All of us have highly sensitive and valuable assets, such as payment and financial information, health data, and classified information, that need protection. The SCAP Security Guide, which is used in various Red Hat technologies and services, can help you make your systems compliant with a selected security baseline.
System security consists of several aspects:
-
Protection against known threats through vulnerability assessment, which helps check that the system does not contain any components with known vulnerabilities.
-
Enhanced defense against unknown threats through configuration compliance with a specific security policy. This helps decrease the attack surface of the system.
How does it work?
Policies, profiles, rules
Security policies are usually written as a set of requirements. If a system meets all mandatory requirements, it is pronounced compliant. These requirements can vary in their level of detail. They can be very exact. For example, “Ensure that the root user cannot login through SSH.” But sometimes they can be quite vague. For example, “Ensure that the root user’s ability to login in to the system is limited.”
Policies are meant to be read by humans—specifically, administrators—who perform the required configuration and auditors who check if a system is appropriately configured. However, ensuring compliance through automation is often a requirement of security policies.
SCAP Security Guide facilitates automation of configuration and subsequent auditing, and it has several benefits. SCAP content provides Red Hat’s interpretation of the particular security policy. This interpretation is consulted with policy authors and subject matter experts. Therefore, we save your time and resources because you do not need to evaluate the policy and create your own automated checks and remediations. Nonetheless, it is highly recommended to review the SCAP content and tweak it to suit your individual system setup.
To automate the implementation of a policy so that an application can perform it, we must turn it into an exact procedure, called profile. Each profile consists of one or more rules, and each rule reflects a specific requirement.
The scap-security-guide package includes HTML guides describing every profile. For every rule, they include its description as well as Open Checklist Interactive Language (OCIL) checks and eventual remediations described below.
Checking
As we said earlier, each rule represents a specific requirement. Auditors and system administrators need to check whether the system meets the requirement. Therefore, SCAP Security Guide provides automated checks that examine the target system and decide if the rule passes or fails (if the requirement is met or not). The automated checks are written in the Open Vulnerability and Assessment Language (OVAL). This standardized language describes how a scanner should probe the system and evaluate the result. OVAL can be consumed by the OpenSCAP scanner, for example, which is a National Institute of Standards and Technology (NIST) certified vulnerability scanner used to ensure compliance of Red Hat systems.
Rules are also accompanied by checks written in OCIL. This format is actually meant for humans, and it describes how to perform the check manually. It can be used in case the check cannot be automated for some reason or if there is no available software to read the checks written in OVAL language.
Fixing misconfigurations (remediating)
If a check detects that some requirement is not met (the rule fails), an action needs to be taken to bring the system into the compliant state. SCAP Security Guide can help you not only in automating the process of checking, but also the process of fixing the system. In the world of SCAP Security Guide, this process is called remediation. A rule can contain a remediation written in one of the supported languages. Currently, SCAP Security Guide supports remediations in form of Bash scripts, Ansible playbooks and Kubernetes snippets in the MachineConfig format.
These remediations can be consumed by OpenSCAP scanner which can automatically apply them, making the system compliant. We also ship Ansible playbooks and Bash scripts that remediate the whole profile at once, and these can be run independently of any scanner. Alternatively, Ansible and Bash remediations can be generated from a scan report, and these contain only the minimal needed steps to get the scanned system back to compliance.
Reporting
SCAP Security Guide provides facilities to create detailed reports in HTML, ready to be read by administrators, auditors and managers. They contain clear indications of the system's compliance with the selected policy, as well as technical details of any items that are not in accordance with the chosen standard. It is also possible to produce reports in the SCAP-standardized ARF format, which can be read by various security applications.
Covering multiple use cases
The SCAP Security Guide is integrated into several Red Hat solutions. You can choose your preferred way of working towards security compliance.
-
You can work on compliance of your Red Hat Enterprise Linux (RHEL) systems directly, because SCAP Security Guide is packaged for both RHEL 7 and RHEL 8 together with the OpenSCAP scanner. You can read more about achieving security compliance for RHEL 7 and for RHEL 8.
-
SCAP Security Guide is supported in the Anaconda installation system. You can use this to check that your systems are compliant directly after installation, before their first boot. You can read more about installing hardened RHEL 7 and RHEL 8.
-
If you manage your infrastructure with Red Hat Satellite, you can also benefit from features provided by SCAP Security Guide. You can constantly monitor compliance of your systems and get notified if a problem occurs. You can read more here.
-
Red Hat Insights integrates SCAP Security Guide as well. You can check the compliance of the managed systems, create Ansible playbooks to remediate any misconfigurations and generate reports. Read more about the Compliance service here.
-
For Red Hat OpenShift 4 clusters, there is OpenSCAP and SCAP Security Guide powered compliance-operator. More details can be found in this post.
저자 소개
Vojtěch Polášek is a software engineer working within the security compliance subsystem in Red Hat. He studied computer networks and, later, information technology security at Masaryk University in Brno, Czech Republic.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.