On February 28, 2011, the U.S. Government Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5 was released.
The long awaited Security Content Automation Protocol (SCAP) content is the next phase in supplanting the legacy Bourne shell scripts collectively known as the System Readiness Review (SRR) scripts.
In 2010, the USGCB replaced the Federal Desktop Core Configuration (FDCC) which has always been associated with Microsoft® software. The USGCB initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.
In my previous post, “DISA UNIX STIG for Red Hat Enterprise Linux 5 and 6” I discussed the release of the “OS SRG (UNIX), Version 1.1” on February 2, 2011. The download included only benchmark documents in the XCCDF format.
On February 28, 2011, in an email to Red Hat’s gov-sec mailing list, Steve Grubb announced the availability of the alpha release of the USGCB content for Red Hat Enterprise Linux 5. He also had this to say about the project:
“The project took a long time, required getting involved in standards committees to update OVAL to understand modern Linux security mechanisms, plus lots of work from people that do content authoring and system testing. The project is looking for feedback via the official NIST channels (not this email list). Somewhere in the downloads should be some info on that.”
This release has only been tested on Red Hat Enterprise Linux Desktop 5 so, if you’ve got the time, test some Red Hat installations and provide some feedback.
I want to commend the committee and the contributors because I know it was a long and laborious process. There are still lots of challenges ahead so community involvement will certainly help mature the baselines much quicker.
I for one plan on downloading the latest version of OpenSCAP and performing some tests. I will be sharing my procedures, experiences, and test results in an upcoming blog post.
Cross posted from Security Blanket Technical Blog