A presentation at Praxis Security Day in July 2016 in Columbia, MD, USA by Shawn Wells
UNCLASSIFIED
SCAP Security Guide
https://github.com/OpenSCAP
Shawn Wells, Red Hat
shawn@redhat.com
wellshaw@nro.ic.gov
443-534-0130
30 MINUTES, 3 GOALS
• Detail Security Automation Technology + Initiatives
  – Native Tooling [ OpenSCAP ]
  – Configuration Compliance [ SCAP Security Guide ]
  – Remediation & Tailoring [ currently scripts, future Ansible ]
• Live Demo
  – Configuration Compliance Scanning
  – C&A Paperwork generation
OVERVIEW
• Delivers practical security guidance, baselines, and associated validation mechanisms using the Security Content Automation Protocol (SCAP)
  – Current content for Red Hat Enterprise Linux, JBoss, JRE, ...
  – Prioritizing future content based on community input
• Current upstream source for STIG and SNAC Guides
  – DISA JBoss Enterprise Application Platform STIG
  – DISA Red Hat Enterprise Linux 6 & 7 STIGs
  – National Security Agency SNAC Guide
  – Department of Justice CJIS Baselines
OVERVIEW
• The SSG represents a comprehensive catalog of security controls
• Metadata maps specific rules to formalized policies
  – NIST 800-53
  – DISA OS SRG
  – CCEs
• XSL Transformations generate profiles
  – “Show me all the rules tagged with DISA OS SRG so I can make a STIG”
  – “Show me all the rules I need for a NIST 800-53 H/L/L system”
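The rule-to-policy mapping described on this slide is carried in XCCDF as `<reference href="...">` elements on each Rule, and a profile is nothing more than a list of `<select idref="..."/>` entries chosen by some query over that metadata. The following is an added example, not code from the SCAP Security Guide project: it builds a small, constructed XCCDF 1.2 benchmark (the XCCDF namespace is the real one; the reference hrefs and rule ids are placeholders standing in for the SSG's own mapping URLs and names), answers the two questions quoted above in Python rather than XSL, and renders the result as an XCCDF Profile element.

```python
"""Select SSG-style rules by policy reference and emit an XCCDF Profile.

Added example, not code from the SCAP Security Guide project. The benchmark
below is a constructed, minimal XCCDF 1.2 document; its reference hrefs and
rule ids are placeholders, not the SSG's real values.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # real XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}
ET.register_namespace("", XCCDF_NS)                 # emit a default namespace on output

# Placeholder hrefs (assumption): the SSG uses its own URL per policy source.
HREF_NIST = "urn:example:nist-800-53"
HREF_DISA_SRG = "urn:example:disa-os-srg"
HREF_CCE = "urn:example:cce"

# Constructed benchmark: three rules with different policy mappings.
BENCHMARK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_demo">
    <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <title>Disable SSH root login</title>
      <reference href="{HREF_NIST}">AC-6</reference>
      <reference href="{HREF_NIST}">IA-2</reference>
      <reference href="{HREF_DISA_SRG}">SRG-OS-000109-GPOS-00056</reference>
      <reference href="{HREF_CCE}">CCE-00000-0</reference>
    </Rule>
    <Rule id="xccdf_example_rule_audit_enabled" severity="high">
      <title>Enable auditd</title>
      <reference href="{HREF_NIST}">AU-12</reference>
      <reference href="{HREF_DISA_SRG}">SRG-OS-000037-GPOS-00015</reference>
    </Rule>
    <Rule id="xccdf_example_rule_banner" severity="low">
      <title>Display a login banner</title>
      <reference href="{HREF_NIST}">AC-8</reference>
    </Rule>
  </Group>
</Benchmark>
"""


def load_rules(benchmark_xml: str) -> dict[str, dict[str, set[str]]]:
    """Return {rule_id: {href: {reference texts}}} for every Rule in the benchmark."""
    root = ET.fromstring(benchmark_xml)
    rules: dict[str, dict[str, set[str]]] = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        refs: dict[str, set[str]] = {}
        for ref in rule.findall("x:reference", NS):
            refs.setdefault(ref.get("href", ""), set()).add((ref.text or "").strip())
        rules[rule.get("id")] = refs
    return rules


def rules_tagged_with(benchmark_xml: str, href: str) -> list[str]:
    """'Show me all the rules tagged with <policy>' (e.g. DISA OS SRG for a STIG)."""
    return sorted(rid for rid, refs in load_rules(benchmark_xml).items() if href in refs)


def rules_for_controls(benchmark_xml: str, href: str, controls: set[str]) -> list[str]:
    """Rules whose references under `href` intersect a chosen control set,
    e.g. the 800-53 controls selected for a given impact level."""
    return sorted(
        rid for rid, refs in load_rules(benchmark_xml).items()
        if refs.get(href, set()) & controls
    )


def render_profile(profile_id: str, title: str, rule_ids: list[str]) -> str:
    """Emit an XCCDF Profile that selects exactly `rule_ids`, the job the SSG's XSL does."""
    profile = ET.Element(f"{{{XCCDF_NS}}}Profile", id=profile_id)
    ET.SubElement(profile, f"{{{XCCDF_NS}}}title").text = title
    for rid in rule_ids:
        ET.SubElement(profile, f"{{{XCCDF_NS}}}select", idref=rid, selected="true")
    return ET.tostring(profile, encoding="unicode")


if __name__ == "__main__":
    stig_rules = rules_tagged_with(BENCHMARK_XML, HREF_DISA_SRG)
    print(render_profile("xccdf_example_profile_stig", "Rules tagged with DISA OS SRG", stig_rules))
    # A constructed control set standing in for an 800-53 baseline selection.
    baseline = rules_for_controls(BENCHMARK_XML, HREF_NIST, {"AC-6", "AC-8"})
    print(render_profile("xccdf_example_profile_baseline", "Rules for chosen 800-53 controls", baseline))
```

The point of the example is that once every rule carries its policy references, a new profile for a new policy is a query over existing metadata rather than a hand-built rule list; the real SSG performs the same selection with XSL over its own, much larger, benchmark.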
OPEN SOURCE BENEFITS
• Powerful collaboration tools available
  – Wiki, mailing list, ticketing system, versioning systems
  – Permit and encourage internet-wide collaboration
  – Change is transparent, and accountable
• Enables transparent collaboration
  – Direct vendor, system integrator, and industry partner involvement
  – Speeds content development and testing
  – Reduces government waste, centralizes baseline development
YES, GOVERNMENT CAN CONTRIBUTE!
• Worked with NSA General Counsel and Red Hat to update Fedora Contributor Agreement
SSG COMMUNITY
SSG COMMUNITY
• In a nutshell, the community...
  – ...has had 3,208 commits from 107 contributors, representing over 1.2M lines of code
  – ...has participation from all cabinet-level agencies
  – ...is commercially shipping in Enterprise Linux
SSG DEVELOPMENT ROADMAP
DISA STIG, VERSION 1, RELEASE 2, SECTION 1.1:
“The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process”
Review of the SCAP Security Guide project at Praxis’ Security Day.