide has been deprecated. Please check the latest link:https://complianceascode.readthedocs.io/[ComplianceAsCode Documentation].
To contribute to the new documentation (or to read it offline), check the
files in the `developer/` folder. Commits into those documents will be
diff --git a/docs/manual/user/01_introduction.md b/docs/manual/user/01_introduction.md
new file mode 100644
index 00000000000..5017a5d4c66
--- /dev/null
+++ b/docs/manual/user/01_introduction.md
@@ -0,0 +1,8 @@
+# Introduction
+
+The ComplianceAsCode ([historical called the SCAP Security Guide](../developer/09_legacy_notice.md)) project delivers security guidance, baselines and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). ComplianceAsCode provides content for Red Hat Enterprise Linux.
+In addition to hardening advice, ComplianceAsCode links back to compliance requirements in order to ease deployment activities, such as certification and accreditation.
+These include requirements in the U.S. Government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries.
+For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are.
+The ComplianceAsCode bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.
+The project homepage is [https://www.open-scap.org/security-policies/scap-security-guide](https://www.open-scap.org/security-policies/scap-security-guide).
diff --git a/docs/manual/user/10_install.md b/docs/manual/user/10_install.md
new file mode 100644
index 00000000000..9469203b28f
--- /dev/null
+++ b/docs/manual/user/10_install.md
@@ -0,0 +1,37 @@
+# Installing
+
+By installing distribution packages, you will get the built content.
+For example, on Red Hat-based distributions, those will be files under the `/usr/share/xml/scap/ssg/content/` directory.
+What files will that be depends on the distribution, but for example on Fedora, you will get the Fedora datastream at `/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml`.
+
+
+## Installing from distribution packages
+
+### Red Hat Enterprise Linux 7
+
+```
+$ sudo yum -y install scap-security-guide
+```
+
+### Fedora / Red Hat Enterprise Linux 8+
+```
+$ sudo dnf -y install scap-security-guide
+```
+
+### Debian
+```
+$ sudo apt install ssg-debian # for Debian guides
+$ sudo apt install ssg-debderived # for Debian-based distributions (e.g. Ubuntu) guides
+$ sudo apt install ssg-nondebian # for other distributions guides (RHEL, Fedora, etc.)
+$ sudo apt install ssg-applications # for application-oriented guides (Firefox, JBoss, etc.)
+```
+
+## Installing content from upstream
+
+If you need to use upstream content rather than what is shipped in the distribution, you can download the nightly build, or build it yourself.
+
+The nightly builds are performed by [GitHub Actions](https://docs.github.com/en/actions) nightly. Below is a direct link to the latest build:
+
+* [https://nightly.link/ComplianceAsCode/content/workflows/nightly_build/master/Nightly%20Build.zip](https://nightly.link/ComplianceAsCode/content/workflows/nightly_build/master/Nightly%20Build.zip)
+
+If you wish to build the content yourself, please, refer to the [Developer Guide](../developer/02_building_complianceascode.md#building-complianceascode).
diff --git a/docs/manual/user/20_scanning.md b/docs/manual/user/20_scanning.md
new file mode 100644
index 00000000000..525ef971509
--- /dev/null
+++ b/docs/manual/user/20_scanning.md
@@ -0,0 +1,192 @@
+# Scanning
+## Running a Scan with OpenSCAP
+
+#### Command Line Interface (CLI)
+This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents.
+
+See also [OpenSCAP User Manual](https://static.open-scap.org/openscap-1.3/oscap_user_manual.html) for instructions how to use OpenSCAP.
+Additional details regarding OpenSCAP can be found on the project homepage located at [open-scap.org](http://open-scap.org/).
