1 About SCAP

The Security Content Automation Protocol (SCAP) provides an automated, standardized method for evaluating a system's compliance against security standards. SCAP helps automate both monitoring a system for known vulnerabilities and verifying that the system complies with security policies, such as those required by the Federal Information Security Management Act (FISMA). The U.S. government content repository for SCAP standards is the National Vulnerability Database (NVD), which is managed by the National Institute of Standards and Technology (NIST).

All SCAP files are released in XML format so that they can be parsed easily and can be modified for custom requirements.

OpenSCAP (OSCAP) is an open-source utility that can use a SCAP Security Guide (SSG) profile as a basis for testing security compliance. You can use the OSCAP utilities with Oracle Linux to automate compliance testing.

OSCAP facilitates scanning a system against a SCAP Security Guide profile, which is usually available as an Extensible Configuration Checklist Description Format (XCCDF) file or within a SCAP data stream file. An XCCDF file contains a structured collection of security configuration rules that can be applied to meet certain security recommendations or requirements. Each XCCDF file can contain multiple profiles that apply to different use cases. A profile contains generic security recommendations that apply to all Oracle Linux installations and additional security recommendations that are specific to the intended usage of a particular system. Commonly used XCCDF files that are intended for use with Oracle Linux are included in the scap-security-guide package and are available for use immediately after installation. XCCDF profiles are often used to assess whether a system's security configuration aligns with the Security Technical Implementation Guide (STIG) that is released by the Defense Information Systems Agency (DISA), and to provide remediation steps to help bring a system in line with a particular recommendation. A scan reports each rule as pass, fail, notapplicable, or notselected; a fail result records a check that did not pass and does not by itself change the system.
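The following is an added example, not code from the Oracle Linux documentation or from the OpenSCAP project. It builds and runs the `oscap xccdf eval` command against a data stream and then parses the XCCDF results file that `--results` writes, counting outcomes and listing the failed rules with their severity. The data stream path `/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml` and the profile id `xccdf_org.ssgproject.content_profile_stig` are assumptions (both come from the scap-security-guide package and can differ between releases); the embedded results document is a constructed sample whose rule ids are real scap-security-guide rule names but whose outcomes are made up for the demonstration.

```python
"""Scan a system against an XCCDF profile with oscap and summarize the results.

Added example; not code from the Oracle Linux documentation or from OpenSCAP.
Assumptions (not stated on the page): the data stream path and the profile id
below come from the scap-security-guide package and may differ by release.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Assumed locations; confirm with `oscap info <data stream>` on the target host.
DATA_STREAM = "/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml"
PROFILE = "xccdf_org.ssgproject.content_profile_stig"


def xccdf_eval_command(data_stream, profile, results="results.xml", report="report.html"):
    """Build the oscap argv. --results writes machine-readable XCCDF results,
    --report writes an HTML report; the data stream is the last argument."""
    return ["oscap", "xccdf", "eval", "--profile", profile,
            "--results", results, "--report", report, data_stream]


def run_scan(data_stream=DATA_STREAM, profile=PROFILE, results="results.xml"):
    """Run the scan if oscap is installed and return its exit code.

    oscap exits 0 when every selected rule passes, 2 when at least one rule
    fails, and 1 on an error (bad profile id, unreadable content, ...), so a
    return value of 2 is a normal outcome that the caller must expect."""
    if shutil.which("oscap") is None:
        raise RuntimeError("oscap not found; install the openscap-scanner package")
    proc = subprocess.run(xccdf_eval_command(data_stream, profile, results), check=False)
    if proc.returncode == 1:
        raise RuntimeError("oscap reported an error; see its stderr output")
    return proc.returncode


def summarize_results(xml_text):
    """Parse XCCDF 1.2 results and return (Counter of result values,
    list of (rule id, severity) for rules that failed).

    iter() walks the whole tree, so this works on a plain --results file and
    on an ARF (--results-arf) wrapper alike. 'notapplicable' and
    'notselected' are counted but are not failures."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF_NS}}}result")
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("idref"), rr.get("severity")))
    return counts, failed


# Constructed sample of the TestResult section oscap writes: the rule ids are
# real scap-security-guide rule names, the outcomes are made up for the demo.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_OL-8">
  <TestResult id="xccdf_org.open-scap_testresult_{PROFILE}">
    <profile idref="{PROFILE}"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    counts, failed = summarize_results(SAMPLE_RESULTS)
    print(dict(counts), failed)
    try:
        print("oscap exit code:", run_scan())
    except RuntimeError as exc:
        print(exc)
```

Run it as root on the host being assessed, because many rules inspect files and services that an unprivileged user cannot read. Treat exit code 2 as "scan completed with findings" and act on the failed-rule list rather than on the exit status alone.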

The Oracle Linux installer also provides options to install the operating system to match a specific security profile or policy as defined by the XCCDF profiles available in the scap-security-guide package. By enforcing a policy at install time, you can make sure that your system starts running with a compliant base. See Oracle Linux 8: Installing Oracle Linux for more information.

OSCAP enables auditing your systems against Open Vulnerability and Assessment Language (OVAL) definition files that are used to test whether a system may be vulnerable to publicly known vulnerabilities or configuration issues. Oracle releases OVAL definitions for all errata on the Unbreakable Linux Network (ULN). Each errata definition checks whether the package versions installed on the system are older than the versions shipped in the corresponding erratum, so a definition that evaluates to true identifies a fix that has not yet been applied.
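The following is an added example, not code from the Oracle Linux documentation or from the OpenSCAP project. It builds and runs `oscap oval eval` against an OVAL definitions file and then parses the OVAL results document, which carries both the definitions (with their ELSA and CVE references) and the per-definition outcome, to list the errata that evaluated to true. The definitions file name `com.oracle.elsa-ol8.xml` is an assumption; the embedded results document is a constructed sample, and its definition ids, ELSA ids and CVE ids are placeholders rather than real errata.

```python
"""Evaluate Oracle's OVAL errata definitions with oscap and list the
definitions that evaluated to true.

Added example; not code from the Oracle Linux documentation or from OpenSCAP.
The definitions file name com.oracle.elsa-ol8.xml is assumed; check the name
of the current download before relying on it.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"


def oval_eval_command(definitions, results="oval-results.xml", report="oval-report.html"):
    """Build the oscap argv for an OVAL evaluation."""
    return ["oscap", "oval", "eval", "--results", results, "--report", report, definitions]


def run_oval_scan(definitions="com.oracle.elsa-ol8.xml", results="oval-results.xml"):
    """Run the evaluation if oscap is installed and return the true definitions.

    The results file is the authoritative record of the evaluation; parse it
    rather than relying on the process exit status."""
    if shutil.which("oscap") is None:
        raise RuntimeError("oscap not found; install the openscap-scanner package")
    subprocess.run(oval_eval_command(definitions, results), check=False)
    with open(results, encoding="utf-8") as fh:
        return vulnerable_definitions(fh.read())


def vulnerable_definitions(xml_text):
    """Return [(definition id, title, [reference ids])] for every definition
    whose result is 'true'.

    For the patch-class definitions Oracle publishes, 'true' means the checked
    package versions are older than the errata fix, i.e. the fix is missing;
    'false' means the fix is installed or the package is not present at all.
    The definitions and the results sit in the same oval_results document
    under different namespaces, which is how the two are told apart below."""
    root = ET.fromstring(xml_text)
    metadata = {}
    for d in root.iter(f"{{{DEF_NS}}}definition"):
        title = d.findtext(f"{{{DEF_NS}}}metadata/{{{DEF_NS}}}title") or ""
        refs = [r.get("ref_id") for r in d.iter(f"{{{DEF_NS}}}reference")]
        metadata[d.get("id")] = (title, refs)
    found = []
    for r in root.iter(f"{{{RES_NS}}}definition"):
        if r.get("result") == "true":
            title, refs = metadata.get(r.get("definition_id"), ("", []))
            found.append((r.get("definition_id"), title, refs))
    return found


# Constructed sample of an OVAL results document. The ids, ELSA numbers and
# CVE numbers are placeholders (all zeros), not real Oracle errata.
SAMPLE_OVAL_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="{RES_NS}" xmlns:oval-def="{DEF_NS}">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.oracle.elsa:def:0000000001" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>ELSA-0000-0001: placeholder security update (IMPORTANT)</oval-def:title>
          <oval-def:reference source="elsa" ref_id="ELSA-0000-0001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:0000000002" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>ELSA-0000-0002: placeholder bug fix update (LOW)</oval-def:title>
          <oval-def:reference source="elsa" ref_id="ELSA-0000-0002"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.oracle.elsa:def:0000000001" version="1" result="true"/>
        <definition definition_id="oval:com.oracle.elsa:def:0000000002" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

if __name__ == "__main__":
    for def_id, title, refs in vulnerable_definitions(SAMPLE_OVAL_RESULTS):
        print(def_id, title, refs)
    try:
        print(run_oval_scan())
    except RuntimeError as exc:
        print(exc)
```

Keep the definitions file current: an OVAL scan can only report errata that are in the file it was given, so a stale download silently understates exposure.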

SCAP artifacts such as XCCDF profiles can be bundled into a single SCAP data stream file, usually named with the file name suffix -ds.xml (for example, ssg-ol8-ds.xml). OSCAP can process data stream files similarly to XCCDF files. Oracle recommends using data stream files whenever possible: a data stream also carries the OVAL checks and CPE platform definitions that the XCCDF rules reference, so a single file is sufficient for a scan, which reduces overhead, and it can contain references to external resources that can be kept current.