Security Automation for Containers and VMs with OpenSCAP

Friday, November 03, 2017 - 2:00 pm3:30 pm

Martin Preisler and Marek Haicman, Red Hat, Inc.


SCAP is a set of specifications related to security automation. SCAP is used to improve security posture - hardening and finding vulnerabilities—as well as regulatory reasons. It is heavily used in government, defense, and finance industries. OpenSCAP is an open source implementation of the SCAP standard. The project and its various integrations allow automated scanning of large infrastructures.

The core focus of this mini-tutorial is how to do an SCAP evaluation of containers and virtual machines that are part of infrastructures deployed in production. There are two major use-cases of SCAP, both covered by our tutorial.

In the first part, we will look at scanning machines for known vulnerabilities. We will show how CVE and CVE OVAL content relate to each other. For a demo we will show vulnerability scanning of Red Hat Enterprise Linux 7 and OpenSUSE from the command-line.

In the second part, we will focus on ensuring a system is configured according to a predefined policy (i.e. compliance). This tutorial part will start with scan of single machine for compliance with one of the profiles in SCAP Security Guide. For demonstration purposes we will use PCI-DSS but the same workflow works for any profile. Customizing SCAP content to better fit the needs will follow—selecting extra rules, unchecking unsuitable rules and altering values. Using customized SCAP content, we will perform scan of bare machine, virtual machine, and container. Then we will discuss ways to scan multiple targets continuously using Satellite 6.

If time permits, we will discuss how to write new custom content using SCE—Script Check Engine.

Martin Preisler, Red Hat, Inc.

Martin Preisler works as a Software Engineer at Red Hat, Inc. He is working in the Security Technologies team, focusing on security compliance using Security Content Automation Protocol. He is the principal author of SCAP Workbench, a frequent contributor to OpenSCAP and SCAP Security Guide, and a contributor to the SCAP standard specifications. Outside of work he likes playing guitar, skiing, billiards and indoor climbing.

Marek Haicman, Red Hat, Inc.

Marek Haicman works as Quality Engineer at Red Hat, Inc. He is lead Quality Engineer of the SCAP domain in RHEL QE, working in downstream and upstream of SCAP project. Apart of catching computer bugs, he enjoys boxing and dragon boat racing.

@conference {207227,
author = {Martin Preisler and Marek Haicman},
title = {Security Automation for Containers and {VMs} with {OpenSCAP}},
year = {2017},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = oct
Who should attend: 

System Administrators, Decision Makers, Security Engineers and Stakeholders

Take back to work: 
  • What is SCAP? Where can it be used? 
  • Where do I get SCAP content? Where do I get the tools? 
  • How to use SCAP for automated vulnerability scans 
  • How to use SCAP for automated security policies 
  • Customizing existing SCAP content for specific deployments
Topics include: 
  • Vulnerabilities
  • Common Vulnerability Enumeration
  • Project Atomic
  • SCAP
  • OpenSCAP
  • SCAP Workbench
  • oscap tool, oscap-ssh, oscap-docker, oscap-vm
  • atomic scan
  • SCAP Security Guide
  • tailoring/customization of SCAP content
  • Using scripting languages in SCAP content
  • Spacewalk/Satellite 5 SCAP integration
  • Foreman/Satellite 6 SCAP integration
  • USGCB, PCI-DSS, DISA STIG compliance
  • Generating Ansible Roles with OpenSCAP and SCAP Security Guide