COMPLIANCE MADE EASY
Shawn Wells
unclass: shawn@redhat.com
JWICS: wellsha@nro.ic.gov
NSA: sdwell2@nsa.ic.gov
(+1) 443-534-0130
UNCLASSIFIED

60 MINUTES, 2 GOALS
1. Review compliance tech + initiatives
   • Upstream: SCAP Security Guide (SSG)
   • Downstream: NSA SNAC Guides & STIGs
2. SCAP Demo
   • OpenSCAP + SSG
   • C&A Document Generation

NSA C63 (aka NIAP) & Red Hat: where we’ve been… and next stop

Product                                                           Certification Date  EAL Level  CAPP  RBAC  LSPP
Red Hat Enterprise Linux 6 with KVM                               2012-10-08          EAL4+      YES   YES   YES
Red Hat Enterprise Linux 5.6 with KVM                             2012-04-20          EAL4+      YES   YES   YES
IBM z/VM Version 5 Release 3 (for IBM System z Mainframes)        2008-08-06          EAL4+      YES   NO    YES
VMWare vSphere 5.0                                                2012-05-18          EAL4+      NO    NO    NO
VMWare ESXi 4.1                                                   2010-12-15          EAL4+      NO    NO    NO
Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050   2009-07-24          EAL4+      NO    NO    NO

CAPP: Users control data access.
RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…).
LSPP: Compartmentalizes users and applications from each other. Enables MLS.


Beta Programs + Customer Advisory Panels

FIPS Certs

docs.redhat.com

“Core” Red Hat Subscription Value

Atsec

Common Criteria != Compliance Policy

STIG == Compliance Policy

SCAP Security Guide Project (SSG)

SCAP Security Guide

In a Nutshell, SCAP Security Guide:
… has had 1,943 commits from 24 contributors, representing 164,355 lines of source
… took an estimated 43 years of effort (COCOMO model)
… has become upstream for DISA RHEL6 STIG, NIST NVD for JBoss EAP, NSA SNAC guide in progress


RHEL5 STIG Delay: 1,988 days
RHEL6 STIG Delay: 932 days

STIG Version 1, Release 2, Section 1.1: “The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process”


SCAP Security Guide
• Guidance broken into profiles:
  • RHEL6 STIG
  • CS2
  • NIST NVD (JBoss only)
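The OpenSCAP + SSG demo on the agenda ends in C&A document generation; as an added example (my code, not code from SSG or OpenSCAP), the Python below turns an XCCDF 1.2 TestResult of the kind `oscap xccdf eval --results` writes after evaluating one of these profiles into the outcome counts, compliance percentage and severity-ordered open findings that a C&A package reports. The result file, test-result id and rule names are constructed; only the id prefixes follow SSG's naming convention.

```python
"""Summarise an XCCDF 1.2 TestResult (as written by `oscap xccdf eval --results`)
into C&A pass/fail figures. Added example, not SSG or OpenSCAP code."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEV_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample result. Id prefixes follow SSG's XCCDF 1.2 naming;
# the rule names (example_a ...) are placeholders, not real SSG rules.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel6-server"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_e" severity="medium"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xccdf_results: str) -> dict:
    """Count rule outcomes for the evaluated profile and list open findings."""
    root = ET.fromstring(xccdf_results)
    test_result = root.find("x:TestResult", NS)
    profile = test_result.find("x:profile", NS).get("idref")
    counts = Counter()
    findings = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        # Only fail/error/unknown are open findings; notapplicable,
        # notchecked and notselected need no POA&M entry.
        if outcome in ("fail", "error", "unknown"):
            findings.append((rr.get("severity", "unknown"), rr.get("idref")))
    # Score only rules that were actually evaluated, so N/A and unchecked
    # rules neither inflate nor deflate the percentage.
    evaluated = counts["pass"] + counts["fail"]
    score = round(100.0 * counts["pass"] / evaluated, 1) if evaluated else 0.0
    findings.sort(key=lambda f: SEV_ORDER.get(f[0], len(SEV_ORDER)))
    return {"profile": profile, "counts": dict(counts),
            "evaluated": evaluated, "score": score, "findings": findings}

if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    print(f"{s['profile']}: {s['score']}% of {s['evaluated']} evaluated rules pass")
    for severity, rule in s["findings"]:
        print(f"  [{severity}] {rule}")
```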


Remediation During Provisioning