README.adoc

Creating Customized Security Policy Content to Automate Security Compliance

Presenters/Lab Developers

Matej Tyc, Software Engineer and Tech Lead - Security Compliance in Red Hat^® Enterprise Linux^® (RHEL) Security, Red Hat

Marek Haicman, Senior Quality Engineer and Product Owner - Security Compliance in RHEL Security, Red Hat

Lucy Kerner, Senior Principal Security Global Technical Evangelist and Strategist, Red Hat

Additional Lab Developers

Jan Cerny, Software Engineer - Security Compliance in RHEL Security, Red Hat

Watson Sato, Software Engineer - Security Compliance in RHEL Security, Red Hat

Gabriel Gaspar Becker, Software Engineer - Security Compliance in RHEL Security, Red Hat

Matúš Marhefka, Quality Engineer - Security Compliance in RHEL Security, Red Hat

Overview and Prerequisites

This lab introduces you to the ComplianceAsCode project, a comprehensive tool that creates content for automated security tools. The project contains over 1,000 rules—​elements of security policies. Rules have descriptions, justifications, and references to existing security standards. They also have Open Vulnerability and Assessment Language (OVAL) checks, bash remediations, and Red Hat® Ansible® Automation content to a varying degree.

ComplianceAsCode enables automated evaluation and fast and efficient remediations against security controls for compliance with regulatory or custom profiles, and for automated configuration compliance. It allows you to produce a tailor-made security policy for your company with minimal effort, and the OpenSCAP ecosystem can do the scanning and support for problem resolution. Specifically, OpenSCAP is a National Institute of Standards and Technology (NIST) certified scanner designed to perform configuration and vulnerability scans on a system, validate security compliance content, generate reports and guides based on these scans and evaluations, and allows users to automatically remediate systems that have been found in a non-compliant state.

Red Hat Enterprise Linux provides tools that allow for fully automated compliance audits. These tools are based on ComplianceAsCode and the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

This lab is geared toward system administrators, cloud administrators and operators, architects, and others working on infrastructure operations management who are interested in learning how to automate security compliance using Red Hat provided tooling for compliance against both industry standard and custom policies.

The prerequisites for this lab include basic Linux skills gained from a Red Hat Certified System Administrator (RHCSA^®) certification or equivalent system administration skills.

What Attendees Will Learn In This Lab:

• How to use the OpenSCAP scanner to scan systems and perform security fixes as needed.

• How to navigate among existing rules and learn how to modify them and take advantage of parametrization.

• How to create new security profiles and populate them with existing rules.

• How to create new rules from scratch and add them to security profiles.

• How to write OVAL checks with minimal effort and ensure correctness.

• How to create Ansible Automation content for remediations of systems.

Lab Environment

Your entire lab environment is hosted online and includes Red Hat Enterprise Linux and Red Hat Ansible Automation.

You are provided with a unique GUID, which you will use to access your own instance of these Red Hat products for the lab exercises.

Table of Contents

• Lab Exercise 0: Setup Steps

• Lab Exercise 1: Say Hello to ComplianceAsCode

• Lab Exercise 2: Automated Security Scanning Using ComplianceAsCode

• Lab Exercise 3: Create Your Own Security Policy from Scratch

• Lab Exercise 4: Using Ansible in ComplianceAsCode

• Lab Exercise 5: The Art of OVAL Checks