Fedora 14 Linux Boosts Security With Openscap

Security is always a primary concern for enterprise IT managers, with a constant need to ensure that systems are kept updated and properly configured to prevent exploits. A new tool debuting in the upcoming Red Hat-sponsored Fedora 14 Linux release could prove a key ingredient in enabling properly secured systems.

Fedora 14 is set to include a technology called OpenSCAP, an open source implementation of the Security Content Automation Protocol (SCAP) framework for creating a standardized approach for maintaining secure systems. The new system builds on numerous other technologies and systems in an effort to enable IT organizations to ensure a standardized approach to security.

"There are lots of people focused on security, particularly in the U.S. government, that are worried about making sure that thousands of their systems are all up to date and aren't vulnerable to the different bugs and exploits that are out in the wild," Jared Smith, leader of the Fedora Project, told InternetNews.com.

The SCAP standards are developed by the Commerce Department's National Institute of Standards and Technology (NIST). With OpenSCAP, the open source community is leveraging a number of different components from the security standards ecosystem to enable the framework.

Smith explained that the Common Vulnerabilities and Exposures (CVE) (define) system is one such component. With CVE, vulnerabilities are assigned a common identifier so multiple vendors and researchers can call the same issue by the same name.

The Common Configuration Enumeration (CCE) is a system through which vendors try to come up with a dictionary and nomenclature of software misconfigurations and how to fix them. Another included component is the Open Vulnerability and Assessment Language (OVAL), an XML language for testing a system to see if it's vulnerable to different problems listed in CVEs.

"OpenSCAP combines those along with an expression language called XCCDF -- the Extensible Checklist Configuration Description Format -- which is basically an XML format for creating checklists," Smith said.

He explained that XCCDF essentially ensures that a system has certain elements, so it might ensure, for instance, that a password is of sufficient length and strength.

What OpenSCAP does is it puts components together so a system can automatically check and download the latest list of CVEs, run the OVAL tool and see if anything is vulnerable, then go through a checklist in the XCCDF language and make sure that everything is taken care of and has been addressed," Smith said.

Smith noted that there have been implementations of SCAP available in the past, though he cited concerns about formats and potential lock-in in those efforts.

He added that with OpenSCAP the goal is to have an open source, open-format approach. Smith said that the OpenSCAP technology inside of Fedora 14 involved both the contributions of Red Hat engineers as well as others in the open source community

Fedora 14 is currently at its beta release milestone, with general availability set for November.