Collateral and References

Public listing of presentations, whitepapers, and other collateral relating to SSG. Feel free to add links to your presentations!

Videos (Tutorials, Trainings, Overviews)

• Using SCAP Workbench [YouTube]
• RHEL7 SCAP Installer Add-on [YouTube]
• SCAP Integration with RHN Satellite [YouTube]
• Red Hat Satellite 6.1 Feature Overview: OpenSCAP [YouTube]

Conference Presentations

• 28-JUNE-2016: Red Hat Summit, "Practical OpenSCAP: Security, standard compliance, and reporting" by Robin Price and Martin Preisler [LAB]

• 17-FEB-2016: Red Hat Secure Foundations 2016, "Security Compliance with OpenSCAP" by Martin Preisler [PDF]

• 07-FEB-2016: DevConf 2016, "Security for the Cloud with SCAP" by Martin Preisler and Jan Lieskovsky [PDF]

• 11-NOV-2015: USENIX LISA 15, "Automated Security Compliance Evaluation of Your Infrastructure with SCAP" by Martin Preisler [PDF]

• 25-JUNE-2015: Red Hat Summit, "Security compliance made easy with OpenSCAP" by Robin Price and Shawn Wells [LAB] [PRESENTATION]

• 25-JUNE-2015: Red Hat Summit, "Security compliance automation with Red Hat Satellite" by Matt Micene [YouTube]

• 25-JUNE-2015: Red Hat Summit, "Security Compliance Made Easy(er): Entering the SCAP Renaissance" by Shawn Wells, Jeff Blank, Sarah Storms, Josh Koontz [PDF]

• 12-MAY-2015: PuppetCamp DC, "Distributed OpenSCAP Compliance Validation with MCollective" by Trevor Vaughan [PDF]

• 07-FEB-2015: DevConf.cz, "Compliance Center & project SCAPtimony" by Šimon Lukašík [PDF]

• 21-JAN-2015: Tel Aviv, "OpenSCAP Ecosystem" by Šimon Lukašík [PDF]

• 03-NOV-2014: OpenAlt, "SCAP: Otevřený standard pro bezpečnostní audit" by Šimon Lukašík [PDF]

• 14-APR-2014: Red Hat Summit, "Applied SCAP" by Shawn Wells & Jeff Blank [PDF]

• 21-JUL-2013: MITRE SCAP Developer Day, "SCAP & Remediation: Lessons Learned & Path Ahead" by Shawn Wells [PDF]

• 12-JUN-2013: Red Hat Summit, "Compliance Made Easy" by Shawn Wells [PDF]

• 16-OCT-2012: Mil-OSS, "SCAP Security Guide Overview" by Shawn Wells [PDF]

Interesting Press/Blogs/Articles

To keep things tidy, lets try MLA(ish) format:

Last, First M. "Article Title [as a link]." Newspaper Title Date Month Year Published: Page(s). Website Title.

• Egts, Dave. "Why Agencies Must Take A 'Security First' Approach in 2016" NextGov 26 Jan 2016

• Hellekson, Gunnar. "A Word from Our Sponsor" Dave & Gunnar Show 1 April 2014

• Kenyon, Henry. "Agencies Widen Open-Source Use" Information Week 15 November 2013

• Preisler, Martin. "XCCDF Tailoring" 5 November 2013

• Kramer, Tim. "Red Hat's OpenShift and SCAP - PaaS Security At Its Best" OpenShift Dev Center 25 September 2012

• Hellekson, Gunnar. "SCAP: computer security for the rest of us" opensource.com 21 September 2010

• Scherf, Thorsten. "OpenSCAP: Security Compliance with OpenSCAP" Admin Magazine

• Nunuz, Luis. "Using XCCDF for Remediation: Best Current Practice" MITRE

References

While the SCAP Security Guide project was initially started to author content for the U.S. Military and Intelligence communities, usage has greatly expanded into healthcare, aviation, telecom, and several other industries. While not comprehensive, below is a listing of known uses:

• Red Hat uses SSG for continuous monitoring of their openshift.com infrastructure, and has since 2012. Here's a blog posting from Tim Kramer, the OpenShift Security Lead.

• In 2013, Red Hat joined Lockheed Martin's Cyber Alliance. Together, LMCO and Red Hat open sourced the previously classified RHEL6 baseline for the DoD Centralized Super Computing Facility, which received an ATO under the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. The code was put into the CSCF-RHEL6-MLS profile.

• Through collaboration with DISA FSO, NSA's Information Assurance Directorate, and Red Hat, SSG serves as Red Hat's upstream for U.S. Department of Defense Security Technical Implementation Guides (STIGs). Backstory is available on Shawn Wells' blog.

• A few university students have started receiving homework to install & scan systems via SSG.

• Red Hat is using SSG in its courseware for the Red Hat Server Hardening (RH413) class.

• Through sponsorship from the U.S. Navy, SSG serves as the upstream of the U.S. Government's implementation guide to JBoss EAP5.

• Working with Amazon, SSG open sourced the RHEL6 baseline for CIA's C2S environment. This profile was based off the Center for Internet Security's Red Hat Enterprise Linux 6 Benchmark, v1.2.0, and while built for a U.S. Intelligence deployment, is applicable to all commercial entities who follow CIS v1.2.0. The code can be found here.

• A number of other IC and DoD entities have developed customized XCCDF profiles based off of SSG for their RHEL6 baselines and security compliance verification.

• A European airline utilizes SSG to verify security compliance of their in-seat entertainment systems.

• A US-based financial services firm performs continuous monitoring with SSG, utilizing the STIG profile, ensuring their trade systems remain in compliance with their security policy.