Fedora 14 Linux Boosts Security with OpenSCAP

In-development Fedora 14 community Linux release includes open source Security Content Automation Protocol (SCAP) framework. So what is it and why does it matter?


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Security is always a primary concern for enterprise IT managers, with a constant need to ensure that systems are kept updated and properly configured to prevent exploits. A new tool debuting in the upcoming Red Hat-sponsored Fedora 14 Linux release could prove a key ingredient in enabling properly secured systems.

Fedora 14 is set to include a technology called OpenSCAP, an open source implementation of the Security Content Automation Protocol (SCAP) framework for creating a standardized approach for maintaining secure systems. The new system builds on numerous other technologies and systems in an effort to enable IT organizations to ensure a standardized approach to security.

"There are lots of people focused on security, particularly in the U.S. government, that are worried about making sure that thousands of their systems are all up to date and aren't vulnerable to the different bugs and exploits that are out in the wild," Jared Smith, leader of the Fedora Project, told InternetNews.com.

The SCAP standards are developed by the Commerce Department's National Institute of Standards and Technology (NIST). With OpenSCAP, the open source community is leveraging a number of different components from the security standards ecosystem to enable the framework.

Smith explained that the Common Vulnerabilities and Exposures (CVE) system is one such component. With CVE, vulnerabilities are assigned a common identifier so multiple vendors and researchers can call the same issue by the same name.

The Common Configuration Enumeration (CCE) is a system through which vendors try to come up with a dictionary and nomenclature of software misconfigurations and how to fix them. Another included component is the Open Vulnerability and Assessment Language (OVAL), an XML language for testing a system to see if it's vulnerable to different problems listed in CVEs.

"OpenSCAP combines those along with an expression language called XCCDF -- the Extensible Checklist Configuration Description Format -- which is basically an XML format for creating checklists," Smith said.

He explained that XCCDF essentially ensures that a system has certain elements, so it might ensure, for instance, that a password is of sufficient length and strength.

"What OpenSCAP does is it puts components together so a system can automatically check and download the latest list of CVEs, run the OVAL tool and see if anything is vulnerable, then go through a checklist in the XCCDF language and make sure that everything is taken care of and has been addressed," Smith said.

Smith noted that there have been implementations of SCAP available in the past, though he cited concerns about formats and potential lock-in in those efforts.

He added that with OpenSCAP the goal is to have an open source, open-format approach. Smith said that the OpenSCAP technology inside of Fedora 14 involved both the contributions of Red Hat engineers as well as others in the open source community

Fedora 14 is currently at its beta release milestone, with general availability set for November.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Tags: Linux, security, open source tools, Fedora, Red Hat Enterprise Linux

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.