+
+Five arguments to OpenSCAP are needed to perform a system scan against the upstream a profile:
+
+* `--profile`
+ * Mandatory, identifies which profile to scan against
+
+* `--results`
+ * Optional, indicates location to place ARF XML formatted results
+
+* `--report`
+ * Optional, indicates location to place HTML formatted results
+
+* datastream location
+ * Mandatory, identifies location of SCAP Source Datastream file
+
+Putting these arguments together, a properly formatted command would be:
+
+```
+$ sudo oscap xccdf eval --profile stig \
+--results /tmp/results.xml \
+--report /tmp/report.html \
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
+```
+
+While the scan is running, you will see output similar to the following on your screen:
+
+```
+Title Install AIDE
+Rule package_aide_installed
+Ident CCE-83457-2
+Result fail
+
+Title Configure Periodic Execution of AIDE
+Rule aide_periodic_cron_checking
+Ident CCE-83437-4
+Result notchecked
+
+Title Verify File Permissions with RPM
+Rule rpm_verify_permissions
+Ident CCE-90840-0
+Result fail
+
+Title Verify File Hashes with RPM
+Rule rpm_verify_hashes
+Ident CCE-90841-8
+Result pass
+```
+
+### Results Interpretation
+
+#### HTML Results
+
+Just open the `/tmp/report.html` file in your favorite browser.
+
+#### XML Results
+
+Looking at the `/tmp/results.xml` file, you will notice lines similar to those below:
+
+```xml
+
+ pass
+ CCE-83457-2
+
+
+
+
+ ......
+
+ pass
+ CCE-90843-4
+
+ yum -y install aide
+
+
+
+
+
+```
+
+The XML above can be parsed as follows:
+
+XCCDF Rule Elements
+
+| XML Tag | Meaning |
+|:---------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `` | Identifies which XCCDF rule the result reflects |
+| `` | Pass/Fail/Not Applicable |
+| `` | Remediation actions, in bash, which will configure the system to be in compliance with the XCCDF rule. |
+| `` | Identifies which version of OVAL the check was authored against. |
+| `` | Corresponding OVAL check name (`name`) and source OVAL file (`href`) this check came from. For general purpose users, this information can be ignored. |
+
+### Remediation
+
+#### Bash Scripts
+
+A Bash remediation script for each profile is shipped in `scap-security-guide` package.
+The scripts can be found in `/usr/share/scap-security-guide/bash/` or if you build the project from source in `./build/bash`.
+
+Moreover, ComplianceAsCode embeds bash remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aid in potential remediation of system misconfigurations.
+
+OpenSCAP, the CLI delivered with Fedora, Red Hat Enterprise Linux systems and other Linux distributions, contains the ability to transform XML results into an executable script.
+The syntax to generate a remediation script is:
+
+
+```
+$ oscap xccdf generate fix \
+--result-id xccdf_org.open-scap_testresult_{profile-name} \
+/root/ssg-results.xml
+```
+
+
+Replace `{profile-name}` with the profile the system was scanned against. For example, for `stig`:
+
+```
+$ oscap xccdf generate fix \
+--result-id xccdf_org.open-scap_testresult_stig \
+/root/ssg-results.xml
+```
+
+You will receive output similar to the following:
+
+```
+$ oscap xccdf generate fix \
+--result-id xccdf_org.open-scap_testresult_stig \
+/root/ssg-results.xml
+
+#!/bin/bash
+# OpenSCAP fix generator output for benchmark: DRAFT Guide
+# to the Secure Configuration of Red Hat Enterprise Linux 8
+
+# XCCDF rule: set_sysctl_net_ipv4_conf_default_rp_filter
+# CCE-26915-9
+#
+# Set runtime for net.ipv4.conf.default.rp_filter
+#
+sysctl -q -n -w net.ipv4.conf.default.rp_filter=1
+
+#
+# If net.ipv4.conf.default.rp_filter present in
+# /etc/sysctl.conf, change value to "1"
+# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
+#
+if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then sed -i \
+ 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter \
+ = 1/g' /etc/sysctl.conf
+else
+echo "" >> /etc/sysctl.conf
+echo "# Set net.ipv4.conf.default.rp_filter to 1 per \
+ security requirements" >> /etc/sysctl.conf
+echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
+fi
+
+# XCCDF rule: uninstall_xinetd
+# CCE-27005-8
+if rpm -qa | grep -q xinetd; then
+yum -y remove xinetd
+fi
+
+# generated: 2013-07-05T13:56:30-04:00
+# END OF SCRIPT
+```
+
+This output could be redirected to a bash script, or built into your RHEL7 provisioning process (e.g. the %post section of a kickstart).
+
+#### Ansible Playbooks
+
+ComplianceAsCode embeds Ansible remediation scripts into the SCAP content.
+This allows for SCAP compatible tools to extract these remediation scripts to aid in potential remediation of system misconfigurations.
