Chapter 8. Compliance and Vulnerability Scanning with OpenSCAP
8.1. Security Compliance in Red Hat Enterprise Linux
A compliance audit is a process of figuring out whether a given object follows all the rules written out in a compliance policy. The compliance policy is defined by security professionals who specify desired settings, often in the form of a checklist, that are to be used in the computing environment.
The compliance policy can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of these systems and its importance for the organization. The custom software settings and deployment characteristics also raise a need for custom policy checklists.
Red Hat Enterprise Linux provides tools that allow for fully automated compliance audit. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.
Security Compliance Tools Supported on Red Hat Enterprise Linux 6
- OpenSCAP — The oscap command-line utility is designed to perform configuration and vulnerability scans on a local system, to validate security compliance content, and to generate reports and guides based on these scans and evaluations.
- Script Check Engine (SCE) — SCE is an extension to SCAP protocol that allows content authors to write their security content using a scripting language, such as Bash, Python or Ruby. The SCE extension is provided with the openscap-engine-sce package.
- SCAP Security Guide (SSG) — The scap-security-guide package provides the latest collection of security polices for Linux systems.
If you require performing automated compliance audits on multiple systems remotely, you can utilize OpenSCAP solution for Red Hat Satellite. For more information see Section 8.5, “Using OpenSCAP with Red Hat Satellite” and Section 8.8, “Additional Resources”.
Note that Red Hat does not provide any default compliance policy along with the Red Hat Enterprise Linux 6 distribution. The reasons for that are explained in Section 8.2, “Defining Compliance Policy”.