Back by popular demand, we’ll again be posting a series of blogs leading up to the Fedora 14 “Laughlin” release, which highlight some of the cool new features planned in the latest Fedora distribution. Up first is a feature that boosts security in Fedora 14: OpenSCAP.
Staying true to its motto of “Freedom, Friends, Features, First,” the Fedora Project always looks to implement the latest open source technologies. The release of Fedora 14 is expected to mark a “first” with inclusion of support for the SCAP (Security Content Automation Protocol) 1.0 standard – a first across all distributions.
SCAP is a line of standards managed by the National Institute of Standards and Technology (NIST). It provides a standardized approach to maintaining the security of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise. With OpenSCAP, the open source community is leveraging many different components from the security standards ecosystem.
The SCAP suite contains multiple complex data exchange formats used to transmit important vulnerability, configuration, and other security data so that other SCAP tools can interoperate. Historically, this information has been locked away in proprietary tools with proprietary file formats. The lack of interoperable tools means that you cannot assemble a best of breed set of tools where you have the best editor, scanner, analysis, or visualization tool from different authors working together. The SCAP specification is challenging to implement, and as such, only an incomplete reference implementation for two of the standards is available to the open source community. This lack of tools makes the barrier to entry high and discourages adoption of these protocols by the open source community. The goal of the OpenSCAP project is to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
The libraries available through the OpenSCAP project are designed to enable users to jump more quickly from idea to prototype when developing security tools. If you have a neat idea for a security tool, you don’t have to figure out SCAP and start a project by writing a parser. Instead, you can jump right to using Python, Perl, or C to experiment and see if the idea is worth pursuing to make into a more comprehensive tool. With support from the developer community, the OpenSCAP project hopes to make more tools available in the future.
Fedora 14 is expected to include a number of tools based on the OpenSCAP library:
- oscap-scan: command line scanner driven by OVAL®/XCCDF content.
- secstate: tool that attempts to streamline the certification and accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security relevant configuration items.
- firstaidkit-plugin-openscap: Plugin for FirstAidKit which allows the user to perform basic automated security audit and evaluate the results in text or graphical environment.
- Scap-workbench: a soon to be released GUI tool that allows for content tailoring, on-demand scanning, and presentation of scan results.
OpenSCAP is a big change to the way that companies can do compliance and vulnerability auditing and allows them to prevent vendor lock-in. Red Hat has been an early adopter of this technology, with its Security Response Team issuing Open Vulnerability Assessment Language (OVAL) content for Security Errata, and also using Common Vulnerabilities and Exposures (CVE) notation to enumerate software vulnerabilities. Red Hat’s commitment has improved the creation of the OpenSCAP library with content for use with Fedora 14 to enable a basic security scan. The OpenSCAP project adds software support for OVAL and CVE and the rest of the SCAP standards such as:
- Common Vulnerability Scoring System (CVSS)
- Common Platform Enumeration (CPE)
- Common Configuration Enumeration (CCE)
- Extensible Configuration Checklist Description Format (XCCDF)
Support for these recognized standards enhances an organization’s ability to check compliance, patch level, do inventory, prioritize system updates, and improve situational awareness.
Be one of the first to try out OpenSCAP in Fedora 14. Download the Fedora 14 Beta here and look for the final release in early November.
–OVAL and CVE are registered trademarks, and CCE, CPE, and OCIL are trademarks, of The MITRE Corporation.
–XCCDF and SCAP are trademarks of the National Institute of Standards and Technology (NIST).
저자 소개
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.