+
+You can create these playbooks by running:
+
+```
+$ oscap xccdf generate fix --profile stig --fix-type ansible /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > ssg-rhel9-stig.yml
+```
+
+IMPORTANT: The minimum version of Ansible must be at the latest supported version.
+See [Red Hat Ansible Engine Life Cycle Page](https://access.redhat.com/support/policy/updates/ansible-engine) for information on the supported Ansible versions.
+
+## Other Scanners
+### Security Content Automation Protocol (SCAP) Compliance Checker (SCC)
+Funded by the Internal Revenue Service, the National Security Agency, and other United States government agencies Naval Information Warfare Center (NIWC) Atlantic has authored a SCAP Compliance Checker (SCC).
+The NIWC SCC tool is available to the general public.
+The NIWC SCC website is [www.niwcatlantic.navy.mil/scap](https://www.niwcatlantic.navy.mil/scap/).
+The SCC tool is available for download at [public.cyber.mil/stigs/scap](https://public.cyber.mil/stigs/scap/).
diff --git a/docs/manual/user/30_content_notes.md b/docs/manual/user/30_content_notes.md
new file mode 100644
index 00000000000..81e04a087fa
--- /dev/null
+++ b/docs/manual/user/30_content_notes.md
@@ -0,0 +1,24 @@
+# Content Notes
+
+## Deprecated Content
+Below is list of products that have been removed from the project.
+
+| Product | EOL Date | Last Release |
+|----------------------------------------------|--------------------|------------------------------------------------------------------------------------|
+| Debian 8 | June 30, 2020 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Debian 9 | June 30, 2022 | [content 0.1.65](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65) |
+| Java Runtime Environment | - | [content 0.1.64](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64) |
+| JBoss EAP 5 | November 30, 2016 | [content 0.1.35](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.35) |
+| JBoss EAP 6 | June 30, 2019 | [content 0.1.53](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53) |
+| JBoss Fuse 6 | January 1, 2022 | [content 0.1.64](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64) |
+| McAfee VirusScan Enterprise for Linux (VESL) | December 31, 2021 | [content 0.1.65](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65) |
+| Red Hat Enterprise Linux 5 | March 31, 2017 | [content 0.1.34](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.34) |
+| Red Hat Enterprise Linux 6 | June 1, 2022 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Red Hat Enterprise Virtualization Manager 3 | September 30, 2018 | [content 0.1.38](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.38) |
+| Red Hat OpenShift Container Platform 3 | June 1, 2022 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Red Hat OpenStack Platform 7 | August 5, 2018 | [content 0.1.41](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41) |
+| SUSE Enterprise Linux 11 | March 31, 2019 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Ubuntu 14.04 | April 30, 2019 | [content 0.1.52](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52) |
+| Webmin | - | [content 0.1.38](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.38) |
+| Wind River Linux 1019 | - | [content 0.1.63](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.63) |
+| Wind River Linux 8 | - | [content 0.1.63](https://github.com/ComplianceAsCode/content/releases/tag/v0.1.63) |
diff --git a/docs/manual/user_guide.adoc b/docs/manual/user_guide.adoc
index c1516f5f2d4..d7a766eb9d4 100644
--- a/docs/manual/user_guide.adoc
+++ b/docs/manual/user_guide.adoc
@@ -1,650 +1,7 @@
-= ComplianceAsCode User Guide
-:imagesdir: ./images
-:toc:
-:toc-placement: preamble
-:numbered:
+# ComplianceAsCode User Guide
-toc::[]
-
-== Introduction
-
-The ComplianceAsCode (SSG) project delivers security guidance, baselines and
-associated validation mechanisms utilizing the Security Content Automation
-Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux.
-In addition to hardening advice, SSG links back to compliance requirements in
-order to eease deployment activities, such as certification and accreditation.
-These include requirements in the U.S. Government (Federal, Defense, and
-Intelligence Community) as well as of the financial services and health care
-industries. For example, high-level and widely-accepted policies such as NIST
-80-53 provide prose stating that System Administrators must audit "privileged
-user actions," but do not define what "privileged actions" are. The SSG bridges
-the gap between generalized policy requirements and specific implementation
-guidance, in SCAP formats to support automation whenever possible.
-The project homepage is
-https://www.open-scap.org/security-policies/scap-security-guide.
