Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Consumer to Collaborator: Re-imaging the US Gov...

Consumer to Collaborator: Re-imaging the US Government's role in Open Source

Government agencies are often hesitant to use open source tools out of concerns of security and compliance issues. This hesitancy to use open source deprives many government agencies from closely collaborating with others to create software that is finely tuned and widely available to scratch its own itch. The five-year old OpenSCAP community is helping to change that and re-imagining the US Governments role in open source through its NIST-Certified SCAP 1.2 scanning software and growing body of open source licensed SCAP content. By the OpenSCAP suite scanning and configuration management tools, government agencies looking to become high velocity organizations can automate the cumbersome process certifying a server has been properly hardened for production and begin to develop community resources for hardening of other popular open source tools. The OpenSCAP community is actively developing suite of software tools to make continuous monitoring in agile environments easier, especially for developers, who often do not realize they could be scanning their systems more collaboratively with Ops. OpenSCAP is not merely a secure piece of open source software, it is software that helps demonstrate security and compliance. The SCAP-Security-Guide Project is the only source of official configuration management SCAP and hardening content for Linux that is licensed open source and also directly reviewed by official government agencies. Initially started (and still significantly funded) by Red Hat, the OpenSCAP project has recently moved it's repository from the the Fedora Project to GitHub and has seen an increase in the pace of development.

DevOpsDays DC

June 12, 2015
Tweet

More Decks by DevOpsDays DC

Other Decks in Technology

Transcript

  1. OR, EMBED INTO KICKSTART: $ oscap xccdf eval \ --remediate

    \ --profile stig-rhel6-server-upstream \ --report /root/scan-report.html \ /usr/share/xml/scap/content.xml
  2. CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200

    / SP 800-53) IMPLEMENT CONTROLS (SP 800-70)
  3. CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200

    / SP 800-53) IMPLEMENT CONTROLS (SP 800-70) ACCESS CONTROLS (SP 800-53A)
  4. CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200

    / SP 800-53) IMPLEMENT CONTROLS (SP 800-70) ACCESS CONTROLS (SP 800-53A) AUTHORIZE (SP 800-37)
  5. CATEGORIZE (FIPS 199 / SP 800-60) SELECT CONTROLS (FIPS 200

    / SP 800-53) IMPLEMENT CONTROLS (SP 800-70) ACCESS CONTROLS (SP 800-53A) MONITOR (SP 800-37 / SP 800-53A) AUTHORIZE (SP 800-37)
  6. Everyone knows that SCAP is a suite of XML standards

    for creating automated checklists for configuration and vulnerability scans!
  7. Community created portfolio of tools and content to make attestations

    about known vulnerabilities https://github.com/OpenSCAP
  8. HOW TO ENGAGE OpenSCAP GitHub: https://github.com/OpenSCAP OpenSCAP References & Docs:

    https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide GovReady user-friendly front-end: https://github.com/GovReady/govready Ansible-SCAP (+ Vagrant) demo. See how it all works - painlessly: https://github.com/openprivacy/ansible-scap NIST SCAP Website: https://scap.nist.gov