Security Compliance for Containers and VMs with OpenSCAP

Friday, December 9, 2016 - 11:00am12:30pm

Martin Preisler, Red Hat


The core focus of this mini-tutorial is how to do a SCAP evaluation of containers and virtual machines that are part of infrastructures deployed in production.

SCAP is a set of specifications related to security compliance. The primary use-case is to ensure a system is configured according to a predefined policy. It is heavily used in government, defense, and finance industries. In this tutorial we will go through all the necessary steps towards a continuous compliance setup of an infrastructure. We will start by installing the tools and preparing the SCAP content. Then we will proceed to scan a single machine for compliance, further refining the content. After that we will discuss differences between scanning a bare-metal machine, virtual machine, and a container. Then we will explore how to scan continuously and how to scan multiple instances at once.

For vulnerability scans we will be using Red Hat Enterprise Linux 6 and 7. For security compliance we will use United States Government Configuration Baseline and Payment Card Industry policies as examples.

Who should attend:
System administrators, especially from government contractors, defense, finance and telecommunication industries; Decision makers that need security compliance for regulatory purposes or for proactive security; Dev-ops interested in proactive security

Take back to work:

  • What is SCAP? Where can it be used?
  • Where do I get SCAP content? Where do I get the tools?
  • How to use SCAP for automated vulnerability scans
  • How to use SCAP for automated security policies
  • Customizing existing SCAP content for specific deployments

Topics include:

  • Vulnerabilities
  • Common Vulnerability Enumeration
  • Project Atomic
  • SCAP
  • OpenSCAP
  • SCAP Workbench
  • oscap tool, oscap-ssh, oscap-docker, oscap-vm
  • atomic scan
  • SCAP Security Guide
  • tailoring / customization of SCAP content
  • SCE
  • Spacewalk/Satellite 5 SCAP integration
  • Foreman/Satellite 6 SCAP integration
  • USGCB, PCI-DSS, DISA STIG compliance

Martin Preisler, Red Hat

Martin Preisler works as a software engineer at Red Hat, Inc. He works on the Security Technologies team, focusing on security compliance using Security Content Automation Protocol. He is the principal author of SCAP Workbench, a frequent contributor to OpenSCAP and SCAP Security Guide, and a contributor to the SCAP standard specifications. Outside of Red Hat, he likes to work on open source projects related to real-time 3D rendering and game development.

@conference {208462,
author = {Martin Preisler},
title = {Security Compliance for Containers and {VMs} with {OpenSCAP}},
year = {2016},
address = {Boston, MA},
publisher = {USENIX Association},
month = dec