Security State (SecState)
SecState is a tool that streamlines security lockdown and monitoring on Linux systems. It provides auditing of a system against security requirements and, optionally, remediating a system to meet those requirements. SecState uses the OpenSCAP library to perform system auditing using SCAP language content. SecState also aims to automate remediation of security issues; this functionality is currently pending some community discussion regarding the approach to the issue of remediation content authorship and integration.
The goal of SecState is to simplify the process of maintaining security compliance over the lifetime of a system, and in doing so help ease the burden of generating Certification and Accreditation (C&A) evidence by producing automated, tailorable reports about a system’s security posture.
Standards Based Approach
SecState adheres to the Security Content Automation Protocol (SCAP) line of standards for verification of security requirements. This is done by utilizing openscap as the backend library to manipulate the security content and probe the target system.
Verifying the security state of the system can be accomplished using XCCDF benchmarks and/or stand-alone OVAL definitions. Remediating security vulnerabilities is achieved by using XCCDF benchmarks with <fix> rules conforming to a SecState recognized format. We have a brief guide on how to write remediation content for use with SecState.
The current SecState release (0.6.0) is targeted at and tested on RHEL 6.2. SecState leverages OpenSCAP 0.9.1; we have had to move beyond the base version available on RHEL 6.2 in order to pull in OpenSCAP bugfixes. The OVAL content being used for test is compliant with OVAL 5.8, the version to which all of the current USGCB content has been written.
The current release supports bash-script remediation. The legacy Puppet remediation mechanism has been removed from SecState. The community is rapidly maturing in regards to addressing remediation content authorship, and as the picture of how audit and remediation content will coexist becomes clearer the SecState remediation mechanisms will need to be updated accordingly. Our team is engaged in discussions with the scap-security-guide and the Aqueduct communities regarding the path-forward for remediation content and for linking audit and remediation content together.
The SecState repo provides a chroot-based automated test infrastructure and some simple SCAP content. We have updated all of the tests for general usage, auditing, and remediation. While this has been primarily used in-house for developer testing, we intend to produce some documentation regarding the test harness to support other interested developers in using the SecState codebase.
Unfortunately, due to a lapse in activity our old mailing lists were temporarily inactive. They are now back up and operational.