Automated Security Compliance Evaluation of Your Infrastructure with SCAP

Mini Tutorial
Wednesday, November 11, 2015 - 4:00pm-5:30pm

Martin Preisler, Red Hat, Inc.

Martin Preisler, Red Hat, Inc.

Martin Preisler works as a software engineer at Red Hat, Inc. He works on the Security Technologies team, focusing on security compliance using Security Content Automation Protocol. He is the principal author of SCAP Workbench, a frequent contributor to OpenSCAP and SCAP Security Guide, and a contributor to the SCAP standard specifications. Outside of Red Hat, he likes to work on open source projects related to real-time 3D rendering and game development.

BibTeX
@conference {208708,
author = {Martin Preisler},
title = {Automated Security Compliance Evaluation of Your Infrastructure with {SCAP}},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = nov,
}
Download
Description: 

SCAP is a set of specifications related to security compliance. The primary use-case is to ensure a system is configured according to a predefined policy. It is heavily used in government, defense, and finance industries.

In this tutorial we will go through all the necessary steps towards a continuous compliance setup of an infrastructure. We will start by installing the tools and preparing the SCAP content. Then we will proceed to scan a single machine for compliance, further refining the content. After that we will explore how to scan it continuously and how to scan multiple machines at once.

Note: Fedora 22 or a Fedora 22 VM recommended. RHEL6, RHEL7, CentOS6, and CentOS7 have older versions of the packages but an additional repository can be enabled to get the latest versions. Other distributions may or may not work, depending on packaging status of the SCAP tools.

Who should attend: 

System administrators, especially government, defense, telecommunication, finance and payment processing decision-makers that are thinking about adopting SCAP or improving proactive security.

Take back to work: 
  • What is SCAP? Where can it be used?
  • Where do I get SCAP content? Where do I get the tools?
  • Ability to customize existing SCAP content for my needs
  • How to deploy customized SCAP content for a single machine and multiple machines
Topics include: 
  • SCAP, XCCDF, and OVAL
  • OpenSCAP
  • SCAP Workbench
  • oscap
  • oscap-ssh
  • oscap-docker
  • security policy tailoring/customization
  • SCE
  • Spacewalk/Satellite 5 SCAP integration
  • Foreman/Satellite 6 SCAP integration
  • USGCB, PCI-DSS, DISA STIG compliance