Full Article: Running OpenSCAP Compliance Checks on Oracle Linux
by Ginny Henningsen
Learn how to use the OpenSCAP compliance checker, a standardized way in Oracle Linux to evaluate security configurations and vulnerabilities.
Challenges in IT Security Management
An IT security breach—an incident of system tampering, intrusion, or data compromise—can have significant consequences. Companies can experience dramatic revenue losses, miss out on strategic business opportunities, and incur expenses associated with recovery and remediation. Government and regulatory agencies may impose legal penalties, mandate restitution, or levy fines. The potential impacts make IT system security a serious business concern.
As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.
The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.
To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems. Spacewalk is an open source (GPLv2) project. It officially became an open source, community-driven project in June 2008; it is the upstream project for the Red Hat Satellite product....