OpenSCAP - Fedora

Post on 21-Sep-2020


OpenSCAP

Šimon Lukašík

Agenda

● Compliance Audit

● Why we are doing it

● What is SCAP

● OpenSCAP ecosystem

● Future challenges

Compliance Audit

● Proactive security

● Security Policy

● Why?

– Military (STIG)

– Government regulations (CC, USGCB)

– FISMA Act

– ISO/IEC 27000 standard series

– Card industry (PCI DSS)

What is SCAP

● Group of many standards

● Automated compliance checking

● Governed by NIST

– http://scap.nist.gov/

– Industry standard

● Current version: 1.2

SCAP Components

XCCDF – Checklist

CVE, CCE, CPE – Enumeration

OVAL, SCE, OCIL – Assessment Language

SCAP 1.1 Document Formats / SCAP 1.2 Document Formats

SCAP Component Standards

– OVAL Definitions

– Shell Scripts

– XCCDF Benchmark

– CVE Feed

– OCIL Questionnaire

– OVAL Results

– CPE Dictionary

– CCE List

(slide diagram: the SCAP 1.2 formats, Source DataStream and Asset Reporting Format, use the component standards listed above)

1/21/15

open-scap.org

github.com/OpenSCAP/scap-security-guide

demo

github.com/OpenSCAP/scap-workbench

spacewalk.redhat.com

fedorahosted.org/oscap-anaconda-addon

github.com/OpenSCAP/foreman_openscap

Scale SCAP

● vendor neutral and centralized SW inventory

● vendor neutral CI compliance monitoring

● vendor neutral threat life-cycle management

● organization defined targeting

● better understanding of given system's purpose by auditing infrastructure

3/17/13

github.com/OpenSCAP/scaptimony


Thanks!

isimluk.livejournal.com

twitter.com/openscap