Back by popular demand, we’ll again be posting a series of blogs leading up to the Fedora 14 “Laughlin” release, which highlight some of the cool new features planned in the latest Fedora distribution. Up first is a feature that boosts security in Fedora 14: OpenSCAP.
Staying true to its motto of “Freedom, Friends, Features, First,” the Fedora Project always looks to implement the latest open source technologies. The release of Fedora 14 is expected to mark a “first” with the inclusion of support for the SCAP (Security Content Automation Protocol) 1.0 standard – a first across all distributions.
SCAP is a line of standards managed by the National Institute of Standards and Technology (NIST). It provides a standardized approach to maintaining the security of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise. With OpenSCAP, the open source community is leveraging many different components from the security standards ecosystem.
The SCAP suite contains multiple complex data exchange formats used to transmit important vulnerability, configuration, and other security data so that SCAP tools can interoperate. Historically, this information has been locked away in proprietary tools with proprietary file formats. The lack of interoperable tools means that you cannot assemble a best-of-breed set of tools where the best editor, scanner, analysis, or visualization tool from different authors work together. The SCAP specification is challenging to implement, and as such, only an incomplete reference implementation for two of the standards is available to the open source community. This lack of tools makes the barrier to entry high and discourages adoption of these protocols by the open source community. The goal of the OpenSCAP project is to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
The libraries available through the OpenSCAP project are designed to enable users to jump more quickly from idea to prototype when developing security tools. If you have a neat idea for a security tool, you don’t have to figure out SCAP and start a project by writing a parser. Instead, you can jump right to using Python, Perl, or C to experiment and see if the idea is worth pursuing to make into a more comprehensive tool. With support from the developer community, the OpenSCAP project hopes to make more tools available in the future.
Fedora 14 is expected to include a number of tools based on the OpenSCAP library:
- oscap-scan: a command-line scanner driven by OVAL®/XCCDF content.
- secstate: a tool that attempts to streamline the certification and accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security-relevant configuration items.
- firstaidkit-plugin-openscap: a plugin for FirstAidKit that allows the user to perform a basic automated security audit and evaluate the results in a text or graphical environment.
- Scap-workbench: a soon-to-be-released GUI tool that allows for content tailoring, on-demand scanning, and presentation of scan results.
OpenSCAP is a big change to the way that companies can do compliance and vulnerability auditing, and it allows them to prevent vendor lock-in. Red Hat has been an early adopter of this technology, with its Security Response Team issuing Open Vulnerability Assessment Language (OVAL) content for Security Errata, and also using Common Vulnerabilities and Exposures (CVE) notation to enumerate software vulnerabilities. Red Hat’s commitment has improved the creation of the OpenSCAP library with content for use with Fedora 14 to enable a basic security scan. The OpenSCAP project adds software support for OVAL and CVE, as well as the rest of the SCAP standards, such as:
- Common Vulnerability Scoring System (CVSS)
- Common Platform Enumeration (CPE)
- Common Configuration Enumeration (CCE)
- Extensible Configuration Checklist Description Format (XCCDF)
Support for these recognized standards enhances an organization’s ability to check compliance and patch level, take inventory, prioritize system updates, and improve situational awareness.
Be one of the first to try out OpenSCAP in Fedora 14. Download the Fedora 14 Beta here and look for the final release in early November.
–OVAL and CVE are registered trademarks, and CCE, CPE, and OCIL are trademarks, of The MITRE Corporation.
–XCCDF and SCAP are trademarks of the National Institute of Standards and Technology (NIST).