-
-=== Government/Industry Collaboration
-
-image::logos-400x400-nsa-300x300.jpg[align="left"]
-
-The https://www.nsa.gov[National Security Agency]'s
-https://www.iad.gov/iad/index.cfm[Information Assuranc Directorate] (NSA IAD)
-is presidentially mandated to protect Confidential, Secret, and Top Secret
-information that could reasonably be expected to cause damage to U.S. National
-Security. As part of this mission, NSA develops and distributes configuration
-guidance for operating systems. These guides are currently being used
-throughout the U.S. government and by numerous entities as a security baseline
-for their systems. The ComplianceAsCode project serves as NSA's upstream
-source for https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2[Red Hat Enterprise Linux operating system guidance].
-
-image::logos-400x400-disa-300x300.jpg[align="left"]
-
-The http://www.disa.mil/About/Our-Organization-Structure/OD-Field-Office/Field-Security-Operations[U.S. Defense Information Systems Agency, Field Security Operations]
-(DISA FSO) authors hardening guidance known as Security Technical
-Implementation Guides (https://public.cyber.mil/stigs/[STIGs]). These
-documents, used throughout the U.S. military to harden systems, establish
-formal security compliance baselines. The ComplianceAsCode project serves as
-the usptream development source for
-https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux[Red Hat STIG content]
-and helps DISA FSO move towards their business objective of utilizing
-SCAP-based formats to automate security compliance across U.S. military
-organizations.
-
-image::logos-400x400-nist-300x300.jpg[align="left"]
-
-NIST publishes 'National Checklists' for software, which https://nvd.nist.gov/ncp/repository[as defined directly by NIST]:
-
-“The National Checklist Program (NCP), defined by the http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.2[NIST SP 800-70 Rev. 2], is
-the U.S. Government repositiory of publicly available securiyy checklists (or
-benchmarks) that provide detailed low level guidance on setting the security
-configuration of operating systems and applications. NCP is migrating its
-repository of checklists to conform to the Security Content Automation Protocol
-(SCAP).”
-
-The ComplianceAsCode project serves as the upstream repository for
-https://nvd.nist.gov/ncp/checklist/811[Red Hat Enterprise Linux related checklists].
-
-== Installing
-
-By installing distribution packages, you will get the built content.
-For example, on Red Hat-based distributions, those will be files under the `/usr/share/xml/scap/ssg/content/` directory.
-What files will that be depends on the distribution, but for example on Fedora, you will get the Fedora datastream at `/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml`.
-
-
-=== Installing from distribution packages
-
-* Red Hat Enterprise Linux 7+
-+
-------------
-$ sudo yum -y install scap-security-guide
-------------
-
-* Fedora
-+
-------------
-$ sudo dnf -y install scap-security-guide
-------------
-
-
-=== Installing content from upstream
-
-If you need to use upstream content rather than what is shipped in the distribution, you can download the nightly build, or build it yourself.
-
-The nightly builds are performed by our link:https://jenkins.complianceascode.io/view/Maintenance%20Jobs/[Jenkins instance], in the nightly jobs. Below are direct links to the latest builds:
-
-* link:https://jenkins.complianceascode.io/view/SCAP%20Security%20Guide/job/scap-security-guide-nightly-zip/lastSuccessfulBuild/artifact/scap-security-guide-nightly.zip[nightly build with OVAL 5.11]
-
-If you wish to build the content yourself, please, refer to link:https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc#3-building-complianceascode[Building Compliance as Code] section, in the link:https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc[Developer Guide].
-
-
-== Running a Scan
-
-=== Command Line Interface (CLI)
-This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents.
-
-See also https://static.open-scap.org/openscap-1.3/oscap_user_manual.html[OpenSCAP User Manual] for instructions how to use OpenSCAP.
-Additional details regarding OpenSCAP can be found on the project homepage located at http://open-scap.org/.
