Features/OpenSCAP

From FedoraProject

Difference between revisions
(Dependencies)
(Current status)
 
(22 intermediate revisions by 3 users not shown)
Line 15: Line 15:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/14 | Fedora 14 ]]  
 
* Targeted release: [[Releases/14 | Fedora 14 ]]  
* Last updated: 22-Jun-2010
+
* Last updated: 14-Sep-2010
* Percentage of completion: 0%
+
* Percentage of completion: 100%
  
 
== Detailed Description ==
 
== Detailed Description ==
Line 26: Line 26:
 
* oscap-scan - command line '''scanner''' driven by OVAL/XCCDF content
 
* oscap-scan - command line '''scanner''' driven by OVAL/XCCDF content
 
* [https://fedorahosted.org/secstate/ secstate] - tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and '''provide remediation''' to security relevant configuration items.
 
* [https://fedorahosted.org/secstate/ secstate] - tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and '''provide remediation''' to security relevant configuration items.
* firstaidkit-plugin-openscap - This [https://fedoraproject.org/wiki/Features/FirstAidKit FirstAidKit] plugin interfaces the OpenSCAP library, which can be used to perform a security/configuration audit of a running machine.
+
* firstaidkit-plugin-openscap - Plugin for [https://fedoraproject.org/wiki/Features/FirstAidKit FirstAidKit] which allows user to perform basic automated security audit and evaluate the results in text or graphical environment.  
  
 
The last part of this feature a is an OVAL/XCCDF content that represent secure and consistent configuration of Fedora operating system. This content can be by any SCAP enabled tool.
 
The last part of this feature a is an OVAL/XCCDF content that represent secure and consistent configuration of Fedora operating system. This content can be by any SCAP enabled tool.
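Review bot: the rewritten firstaidkit-plugin-openscap bullet no longer says that the plugin works through the OpenSCAP library, which was the only text tying the plugin to the library this feature delivers; keep that clause, for example "Plugin for FirstAidKit, built on the OpenSCAP library, which allows ...". The unchanged sentence right below it still reads "The last part of this feature a is an OVAL/XCCDF content ... This content can be by any SCAP enabled tool", with a stray "a" and no verb in the second sentence; fix it in the same edit.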
Line 37: Line 37:
  
 
== Scope ==
 
== Scope ==
 +
This feature will be delivered in several packages: openscap, secstate, firstaidkit-plugin-openscap,... .
 +
 +
== Goals ==
 +
* OpenSCAP library
 +
** all parts of library support SCAP 1.0 on Linux platform
 +
** stable high level API
 +
** documentation and tutorials available online
 +
* oscap-scan
 +
** import xccdf and oval content
 +
** select profile
 +
** scan a system and output a xccdf results in html/xml format
 +
** initscript and cron job script for oscap-scan are available
 +
* secstate
 +
** import xccdf and oval content
 +
** select and de-select rules and groups
 +
** scan a system and output a xccdf results schema
 +
** remediate problems using specially constructed Puppet content
 +
* firstaidkit-plugin-openscap
 +
** plugin package is build
 +
** Fist aid kit GUI supports showing details of SCAP results
 +
* Fedora SCAP content
 +
** repository for content is created
 +
** content is written
  
 
== How To Test ==
 
== How To Test ==
 +
# Install the system
 +
# Scan the system by many different ways
 +
# Check results and see the system is in compliance
 +
# Change the system settings
 +
# Scan again
 +
# See the system is not in compliance
  
 
== User Experience ==
 
== User Experience ==
 
+
* User can use different ways to perform automatic scan of his system and make sure the system is in compliance with defined security configuration. The user is enabled to automatically remediate the system.
  
 
== Dependencies ==
 
== Dependencies ==
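Review bot: the How To Test steps are not reproducible as written: step 2, "Scan the system by many different ways", names no tool, content file or profile, and step 4, "Change the system settings", does not say which setting a rule in the Fedora content checks. Name at least one of the tools from the Goals list (oscap-scan, secstate or the FirstAidKit plugin) for the scan steps and one concrete setting, so the expected change from compliant to non-compliant can be verified. In Goals, "plugin package is build" and "Fist aid kit GUI" are typos, and the Scope line trails off in ",... ." instead of listing the remaining packages.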
Line 47: Line 76:
  
 
== Contingency Plan ==
 
== Contingency Plan ==
 
+
The are not any dependencies on this feature, therefore no contingency plan is needed.
  
 
== Documentation ==
 
== Documentation ==
 
+
* http://www.open-scap.org/page/Documentation
 +
* http://www.open-scap.org/doc/
 +
* https://fedorahosted.org/secstate/
 +
* https://fedoraproject.org/wiki/Features/FirstAidKit
  
 
== Release Notes ==
 
== Release Notes ==
 
+
Fedora 14 brings in support of the Security Content Automation Protocol (SCAP). A library called OpenSCAP that provides development framework and several SCAP scanning tools are included in the distribution. OVAL and XCCDF contents specific for fedora that can be used for automated system configuration checking are also provided
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
  
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF14]]
  
 
<!-- When your feature page is completed and ready for review -->
 
<!-- When your feature page is completed and ready for review -->
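Review bot: typos in the added text: Contingency Plan opens with "The are not any dependencies" (should be "There are"), and the Release Notes paragraph writes "fedora" in lower case and ends without a full stop. The Release Notes sentence "A library called OpenSCAP that provides development framework and several SCAP scanning tools are included" also pairs two subjects awkwardly; splitting it into one sentence for the library and one for the tools would read more clearly.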

Latest revision as of 11:42, 14 September 2010



OpenSCAP

Summary

Provide an open-source Security Content Automation Protocol (SCAP) framework, a basic set of applications, and OVAL/XCCDF security content for Fedora 14.

Owner

Current status

  • Targeted release: Fedora 14
  • Last updated: 14-Sep-2010
  • Percentage of completion: 100%

Detailed Description

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It is a goal of the OpenSCAP project to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.

The tools based on the OpenSCAP library that are included in this Fedora feature are:

  • oscap-scan - command-line scanner driven by OVAL/XCCDF content
  • secstate - tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation for security-relevant configuration items.
  • firstaidkit-plugin-openscap - plugin for FirstAidKit that allows the user to perform a basic automated security audit and evaluate the results in a text or graphical environment.

The last part of this feature is OVAL/XCCDF content that represents a secure and consistent configuration of the Fedora operating system. This content can be used by any SCAP-enabled tool.

Benefit to Fedora

  • open-source framework for SCAP developers
  • security scanning/remediation tool(s) that are capable of handling SCAP content
  • OVAL/XCCDF security content

Scope

This feature will be delivered in several packages: openscap, secstate, firstaidkit-plugin-openscap, ...

Goals

  • OpenSCAP library
    • all parts of the library support SCAP 1.0 on the Linux platform
    • stable high-level API
    • documentation and tutorials available online
  • oscap-scan
    • import XCCDF and OVAL content
    • select a profile
    • scan a system and output XCCDF results in HTML/XML format
    • initscript and cron job script for oscap-scan are available
  • secstate
    • import XCCDF and OVAL content
    • select and de-select rules and groups
    • scan a system and output an XCCDF results schema
    • remediate problems using specially constructed Puppet content
  • firstaidkit-plugin-openscap
    • plugin package is built
    • FirstAidKit GUI supports showing details of SCAP results
  • Fedora SCAP content
    • repository for content is created
    • content is written

How To Test

  1. Install the system
  2. Scan the system in several different ways
  3. Check the results and see that the system is in compliance
  4. Change the system settings
  5. Scan again
  6. See that the system is no longer in compliance
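
The comparison in steps 3 and 6 can be automated over the XCCDF results that the scanners write in XML format. The following is an added example, not code from this page or from the OpenSCAP project; it assumes the results use the XCCDF 1.1 namespace, and the rule ids and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace, the XCCDF version that SCAP 1.0 bundles.
XCCDF = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF}
# Results treated as "not in compliance" here (an assumption of this example).
FAILING = {"fail", "error", "unknown"}

def rule_results(xml_text):
    """Map rule idref -> result string for the first TestResult found."""
    root = ET.fromstring(xml_text)
    # TestResult can be the document root or sit inside a Benchmark.
    tr = root if root.tag == "{%s}TestResult" % XCCDF else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF TestResult element found")
    out = {}
    for rr in tr.findall("x:rule-result", NS):
        res = rr.find("x:result", NS)
        out[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return out

def compliant(xml_text):
    """True when no rule ended in a failing state."""
    return not any(v in FAILING for v in rule_results(xml_text).values())

def regressions(before_xml, after_xml):
    """Rules that passed in the first scan but fail, or are missing, in the second."""
    before, after = rule_results(before_xml), rule_results(after_xml)
    return sorted(r for r, v in before.items()
                  if v == "pass" and after.get(r, "unknown") in FAILING)

def _sample(results):
    # Constructed, minimal TestResult document; rule ids are hypothetical.
    rows = "".join('<rule-result idref="%s"><result>%s</result></rule-result>' % kv
                   for kv in results)
    return '<TestResult xmlns="%s" id="constructed">%s</TestResult>' % (XCCDF, rows)

SCAN_1 = _sample([("rule-selinux-enforcing", "pass"),
                  ("rule-ssh-no-root-login", "pass"),
                  ("rule-ftp-removed", "notapplicable")])
SCAN_2 = _sample([("rule-selinux-enforcing", "pass"),
                  ("rule-ssh-no-root-login", "fail"),
                  ("rule-ftp-removed", "notapplicable")])

if __name__ == "__main__":
    print("first scan compliant:", compliant(SCAN_1))
    print("second scan compliant:", compliant(SCAN_2))
    print("regressed rules:", regressions(SCAN_1, SCAN_2))
```

A rule that disappears from the second result file is counted as a regression, so a scan run with a narrower profile cannot pass for a clean system.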

User Experience

  • The user can scan the system automatically in several different ways and make sure it is in compliance with the defined security configuration. The user can also remediate the system automatically.

Dependencies

None

Contingency Plan

There are not any dependencies on this feature, therefore no contingency plan is needed.

Documentation

  • http://www.open-scap.org/page/Documentation
  • http://www.open-scap.org/doc/
  • https://fedorahosted.org/secstate/
  • https://fedoraproject.org/wiki/Features/FirstAidKit

Release Notes

Fedora 14 brings in support for the Security Content Automation Protocol (SCAP). A library called OpenSCAP, which provides a development framework, and several SCAP scanning tools are included in the distribution. OVAL and XCCDF content specific to Fedora that can be used for automated system configuration checking is also provided.

Comments and Discussion