National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

The United States Government Configuration Baseline (USGCB) - FAQ

Frequently Asked Questions

General FAQ

USGCB Red Hat Enterprise Linux 5 (RHEL5) Desktop FAQ
USGCB FAQ

  1. What is the USGCB?
  2. What is the objective of USGCB?
  3. How were the USGCB settings for Windows and Internet Explorer 8 developed?
  4. Will I have a chance to comment on the candidate USGCB settings?
  5. Where can I comment and provide feedback on USGCB?
  6. How should agencies implement USGCB?
  7. What if I want to implement settings that I consider more secure?
  8. How does USGCB relate to FDCC?
  9. What platforms will USGCB Address?
  10. Is NIST endorsing or mandating the use of the Windows or Internet Explorer?
  11. Is NIST working exclusively with Microsoft on Security Content Automation Protocol (SCAP)?
  12. Where can I obtain help in assessing and implementing the USGCB settings?
  13. Where can I obtain security configuration information for operating systems and applications other than Windows and Internet Explorer?
  14. Are FDCC checklists no longer applicable?
  15. Are USGCB settings applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
  16. Am I required to report compliance according to USGCB?
  17. Are the FDCC and USGCB applicable to contractor computers?
  18. Where can I find a centralized list of USGCB compliant applications?
  19. How are vendors required to prove USGCB compliance?
  20. What are the differences between "Not Applicable", "Not Defined" and "Not Configured" in the settings spreadsheet?
  21. I have tried several scanners, none seem to be able to accurately detect user-specific settings.
  22. Why do the Windows XP checks for several user rights fail after I delete the SUPPORT_388945a0 account?
  23. I scanned a NIST provided VHD with an SCAP Validated USGCB Scanner, but several patches were missing. What does this mean?

General SCAP Questions

  1. What is SCAP?
  2. How is SCAP related to USGCB?

SCAP 1.0 Content Support Questions

  1. What are the current releases of SCAP content? Which ones are still supported?
  2. When does the maintenance of the SCAP 1.0 content end?
  3. Will monthly USGCB patch updates continue after the expiration of SCAP 1.0 content?
  4. How long was NIST required to maintain the SCAP 1.0 content?
  5. Will the SCAP 1.2 content continue to be supported?
  6. Is the maintenance of the SCAP 1.0 content related to end of support for Microsoft Windows XP?
  7. Have all checks from SCAP 1.0 content been converted to SCAP 1.2?
  8. Can Federal agencies still use the SCAP 1.0 content after its expiration date?
  9. Will the SCAP 1.0 content still be available for download after its expiration date?
  10. Can the SCAP community still create and maintain SCAP 1.0 and 1.1 compatible content?
  11. When and why were the SCAP 1.0 FDCC and USGCB content converted to SCAP 1.2?

SCAP Validated Product Questions

  1. What is Security Content Automation Protocol (SCAP)-validation?
  2. How do I know if a Tool is Security Content Automation Protocol (SCAP)-validated?
  3. Will my SCAP validated product scan Windows, IE, and Windows Firewall?
  4. How can agencies use Security Content Automation Protocol (SCAP) USGCB content to automate FISMA compliance of technical controls?

USGCB Agency Testing Questions

  1. What is Microsoft Hyper-V, and what is the difference between a VPC and a Virtual Hard Disk (VHD)?
  2. Why are VHDs beneficial?
  3. When will VHDs expire, and how often will they be updated?
  4. What is the license status of the Windows VHDs?
  5. What can be downloaded from the USGCB technical site?
  6. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?
  7. Can I use the VHDs, GPOs, .inf, and Security Content Automation Protocol (SCAP) content in an operational environment?
  8. I receive an error message when I try to import the Windows Computer Settings GPO.
  9. What are the accounts and passwords that I can use to log on to the USGCB test VPCs?
  10. How do I use the VHDs?
  11. What should I consider before I run the VHDs?
  12. Who produces the VHDs?
  13. Does the Security Content Automation Protocol (SCAP) Content & GPOs for USGCB cover 100% of the USGCB settings? If not what is missing and why?
  14. I am responsible for implementing USGCB in my organization. I have many questions and concerns. Who is the correct person for me to call?
  15. I scanned a NIST provided VHD with an SCAP Scanner, but several patches were missing. What does this mean?
  16. What if I use a browser other than Internet Explorer?
  17. Were any Microsoft Office security configurations of the USGCB tested?
  18. To comply with the USGCB, are Federal organizations required to use the Microsoft Windows Firewall?
  19. Some settings listed in the spreadsheet do not appear in the group policy editor.
  20. What are some settings that will impact system functionality that I should test before I deploy the OMB mandated USGCB Security Content Automation Protocol (SCAP) in an operational environment?
  21. What is the envisioned deployment method for USGCB?
  22. How should I deploy the USGCB settings? With the VHDs or the GPOs?
  23. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?
  24. What does the numbering system for the SCAP content mean?
  25. How can I update the Group Policy management tools to display the MSS: settings?
  26. What is NIST's official recommendation for changing settings that break business applications?
  27. How can I apply the USGCB settings to a standalone system using the corresponding USGCB GPOs?
  28. What's a relatively quick way to set up my own Windows test lab?
  29. How do vendors prove compliance with the FDCC and USGCB?
  30. How might the new power management settings impact my environment?
  31. Will all PCs "wake up" if the new power management settings are applied?
  32. Should the configuration of network devices be modified to allow "wake up" traffic to all PCs?
  33. What enterprise management tools are capable of sending magic packets to wake up managed PCs?
  34. Is it possible to wake up laptops or PCs of mobile users?
  35. Will power management settings impact computers that are processing long running jobs?

General USGCB for RHEL5 Questions

  1. How were USGCB settings for RHEL5 developed?
  2. What packages should be installed on a RHEL5 desktop?
  3. These USGCB settings are for a desktop system, but Red Hat Enterprise Linux is often used as a server operating system. What exactly is the distinction between a desktop and a server?
  4. If I'm running Red Hat Enterprise Linux as a server system, does this USGCB apply to me?

RHEL5 Desktop Settings Questions

  1. Are all RHEL5 Desktop USGCB settings applicable to all environments?

RHEL5 Desktop Content Questions

  1. Are all configuration settings supported by the SCAP content?
  2. Do regular expressions use POSIX or PCRE (Perl Compatible Regular Expressions) regex syntax?
  3. What OVAL versions are supported?
  4. Is root login required for scanning?
  5. Have issues been reported that may affect my ability to use the RHEL5 USGCB content with SCAP 1.0 validated tools?
  6. How is patch content handled for Red Hat?

RHEL5 Desktop Kickstart Questions

  1. Who created the kickstart script available on the usgcb.nist.gov website?
  2. Where should I send questions about the RHEL5 USGCB materials?
  3. How do I use the supporting files to set up a test environment?
  4. Does the kickstart script need to be customized by my environment?
  5. Is the kickstart script appropriate for use in an operational environment?
  6. What is the bootloader password on a system installed and configured with the kickstart script?
  7. What is the root password on a system installed and configured with the kickstart script?

RHEL5 Desktop Puppet Questions

  1. Who created the Puppet manifests available on the usgcb.nist.gov website?
  2. Where should I send questions about the Puppet manifests?
  3. How do I use the Puppet manifests?
  4. Do the Puppet manifests require customization for my environment?
  5. Are the Puppet manifests appropriate for use in an operational environment?
  6. What is the bootloader password on a system configured with Puppet?
  7. What is the root password on a system configured with Puppet?
  8. How could I use the Puppet manifests with the kickstart script?

  1. What is the USGCB?
    The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC) mandate. While not addressed specifically as the FDCC, the process (now termed the USGCB process) for creating, vetting, and providing baseline configuration settings was originally described in a 22 March 2007 memorandum from OMB to all Federal agency and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIOs).
    Back to Top
  2. What is the objective of USGCB?
    The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security.
    Back to Top
  3. How were the USGCB settings for Windows and Internet Explorer 8 developed?
    The Department of Defense (DoD), with NIST assistance and IT vendor consultation, developed the Windows, IE, and Red Hat USGCB configuration settings. DoD field-tested these settings on typical enterprise-connected desktop and laptop computers and submitted them to the NIST National Checklist Program (NCP) as the DoD Consensus Security Configuration Checklist for Microsoft IE Revision 1.0, the DoD Consensus Security Configuration Checklist for Microsoft Windows 7 Revision 1.0, and the DoD Consensus Security Configuration Checklist for Red Hat Enterprise Linux 5. These checklists were posted to checklists.nist.gov according to the process detailed in NIST SP 800-70 Revision 2. NIST, at the request of the Federal CIO Council's Architecture and Infrastructure Committee's (AIC) Technology Infrastructure Subcommittee (TIS), evaluated these settings for Federal civilian agency use, normalized them with existing recommendations for Windows platforms, and recommended them to the TIS as settings that should be considered for Federal-wide adoption.
    Back to Top
  4. Will I have a chance to comment on the candidate USGCB settings?
    NIST releases USGCB candidates for a 30-day public comment period. During this time, NIST collects and consolidates public comments and submits them to the TIS for consideration. If changes from the original settings are required, NIST posts the revised candidate USGCB settings for an additional 30-day public comment period.
    Back to Top
  5. Where can I comment and provide feedback on USGCB?
    Please provide comments to the National Institute of Standards and Technology (NIST) at usgcb@nist.gov.
    Back to Top
  6. How should agencies implement USGCB?
    Agencies are ultimately responsible for ensuring that proper procedures for testing and implementing the USGCB settings are followed within their organization. Agencies should make risk-based decisions as they customize the baseline to support functional requirements in their operational environment and document any changes to the USGCB settings.
    Back to Top
  7. What if I want to implement settings that I consider more secure?
    The USGCB is a baseline recommendation of security settings. It is an agency's prerogative to have stricter settings.
    Back to Top
  8. How does USGCB relate to FDCC?
    The Federal CIO Council created the Technology Infrastructure Subcommittee (TIS) at the direction of OMB to govern, among other federal activities, the FDCC initiative. The TIS, based on federal agency input, selects platforms and application configuration settings for federal implementation. The TIS is also the Change Control Board (CCB) for configuration settings. As stated in the Federal CIO Council Memo to federal agencies, "The USGCB settings replace the Federal Desktop Core Configuration (FDCC) settings and provide the recommended security baselines for Information Technology products widely deployed across agencies".
    Back to Top
  9. What platforms will USGCB Address?
    The platforms addressed by USGCB are Microsoft's Windows 7, Windows 7 Firewall, Windows Vista, Windows Vista Firewall, Windows XP, Windows XP Firewall, Internet Explorer 7, Internet Explorer 8, and Red Hat Enterprise Linux 5. Additional platforms may be introduced at the TIS' direction. New platforms will follow the USGCB process as defined in SP 800-70 Revision 2.
    Back to Top
  10. Is NIST endorsing or mandating the use of the Windows or Internet Explorer?
    No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of Windows, Red Hat Linux, or any application. Nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment.
    Back to Top
  11. Is NIST working exclusively with Microsoft on Security Content Automation Protocol (SCAP)?
    No. NIST is currently working with a number of IT vendors on standardizing security settings and their expression in SCAP for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70 Revision 2, Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers. For more information about the National Checklist Program, visit http://checklists.nist.gov/. IT vendors that would like to standardize additional security settings with NIST should contact checklists@nist.gov.
    Back to Top
  12. Where can I obtain help in assessing and implementing the USGCB settings?
    To assist in implementation, NIST is working with vendors to provide automated methods for assessing and implementing USGCB settings (SCAP content). The USGCB baselines and supporting content are available at http://usgcb.nist.gov.
    Back to Top
  13. Where can I obtain security configuration information for operating systems and applications other than Windows and Internet Explorer?

    In accordance with SP800-70 Revision 2 Executive Summary page 2 (ES-2), users from Federal civilian agencies should first search for USGCB checklists hosted by NIST at http://usgcb.nist.gov. If no USGCB checklist is available, the agencies are encouraged to use the following checklists, starting with the top of the list and moving to the next checklist only if it is not available.

    • NIST-produced checklists tailored for civilian agency use
    • Checklists created by the Defense Information Systems Agency (DISA) or the National Security Agency (NSA)
    • Vendor-produced checklists
    • Checklists from other trusted third parties

    These types of checklists are available at the National Checklist Program Repository at http://checklists.nist.gov.

    Back to Top
  14. Are FDCC checklists no longer applicable?
    The FDCC mandated use of the SCAP checklists for Windows XP, Windows Vista, Windows XP Firewall, Windows Vista Firewall, and Internet Explorer 7. This mandate remains in effect and includes additional SCAP checklists derived from the USGCB process.
    Back to Top
  15. Are USGCB settings applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
    USGCB settings were developed and tested on enterprise-connected laptops and desktop computers. The primary targets of USGCB are general-purpose systems such as managed desktops and laptops. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems are outside the scope of USGCB. Of course, such systems still require appropriate protection and application of sound risk management principles. For such systems, agencies should examine the USGCB security configuration for applicability where feasible and appropriate.
    Back to Top
  16. Am I required to report compliance according to USGCB?
    OMB may require compliance reporting of USGCB implementation as part of their standard operating procedures. This FAQ will be updated should we receive any information about future data calls.
    Back to Top
  17. Are the FDCC and USGCB applicable to contractor computers?
    Yes. Windows 7, Windows XP and Windows Vista computers that are owned or operated by a contractor on behalf of or for the USG, or that are integrated into a Federal system, are subject to the FDCC and USGCB.
    Back to Top
  18. Where can I find a centralized list of USGCB compliant applications?
    IT product vendors are actively testing their applications for compliance with the USGCB Security Content Automation Protocol (SCAP), and information on compliance will be made available at the vendors' sites. Agencies are welcome to share USGCB compliance testing information with the understanding that each individual CIO is responsible for fulfilling the requirements in OMB Memorandum M-07-18.
    Back to Top
  19. How are vendors required to prove USGCB compliance?
    There is no formal compliance process; vendors of information technology products self-assert USGCB compliance. They are expected to ensure that their products function correctly on computers configured with the USGCB settings. The product installation process must make no changes to the USGCB settings, and applications must work for users who do not have administrative privileges; the only acceptable exception is information technology management tools. Vendors must test their products on systems configured with the USGCB settings, using SCAP validated tools with USGCB Scanner capability to verify that their products operate correctly with USGCB configurations and do not alter USGCB settings. OMB provided suggested contract language in OMB Memorandum M-07-18; vendors are likely to encounter similar language when negotiating with agencies.
    Back to Top
  20. What are the differences between "Not Applicable", "Not Defined" and "Not Configured" in the settings spreadsheet?
    "Not Applicable" means that the setting is not available in that version of Windows. For example, there are many new settings in Windows Vista that will have no effect on computers running Windows XP including the settings for the Windows Firewall with Advanced Security. "Not Defined" and "Not Configured" are functionally equivalent, they mean that the USGCB does not require any specific value for that setting and agencies are free to configure it however they wish.
    Back to Top
  21. I have tried several scanners, none seem to be able to accurately detect user-specific settings.
    The USGCB includes both machine settings and user settings; the latter are stored in each user's profile. When a user logs on, Windows loads that profile and maps the user-specific registry settings to the HKEY_CURRENT_USER hive, commonly referred to as HKCU. For automated scanners it is difficult to determine whether user settings such as the screen saver timeout and the AutoComplete settings for Internet Explorer are configured correctly. If no user is logged on, HKCU does not exist; the scanner could attempt to examine every user profile stored on the computer (each profile's NTUSER.DAT hive), but some of these profiles may not need the USGCB settings. Vendors may address this situation in various ways; in many cases, however, the administrator will have to verify the user-specific settings manually.
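    One way an administrator can do that verification without logging on as each user is to walk the local profile list and read each profile's registry hive directly. The script below is an added example, not NIST or USGCB content: it mounts each NTUSER.DAT that is not already loaded, reads the user-scope screen saver policy values, and unmounts the hive again. The value names and registry path are the standard Windows policy locations; the expected values (15-minute timeout, screen saver enabled and password-protected) are illustrative and should be taken from the USGCB settings spreadsheet for the platform being checked.

```powershell
#Requires -RunAsAdministrator
# Added example (not NIST/USGCB content): check user-scope settings for every
# local profile, whether or not that user is currently logged on.
# Assumption: the expected values below are illustrative; use the USGCB spreadsheet.

$expected = @{
    'ScreenSaveActive'    = '1'     # screen saver enabled
    'ScreenSaverIsSecure' = '1'     # password protected
    'ScreenSaveTimeOut'   = '900'   # seconds
}
$policyPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# PowerShell has no HKU: drive by default; map HKEY_USERS so loaded hives are reachable.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    # Skip SYSTEM, LOCAL SERVICE and NETWORK SERVICE; they never need user settings.
    if ($sid -match '^S-1-5-(18|19|20)$') { continue }
    $ntuser = Join-Path (Get-ItemProperty $p.PSPath).ProfileImagePath 'NTUSER.DAT'

    $loadedHere = $false
    if (-not (Test-Path "HKU:\$sid")) {
        # Hive not mounted, so the user is not logged on: mount it under HKEY_USERS\<SID>.
        # reg.exe fails if the file is locked (e.g. a disconnected session still holds it).
        $null = & reg.exe load "HKU\$sid" $ntuser 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load hive for $sid ($ntuser)"; continue }
        $loadedHere = $true
    }
    try {
        $props = Get-ItemProperty -Path "HKU:\$sid\$policyPath" -ErrorAction SilentlyContinue
        foreach ($name in $expected.Keys) {
            $actual = if ($props) { $props.$name } else { $null }   # $null = policy never applied
            [pscustomobject]@{
                SID      = $sid
                Setting  = $name
                Expected = $expected[$name]
                Actual   = $actual
                Pass     = ("$actual" -eq $expected[$name])
            }
        }
    } finally {
        if ($loadedHere) {
            [gc]::Collect()   # drop provider handles so the unload is not refused
            $null = & reg.exe unload "HKU\$sid" 2>&1
        }
    }
}
$results | Format-Table -AutoSize
```

    Profiles whose hive cannot be loaded are reported as warnings rather than silently passed, and a profile that has never received the policy shows an empty Actual column, which is a failure, not a "not configured" result. Profiles that do not need the USGCB settings (for example, local service accounts beyond the three skipped above) still have to be filtered by the administrator.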
    Back to Top
  22. Why do the Windows XP checks for several user rights fail after I delete the SUPPORT_388945a0 account?
    The SUPPORT_388945a0 account is a special account built into Windows XP that is used for the Remote Assistance feature. The USGCB settings require the following user rights to be assigned to this account: "Deny access to this computer from the network", "Deny log on as a batch job", and "Deny log on locally." If the account is deleted, there is no reason to assign these rights to it. In other cases where the SCAP content checks whether an account does or does not have a specific user right, a well-known security identifier (SID) is used. A SID is a numerical identifier that maps to the user-friendly name of the account. Many built-in accounts, such as the Administrators group and the Guest account, have the same SID on every computer running Windows, but the SUPPORT_388945a0 account is assigned a random SID during the installation of Windows XP. The SCAP content therefore checks for the literal SUPPORT_388945a0 account name in the list of accounts for each of these user rights, and there is no way for the SCAP content to distinguish deletion of the account from renaming of it.
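    To see for yourself which accounts actually hold a user right, and whether they are recorded by SID or by literal name, export the local policy with secedit and read its [Privilege Rights] section. The script below is an added example, not NIST or USGCB content, and the template it parses is a constructed sample in the same format that secedit /export and a GPO backup's GptTmpl.inf use. Entries of the form *S-1-... are translated to account names where the SID still resolves on the machine, so a renamed account is matched under its current name, while a deleted account is left as an unresolvable SID.

```powershell
# Added example (not NIST/USGCB content): report whether a named account holds
# each user right listed in a security template ([Privilege Rights] section).
# Assumption: $sample below is constructed; on a real system export the policy
# with "secedit /export /cfg <file>" and read that file instead.

function Get-PrivilegeRights {
    param([string[]]$TemplateLines)
    $inSection = $false
    $rights = @{}
    foreach ($line in $TemplateLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name, $value = $Matches[1], $Matches[2]
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $rights
}

function Resolve-AccountEntry {
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-[\d-]+)$') { return $Entry }   # literal name, as written in the template
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry                                            # SID no longer resolves (account deleted)
    }
}

function Test-AccountHasRight {
    param([hashtable]$Rights, [string]$Right, [string]$Account)
    $names = $Rights[$Right] | ForEach-Object { Resolve-AccountEntry $_ }
    # Compare on the bare name so "BUILTIN\Guests" and "Guests" both match.
    return [bool]($names | Where-Object { ($_ -split '\\')[-1] -ieq $Account })
}

# Constructed sample: S-1-5-32-546 is the well-known Guests SID; SUPPORT_388945a0
# is listed by name because its SID differs on every Windows XP installation.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,SUPPORT_388945a0
SeDenyBatchLogonRight = *S-1-5-32-546,SUPPORT_388945a0
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = Get-PrivilegeRights $sample
foreach ($r in 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyInteractiveLogonRight') {
    $guests  = Test-AccountHasRight $rights $r 'Guests'
    $support = Test-AccountHasRight $rights $r 'SUPPORT_388945a0'
    '{0,-28} Guests={1,-5} SUPPORT_388945a0={2}' -f $r, $guests, $support
}
# Live system: secedit /export /cfg "$env:TEMP\sec.inf"; $rights = Get-PrivilegeRights (Get-Content "$env:TEMP\sec.inf")
```

    Because the well-known Guests SID resolves on any Windows machine, the Guests checks pass regardless of display language or renaming; the SUPPORT_388945a0 check can only ever match the literal string, which is exactly the limitation described above.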
    Back to Top
  23. I scanned a NIST provided VHD with an SCAP Validated USGCB Scanner, but several patches were missing. What does this mean?
    VHDs include all patches available before they are posted on http://usgcb.nist.gov for download. Patches released by Microsoft after that point are included only the next time the VHD is updated, which may be several months later. As a result, those patches are not present on the VHD and will show up as missing during the scan. This is expected behavior and does not indicate a deficiency in the product used to scan the VHD.
    Back to Top
  24. What is SCAP?
    The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. For more information about SCAP please see NIST SP 800-117 and SP 800-126.
    Back to Top
  25. How is SCAP related to USGCB?
    SCAP expressed content encapsulates both the settings and methods for assessing those settings through SCAP validated products. In practice, an organization can produce well-formed SCAP content and expect the content to execute properly in SCAP validated tools. The USGCB, like its predecessor FDCC, uses SCAP-based technology to assess that systems are properly configured according to the recommended USGCB baseline settings.
    Back to Top
  26. What are the current releases of SCAP content? Which ones are still supported?
    The following table lists the current releases of the SCAP content and their expiration dates:

    SCAP Content                                        | SCAP Version                                   | Platforms                                                                  | Release Date          | Expiration Date
    USGCB-Major-Version-1.2.0.0                         | SCAP 1.0, OVAL 5.4 data stream                 | IE8, Win7, Win7-Energy, Win7-Firewall                                      | January 2008          | December 31st, 2013
    USGCB-Major-Version-1.2.1.0                         | SCAP 1.0, OVAL 5.3 data stream                 | IE8, Win7, Win7-Energy, Win7-Firewall                                      | January 2008          | December 31st, 2013
    USGCB-Major-Version-1.2.7.1                         | SCAP 1.2, OVAL 5.10, digitally signed data stream | IE8, Win7, Win7-Energy, Win7-Firewall                                   | September 21st, 2011  | TBD
    USGCB-Major-Version-2.0.0.0                         | SCAP 1.0, OVAL 5.4 data stream                 | IE7, WinVista, WinVista-Energy, WinVista-Firewall, WinXP, WinXP-Firewall   | January 2008          | December 31st, 2013
    USGCB-Major-Version-2.0.1.0                         | SCAP 1.0, OVAL 5.3 data stream                 | IE7, WinVista, WinVista-Energy, WinVista-Firewall, WinXP, WinXP-Firewall   | January 2008          | December 31st, 2013
    USGCB-Major-Version-2.0.7.1                         | SCAP 1.2, OVAL 5.10, digitally signed data stream | IE7, WinVista, WinVista-Energy, WinVista-Firewall, WinXP, WinXP-Firewall | September 21st, 2011 | TBD
    USGCB-Version-2.1.0.0 (Supplemental USGCB Content)  | SCAP 1.0, OVAL 5.4 data stream                 | WinXP                                                                      | July 12th, 2013       | December 31st, 2013
    USGCB-Version-1.x.5.0                               | SCAP 1.1, OVAL 5.8 data stream                 | RHEL 5 Desktop                                                             | February 28th, 2011   | TBD
    Back to Top
  27. When does the maintenance of the SCAP 1.0 content end?
    The maintenance of the SCAP 1.0 content expires on December 31st, 2013.
    Back to Top
  28. Will monthly USGCB patch updates continue after the expiration of SCAP 1.0 content?
    No, the monthly patch updates for the SCAP 1.0 content will not continue after December 31st, 2013.
    Back to Top
  29. How long was NIST required to maintain the SCAP 1.0 content?
    NIST was required to maintain the SCAP 1.0 content for a mandatory content validity period of 39 months, as detailed in the SCAP release cycle at http://scap.nist.gov/timeline.html. The SCAP 1.0 content was originally posted in January 2008.
    Back to Top
  30. Will the SCAP 1.2 content continue to be supported?
    Yes, NIST will continue to provide support for USGCB / FDCC SCAP 1.2 content for at least 39 months after its release date.
    Back to Top
  31. Is the maintenance of the SCAP 1.0 content related to end of support for Microsoft Windows XP?
    No, the maintenance of the SCAP 1.0 content does not depend on the end of support for Microsoft Windows XP, which according to Microsoft is on April 8th, 2014 (http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx).
    Back to Top
  32. Have all checks from SCAP 1.0 content been converted to SCAP 1.2?
    The SCAP 1.2 data streams provide a larger number of automated checks than the SCAP 1.0 content. For a complete list of checks, please see the documentation section for USGCB Windows Settings published at http://usgcb.nist.gov/usgcb/microsoft_content.html
    Back to Top
  33. Can Federal agencies still use the SCAP 1.0 content after its expiration date?
    United States government agencies should not use expired USGCB/FDCC content.
    Back to Top
  34. Will the SCAP 1.0 content still be available for download after its expiration date?
    Yes, the USGCB/FDCC SCAP 1.0 content will be archived as expired content and accessible via the National Checklist Program Repository. It is available for historical purposes, but should not be used for current configuration and patch scanning assessments to satisfy the FDCC/USGCB use case. SCAP 1.2 USGCB/FDCC content is available for the FDCC/USGCB use case.
    Back to Top
  35. Can the SCAP community still create and maintain SCAP 1.0 and 1.1 compatible content?
    Yes, authors of SCAP content/checklists may continue to produce and maintain SCAP 1.0 and 1.1 versioned content according to their technology requirements and follow the recommended least version principle for the SCAP content described in SCAP Content Conventions.
    Back to Top
  36. When and why were the SCAP 1.0 FDCC and USGCB content converted to SCAP 1.2?
    In October 2011, the SCAP 1.0 FDCC and USGCB content was converted to SCAP 1.2 to increase the number of automatically checked configuration settings, improve the accuracy of configuration setting and patch scanning, and keep pace with vendor progression in operating system and application technologies.
    Back to Top
  37. What is Security Content Automation Protocol (SCAP)-validation?
    To enable the goals originally set forth in OMB Memorandum M-07-18, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST established the SCAP validation program. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details on SCAP validation are available at http://scap.nist.gov/validation/.
    Back to Top
  38. How do I know if a Tool is Security Content Automation Protocol (SCAP)-validated?
    Tools that have achieved NIST SCAP validation with Authenticated Configuration Scanner capability are listed at http://nvd.nist.gov/scapproducts.cfm. Tools are listed by type (configuration scanner, vulnerability scanner, etc.), by vendor and tool name, and by the specific SCAP components for which the tool has been validated.
    Back to Top
  39. Will my SCAP validated product scan Windows, IE, and Windows Firewall?
    Although NIST is in the process of establishing formal validation testing for Windows, IE, and Windows Firewall, many of the already SCAP validated products with FDCC Scanner capability may be able to process the NIST provided SCAP content for these three USGCB platforms.
    Back to Top
  40. How can agencies use Security Content Automation Protocol (SCAP) USGCB content to automate FISMA compliance of technical controls?
    The XCCDF-based SCAP content contains Common Configuration Enumeration (CCE) identifiers. The CCEs are mapped to the SP 800-53 controls and posted to the National Vulnerability Database (NVD) data feed located at http://nvd.nist.gov/cce.cfm. CCE to SP 800-53 mappings can also be obtained on a per-checklist basis for Tier III checklists at checklists.nist.gov. This data can be used to demonstrate NIST Special Publication (SP) 800-53 assessment and compliance evidence.
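    The link from a scan result to a control therefore runs: XCCDF Rule -> CCE identifier (the Rule's ident element) -> SP 800-53 control (the NVD CCE feed). The script below is an added example, not NIST content, that extracts the first hop from a benchmark: for every Rule it reports the rule id, title, CCE identifier and the OVAL definition that checks it. The benchmark it runs against is a constructed sample; its rule ids, CCE numbers and OVAL ids are placeholders, not USGCB values, and the file name in the closing comment is likewise a placeholder.

```powershell
# Added example (not NIST content): list Rule id, title, CCE and OVAL check
# reference for every Rule in an XCCDF benchmark. The ident system URI for CCE
# and the OVAL check system URI are the standard ones used in SCAP content.
# Assumption: the sample benchmark below is constructed for illustration.

function Get-XccdfRuleIdentifiers {
    param([xml]$Benchmark)
    # Works for XCCDF 1.1 and 1.2: bind prefix "x" to whatever namespace the root uses.
    $ns = @{ x = $Benchmark.DocumentElement.NamespaceURI }
    foreach ($match in (Select-Xml -Xml $Benchmark -XPath '//x:Rule' -Namespace $ns)) {
        $r = $match.Node
        $cce = @($r.ident | Where-Object { $_.system -like 'http://cce.mitre.org*' })
        $check = @($r.check | Where-Object { $_.system -like 'http://oval.mitre.org/XMLSchema/oval-definitions-5*' })
        $ref = if ($check.Count) { $check[0].'check-content-ref' } else { $null }
        [pscustomobject]@{
            RuleId   = $r.id
            Title    = $r.title
            CCE      = if ($cce.Count) { $cce[0].'#text' } else { $null }   # $null = no CCE, cannot map to 800-53
            OvalDef  = $ref.name
            OvalFile = $ref.href
        }
    }
}

# Constructed sample benchmark; ids and CCE numbers are placeholders.
$sample = [xml]@'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <status>draft</status>
  <title>Constructed sample benchmark</title>
  <version>0.1</version>
  <Group id="xccdf_example_group_screensaver">
    <title>Screen saver</title>
    <Rule id="xccdf_example_rule_screensaver_timeout" selected="true" severity="medium">
      <title>Screen saver timeout</title>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_manual_only" selected="true" severity="low">
      <title>Rule with no CCE and no automated check</title>
    </Rule>
  </Group>
</Benchmark>
'@

Get-XccdfRuleIdentifiers $sample | Format-Table -AutoSize
# Real content (placeholder file name): Get-XccdfRuleIdentifiers ([xml](Get-Content -Raw '.\usgcb-benchmark-xccdf.xml'))
```

    Rules with an empty CCE column are the ones that cannot be tied to an SP 800-53 control through the NVD feed and need to be mapped by hand; joining the CCE column against the NVD CCE data feed gives the control evidence the answer above describes.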
    Back to Top
  41. What is Microsoft Hyper-V, and what is the difference between a VPC and a Virtual Hard Disk (VHD)?
    Microsoft Hyper-V is a bare-metal hypervisor that runs virtual machines, each booted from a virtual instance of an operating system stored in a Virtual Hard Disk (VHD) file. A VPC is a virtual machine for Microsoft Virtual PC, the earlier hosted virtualization product; both Virtual PC and Hyper-V store the guest's disk in the VHD format. A VHD-backed virtual machine can use the hardware of the host computer (e.g., hard drive, Ethernet card, USB ports) in much the same way the non-virtual OS does.
    Back to Top
  42. Why are VHDs beneficial?
    VHDs are very useful for both laboratory and deployment testing. While software can be installed on a VHD in the same way software is installed on normal operating systems, VHDs can be discarded and re-implemented very quickly for the purposes of ensuring a pristine testing environment or if something malfunctioned with the previous VHD. Additionally, multiple VHDs can be run over a single physical platform to achieve cost savings.
    Back to Top
  43. When will VHDs expire, and how often will they be updated?
    According to Microsoft licensing, VHD licenses expire after 120 days. USGCB test VHDs will be published quarterly and can be found at: http://usgcb.nist.gov/usgcb_content.html.
    Back to Top
  44. What is the license status of the Windows VHDs?

    The Windows virtual hard disks are created without a license key and have a 30-day evaluation period. Once this period lapses, "not genuine" pop-ups appear. You can "rearm" the licensing clock with the 'slmgr /rearm' command to extend the evaluation period for another 30 days; Windows 7 can be rearmed three times.

    To view the time remaining in the evaluation period and the remaining rearm count, run 'slmgr /dlv'.

    Back to Top
  45. What can be downloaded from the USGCB technical site?
    The USGCB technical Web site contains policy documentation, VHD files, Group Policy Object (GPO) files, and SCAP content files for Windows, Windows Firewall, Internet Explorer.
    Back to Top
  46. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?
    To enable more manageable download of the multi-gigabyte virtual images, NIST elected to provide WinZip segmented files. To the best of our knowledge, these files can only be re-assembled with WinZip. Agency/department representatives who prefer a non-segmented virtual machine image can write to usgcb@nist.gov with their affiliation and a shipping address. Once affiliation is confirmed, a non-segmented virtual machine image will be shipped on a DVD to your attention.
  47. Can I use the VHDs, GPOs, .inf, and Security Content Automation Protocol (SCAP) content in an operational environment?
    It is recommended that VHDs, GPOs, .inf, and SCAP content be used in a test and evaluation environment. After careful and comprehensive testing, an organization may decide to use the GPO, .inf, and/or SCAP content in the production environment. VHDs are provided for laboratory testing purposes only and are not to be used as a deployment image.
  48. I receive an error message when I try to import the Windows Computer Settings GPO.
    Yes, this is a known issue; see http://support.microsoft.com/kb/974639. The GPO will still work.
    Here are the steps to correct it:
    1. In the USGCB Windows 7 Computer Settings backup GPO:
    2. Go to {GPO Guid} -> Domain Sysvol -> GPO -> Machine -> microsoft -> windows nt -> secedit
    3. Open GptTmpl.inf in Notepad
    4. Go to the line starting with "SeSystemProfilePrivilege"
    5. Add "NT SERVICE\" directly in front of "WdiServiceHost", so that the line reads SeSystemProfilePrivilege = *S-1-5-32-544,NT SERVICE\WdiServiceHost
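    The same correction applied by script rather than by hand, as an added example that is not part of the NIST FAQ or the USGCB distribution. It assumes GptTmpl.inf sits at the location given in step 2 of the GPO backup and is stored as UTF-16 with a BOM (the usual encoding of secedit templates); the sample template text is constructed.

```python
"""Idempotent fix for the KB974639 GptTmpl.inf issue in the USGCB Windows 7
Computer Settings GPO backup (added example, not NIST's own tooling).

Assumptions: GptTmpl.inf is found under the backup folder at
{GPO Guid} -> Domain Sysvol -> GPO -> Machine -> microsoft -> windows nt -> secedit
and is stored as UTF-16 with a BOM, the usual encoding of secedit templates.
SAMPLE_TEMPLATE below is a constructed excerpt, not a real template."""
from __future__ import annotations

from pathlib import Path

PRIVILEGE = "SeSystemProfilePrivilege"
BAD_ENTRY = "WdiServiceHost"                 # unqualified service name the GPO import rejects
GOOD_ENTRY = r"NT SERVICE\WdiServiceHost"    # qualified form from the FAQ answer

# Constructed [Privilege Rights] excerpt; CRLF line endings as in real templates.
SAMPLE_TEMPLATE = (
    "[Privilege Rights]\r\n"
    "SeShutdownPrivilege = *S-1-5-32-544\r\n"
    "SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost\r\n"
)


def fix_privilege_line(line: str) -> str:
    """Return the corrected SeSystemProfilePrivilege line, or the line unchanged.

    Only an unqualified 'WdiServiceHost' entry is rewritten.  Entries that
    already carry the 'NT SERVICE' prefix, SIDs such as *S-1-5-32-544, and
    every other privilege line are returned untouched, so re-running is safe.
    """
    name, sep, value = line.partition("=")
    if not sep or name.strip() != PRIVILEGE:
        return line
    entries = [e.strip() for e in value.split(",") if e.strip()]
    fixed = [GOOD_ENTRY if e.lower() == BAD_ENTRY.lower() else e for e in entries]
    if fixed == entries:
        return line
    return f"{PRIVILEGE} = {','.join(fixed)}"


def fix_template_text(text: str) -> tuple[str, int]:
    """Apply the fix to a whole template, preserving each line's own line ending.

    Returns the new text and the number of lines that changed.
    """
    out: list[str] = []
    changed = 0
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        new = fix_privilege_line(body)
        if new != body:
            changed += 1
        out.append(new + eol)
    return "".join(out), changed


def fix_template_file(path: Path, encoding: str = "utf-16") -> int:
    """Rewrite GptTmpl.inf in place; returns the number of lines changed.

    newline="" keeps the CRLF endings exactly as found; reading with 'utf-16'
    consumes the BOM and writing with 'utf-16' emits one again, so the file
    stays in the encoding secedit expects.
    """
    with path.open("r", encoding=encoding, newline="") as fh:
        text = fh.read()
    new_text, changed = fix_template_text(text)
    if changed:
        with path.open("w", encoding=encoding, newline="") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    fixed_text, n = fix_template_text(SAMPLE_TEMPLATE)
    print(f"{n} line(s) corrected:")
    print(fixed_text)
```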
  49. What are the accounts and passwords that I can use to log on to the USGCB test VPCs?
    Windows 7
    User: USGCB_Admin
    Password: P@ssw0rd123456
  50. How do I use the VHDs?
    NIST suggests you first make a backup copy of the downloaded VHD files. Then install the Hyper-V Server 2008 R2 software as obtained from Microsoft. Next, import the reference Windows x86 and x64 VHDs.
  51. What should I consider before I run the VHDs?
    NIST recommends that you install and configure antivirus software and set the VPC networking setting to "Local only" or "Not Connected." Consult the Virtual PC documentation for information about these settings.
  52. Who produces the VHDs?
    At the request of the TIS, Microsoft produces the VHDs.
  53. Does the Security Content Automation Protocol (SCAP) Content & GPOs for USGCB cover 100% of the USGCB settings? If not what is missing and why?
    No, there are a number of settings that cannot be automated at this time. Settings not checked by the SCAP content can be found in the Known Issues spreadsheets on http://usgcb.nist.gov.
  54. I am responsible for implementing USGCB in my organization. I have many questions and concerns. Who is the correct person for me to call?
    Please review the USGCB FAQs and send any unresolved inquiries to usgcb@nist.gov.
  55. I scanned a NIST provided VHD with an SCAP Scanner, but several patches were missing. What does this mean?
    VHDs include all patches available prior to being posted on http://usgcb.nist.gov for download. Subsequent patches released by Microsoft are included in the next update of the VHD, which may be several months later. As a result, these patches are not present on the VHD and will therefore show up as missing during the scan. This is expected behavior and does not indicate a deficiency in the product used to scan the VHD.
  56. What if I use a browser other than Internet Explorer?
    While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of or in addition to Internet Explorer (IE). If agencies are using Internet Explorer, NIST recommends that they use IE8. When using other browsers, agencies must extrapolate the USGCB settings for IE to their chosen browser whenever possible.
  57. Were any Microsoft Office security configurations of the USGCB tested?
    Microsoft Office is not part of the USGCB mandate. It is not installed on the VHDs nor are Microsoft Office settings included in GPOs.
  58. To comply with the USGCB, are Federal organizations required to use the Microsoft Windows Firewall?
    No. The USGCB Security Content Automation Protocol (SCAP) requires the use of a personal firewall and includes the Microsoft Windows Firewall settings, because it is enabled with the operating system installation. However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall.
  59. Some settings listed in the spreadsheet do not appear in the group policy editor.
    The USGCB includes security settings that do not appear in the default user interface of the Group Policy editor. The settings with the "MSS:" prefix were introduced by Microsoft in their security guides for Windows Server 2003 and Windows XP. Microsoft has published a utility, bundled with their Security Compliance Manager (SCM), which you can use to update the user interface of the Group Policy management tools.
    1. Download Microsoft's Security Compliance Manager (SCM): http://www.microsoft.com/download/en/details.aspx?id=16776
    2. Install SCM. During the install you will be prompted to download and install SQL Express; the computer has to have an Internet connection, or you can download the SQL Express installer manually and provide the path to it within the SCM installer.
    3. After installing SCM, open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    4. A new Explorer window will open; launch LocalGPO.msi. You can copy LocalGPO.msi to other computers in order to install the Local Group Policy Tool without having to install SCM.
    5. Open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    6. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
    7. At the command prompt, type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
  60. What are some settings that will impact system functionality that I should test before I deploy the OMB mandated USGCB Security Content Automation Protocol (SCAP) in an operational environment?
    There are a number of settings that will impact system functionality and agencies should test thoroughly before they are deployed in an operational environment.
    • Running the system as a standard user - some applications may not work properly because they require administrative access to the operating system and application directories and registry keys.
    • Minimum 12 characters password and change every 60 days - this may impact system usability and interoperability with some enterprise single sign-on password management systems.
    • Wireless service - the wireless service is disabled and this will prevent the use of Wi-Fi network interfaces that depend on the built-in wireless service.
    • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - this setting has been required for several years, even before the USGCB mandate was announced. It is known to impact browser interoperability with Web sites that do not support the FIPS 140-2 approved algorithms. This can usually be corrected by changing the Web server configuration to support FIPS 140-2 approved algorithms. Refer to this knowledgebase article. It also affects the encryption algorithm used for the Remote Desktop Protocol (RDP); RDP is the protocol used by Terminal Services, Remote Desktop, and Remote Assistance. RDP connections will fail if both computers are not configured to use the same encryption algorithm. Computers running Windows XP can be updated to the latest version of Microsoft's RDP client in order to connect to Terminal Services servers; however, there is no update for the RDP server included with Windows XP. This means that computers running Windows XP with this setting enabled cannot support incoming Remote Desktop and Remote Assistance connections. See this knowledgebase article for more information.
    • Unsigned drivers installation behavior - drivers that are not digitally signed by Microsoft cannot be installed under Windows XP.
    • Windows Firewall - the built-in firewall may prevent other applications from communicating with some applications.
    • Additional settings - refer to this knowledgebase article for additional settings that may impact system interoperability with legacy systems.
  61. What is the envisioned deployment method for USGCB?
    Organizations have taken a variety of approaches. Some smaller organizations may implement local configuration through batch and *.inf files, others might employ local group policy. Larger organizations could implement the USGCB security settings using Active Directory Microsoft Group Policy Objects (GPO). Approximately 98% of all USGCB settings may be implemented through GPOs. The remaining security settings must be implemented locally through *.inf, batch, or manual methods. Other enterprise management technologies can be used instead.
  62. How should I deploy the USGCB settings? With the VHDs or the GPOs?
    What works best will vary from one organization to the next. The VHDs are very useful because they already have the USGCB settings applied and you can begin testing quickly. Additionally, by keeping the original VHDs you downloaded from NIST pristine and creating copies of them for actual testing, you can quickly reconstitute your test environment for each round of testing. You can also use Virtual PC's undo disks to make it easier to revert to an earlier version of your VHD. However, when you need to deploy the USGCB settings into production the VHDs won't be very useful, as there is no documented method for creating domain-based group policies from the local configuration on these stand-alone computers. On the other hand, the GPOs can be copied into whatever Active Directory test domain you already have established, and when testing is complete you can use the Group Policy Management Console to back up the final GPOs. Then you can copy these backed-up files into your production environment and import them into your production Active Directory domain. Some SCAP-validated tools may also be able to enforce the mandated settings; check with the tool vendors to determine the capabilities of their tools.
  63. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?
    As viewed through the Microsoft Group Policy Management Console (GPMC), applying GPOs to specific Windows operating systems can be accomplished using a Windows Management Instrumentation (WMI) filter (WMI filtering is only recognized on Windows Vista, Windows XP, and Windows Server 2003). More specifically, create a WMI filter that selects the applicable operating systems, and link that filter to the GPO applicable for those operating systems. If computers with Windows 2000 or earlier Windows operating systems are present within the enterprise, these computers must be granted an exception from the group policy using the Deny Read and Deny Apply Group Policy settings. The following resources provide additional detail:
  64. What does the numbering system for the SCAP content mean?
    The nomenclature for NIST's SCAP content is a bit complex in order to represent several pieces of important data. If the nomenclature is represented as w.x.y.z then each digit means the following:
    • w = USGCB major version
    • x = USGCB minor version
    • y = OVAL version, where 0=5.4, 1=5.3, 2=5.5, 3=5.6, 4=5.7, 5=5.8, 6=5.9, 7=5.10, and so on. Every version of OVAL is accounted for regardless of whether it is a subcomponent of an SCAP version.
    • z = XCCDF version, 0 = 1.1.4, 1 = 1.2. Every version of XCCDF is accounted for regardless of whether it is a subcomponent of an SCAP version.
    So, 1.0.1.0 indicates that the content is USGCB version 1.0 (major version 1, minor version 0), with OVAL 5.3 content and XCCDF 1.1.4 content.
  65. How can I update the Group Policy management tools to display the MSS: settings?
    1. Download Microsoft's Security Compliance Manager (SCM): http://www.microsoft.com/download/en/details.aspx?id=16776
    2. Install SCM. During the install you will be prompted to download and install SQL Express; the computer has to have an Internet connection, or you can download the SQL Express installer manually and provide the path to it within the SCM installer.
    3. After installing SCM, open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    4. A new Explorer window will open; launch LocalGPO.msi. You can copy LocalGPO.msi to other computers in order to install the Local Group Policy Tool without having to install SCM.
    5. Open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    6. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
    7. Type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
  66. What is NIST's official recommendation for changing settings that break business applications?
    NIST is not able to provide an official position regarding what must and must not be implemented. That is determined by OMB Policy as published in their memos addressing FDCC and further clarified by this FAQ. We would appreciate the continued dialog to discover any technical interoperability issues; however, your choice to implement or not implement settings based on functional impact, risk-based decision, etc. is between your organization and the OMB.
  67. How can I apply the USGCB settings to a standalone system using the corresponding USGCB GPOs?
    1. Download Microsoft's Security Compliance Manager (SCM): http://www.microsoft.com/download/en/details.aspx?id=16776
    2. Install SCM. During the install you will be prompted to download and install SQL Express; the computer has to have an Internet connection, or you can download the SQL Express installer manually and provide the path to it within the SCM installer.
    3. After installing SCM, open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    4. A new Explorer window will open; launch LocalGPO.msi. You can copy LocalGPO.msi to other computers in order to install the Local Group Policy Tool without having to install SCM.
    5. Open the Start menu, click All Programs, click Microsoft Security Compliance Manager, then click LocalGPO.
    6. Right-click LocalGPO Command Line, and then click Run as administrator to open a command prompt with full administrative privileges.
    7. At the command prompt, type cscript LocalGPO.wsf /Path:<path> and then press ENTER, where <path> is the path to the GPO backup, e.g.: cscript localgpo.wsf /path:"C:\USGCB\USGCB Account Policy\{75588BFD-8E0B-4EE0-90D3-16FF5727B575}"
    8. Repeat step 7 for each of the desired GPO backups.
    9. Reboot.
    10. The settings from all of the GPO backups should now be applied; you can manually verify this by running gpedit.msc with administrator privileges.
    11. Due to the way the group policy engine processes Advanced Audit Policy settings, it may be necessary to manually force the local policy to be refreshed. To do so, open gpedit.msc with administrator privileges and navigate to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policies\Audit Policies\Account Logon.
    12. Modify one of the policy settings by double-clicking on it, changing the value, and clicking OK.
    13. Return that policy setting to its original state by double-clicking on it, changing the value back to its previous value, and clicking OK.
    One final note: if more than one of the GPO backups includes Advanced Audit Policy settings, only the latest one will apply. This is due to the way that Advanced Audit Policies work when applied locally. This should not be an issue with the FDCC GPO backups, because only one contains audit policy settings for each version of Windows.
  68. What's a relatively quick way to set up my own Windows test lab?
    Download and install an evaluation copy of Windows 7 (http://technet.microsoft.com/en-us/evalcenter/cc442495.aspx), or install any version of Windows from your own installation media. Then use the procedure described in the previous question, "How can I apply the USGCB settings to a standalone system using the corresponding USGCB GPOs?", to apply the USGCB settings.
  69. How do vendors prove compliance with the FDCC and USGCB?
    To be compliant, the software must operate normally without administrative privileges and without changing any of the security settings agencies are required to implement on their computers. The settings required for Windows and Internet Explorer are defined by the USGCB: http://usgcb.nist.gov. The software may require admin privileges for installation, but it should run without admin privileges and it shouldn't require changes to the mandated settings. A notional test plan:
    1. Configure the test system with the USGCB settings and install all current Microsoft updates.
    2. Run the scanner to document that the configuration is correct.
    3. Install and configure your software product.
    4. Run the scanner to document that the configuration is still correct.
    5. Run the product through your standard test cases, or a reasonably broad subset of them.
    6. If errors occur, determine the root cause and update the software product to address them; repeat steps 3-5 until things work as designed.
    Vendors self-certify; there is no formal process. Many companies put some sort of statement on their website, but others choose different methods to communicate their status to customers.
  70. How might the new power management settings impact my environment?
    There are a few scenarios that would be impacted by the four USGCB power management settings:
    • Enterprise management, especially update management.
    • Mobile users who want to connect to their desktop PC using Remote Desktop Services (RDS).
    • Systems that process long-running jobs, e.g., video rendering or modeling of complex systems.
  71. Will all PCs "wake up" if the new power management settings are applied?
    Wake-on-LAN (WOL) is a feature supported by many hardware and software vendors; it uses a special network message, colloquially known as a magic packet, to "wake up" hibernating computers. At the hardware level, WOL is implemented in the network card (NIC), motherboard, and BIOS. Although the technology has been around for many years, there are likely still some PCs deployed that do not support it. NICs that do provide WOL support a variety of different features, including rudimentary security, the ability to wake a PC that is completely powered down, and TLS encryption. Agencies need to plan ahead and configure each PC to take advantage of this technology.
  72. Should the configuration of network devices be modified to allow "wake up" traffic to all PCs?
    From an enterprise perspective, the magic packet is broadcast to a subnet. In most networks it will not be forwarded across subnets unless internal routers and switches are configured to allow this type of broadcast data. Haphazardly forwarding broadcast traffic exposes the network to the risk of accidental or deliberate saturation by broadcasts, so the intermediate network devices should be configured to forward only this specific type of traffic. Another way to reduce the risk of broadcast floods is to use Subnet Directed Broadcasts (SDB) so that the WOL packet is forwarded to the target subnet rather than the entire internal network. Magic packets are specially formatted broadcast frames that contain the target computer's MAC address; only the PC with the matching MAC address will wake up. WOL can be used to address the first two of the scenarios listed above (enterprise management and mobile users).
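    The magic packet format and the Subnet Directed Broadcast addressing described in the two answers above, worked through in code as an added example that is not part of the NIST FAQ; the MAC address and subnet used are constructed, and it assumes the packet is carried as a UDP payload (the conventional transport), which the FAQ does not specify.

```python
"""Wake-on-LAN magic packet format and Subnet Directed Broadcast addressing
(added example, not NIST tooling).

A magic packet is six 0xFF bytes followed by the target MAC address repeated
sixteen times; it is conventionally carried as a UDP payload sent to a
broadcast address.  The MAC and subnet values below are constructed."""
from __future__ import annotations

import ipaddress
import re

SYNC = b"\xff" * 6     # synchronization stream that opens every magic packet
MAC_REPEATS = 16       # the target MAC follows, repeated this many times


def parse_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABBCCDDEEFF'."""
    digits = re.sub(r"[-:]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """102-byte payload that wakes the NIC owning `mac`."""
    return SYNC + parse_mac(mac) * MAC_REPEATS


def extract_wol_target(payload: bytes) -> str | None:
    """Return the MAC a datagram would wake, or None if it is not a magic packet.

    The sync stream may be preceded by other bytes (some senders prepend a
    header), so it is searched for rather than required at offset 0.  This is
    the check a network monitor applies to broadcast UDP traffic when auditing
    which hosts are sending wake-ups on a subnet.
    """
    body_len = 6 * MAC_REPEATS
    i = payload.find(SYNC)
    while i != -1:
        body = payload[i + len(SYNC): i + len(SYNC) + body_len]
        mac = body[:6]
        # mac == SYNC just means a longer run of 0xFF, not a real target
        if len(body) == body_len and mac != SYNC and body == mac * MAC_REPEATS:
            return format_mac(mac)
        i = payload.find(SYNC, i + 1)
    return None


def directed_broadcast(network: str) -> str:
    """Destination address for a Subnet Directed Broadcast reaching `network`.

    Sending to this address instead of 255.255.255.255 lets routers forward
    the wake-up to one target subnet rather than flooding the whole internal
    network; a host address with a prefix length is accepted as well.
    """
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")            # constructed MAC
    print(len(pkt), "bytes, wakes", extract_wol_target(pkt))
    print("send to", directed_broadcast("10.20.30.0/24"))    # constructed subnet
```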
  73. What enterprise management tools are capable of sending magic packets to wake up managed PCs?
    Many enterprise management tools can send a magic packet to wake up managed PCs, including most of the SCAP validated tools. The EPA site discusses how agencies can also use Windows Task Scheduler to wake up PCs and schedule a series of tasks to wake the PC, check for updates, etc. on a regular basis. See the following for more information: http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_win_task.
  74. Is it possible to wake up laptops or PCs of mobile users?
    For mobile users, agencies could provide remote users with a utility to wake up their office PC after they have connected to the VPN. Once their PC is awake they could then connect via RDS. The EPA collected a list of such tools; there are many others. See the following for more information: http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_comm_packages.
  75. Will power management settings impact computers that are processing long running jobs?
    For systems processing long running jobs, agencies would have to disable the hibernate settings.
  76. How were USGCB settings for RHEL5 developed?
    The Department of Defense (DoD) developed the Red Hat Enterprise Linux 5 (RHEL5) configuration settings based on work represented in the National Security Agency's "Guide to the Secure Configuration of Red Hat Enterprise Linux 5". The configuration settings were designed for a system acting as a desktop and were field-tested on typical desktop computers. After field testing, the settings and content were submitted to the NIST National Checklist Program (NCP) as the DoD Consensus Security Configuration Checklist for RedHat Rel5 (1.0). This checklist was posted to checklists.nist.gov according to the process detailed in SP800-70 Revision 2. NIST, at the request of the Federal CIO Council's Architecture and Infrastructure Committee's (AIC) Technology Infrastructure Subcommittee (TIS), evaluated these settings for Federal civilian agency use, normalized them as appropriate with existing USGCB recommendations, and recommended them to the TIS for consideration for Federal-wide adoption.
  77. What packages should be installed on a RHEL5 desktop?
    The RHEL5 USGCB settings were designed for a system acting as a desktop. The desktop environment tested by the DoD and NIST includes the following packages and package groups ("@" indicates a package group):
    • @admin-tools
    • @base
    • @base-x
    • @core
    • @dialup
    • @editors
    • @gnome-desktop
    • @graphical-internet
    • @graphics
    • @java
    • @legacy-software-support
    • @office
    • @printing
    • @sound-and-video
    • @text-internet
    • aide
    • emacs
    • openswan
    • postfix
    • ruby
    • rsyslog
    • vlock
    • redhat-release-5Client
    Several packages that are typically installed by default were removed:
    • dhcp
    • gnome-user-share
    • httpd
    • ipsec-tools
    • irda-utils
    • isdn4k-utils
    • krb5-workstation
    • pam-ccreds
    • rsh-server
    • rsh
    • sendmail
    • sysklogd
    • talk
    • telnet-server
    • telnet
    • tftp-server
    • vsftpd
    • xinetd
    Note: i386 packages are removed by the kickstart. If you have a 32-bit system, comment out the "-*.i?86" line in the kickstart.
  78. These USGCB settings are for a desktop system, but Red Hat Enterprise Linux is often used as a server operating system. What exactly is the distinction between a desktop and a server?
    A desktop system operates a graphical environment and provides applications for everyday business use, such as a web browser, mail client, spreadsheet and word processor. A server does not run a graphical environment or any of those applications, but can host network services such as a web server or directory server. Systems should never be configured to act in both roles.
  79. If I'm running Red Hat Enterprise Linux as a server system, does this USGCB apply to me?
    No. However, server administrators should review the recommended security settings for desktops and determine if the server could benefit from any of the security configuration decisions and practices (e.g., use of blacklisting).
  80. Are all RHEL5 Desktop USGCB settings applicable to all environments?
    Some settings are 'Conditional' meaning these configurations should be applied if the technology is in use. The 'Conditional' settings are for IPv6, wireless, and kernel support for XD/NX features applicable to 32-bit systems only.
  81. Are all configuration settings supported by the SCAP content?
    While nearly all configuration settings are supported via the kickstart scripts, not all of the settings can be automatically assessed using SCAP. In the alpha release, the SCAP 1.1 content supports approximately 80% of the RHEL5 Desktop USGCB settings. Additional configurations will be automated in later versions of the SCAP content.
  82. Do regular expressions use POSIX or PCRE (Perl Compatible Regular Expressions) regex syntax?
    The RHEL5 USGCB content is compliant with SCAP 1.1 which uses OVAL 5.8. Regular expressions are written using Perl 5's regular expressions as indicated in the OVAL 5.8 specification.
  83. What OVAL versions are supported?
    OVAL 5.8 is the only data stream available at this time.
  84. Is root login required for scanning?
    Some SCAP validated tools may require root access via ssh to scan and return comprehensive results.
  85. Have issues been reported that may affect my ability to use the RHEL5 USGCB content with SCAP 1.0 validated tools?
    NIST has not validated any products using the USGCB RHEL5 content; however, in developing the SCAP content, NIST used a variety of reference implementations, COTS, and GOTS validated products to ensure the SCAP content was created correctly. In this SCAP content creation and testing process, it was noted that CCE-4060-0, the login banner check which checks for text in the /etc/issue file caused inconsistent behavior in some of the products. As a result, this configuration check was marked as a manual check. The "usgcb-rhel5desktop-issues" spreadsheet that is available at http://usgcb.nist.gov documents all known issues identified with RHEL5 Desktop USGCB.
  86. How is patch content handled for Red Hat?
    The current content references the Red Hat-hosted patch content; therefore, the SCAPVal tool should be run with the online and maxsize options. If you need to run the content through the SCAPVal tool in offline mode, or from a network that cannot reach the Red Hat servers, follow the instructions below:
    1. Download the latest patch file from the Red Hat server at: http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
    2. Rename the file to: usgcb-rhel5desktop-patches.xml
    3. Place the file in the same directory as the other SCAP files
    4. Open usgcb-rhel5desktop-xccdf.xml in a text or xml editor, do not use Microsoft Word or other editors that may add special characters or formatting to the file content
    5. Search for the Rule "security_patches_up_to_date"
    6. Comment out the check content ref : <check-content-ref href="http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml"/>
      • Change <check-content-ref href="http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml"/> to <!--<check-content-ref href="http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml"/>-->
    7. Uncomment the check content ref: <!--<check-content-ref href="usgcb-rhel5desktop-patches.xml"/>-->
      • Change <!--<check-content-ref href="usgcb-rhel5desktop-patches.xml"/>--> to <check-content-ref href="usgcb-rhel5desktop-patches.xml"/>
    8. Validate the file to ensure no other changes were inadvertently made
    9. Save the file
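    Steps 6 through 8 of this procedure done by script, as an added example that is not part of the NIST FAQ or the USGCB content. The XCCDF fragment it works on is constructed to mirror the shape of the security_patches_up_to_date rule (the real file is usgcb-rhel5desktop-xccdf.xml), and the rule title in it is made up.

```python
"""Switch the RHEL5 USGCB XCCDF from the Red Hat-hosted patch OVAL to the
locally saved copy, i.e. steps 6 to 8 of the offline procedure, by script
instead of by hand (added example, not NIST's tooling).

SAMPLE_XCCDF is a constructed fragment mirroring the shape of the
security_patches_up_to_date rule; the real file is usgcb-rhel5desktop-xccdf.xml."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

REMOTE_HREF = "http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml"
LOCAL_HREF = "usgcb-rhel5desktop-patches.xml"
RULE_ID = "security_patches_up_to_date"
REMOTE_REF = f'<check-content-ref href="{REMOTE_HREF}"/>'
LOCAL_REF = f'<check-content-ref href="{LOCAL_HREF}"/>'

SAMPLE_XCCDF = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="USGCB-rhel5desktop-sample">
  <Rule id="{RULE_ID}" selected="true" severity="high">
    <title>Ensure security patches are installed (constructed title)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      {REMOTE_REF}
      <!--{LOCAL_REF}-->
    </check>
  </Rule>
</Benchmark>
"""


def _rule_span(xccdf: str, rule_id: str) -> tuple[int, int]:
    """Character range of the <Rule> whose id contains rule_id.

    The edit is done textually so that every other byte of the distributed
    file, comments included, stays exactly as shipped.
    """
    m = re.search(r'<Rule\b[^>]*\bid="[^"]*' + re.escape(rule_id) + r'[^"]*"', xccdf)
    if m is None:
        raise ValueError(f"rule containing {rule_id!r} not found")
    end = xccdf.find("</Rule>", m.start())
    if end == -1:
        raise ValueError("unterminated <Rule> element")
    return m.start(), end + len("</Rule>")


def make_offline(xccdf: str) -> str:
    """Comment out the Red Hat reference and uncomment the local one (steps 6 and 7).

    Idempotent: a file that is already offline is returned unchanged.  Step 8,
    confirming the result is still well-formed XML, runs before returning.
    """
    start, end = _rule_span(xccdf, RULE_ID)
    rule = xccdf[start:end]
    if f"<!--{REMOTE_REF}-->" in rule and f"<!--{LOCAL_REF}-->" not in rule:
        return xccdf  # already switched to the local patch file
    if REMOTE_REF not in rule or f"<!--{LOCAL_REF}-->" not in rule:
        raise ValueError("rule lacks the expected online/offline check references")
    rule = rule.replace(REMOTE_REF, f"<!--{REMOTE_REF}-->", 1)
    rule = rule.replace(f"<!--{LOCAL_REF}-->", LOCAL_REF, 1)
    result = xccdf[:start] + rule + xccdf[end:]
    ET.fromstring(result)  # raises ParseError if the edit broke the document
    return result


def _local_name(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def active_patch_hrefs(xccdf: str) -> list[str]:
    """hrefs a SCAP tool will actually follow for the patch rule.

    A real XML parse drops comments, so this reports the effective reference
    rather than what a text search sees.  Tag names are compared without
    their namespace so XCCDF 1.1 and 1.2 documents both work.
    """
    root = ET.fromstring(xccdf)
    return [
        ref.get("href", "")
        for rule in root.iter()
        if _local_name(rule.tag) == "Rule" and RULE_ID in rule.get("id", "")
        for ref in rule.iter()
        if _local_name(ref.tag) == "check-content-ref"
    ]


if __name__ == "__main__":
    print("before:", active_patch_hrefs(SAMPLE_XCCDF))
    offline = make_offline(SAMPLE_XCCDF)
    print("after: ", active_patch_hrefs(offline))
```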
  87. Who created the kickstart script available on the usgcb.nist.gov website?
    The kickstart available on the usgcb.nist.gov website was created by Red Hat in a collaborative effort with NIST and DoD.
  88. Where should I send questions about the RHEL5 USGCB materials?
    Please send all questions regarding configuration settings, SCAP content, kickstart scripts, etc. to usgcb@nist.gov.
  89. How do I use the supporting files to set up a test environment?
    Red Hat developed a kickstart script that can be used during installation to configure a RHEL5 system to be USGCB compliant. The kickstart script is meant to be used by a Red Hat administrator with experience installing and configuring RHEL5 systems. This kickstart configures a system for an IPv4 environment.
    1. Modify the site-specific information in the kickstart (i.e., network information, install location of the ISO, and rsyslog central server).
    2. Post the kickstart script to an accessible web server (or FTP server, or add it to boot media).
    3. At the boot prompt enter: linux ks=http://<webserver ip>/<kickstart.cfg> ip=<for system being installed> netmask=255.255.255.0 gateway=<for system being installed> dns=<for system being installed>
    Note that this is applicable if the kickstart is hosted on a web server. See the Red Hat kickstart guidance for additional installation instructions: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch-kickstart2.html
  90. Does the kickstart script need to be customized by my environment?
    Yes. Site specific information should be customized. Also note that the kickstart configures a system for an IPv4 environment. It is assumed that the user of the kickstart has familiarity with installing Red Hat and using kickstart scripts.
    1. Network information ip, netmask, gateway, and nameserver
    2. Install location of the iso cdrom or url
    3. Rsyslog central log server
    4. Comment out removal of 32-bit packages if installing a 32-bit system
  91. Is the kickstart script appropriate for use in an operational environment?
    The kickstart script was created to facilitate the setup of a non-operational environment where USGCB settings can be tested prior to being applied to operational systems. Although the USGCB settings have been field tested and reviewed by NIST, DoD, and Red Hat, it is not possible to test every possible site specific scenario. Always test any configuration script prior to deploying to operational systems.
  92. What is the bootloader password on a system installed and configured with the kickstart script?
    The bootloader password in the kickstart script is rhel5. This should be changed to a password that is not publicly known before the script is used for operational systems.
  93. What is the root password on a system installed and configured with the kickstart script?
    The root password set in the kickstart script is password. This should be changed to a password that is not publicly known, or removed so that the administrator must enter the password during installation.
  94. Who created the Puppet manifests available on the usgcb.nist.gov website?
    The Department of Defense (DoD) created the Puppet manifest available on the usgcb.nist.gov website. As the champion agency for the RHEL5 Desktop USGCB configuration, DoD worked closely with NIST and Red Hat during the USGCB process. The intent of the Puppet manifest is to facilitate configuration and management of RHEL5 systems across an enterprise.
  95. Where should I send questions about the Puppet manifests?
    The Puppet manifest on the usgcb.nist.gov website is maintained by the Department of Defense. Questions about use of Puppet for USGCB may be sent to usgcb@nist.gov. Additional information about Puppet can be found at http://docs.puppetlabs.com/.
  96. How do I use the Puppet manifests?
    The Puppet manifests are intended for use by experienced Red Hat administrators who are familiar with Puppet. Deploying Puppet across an enterprise takes several steps, and detailed instructions are included with the Puppet files. In summary: customize the configuration files (see the next question), set up a Puppetmaster server using those configuration files, and install Puppet on the workstations, pointing them at your Puppetmaster server. Always test the configuration in a lab environment before deploying it to operational systems. Refer to the Puppet documentation for additional guidance: http://docs.puppetlabs.com/
  97. Do the Puppet manifests require customization for my environment?
    Yes. The following files should be modified with the appropriate site-specific settings in order to achieve maximum compliance (all paths are relative to the root of the Puppet manifest directory):
    1. autosign.conf: Set the site-specific domain for which SSL certificates will be signed automatically.
    2. tagmail.conf: List the email addresses and the Puppet module tags that determine which users receive notifications when actions are taken.
    3. manifests/settings.pp: Configure the names of the local DNS, NTP, and syslog servers here. Note that the $domain variable is set automatically from the local system at runtime.
    4. manifests/site.pp: Contains several global site variables, including filebucket, which must be set to the Puppet server name.
    5. manifests/nodes/nodes.pp: Configure this file for the local groups of workstations and the modules each group inherits.
  98. Are the Puppet manifests appropriate for use in an operational environment?
    The Puppet manifests were created to manage systems in a non-operational environment where USGCB settings can be tested prior to being applied to operational systems. Although the USGCB settings have been field tested by the champion agency and reviewed by NIST, DoD, and Red Hat, it is not possible to test every site-specific scenario. Always test any configuration script prior to deploying it to operational systems.
  99. What is the bootloader password on a system configured with Puppet?
    The Puppet manifests on the usgcb.nist.gov website do not set the bootloader password. Although it is possible for Puppet to set the bootloader password, it is strongly recommended to set it at install time with the kickstart script.
  100. What is the root password on a system configured with Puppet?
    The root password must be set manually at the time of installation by an administrator, or by a kickstart script. The Puppet manifests do not modify the root password.
  101. How could I use the Puppet manifests with the kickstart script?
    The Puppet manifests and the kickstart file perform distinct tasks. The USGCB kickstart file was designed to configure a fully compliant USGCB system from the moment of installation, while the Puppet manifests were designed to keep a system in a managed state of continual compliance. The two can thus be used in concert: a system is installed using the options in the kickstart file and then managed via Puppet to ensure it stays compliant and up to date.