From Fedora Project Wiki

(Imported content from Feature 14)
(corrected typo)
(69 intermediate revisions by 14 users not shown)
Line 1: Line 1:
{{header|docs}}
{{header|docs}}{{Docs_beat_open}}
{{Docs_beat_open}}


= OpenSCAP =
<title>Crypto Policy</title>


== Abstract ==
<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>
Fedora 14 brings in support of the SCAP (Security Content Automation Protocol). A library called '''OpenSCAP''' that provides development framework and several SCAP scanning tools are included in the distribution. OVAL and XCCDF contents specific for Fedora 14 that can be used for automated system configuration checking are also provided.


== Description ==
<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>
'''OpenSCAP''' is an open-source framework for SCAP developers.
SCAP is a line of standards managed by [http://scap.nist.gov/index.html NIST] (National Institute of Standards and Technology). It was created to provide a standardized approach ''to maintaining the security'' of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
 
The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. The OpenSCAP project aims to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
 
The tools based on OpenSCAP library which are included in this Fedora feature are:
* oscap-scan - command line scanner driven by OVAL/XCCDF content
* secstate - tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security relevant configuration items.
* firstaidkit-plugin-openscap - Plugin for [[Features/FirstAidKit | FirstAidKit]] which allows user to perform basic automated security audit and evaluate the results in text or graphical environment.
 
With this feature installed, the user can use different ways to perform automatic scan of his system and make sure the system is in compliance with defined security configuration. The user is enabled to automatically remediate the system.
 
== References ==
* [https://fedoraproject.org/wiki/Features/OpenSCAP OpenSCAP] on Fedora wiki
* [http://www.open-scap.org/page/Documentation Documentations] on project site
* [http://www.open-scap.org/doc/ open-scap] library documentations on project site
* [https://fedorahosted.org/secstate/ secstate] (Security State) on Fedora Hosted
* [https://fedoraproject.org/wiki/Features/FirstAidKit FirstAidKit] on Fedora wiki


<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>




Revision as of 07:03, 4 June 2014

DocsProject Header docTeam1.png
Note.png
Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer


<title>Crypto Policy</title>

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>

Retrieved from "https://fedoraproject.org/w/index.php?title=Documentation_Security_Beat&oldid=379227"