-
-Five arguments to OpenSCAP are needed to perform a system scan against the upstream DISA STIG profile:
-
- * --profile +
- Mandatory, identifies which profile to scan against
-
- * --results +
- Optional, indicates location to place XML formatted results
-
- * --report +
- Optional, indicates location to place HTML formatted results
-
- * datastream location +
- Mandatory, identifies location of SCAP Source Datastream file
-
-Putting these arguments together, a properly formatted command would be:
-
-----
-$ sudo oscap xccdf eval --profile stig \
---results /tmp/results.xml \
---report /tmp/report.html \
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
-----
-
-While the scan is running, you will see output similar to the following on your screen:
-
-----
-Title Install AIDE
-Rule package_aide_installed
-Ident CCE-27024-9
-Result fail
-
-Title Configure Periodic Execution of AIDE
-Rule aide_periodic_cron_checking
-Ident CCE-27222-9
-Result notchecked
-
-Title Verify File Permissions with RPM
-Rule rpm_verify_permissions
-Ident CCE-26731-0
-Result fail
-
-Title Verify File Hashes with RPM
-Rule rpm_verify_hashes
-Ident CCE-27223-7
-Result pass
-----
-
-=== Results Interpretation
-
-==== HTML Results
-
-Just open the `/tmp/report.html` file in your favorite browser.
-
-==== XML Results
-
-Looking at the `/tmp/results.xml` file, you will notice lines similar to those below:
-
-----
-
- pass
- CCE-26709-6
-
-
-
-
- ......
-
- pass
- CCE-27024-9
-
- yum -y install aide
-
-
-
-
-
-----
- The XML above can be parsed as follows:
-
-.Table XCCDF Rule Elements
-|===
-|XML Tag |Meaning
-||Identifies which XCCDF rule the result reflects
-||Pass/Fail/Not Applicable
-||Identifies corresponding CCE
-||Remediation actions, in bash, which will configure the system to be in compliance with the XCCDF rule
-||Identifies which version of OVAL the check was authored against
-||Corresponding OVAL check name (name=....) and source OVAL file (href=....) this check came from. For general purpose users, this information can be ignored.
-|===
-
-=== Remediation
-
-==== Bash Scripts
-
-A Bash remediation script for each profile is shipped in `scap-security-guide` package.
-The scripts can be found in `/usr/share/scap-security-guide/bash/` or if you build the project from source in `./build/bash`.
-
-Moreover, ComplianceAsCode embeds bash remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations.
-
-OpenSCAP, the CLI delivered with Fedora and Red Hat Enterprise Linux systems, contains the ability to transform XML results into an executable script. The syntax to generate a remediation script is:
-
-----
-$ oscap xccdf generate fix \
---result-id xccdf_org.open-scap_testresult_{profile-name} \
-/root/ssg-results.xml
-----
-
-Replace {profile-name} with the profile the system was scanned against. For example, for stig-rhel6-server:
-
-----
-$ oscap xccdf generate fix \
---result-id xccdf_org.open-scap_testresult_stig \
-/root/ssg-results.xml
-----
-
-You will receive output similar to the following:
-
-----
-$ oscap xccdf generate fix \
---result-id xccdf_org.open-scap_testresult_stig \
-/root/ssg-results.xml
-
-#!/bin/bash
-# OpenSCAP fix generator output for benchmark: DRAFT Guide
-# to the Secure Configuration of Red Hat Enterprise Linux 8
-
-# XCCDF rule: set_sysctl_net_ipv4_conf_default_rp_filter
-# CCE-26915-9
-#
-# Set runtime for net.ipv4.conf.default.rp_filter
-#
-sysctl -q -n -w net.ipv4.conf.default.rp_filter=1
-
-#
-# If net.ipv4.conf.default.rp_filter present in
-# /etc/sysctl.conf, change value to "1"
-# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
-#
-if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then sed -i \
- 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter \
- = 1/g' /etc/sysctl.conf
-else
-echo "" >> /etc/sysctl.conf
-echo "# Set net.ipv4.conf.default.rp_filter to 1 per \
- security requirements" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
-fi
-
-# XCCDF rule: uninstall_xinetd
-# CCE-27005-8
-if rpm -qa | grep -q xinetd; then
-yum -y remove xinetd
-fi
-
-# generated: 2013-07-05T13:56:30-04:00
-# END OF SCRIPT
-----
-
-This output could be redirected to a bash script, or built into your RHEL7 provisioning process (e.g. the %post section of a kickstart).
-
-#### Ansible Playbooks
-
-ComplianceAsCode embeds ansible remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations. When using OpenSCAP with
-Ansible, it is advisable to use the playbooks from https://github.com/RedHatOfficial. These playbooks are generated from the ComplianceAsCode project and are also available on Ansible Galaxy.
