Red Hat-based systems must often be configured to comply with various regulatory compliance policies, such as NIST 800-53 within the U.S. Government and CIP within the U.S. Energy market. Unfortunately language which translates thematic policies into specific deployment actions is largely unwritten and often vague.Representing a comprehensive catalog of security controls, the SCAP Security Guide project delivers practical security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). The SCAP Security Guide project allows customers to rapidly deploy systems and verify their compliance against regulatory compliance policies, with pre-created “profiles” aligning to popular policies such as NIST 800-53 as used within the U.S. Government. This session will step through the SCAP Security Guide, and then allow attendees to install the software on a Red Hat Enterprise Linux 6 machine and perform automated security scans against the Defense Information Systems Agency (DISA) STIG for RHEL6. We will be covering: - What is the SCAP Security Guide? How can it be used for security automation?- What are the pieces of SCAP -- XCCDF, OVAL, CPE?- How do I author my own content?- How do I use the SSG today?
Sunday, April 28, 2013 - 11:00 to 12:00