Collateral and References

Trevor Vaughan edited this page May 15, 2015 · 30 revisions

Public listing of presentations, whitepapers, and other collateral relating to SSG. Feel free to add links to your presentations!

Videos (Tutorials, Trainings, Overviews)

  • Using SCAP Workbench [YouTube]
  • RHEL7 SCAP Installer Add-on [YouTube]
  • SCAP Integration with RHN Satellite [YouTube]

Conference Presentations

  • 12-MAY-2015: PuppetCamp DC, "Distributed OpenSCAP Compliance Validation with MCollective" by Trevor Vaughan [PDF]

  • 07-FEB-2015: DevConf.cz, "Compliance Center & project SCAPtimony" by Šimon Lukašík [PDF]

  • 21-JAN-2015: Tel Aviv, "OpenSCAP Ecosystem" by Šimon Lukašík [PDF]

  • 03-NOV-2014: OpenAlt, "SCAP: Otevřený standard pro bezpečnostní audit" ("SCAP: An Open Standard for Security Auditing") by Šimon Lukašík [PDF]

  • 14-APR-2014: Red Hat Summit, "Applied SCAP" by Shawn Wells & Jeff Blank [PDF]

  • 21-JUL-2013: MITRE SCAP Developer Day, "SCAP & Remediation: Lessons Learned & Path Ahead" by Shawn Wells [PDF]

  • 12-JUN-2013: Red Hat Summit, "Compliance Made Easy" by Shawn Wells [PDF]

  • 16-OCT-2012: Mil-OSS, "SCAP Security Guide Overview" by Shawn Wells [PDF]

Interesting Press/Blogs/Articles

To keep things tidy, let's try MLA(ish) format:

Last, First M. "Article Title [as a link]." Newspaper Title Date Month Year Published: Page(s). Website Title.

References

While the SCAP Security Guide project was initially started to author content for the U.S. Military and Intelligence communities, usage has greatly expanded into healthcare, aviation, telecom, and several other industries. While not comprehensive, below is a listing of known uses:

  • Red Hat uses SSG for continuous monitoring of their openshift.com infrastructure, and has since 2012. Here's a blog posting from Tim Kramer, the OpenShift Security Lead.

  • In 2013, Red Hat joined Lockheed Martin's Cyber Alliance. Together, LMCO and Red Hat open sourced the previously classified RHEL6 baseline for the DoD Centralized Super Computing Facility, which received an ATO under the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. The code was put into the CSCF-RHEL6-MLS profile.

  • Through collaboration with DISA FSO, NSA's Information Assurance Directorate, and Red Hat, SSG serves as Red Hat's upstream for U.S. Department of Defense Security Technical Implementation Guides (STIGs). Backstory is available on Shawn Wells' blog.

  • A few university students have started receiving homework to install & scan systems via SSG.

  • Red Hat is using SSG in its courseware for the Red Hat Server Hardening (RH413) class.

  • Through sponsorship from the U.S. Navy, SSG serves as the upstream of the U.S. Government's implementation guide to JBoss EAP5.

  • Working with Amazon, SSG open sourced the RHEL6 baseline for CIA's C2S environment. This profile was based on the Center for Internet Security's Red Hat Enterprise Linux 6 Benchmark, v1.2.0, and while built for a U.S. Intelligence deployment, it is applicable to all commercial entities that follow CIS v1.2.0. The code can be found here.

  • A number of other IC and DoD entities have developed customized XCCDF profiles based on SSG for their RHEL6 baselines and security compliance verification.

  • A European airline utilizes SSG to verify security compliance of their in-seat entertainment systems.

  • A US-based financial services firm performs continuous monitoring with SSG, utilizing the STIG profile, ensuring their trade systems remain in compliance with their security policy.