Red Hat has announced that OpenSCAP 1.2, an open source Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology as a US government evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7-based systems.
This certification shows that OpenSCAP can analyze and evaluate security automation content correctly and has the functionality and documentation required by NIST to run in sensitive, security-conscious environments.
A synthesis of interoperable specifications based on in-depth community collaboration, SCAP provides an overarching security format that security vendors supporting the standard can use. The standard defines common operations for security scanners, so that security content written once can be run on any other certified scanner, enabling repeatable security assessments for policy compliance to be done more quickly and continuously.
Created more than five years ago, OpenSCAP is an open source, joint initiative between the National Security Agency, Red Hat, and the broader open source community to address these standards.
In the US, the General Services Administration (GSA) requires that technologies included in blanket purchase agreements for vulnerability and configuration management products have formal NIST SCAP certification. Recently, this requirement has been expressed in product requirements in support of the DHS Continuous Diagnostics and Mitigation (CDM) program.
With the new NIST certification, Red Hat customers required to use SCAP for regulatory reasons, or in support of DHS CDM, no longer need to request waivers or exemptions for their Red Hat environments. The OpenSCAP certification extends across the Red Hat portfolio and encompasses:
* Red Hat Enterprise Linux: In addition to providing OpenSCAP as a system administration tool, OpenSCAP has been integrated directly into the Red Hat Enterprise Linux installer. Systems can now operate in continuous security compliance from deployment through the end of their lifecycle.
* Red Hat Satellite: A lifecycle management platform for Red Hat Enterprise Linux-based hosts, including enterprise configuration and vulnerability scanning.
* Red Hat CloudForms: Red Hat’s award-winning hybrid cloud management platform, offering security insight across cloud deployments.
* Atomic Scan: Delivered as part of Red Hat Enterprise Linux Atomic Host, Atomic Scan is the first NIST-certified configuration and vulnerability scanner for Linux Containers. Atomic Scan is capable of scanning container registries, even when containers are offline, using container introspection.
* SCAP Workbench: A graphical utility built for system administrators and security officers to more easily tailor and customize SCAP-based security profiles, without requiring in-depth knowledge of the underlying SCAP standards.
In addition to natively providing OpenSCAP tooling in Red Hat Enterprise Linux and associated system management offerings, Red Hat provides the underlying development libraries for OpenSCAP. With these libraries, independent software vendors (ISVs) can embed NIST-certified configuration and vulnerability scanning into their applications built for Red Hat Enterprise Linux, extending these capabilities across bare metal, virtualized, and container deployments.
Security automation content, consumable by OpenSCAP and other SCAP-certified tools, is provided through the SCAP Security Guide package. Security compliance profiles are included in both Red Hat Enterprise Linux 6 and 7 for standards such as the Department of Defense Security Technical Implementation Guide (STIG), PCI compliance, and FBI Criminal Justice Information Systems (CJIS).
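As an added example (not code from the page, Red Hat or the OpenSCAP project), the script below reads an XCCDF 1.2 TestResult document of the kind `oscap xccdf eval --results` writes after evaluating SCAP Security Guide content, and reports which rules failed at or above a chosen severity. The XCCDF 1.2 namespace is the real one; the result document and rule ids are constructed for this example in the SCAP Security Guide naming style and do not come from a real scan.

```python
"""Summarise an XCCDF 1.2 TestResult document of the kind `oscap xccdf eval
--results` writes. Added example, not OpenSCAP project code; the results
document below is constructed by hand, not produced by a real scan."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Rank used to filter findings by severity (XCCDF severity values).
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Result values meaning a selected rule was checked and did not pass.
FAILING_RESULTS = {"fail", "error", "unknown"}

# Constructed sample TestResult: rule ids follow the SCAP Security Guide
# naming style but are invented for this example.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_example"
            start-time="2016-01-01T00:00:00" end-time="2016-01-01T00:01:00">
  <profile idref="xccdf_org.ssgproject.content_profile_example"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_sshd_root_login" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_audit_enabled" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_banner" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_ipv6_disabled" severity="medium">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fips" severity="low">
    <result>notselected</result>
  </rule-result>
</TestResult>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, result) tuples from a TestResult."""
    root = ET.fromstring(xml_text)
    # Accept either a bare TestResult or a larger document that contains one.
    if root.tag == f"{{{XCCDF_NS}}}TestResult":
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    rows = []
    for rr in test_result.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Count rule results by outcome, e.g. {'pass': 1, 'fail': 2, ...}."""
    return dict(Counter(result for _, _, result in rows))


def failed_rules(rows, min_severity="low"):
    """Rule ids that failed at or above the given severity, highest first."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    hits = [(rid, sev) for rid, sev, res in rows
            if res in FAILING_RESULTS and SEVERITY_RANK.get(sev, 0) >= threshold]
    hits.sort(key=lambda t: -SEVERITY_RANK.get(t[1], 0))
    return [rid for rid, _ in hits]


def is_compliant(rows):
    """True when no selected, applicable rule produced a failing result."""
    return not any(res in FAILING_RESULTS for _, _, res in rows)


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print("summary:", summarize(rows))
    print("failed (medium and above):", failed_rules(rows, "medium"))
    print("compliant:", is_compliant(rows))
```

Rules reported as `notapplicable` or `notselected` are deliberately excluded from the failing set, since a tailored profile (for instance one edited in SCAP Workbench) routinely deselects rules, and counting those as failures would mask real findings in a continuous compliance pipeline.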
David Egts, chief technologist for public sector at Red Hat, comments: “Continuous, repeatable scanning processes are key to keeping modern, increasingly-complex computing environments more secure and safe, and open standards help to make these processes achievable. NIST’s new certification of OpenSCAP on the world’s leading enterprise Linux platform provides a flexible, powerful SCAP scanner built on open standards, making it easier for agencies and other organizations to add verifiable, repeatable security scanning to their repertoires.”