Chapter 6. OpenSCAP
SCAP is a standardized compliance checking solution for enterprise-level Linux infrastructure. It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for enterprise systems.
In RHN Satellite Server 5.5, SCAP is implemented by the OpenSCAP application. OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists. It also combines with other specifications such as CPE, CCE, and OVAL, to create a SCAP-expressed checklist that can be processed by SCAP-validated products.
6.1. OpenSCAP Features
OpenSCAP verifies the presence of patches by using content produced by the Red Hat Security Response Team (SRT), checks system security configuration settings and examines systems for signs of compromise by using rules based on standards/specifications.
To effectively use OpenSCAP, there are two requirements:
- A tool to verify a system confirms to a standardRHN Satellite Server has integrated OpenSCAP as an auditing feature from version 5.5. It allows you to schedule and view compliance scans for the system through the web interface.
- SCAP contentSCAP content can be created from scratch if you have an understanding of at least XCCDF or OVAL. Alternatively, another option exists. XCCDF content is frequently published online under open source licenses and this content may be customized to suit your needs instead.
NoteRed Hat supports the use of templates to evaluate your systems. However, custom content authoring of these templates is not supported.Some examples of these groups are:
- The United States Government Configuration Baseline (USGCB) for RHEL5 Desktop — Official SCAP content for desktops within federal agencies that has been developed at NIST in collaboration with Red Hat, Inc. and the United States Department of Defense (DoD) using OVAL.
- Community-provided content
- SCAP Security Guide for RHEL6 — Active community-run content that sources from the USGCB requirements and widely-accepted policies and contains profiles for desktop, server, and ftp server.
- OpenSCAP Content for RHEL6 — The openscap-content package from the Red Hat Enterprise Linux 6 Optional Channel also provides default content guidance for Red Hat Enterprise Linux 6 systems via a template.
As SCAP was made to maintain system security, the standards that are used continually change to meet the needs of the community and enterprise businesses. New specifications are governed by NIST's SCAP Release cycle in order to provide a consistent and repeatable revision workflow.