What are the criteria for choosing a security policy? Are you looking to bolster your proactive security? Does your business need to comply with a specific policy mandated by government regulations?
Most of the time you don’t need to write a policy from scratch. There are many affordable existing policies you can choose from and customize, and the OpenSCAP project offers many free and open source policies.
It is an open source project that creates and provides SCAP security policies for various platforms, namely Red Hat Enterprise Linux 6 and 7, Fedora, Firefox, and others. The project uses a BSD license, so the policies it provides can be used freely by anyone.
Although you can use any content, this is the content we recommend you start with.
After you find security content that fits your use case, you may still need to do some minor customization. Maybe you need even stricter password rules, or you need to allow logging in as root over SSH. Any variable can be changed, and every rule can be turned on or off as necessary.
Your customized policies can be saved separately and reused even if the original content is updated!
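Such a customization is expressed as an XCCDF 1.2 tailoring file, which the oscap tool loads alongside the unchanged base content. The file below is an added example, not from the original page or the project: it extends an existing profile, turns one rule off and tightens one password value. The base benchmark file name and the profile, rule and value identifiers are assumed to exist in that benchmark; the identifiers under com.example and the value 16 are constructed for this illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Tailoring ids must follow the XCCDF 1.2 naming scheme:
     xccdf_<reverse-DNS>_tailoring_<name>. "com.example" is a placeholder. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_com.example_tailoring_custom-server">

  <!-- The base content stays untouched; only a reference to it is kept,
       so the tailoring survives updates of the original benchmark. -->
  <xccdf:benchmark href="ssg-rhel7-ds.xml"/>

  <!-- A version with a timestamp is mandatory for a Tailoring element. -->
  <xccdf:version time="2016-01-01T00:00:00">1</xccdf:version>

  <!-- The new profile inherits every selection of the base profile
       (assumed id, following the SCAP Security Guide naming) and then
       overrides only what is listed here. -->
  <xccdf:Profile id="xccdf_com.example_profile_custom-server"
                 extends="xccdf_org.ssgproject.content_profile_pci-dss">
    <xccdf:title>PCI-DSS with local exceptions</xccdf:title>
    <xccdf:description>
      Base profile plus two site-specific changes, documented below.
    </xccdf:description>

    <!-- Rule turned off: root login over SSH is permitted on this host.
         Deselecting a rule removes it from evaluation and from any
         automated remediation, so the decision should be recorded. -->
    <xccdf:select
        idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
        selected="false"/>

    <!-- Variable changed: a stricter minimum password length than the
         base profile. set-value overrides the value directly, so no
         predefined selector needs to exist in the benchmark. -->
    <xccdf:set-value
        idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen">16</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
```

The tailoring is applied at evaluation time with `oscap xccdf eval --profile xccdf_com.example_profile_custom-server --tailoring-file tailoring.xml --results results.xml ssg-rhel7-ds.xml`, and the same tailoring file keeps working when the base benchmark is replaced by a newer release.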
The security policy is a crucial part of your overall compliance solution. While the choice of tools depends on how big your infrastructure is, the choice of policy mainly depends on what your infrastructure is used for. For example, if you are working with the US government, you most likely need to comply with USGCB; if you are a payment processor, you need to be PCI DSS compliant instead.
The SCAP standard enables you to mix and match tools and content. At first glance this only adds complexity, but the separation of tools and content provides a lot of flexibility and lowers the risk of vendor lock-in. You are free to use security policies provided by one vendor and tools that implement those policies from another.
The core of an SCAP security policy is its rule titles and descriptions. These come from so-called prose guides: text documents that describe security policies in a human-readable form. However, the most valuable part of an SCAP security policy is the code for automated evaluation of each rule. This code is what allows auditors to evaluate compliance without tedious manual checking.
Policies may optionally contain code for automated remediation. After remediation, your systems will be compliant with the policy. Keep in mind that automated remediation can break functionality in your infrastructure, and not all rules can be remediated automatically.