This Friday we would like to highlight a great new OTN article: Running OpenSCAP compliance checks on Oracle Linux.
Many of you may have heard OpenSCAP, if not here are some details. SCAP is U.S. standard maintained by National Institute of Standards and Technology (NIST). SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.
The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.
To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems.
Read more in this full article: Running OpenSCAP Compliance Checks on Oracle Linux