-
-IMPORTANT: The minimum version of Ansible must be at the latest supported version. See https://access.redhat.com/support/policy/updates/ansible-engine for information on the supported Ansible versions.
-
-## Content Notes
-
-### Note on content for Red Hat Virtualization 4
-
-As RHV moves to be based on el8, the contents of `rhv4` will also move to be based on el8.
-
-If you need content for RHV based on el7, use the Red Hat Enterprise Linux 7 (`rhel7`) content.
-
-## Deprecated Content
-
-.Deprecated or Removed Content
-|===
-|Product |EOL Date |Last Release
-
-|Debian 8
-|June 30, 2020
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52[content 0.1.52]
-
-|Red Hat OpenStack Platform 7
-|August 5, 2018
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41[content 0.1.41]
-
-|Webmin
-|-
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.38[SSG 0.1.38]
-
-|Red Hat Enterprise Virtualization Manager 3
-|September 30, 2018
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.38[SSG 0.1.38]
-
-|JBoss EAP 5
-|November 30, 2016
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.35[SSG 0.1.35]
-
-|JBoss EAP 6
-|June 30, 2019
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53[content 0.1.53]
-
-JBoss Fuse 6
-|January 1, 2022
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64[content 0.1.64]
-
-|Red Hat Enterprise Linux 5
-|March 31, 2017
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.34[SSG 0.1.34]
-
-|Ubuntu 14.04
-|April 30, 2019
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52[content 0.1.52]
-
-|SUSE Enterprise Linux 11
-|March 31, 2019
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52[content 0.1.52]
-
-|Red Hat OpenShift Container Platform 3
-|June 1, 2022
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52[content 0.1.52]
-
-|Red Hat Enterprise Linux 6
-|November 1, 2020
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52[content 0.1.52]
-
-|Java Runtime Environment
-| N/A
-| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64[content 0.1.64]
-
-|===
-
-== Alternative Scanning Tools
-
-=== NIWC SCAP Compliance Checker (SCC)
-
-Funded by the Internal Revenue Service and the National Security Agency,
-Naval Information Warfare Center (NIWC) Atlantic has authored a SCAP
-Compliance Checker (SCC). The NIWC SCC tool is available to the general
-public. The NIWC SCC website is https://www.niwcatlantic.navy.mil/scap/.
-The SCC tool is available for download at https://public.cyber.mil/stigs/scap.
-
-
-To utilize SCC with ComplianceAsCode content:
-
-1. Import SSG content into SCC through the cscc -is command
-+
-----
- [root@localhost scc]# cd /opt/scc
-
- [root@localhost scc]# ./cscc -is /home/testUser/Desktop/ssg_scc.zip
- Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-oval.xml.
- Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-dictionary.xml.
- Extracted: /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml.
- Extracted: /opt/scc/Resources/Content/ssg-rhel6-ocil.xml.
- Extracted: /opt/scc/Resources/Content/ssg-rhel6-oval.xml.
- SCAP Content successfully installed to the Resources/Content directory.
- Please enable content by running CSCC with the '--config' option.
-----
-+
-2. Enable the SSG content by first executing cscc --config:
-+
-----
- [root@localhost scc]# ./cscc --config
-
- SCC 3.1 RC2 configuration edit menu.
- Make menu selection:
-
- 1. Configure SCAP content
- 2. Configure SCAP profiles
- 3. Delete SCAP content
- 4. Configure OVAL content
- 5. Delete OVAL content
- 6. Configure Options
- 7. Configure SSH Options
- 8. Exit and save changes
- 9. Exit without saving changes
-
- SCAP Processing is Enabled
- - 0 of 3 SCAP streams are enabled
-
- OVAL Processing is Disabled
- - 0 of 0 OVAL streams are enabled
-
- Enter menu selection: 1
-----
-+
-You will be presented with a list of imported SCAP content. Select the option for SSG, which will be simular to option 1 shown below:
-+
-----
- SCC 3.1 RC2 Available SCAP Content
- All content paths are relative to the installation directory at: /opt/scc/Resources
-
- 1. [ ] ssg-rhel6 2013-02-01-05:00 0.1
- path: Content/
- profile: test
- 2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1
- path: Content/
- profile: MAC-1_Classified
- 3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0
- path: Content/USGCB-RHEL5-1.0.5.0/
- profile: united_states_government_configuration_baseline
- SCAP Content 0 of 3 enabled.
