Fedora 14 Spotlight Feature: Keeping Secure with OpenSCAP

Back by popular demand, we’ll again be posting a series of blogs leading up to the Fedora 14 “Laughlin” release, which highlight some of the cool new features planned in the latest Fedora distribution. Up first is a feature that boosts security in Fedora 14: OpenSCAP.

Staying true to its motto of “Freedom, Friends, Features, First,” the Fedora Project always looks to implement the latest open source technologies. The release of Fedora 14 is expected to mark a “first” with inclusion of support for the SCAP (Security Content Automation Protocol) 1.0 standard – a first across all distributions.

SCAP is a line of standards managed by the National Institute of Standards and Technology (NIST). It provides a standardized approach to maintaining the security of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise. With OpenSCAP, the open source community is leveraging many different components from the security standards ecosystem.

The SCAP suite contains multiple complex data exchange formats used to transmit important vulnerability, configuration, and other security data so that other SCAP tools can interoperate. Historically, this information has been locked away in proprietary tools with proprietary file formats. The lack of interoperable tools means that you cannot assemble a best of breed set of tools where you have the best editor, scanner, analysis, or visualization tool from different authors working together. The SCAP specification is challenging to implement, and as such, only an incomplete reference implementation for two of the standards is available to the open source community. This lack of tools makes the barrier to entry high and discourages adoption of these protocols by the open source community. The goal of the OpenSCAP project is to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.

The libraries available through the OpenSCAP project are designed to enable users to jump more quickly from idea to prototype when developing security tools. If you have a neat idea for a security tool, you don’t have to figure out SCAP and start a project by writing a parser. Instead, you can jump right to using Python, Perl, or C to experiment and see if the idea is worth pursuing to make into a more comprehensive tool. With support from the developer community, the OpenSCAP project hopes to make more tools available in the future.

Fedora 14 is expected to include a number of tools based on the OpenSCAP library:

• oscap-scan: command line scanner driven by OVAL®/XCCDF content.
• secstate: tool that attempts to streamline the certification and accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security relevant configuration items.
• firstaidkit-plugin-openscap: Plugin for FirstAidKit which allows the user to perform basic automated security audit and evaluate the results in text or graphical environment.
• Scap-workbench: a soon to be released GUI tool that allows for content tailoring, on-demand scanning, and presentation of scan results.

OpenSCAP is a big change to the way that companies can do compliance and vulnerability auditing and allows them to prevent vendor lock-in. Red Hat has been an early adopter of this technology, with its Security Response Team issuing Open Vulnerability Assessment Language (OVAL) content for Security Errata, and also using Common Vulnerabilities and Exposures (CVE) notation to enumerate software vulnerabilities. Red Hat’s commitment has improved the creation of the OpenSCAP library with content for use with Fedora 14 to enable a basic security scan. The OpenSCAP project adds software support for OVAL and CVE and the rest of the SCAP standards such as:

• Common Vulnerability Scoring System (CVSS)
• Common Platform Enumeration (CPE)
• Common Configuration Enumeration (CCE)
• Extensible Configuration Checklist Description Format (XCCDF)

Support for these recognized standards enhances an organization’s ability to check compliance, patch level, do inventory, prioritize system updates, and improve situational awareness.

Be one of the first to try out OpenSCAP in Fedora 14. Download the Fedora 14 Beta here and look for the final release in early November.

–OVAL and CVE are registered trademarks, and CCE, CPE, and OCIL are trademarks, of The MITRE Corporation.
–XCCDF and SCAP are trademarks of the National Institute of Standards and Technology (NIST).