SCAP Security Guide

A presentation at Praxis Security Day in July 2016 in Columbia, MD, USA by Shawn Wells

Slide 1

UNCLASSIFIED

SCAP Security Guide
https://github.com/OpenSCAP

Shawn Wells, Red Hat
shawn@redhat.com
wellshaw@nro.ic.gov
443-534-0130

Slide 2

Slide 3

30 MINUTES, 3 GOALS
• Detail Security Automation Technology + Initiatives
  – Native Tooling [ OpenSCAP ]
  – Configuration Compliance [ SCAP Security Guide ]
  – Remediation & Tailoring [ currently scripts, future Ansible ]
• Live Demo
  – Configuration Compliance Scanning
  – C&A Paperwork generation

Slide 4

OVERVIEW
• Delivers practical security guidance, baselines, and associated validation mechanisms using the Security Content Automation Protocol (SCAP)
  – Current content for Red Hat Enterprise Linux, JBoss, JRE, ...
  – Prioritizing future content based on community input
• Current upstream source for STIG and SNAC Guides
  – DISA JBoss Enterprise Application Platform STIG
  – DISA Red Hat Enterprise Linux 6 & 7 STIGs
  – National Security Agency SNAC Guide
  – Department of Justice CJIS Baselines

Slide 5

OVERVIEW
• The SSG represents a comprehensive catalog of security controls
• Metadata maps specific rules to formalized policies
  – NIST 800-53
  – DISA OS SRG
  – CCEs
• XSL Transformations generate profiles
  – “Show me all the rules tagged with DISA OS SRG so I can make a STIG”
  – “Show me all the rules I need for a NIST 800-53 H/L/L system”
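The two OVERVIEW slides describe the mechanics behind both demo goals: each XCCDF rule carries `<reference>` metadata pointing at a policy catalogue (NIST 800-53, DISA OS SRG), a profile is just a selection of rules sharing a tag, and a scan's `<rule-result>` entries can be cross-walked back to controls for the C&A package. The following is an added example, not SCAP Security Guide or OpenSCAP code (SSG does this selection with XSLT, and `oscap` writes the results), working over a constructed, minimal XCCDF 1.2 document. The rule ids, the `urn:example:` reference hrefs and the `SRG-OS-SAMPLE-*` strings are placeholders chosen for the sample; only the XCCDF 1.2 namespace and the element names are real.

```python
"""Query SSG-style XCCDF metadata and scan results for compliance reporting.

Added example over a constructed XCCDF 1.2 document; it is not SCAP Security
Guide or OpenSCAP code. Rule ids, reference hrefs and SRG strings are
placeholders, not real SSG content.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # the real XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}
ET.register_namespace("xccdf", XCCDF_NS)

# Placeholder hrefs standing in for the policy catalogues SSG references.
# In real content the href identifies the catalogue (NIST SP 800-53, DISA OS SRG, ...).
NIST_800_53 = "urn:example:nist-800-53"
DISA_OS_SRG = "urn:example:disa-os-srg"

# Constructed sample: three rules with policy references, plus a TestResult of
# the kind `oscap xccdf eval --results` writes after a scan.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_sshd_no_root" severity="medium">
    <title>Disable direct root login over SSH</title>
    <reference href="{NIST_800_53}">AC-6</reference>
    <reference href="{DISA_OS_SRG}">SRG-OS-SAMPLE-A</reference>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_idle_timeout" severity="low">
    <title>Set an SSH idle timeout</title>
    <reference href="{NIST_800_53}">AC-17</reference>
  </Rule>
  <Rule id="xccdf_example_rule_audit_logins" severity="medium">
    <title>Audit login and logout events</title>
    <reference href="{NIST_800_53}">AU-2</reference>
    <reference href="{DISA_OS_SRG}">SRG-OS-SAMPLE-B</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sshd_no_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_idle_timeout"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logins"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def q(tag):
    """Clark-notation tag in the XCCDF namespace."""
    return f"{{{XCCDF_NS}}}{tag}"


def load(xml_text):
    return ET.fromstring(xml_text)


def rule_references(root):
    """Map rule id -> {reference href -> set of control ids} from <reference> metadata."""
    out = {}
    for rule in root.iter(q("Rule")):
        refs = defaultdict(set)
        for ref in rule.findall("x:reference", NS):
            refs[ref.get("href")].add((ref.text or "").strip())
        out[rule.get("id")] = dict(refs)
    return out


def rules_tagged(root, href):
    """'Show me all the rules tagged with <catalogue>': rule ids referencing href."""
    return sorted(rid for rid, refs in rule_references(root).items() if href in refs)


def scan_results(root):
    """Map rule id -> XCCDF result string (pass, fail, notapplicable, ...) from <rule-result>."""
    results = {}
    for rr in root.iter(q("rule-result")):
        res = rr.find("x:result", NS)
        results[rr.get("idref")] = (res.text or "").strip() if res is not None else "notchecked"
    return results


def control_matrix(root, href):
    """Map control id -> {rule id -> result}: the cross-walk a C&A package needs."""
    results = scan_results(root)
    matrix = defaultdict(dict)
    for rid, refs in rule_references(root).items():
        for control in refs.get(href, ()):
            matrix[control][rid] = results.get(rid, "notchecked")
    return dict(matrix)


def failures_by_control(root, href):
    """Controls with at least one failing rule, each with its sorted failing rule ids."""
    return {
        control: sorted(rid for rid, res in rules.items() if res == "fail")
        for control, rules in sorted(control_matrix(root, href).items())
        if "fail" in rules.values()
    }


def profile_xml(root, href, profile_id, title):
    """Generate an XCCDF <Profile> selecting every rule tagged with href."""
    profile = ET.Element(q("Profile"), id=profile_id)
    ET.SubElement(profile, q("title")).text = title
    for rid in rules_tagged(root, href):
        ET.SubElement(profile, q("select"), idref=rid, selected="true")
    return ET.tostring(profile, encoding="unicode")


if __name__ == "__main__":
    root = load(SAMPLE_XCCDF)
    print("DISA-tagged rules:", rules_tagged(root, DISA_OS_SRG))
    for control, failing in failures_by_control(root, NIST_800_53).items():
        print(f"800-53 {control}: failing rules {failing}")
    print(profile_xml(root, DISA_OS_SRG, "xccdf_example_profile_stig", "STIG candidate profile"))
```

Against real content the results document comes from `oscap xccdf eval --profile <profile id> --results results.xml --report report.html <content>` (with `--tailoring-file` for a site-specific tailoring), and the generated `<Profile>` is the shape of what the slide's XSL transformations emit; the point of the cross-walk is that a failing rule is reported under the 800-53 control it implements, which is the row an assessor asks for, rather than under the rule id the scanner knows.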

Slide 6

OPEN SOURCE BENEFITS
• Powerful collaboration tools available
  – Wiki, mailing list, ticketing system, versioning systems
  – Permit and encourage internet-wide collaboration
  – Change is transparent, and accountable
• Enables transparent collaboration
  – Direct vendor, system integrator, and industry partner involvement
  – Speeds content development and testing
  – Reduces government waste, centralizes baseline development

Slide 7

YES, GOVERNMENT CAN CONTRIBUTE!
• Worked with NSA General Counsel and Red Hat to update the Fedora Contributor Agreement

Slide 8

SSG COMMUNITY

Slide 9

SSG COMMUNITY
• In a nutshell, the community...
  – ... has had 3,208 commits from 107 contributors, representing over 1.2M lines of code
  – ... has participation from all cabinet-level agencies
  – ... is commercially shipping in Enterprise Linux

Slide 10

SSG DEVELOPMENT ROADMAP

Slide 11

DISA STIG, VERSION 1, RELEASE 2, SECTION 1.1:

“The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process”

Slide 12