ProductsDesktop Server For Scientific Computing For IBM POWER For IBM System z For SAP Business Applications Red Hat Network Satellite ManagementExtended Update Support High Availability High Performance Network Load Balancer Resilient Storage Scalable File System Smart Management Extended Lifecycle SupportDeveloper Studio Portfolio Edition Web Framework Kit Application Platform Web Server Data Grid Portal Platform Red Hat JBoss A-MQ Red Hat JBoss Fuse SOA Platform Business Rules Management System (BRMS) Data Services Platform Messaging JBoss Operations Network JBoss Community or JBoss enterprise
SolutionsApplication development Business process management Enterprise application integration Interoperability Operational efficiency Security VirtualizationSolaris to Red Hat Enterprise Linux Migration overview Migrate from your UNIX platform How to migrate to Red Hat Enterprise Linux Upgrade to the latest Red Hat Enterprise Linux release JBoss Enterprise Middleware Benefits of migrating to Red Hat Enterprise Linux Migration services Start a conversation with Red Hat
TrainingPopular and new courses Red Hat JBoss Administration curriculum Core System Administration curriculum JBoss Middleware Development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing, Virtualization, and Storage curriculum
ConsultingBusiness Process Management Cloud and Virtualization Custom Software Development Enterprise Data and Storage Systems Management Migrations
Red Hat OpenSCAP Under Evaluation to Meet SCAP 1.2 NIST Standard
March 13, 2013
The Red Hat Government and Industry Standard Certifications Team
Red Hat has long recognized how important computer security is to our customers. When we learned about NIST’s SCAP (Security Content Automation Protocol), we thought it could be very useful to our customers and the broader Linux community. With SCAP, a security checklist can be created one time and all vendors supporting the standard can consume the file formats in their tools. This approach addresses problems with complexity by taking a consolidating approach and incorporating ease of management, prevents vendor lock-in and fits well with open source ideals like freedom. For this reason, more than four years ago, Red Hat started an open source community project called OpenSCAP.
OpenSCAP aims to provide a library that can parse and evaluate each part of the SCAP standard. This way, anyone wanting to create SCAP tools can simply use the library to quickly create a new tool rather than spending a lot of time learning how to parse the content. OpenSCAP provides a multi-purpose tool designed to format content into documents or scan the system from the content. This tool can use DISA STIG, NIST's USGCB, or Red Hat's Security Response Team's content (as well as anything authored to SCAP standards). The project has also been integrated with Red Hat Satellite and a content tailoring program called scap-workbench.
The SCAP standard is large. Parts of it, such as CVE (Common Vulnerability Enumeration), OVAL (Open Vulnerability Assessment Language), and CVSS (Common Vulnerability Scoring System) are familiar, but there are other important parts, including XCDDF (eXtensible Configuration Checklist Document Format), that are not quite as familiar. Red Hat actively participates in the standards process by being an editorial board member on some of the more critical standards, helping the project standards address the needs of modern Linux platforms.
So, it is with great pleasure that we are announcing that OpenSCAP is officially under evaluation to meet NIST’s SCAP 1.2 standard in the authenticated scanner category. To ensure all tools claiming conformance actually do meet the standard, all security solution vendors must undergo this certification if they intend to claim conformance to the SCAP standard. We expect Red Hat Enterprise Linux customers to soon have a certified scanner that meets the government's requirements delivered as part of the Red Hat Enterprise Linux platform. Look for another announcement in the coming months for the results of the evaluation.
You can find out more about our sustained commitment to security certifications at http://www.redhat.com/solutions/government/certifications/. For more information about SCAP, visit http://scap.nist.gov and http://www.open-scap.org.