-
- Enter content number to enable or disable content
- ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 1
-----
-+
-Once selected, an [X] will be shown before the SSG SCAP content. Verify the SSG content has been enabled, then enter 0 to return to the SCC main screen:
-+
-----
- SCC 3.1 RC2 Available SCAP Content
- All content paths are relative to the installation directory at: /opt/scc/Resources
-
- 1. [X] ssg-rhel6 2013-02-01-05:00 0.1
- path: Content/
- profile: test
- 2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1
- path: Content/
- profile: MAC-1_Classified
- 3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0
- path: Content/USGCB-RHEL5-1.0.5.0/
- profile: united_states_government_configuration_baseline
- SCAP Content 1 of 3 enabled.
-
- Enter content number to enable or disable content
- ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 0
-----
-+
-3. Select SSG Profile +
-From the SCC home screen, select option 2, "Configure SCAP profiles"
-+
-----
- SCC 3.1 RC2 configuration edit menu.
- Make menu selection:
-
- 1. Configure SCAP content
- 2. Configure SCAP profiles
- 3. Delete SCAP content
- 4. Configure OVAL content
- 5. Delete OVAL content
- 6. Configure Options
- 7. Configure SSH Options
- 8. Exit and save changes
- 9. Exit without saving changes
-
- SCAP Processing is Enabled
- - 1 of 3 SCAP streams are enabled
-
- OVAL Processing is Disabled
- - 0 of 0 OVAL streams are enabled
-
- Enter menu selection: 2
-----
-+
-You will be brought to the SCAP content selection screen. Select the option for SSG, simular to option 1 shown below:
-+
-----
- Select SCAP Content to view available profiles
- 1. [X] ssg-rhel6 2013-02-01-05:00 0.1
- path: Content/
- profile: stig-rhel6-server
-
- Enter content number to view available profiles (type 'back' or '0' to return): 1
-----
-+
-You will be shown available SSG profiles. Select the numerical identifier for the profile you wish to scan against, such as stig-rhel6-server:
-+
-----
- Available Profiles for ssg-rhel6 2013-02-01-05:00 0.1
- 1. [ ] test
- 2. [ ] common
- 3. [ ] desktop
- 4. [ ] server
- 5. [ ] ftp
- 6. [ ] ftp
- 7. [X] stig-rhel6-server
- Enter profile number to set selected profile (type 'back' or '0' to return): 7
-----
-+
-You will be brought to the SCAP Content screen. Enter '0' to return to the SCC main screen:
-+
-----
- Select SCAP Content to view available profiles
- 1. [X] ssg-rhel6 2013-02-01-05:00 0.1
- path: Content/
- profile: stig-rhel6-server
-
- Enter content number to view available profiles (type 'back' or '0' to return): 0
-----
-+
-4. Configure SSC Options +
-From the SCC main screen, select option 6, "Configure Options"
-+
-----
- SCC 3.1 RC2 configuration edit menu.
- Make menu selection:
-
- 1. Configure SCAP content
- 2. Configure SCAP profiles
- 3. Delete SCAP content
- 4. Configure OVAL content
- 5. Delete OVAL content
- 6. Configure Options
- 7. Configure SSH Options
- 8. Exit and save changes
- 9. Exit without saving changes
-
- SCAP Processing is Enabled
- - 1 of 3 SCAP streams are enabled
-
- OVAL Processing is Disabled
- - 0 of 0 OVAL streams are enabled
-
- Enter menu selection: 6
-----
-+
-On the options menu, ensure the following settings are enabled (indicated by [X]). To enable/disable settings, enter their corresponding numerical identifier:
-+
-----
- SCC 3.1 RC2 Options menu.
