30
OpenSCAP Šimon Lukašík
OpenSCAP
Šimon Lukašík
Agenda
● Compliance Audit
● Why we are doing it
● What is SCAP
● OpenSCAP ecosystem
● Future challenges
Compliance Audit
● Proactive security
● Security Policy
● Why?– Military (stig)
– Government regulations (cc, usgcb)
– FISMA Act.
– ISO/EIC 27000 standard series
– Card industry (pci dss)
What is SCAP
● Group of many standards● Automated compliance checking● Governed by NIST
– http://scap.nist.gov/
– Industry standard
● Current version: 1.2
SCAP Components
XCCDF
Checklist
CVECCE CPEEnumeration
OVAL SCEOCIL
Assessment Language
SCAP 1.1 Document Formats
SCAP 1.2 Document Formats
SCAP Component Standards
OVAL Definitions
Shell Scripts
XCCDF Benchmark
CVE Feed
OCIL Questionare
OVAL Results
CPE Dictionary
CCE List
use
Asset Reporting Format
Source DataStream
1/21/15
1/21/15
open-scap.org
1/21/15
github.com/OpenSCAP/scap-security-guide
demo
1/21/15
github.com/OpenSCAP/scap-workbench
1/21/15
spacewalk.redhat.com
1/21/15
fedorahosted.org/oscap-anaconda-addon
1/21/15
github.com/OpenSCAP/foreman_openscap
1/21/15
1/21/15
Scale SCAP
● vendor neutral and centralized SW inventory● vendor neutral CI compliance monitoring● vendor neutral threat life-cycle management● organization defined targeting ● better understanding of given system's purpose by auditing
infrastructure
3/17/13
github.com/OpenSCAP/scaptimony
1/21/15
Thanks!
isimluk.livejournal.comtwitter.com/openscap
