Red Hat has long recognized how important computer security is to our customers. When we learned about NIST’s SCAP (Security Content Automation Protocol), we thought it could be very useful to our customers and the broader Linux community. With SCAP, a security checklist can be created one time and all vendors supporting the standard can consume the file formats in their tools. This approach addresses problems with complexity by taking a consolidating approach and incorporating ease of management, prevents vendor lock-in and fits well with open source ideals like freedom. For this reason, more than four years ago, Red Hat started an open source community project called OpenSCAP.
OpenSCAP aims to provide a library that can parse and evaluate each part of the SCAP standard. This way, anyone wanting to create SCAP tools can simply use the library to quickly create a new tool rather than spending a lot of time learning how to parse the content. OpenSCAP provides a multi-purpose tool designed to format content into documents or scan the system from the content. This tool can use DISA STIG, NIST's USGCB, or Red Hat's Security Response Team's content (as well as anything authored to SCAP standards). The project has also been integrated with Red Hat Satellite and a content tailoring program called scap-workbench.
The SCAP standard is large. Parts of it, such as CVE (Common Vulnerability Enumeration), OVAL (Open Vulnerability Assessment Language), and CVSS (Common Vulnerability Scoring System) are familiar, but there are other important parts, including XCDDF (eXtensible Configuration Checklist Document Format), that are not quite as familiar. Red Hat actively participates in the standards process by being an editorial board member on some of the more critical standards, helping the project standards address the needs of modern Linux platforms.
So, it is with great pleasure that we are announcing that OpenSCAP is officially under evaluation to meet NIST’s SCAP 1.2 standard in the authenticated scanner category. To ensure all tools claiming conformance actually do meet the standard, all security solution vendors must undergo this certification if they intend to claim conformance to the SCAP standard. We expect Red Hat Enterprise Linux customers to soon have a certified scanner that meets the government's requirements delivered as part of the Red Hat Enterprise Linux platform. Look for another announcement in the coming months for the results of the evaluation.
You can find out more about our sustained commitment to security certifications at http://www.redhat.com/solutions/government/certifications/. For more information about SCAP, visit http://scap.nist.gov and http://www.open-scap.org.