- Make menu selection:
-
- Content Scan Methods
- 1. [X] Perform SCAP Scan
- 2. [ ] Perform OVAL Scan
-
- Select Reports
- 3. [X] Generate 'All Settings' report
- 4. [ ] Generate 'All Settings Summary' report
- 5. [X] Generate 'Non-Compliance' report
- 6. [ ] Generate 'Non-Compliance Summary' report
-
- Report File Types
- 7. [X] Generate reports as HTML
- 8. [ ] Generate reports as Text
-
- Logging and Debugging
- 9. [ ] Save screen logs
- 10. [ ] Save debug logs
- 11. [ ] Suppress warnings
-
- XML Results
- 12. [X] Save generated XCCDF OXML files
- 13. [X] Save generated OVAL XML files
- 14. [ ] Create ARF XML output
- 15. [ ] Validate XML output files
- 16. [ ] Save failed CPE XML results files
-
- Content Processing
- 17. [ ] Scan content directories on application load
- 18. [ ] Validate content stream(s) XML files
-
- Data Directory
- 19. /opt/scc
-
- OVAL Processing Options
- 20. [X] Ignore remote fileSystems
- 21. [X] Enable item creation threshold
- 22. Item creation threshold: 50000
- 23. [X] Ignore file extended ACL attributes
-
- Enter menu selection (type 'back' or '0' to return):
-----
-+
-Once the above options are set, return to the SCC main screen by entering 0.
-+
-5. Select option 8, "Exit and save changes":
-+
-----
- SCC 3.1 RC2 configuration edit menu.
- Make menu selection:
-
- 1. Configure SCAP content
- 2. Configure SCAP profiles
- 3. Delete SCAP content
- 4. Configure OVAL content
- 5. Delete OVAL content
- 6. Configure Options
- 7. Configure SSH Options
- 8. Exit and save changes
- 9. Exit without saving changes
-
- SCAP Processing is Enabled
- - 1 of 3 SCAP streams are enabled
-
- OVAL Processing is Disabled
- - 0 of 0 OVAL streams are enabled
-
- Enter menu selection: 8
- Saving changes.
-----
-+
-6. Execute an SCC scan. Results should end simularly to the following:
-+
-----
- localhost: Processing (391 of 411) Configure Dovecot to Use the SSL Certificate file
- localhost: Processing (392 of 411) Configure Dovecot to Use the SSL Key file
- localhost: Processing (393 of 411) Disable Plaintext Authentication - (CCE-27144-5)
- localhost: Processing (394 of 411) Disable Samba - (CCE-27143-7)
- localhost: Processing (395 of 411) Disable Root Access
- localhost: Processing (396 of 411) Disable Root Access
- localhost: Processing (397 of 411) Require Client SMB Packet Signing, if using smbclient - (CCE-26328-5)
- localhost: Processing (398 of 411) Require Client SMB Packet Signing, if using mount.cifs - (CCE-26792-2)
- localhost: Processing (399 of 411) Disable Squid - (CCE-27146-0)
- localhost: Processing (400 of 411) Uninstall squid Package - (CCE-26977-9)
- localhost: Processing (401 of 411) Disable snmpd Service - (CCE-26906-8)
- localhost: Processing (402 of 411) Uninstall net-snmp Package - (CCE-26332-7)
- localhost: Processing (403 of 411) Configure SNMP Service to Use Only SNMPv3 or Newer
- localhost: Processing (404 of 411) Ensure Default Password Is Not Used
- localhost: Processing (405 of 411) Product Meets this Requirement
- localhost: Processing (406 of 411) Product Meets this Requirement
- localhost: Processing (407 of 411) Product Meets this Requirement
- localhost: Processing (408 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
- localhost: Processing (409 of 411) Implementation of the Requirement is Not Supported
- localhost: Processing (410 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
- localhost: Processing (411 of 411) A process for prompt installation of OS updates must exist.
- localhost: Calculating scores
- localhost: User: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Results_ssg-rhel6.xml
- localhost: OCIL Schema Version: 2.0
- localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OCIL-Results_ssg-rhel6.xml
- localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Variables_ssg-rhel6.xml
- localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_XCCDF-Results_ssg-rhel6.xml
- localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_All-Settings_ssg-rhel6.htm
- localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_Non-Compliance_ssg-rhel6.htm
-
- localhost: Adjusted Score - 0% [RED]
- localhost: Original Score - 0% [RED]
-
-
- Total Errors: 11
- Total Warnings: 2
- Review complete.
- Results, if any, are located in the following directory:
- /opt/scc/Results
-
- Logs, if any, are located in the following directory:
- /opt/scc/Logs
-----
+WARNING: This guide has been deprecated. Please check the latest link:https://complianceascode.readthedocs.io/[ComplianceAsCode Documentation].
+To contribute to the new documentation (or to read it offline), check the
+files in the `user/` folder. Commits into those documents will be
+pushed up to `readthedocs.io`.