Introduction

The ComplianceAsCode project (historically called the SCAP Security Guide) delivers security guidance, baselines, and associated validation mechanisms using the Security Content Automation Protocol (SCAP). ComplianceAsCode provides content for Red Hat Enterprise Linux. In addition to hardening advice, ComplianceAsCode links back to compliance requirements in order to ease deployment activities such as certification and accreditation. These include requirements in the U.S. Government (Federal, Defense, and Intelligence Community) as well as those of the financial services and health care industries. For example, high-level and widely accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit “privileged user actions,” but do not define what “privileged actions” are. ComplianceAsCode bridges the gap between generalized policy requirements and specific implementation guidance, delivered in SCAP formats to support automation whenever possible. The project homepage is https://www.open-scap.org/security-policies/scap-security-guide.