UNCLASSIFIED
SCAP Security Guide
https://github.com/OpenSCAP
SHAWN WELLS, RED HAT
SHAWN@REDHAT.COM
WELLSHAW@NRO.IC.GOV
443-534-0130
UNCLASSIFIED

30 MINUTES, 3 GOALS
• Detail Security Automation Technology + Initiatives
  – Native Tooling [ OpenSCAP ]
  – Configuration Compliance [ SCAP Security Guide ]
  – Remediation & Tailoring [ currently scripts, future Ansible ]
• Live Demo
  – Configuration Compliance Scanning
  – C&A Paperwork generation

OVERVIEW
• Delivers practical security guidance, baselines, and associated validation mechanisms using the Security Content Automation Protocol (SCAP)
  – Current content for Red Hat Enterprise Linux, JBoss, JRE…
  – Prioritizing future content based on community input
• Current upstream source for STIG and SNAC Guides
  – DISA JBoss Enterprise Application Platform STIG
  – DISA Red Hat Enterprise Linux 6 & 7 STIGs
  – National Security Agency SNAC Guide
  – Department of Justice CJIS Baselines

OVERVIEW
• The SSG represents a comprehensive catalog of security controls
• Metadata maps specific rules to formalized policies
  – NIST 800-53
  – DISA OS SRG
  – CCEs
• XSL Transformations generate profiles
  – “Show me all the rules tagged with DISA OS SRG so I can make a STIG”
  – “Show me all the rules I need for a NIST 800-53 H/L/L system”
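The rule-selection idea above (pick rules by the policy references attached to them, then emit a profile) as an added example that is not part of the slides or of SSG itself: SSG does this with XSLT over its XCCDF benchmark, while this script performs the same selection in Python over a small constructed benchmark fragment. The reference hrefs, rule ids and titles are assumed illustrative values, not taken from the page.

```python
"""Select XCCDF rules by policy reference and turn the selection into a profile.
Illustrative stand-alone script (not SSG code); SSG does this with XSLT."""
from typing import List, Optional
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Reference hrefs in the style SSG uses (assumed values, not taken from the page).
NIST_800_53 = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
DISA_OS_SRG = "http://iase.disa.mil/stigs/os/general/Pages/index.aspx"

# Constructed two-rule benchmark; ids and titles are illustrative, not real SSG rules.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH Root Login</title>
    <reference href="{NIST_800_53}">AC-6(2)</reference>
    <reference href="{DISA_OS_SRG}">SRG-OS-000109-GPOS-00056</reference>
  </Rule>
  <Rule id="xccdf_example_rule_no_empty_passwords" severity="high">
    <title>Prevent Login to Accounts With Empty Password</title>
    <reference href="{NIST_800_53}">IA-5(1)(a)</reference>
  </Rule>
</Benchmark>"""


def rules_with_reference(xml_text: str, href: str, value: Optional[str] = None) -> List[str]:
    """Return ids of rules carrying a <reference> to the policy at `href`.
    With `value` set, only rules whose reference text equals it (one specific control) match."""
    root = ET.fromstring(xml_text)
    selected = []
    for rule in root.findall("x:Rule", NS):
        for ref in rule.findall("x:reference", NS):
            if ref.get("href") == href and (value is None or (ref.text or "").strip() == value):
                selected.append(rule.get("id"))
                break  # one matching reference is enough; do not add the rule twice
    return selected


def build_profile(profile_id: str, rule_ids: List[str]) -> ET.Element:
    """Build an XCCDF <Profile> that selects exactly the given rules."""
    profile = ET.Element(f"{{{XCCDF_NS}}}Profile", id=profile_id)
    for rid in rule_ids:
        ET.SubElement(profile, f"{{{XCCDF_NS}}}select", idref=rid, selected="true")
    return profile


if __name__ == "__main__":
    # "Show me all the rules tagged with DISA OS SRG so I can make a STIG"
    stig = rules_with_reference(SAMPLE_BENCHMARK, DISA_OS_SRG)
    print(ET.tostring(build_profile("xccdf_example_profile_stig", stig), encoding="unicode"))
```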

OPEN SOURCE BENEFITS
• Powerful collaboration tools available
  – Wiki, mailing list, ticketing system, versioning systems
  – Permit and encourage internet-wide collaboration
  – Change is transparent and accountable
• Enables transparent collaboration
  – Direct vendor, system integrator, and industry partner involvement
  – Speeds content development and testing
  – Reduces government waste, centralizes baseline development

YES, GOVERNMENT CAN CONTRIBUTE!
• Worked with NSA General Counsel and Red Hat to update the Fedora Contributor Agreement

SSG COMMUNITY

SSG COMMUNITY
• In a nutshell, the community…
  – …has had 3,208 commits from 107 contributors, representing over 1.2M lines of code
  – …has participation from all cabinet-level agencies
  – …is commercially shipping in Enterprise Linux

SSG DEVELOPMENT ROADMAP

DISA STIG, VERSION 1, RELEASE 2, SECTION 1.1:
“The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process”