Secstate: Integrating SCAP and Puppet for System Lockdown
Managing Linux systems with their thousands of security critical settings is a daunting and thankless task. There are many security tools available which aim to simplify security, but they typically suffer from two problems: 1) each tool has its own custom, often complex language for configuration and reporting and 2) features to change system configuration or to perform system lockdown are intrusive, hard to maintain, and conflict with other system configuration tools.
Secstate is a new tool that addresses these issues by integrating SCAP and Puppet to create an efficient and open tool for security management. SCAP provides a NIST standard language for querying the security state of any kind of device - from desktops to routers to servers - using any tool that supports the standard. Puppet is a popular system configuration management tool. By unifying SCAP and Puppet, Secstate provides standards based security management that integrates cleanly with overall system configuration management.