Welcome to SCAP Security Guide
The SCAP Security Guide project (SSG) delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).
We currently provide content for Chromium (web browser), Fedora, Java (JRE), Mozilla Firefox, Red Hat Enterprise Linux 5, 6, and 7 (RHEL5/6/7), OpenStack, JBoss Enterprise Application Server 5 (JBoss EAP5), JBoss Fuse 6, and Webmin.
The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation.
These include requirements of the U.S. government (Federal, Defense, and Intelligence Community) as well as those of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, expressed in SCAP formats to support automation whenever possible.
To see how this works:
- Get the content from the Downloads page
- Read the Usage Guide
- See a Server baseline with settings
- See a Prose Guide created from all guidance available in the project
- See a Workbook created for hands-on practice of installation and configuration
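The policy-to-rule bridge described above is visible in the content itself: each XCCDF rule carries reference elements naming the controls it implements, and a scan produces a per-rule result, so the two can be joined to report which controls are satisfied. The following is an added example, not code from the SCAP Security Guide project; the benchmark fragment, the scan results, the rule ids and the reference href are constructed placeholders, and only the XCCDF 1.2 element names and namespace are real.

```python
"""Added example: map XCCDF rule results back to the policy controls they implement."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}

# Constructed benchmark fragment in the shape SSG content uses: each Rule carries
# <reference> children naming the policy controls it implements. The rule ids
# and the href are hypothetical placeholders, not real SSG identifiers.
BENCHMARK_XML = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_DEMO">
  <Group id="xccdf_org.example_group_auditing">
    <Rule id="xccdf_org.example_rule_audit_privileged_commands" severity="medium">
      <title>Record attempts to run privileged commands</title>
      <reference href="https://policy.example.invalid/800-53">AU-2</reference>
      <reference href="https://policy.example.invalid/800-53">AC-6(9)</reference>
    </Rule>
    <Rule id="xccdf_org.example_rule_auditd_enabled" severity="high">
      <title>Enable the auditd service</title>
      <reference href="https://policy.example.invalid/800-53">AU-12</reference>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed scan output in XCCDF TestResult form (the structure a results
# file holds). One rule passed, one failed, one was not applicable.
RESULTS_XML = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_DEMO">
  <rule-result idref="xccdf_org.example_rule_audit_privileged_commands" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_auditd_enabled" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_not_in_benchmark" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def rule_references(benchmark_xml):
    """Return {rule_id: {"title", "severity", "controls"}} from a benchmark."""
    root = ET.fromstring(benchmark_xml.strip())
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        controls = [r.text.strip() for r in rule.findall("x:reference", NS) if r.text]
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "controls": controls,
        }
    return rules


def rule_results(results_xml):
    """Return {rule_id: result} from a TestResult (pass, fail, notapplicable, ...)."""
    root = ET.fromstring(results_xml.strip())
    return {
        rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
        for rr in root.iter(f"{{{XCCDF_NS}}}rule-result")
    }


def control_status(rules, results):
    """Group rule ids under each policy control by outcome.

    A rule with no rule-result is treated as 'notchecked' and lands in 'other',
    so a control is never reported as satisfied just because its rule was skipped.
    """
    status = {}
    for rule_id, info in rules.items():
        outcome = results.get(rule_id, "notchecked")
        bucket = "pass" if outcome == "pass" else "fail" if outcome == "fail" else "other"
        for control in info["controls"]:
            status.setdefault(control, {"pass": [], "fail": [], "other": []})[bucket].append(rule_id)
    return status


def failing_controls(status):
    """Controls with at least one failing rule, sorted for stable reporting."""
    return sorted(c for c, b in status.items() if b["fail"])


if __name__ == "__main__":
    rules = rule_references(BENCHMARK_XML)
    results = rule_results(RESULTS_XML)
    status = control_status(rules, results)
    for control in sorted(status):
        b = status[control]
        print(f"{control:10} pass={len(b['pass'])} fail={len(b['fail'])} other={len(b['other'])}")
    for control in failing_controls(status):
        for rule_id in status[control]["fail"]:
            print(f"  {control}: {rules[rule_id]['title']} [{rules[rule_id]['severity']}]")
```

Run as a script, it prints a per-control tally followed by the failing rules grouped under the controls they implement. Because the join is keyed on rule ids, a result for a rule that is not in the benchmark is simply ignored, and a benchmark rule with no result is counted as unchecked rather than passed.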
Major initiatives for our SCAP content include:
- Working with DISA FSO to create a Red Hat Enterprise Linux 6 STIG and JBoss EAP 5 NIST baseline
- Submitting a profile to NIST for the United States Government Configuration Baseline (USGCB) program as a federal baseline
Join the mailing list at: https://fedorahosted.org/mailman/listinfo/scap-security-guide
Join our community calls: https://fedorahosted.org/scap-security-guide/wiki/conferenceline
Join the project as a developer: https://fedorahosted.org/scap-security-guide/wiki/becomeadeveloper
$ sudo yum install scap-security-guide
Found a bug, or got a feature request? Report them!
Experiencing issues building the content? Unsure what the result of a particular rule in a system scan means? Want to share your experience using SCAP Security Guide content? Use our mailing list.
Interested in what's new in OpenSCAP/scap-security-guide? Check it out!
- The OpenSCAP project provides an execution capability for automated checking in the SCAP formats, as well as libraries for third parties to build SCAP-supporting tools. Because OpenSCAP ships as part of the Red Hat Enterprise Linux operating system, the platform natively possesses the ability to process SCAP content, which is unique and significant.
- The Aqueduct project provides remediation resources such as kickstarts, Puppet modules, and hardening scripts for System Administrators who wish to become compliant with established baselines. It is important to note that SSG provides security recommendations and means for automated compliance checking/validation, but not comprehensive
- The SCAP Workbench project provides a graphical user interface (GUI) tool to perform various tasks related to processing data in SCAP format (such as system compliance checking/validation or XCCDF content tailoring). It is based on the OpenSCAP library and internally calls the oscap executable to perform all evaluation.
- The OSCAP Anaconda Addon project develops an add-on for the Anaconda installer that allows SCAP content to be applied during the operating system installation process. Both ways of specifying the targeted SCAP policy (in a kickstart file or through the graphical user interface) are supported.
- The OpenSCAP Puppet module exposes OpenSCAP primitives to the Puppet DSL.