Overview
OpenSCAP is an open-source framework for SCAP (Security Content Automation Protocol) compliance assessment, vulnerability scanning, and security configuration auditing. It implements the NIST SCAP specification (the oscap scanner has passed NIST SCAP validation) and evaluates systems against baselines written in XCCDF (Extensible Configuration Checklist Description Format), with the individual checks expressed in OVAL (Open Vulnerability and Assessment Language). With content from the SCAP Security Guide project it assesses systems against CIS Benchmarks, DISA STIGs, PCI DSS and custom policies; with vendor-published OVAL advisory feeds it reports installed packages affected by known vulnerabilities.
The OpenSCAP ecosystem includes the oscap command-line scanner, SCAP Workbench (a GUI front end that also produces tailoring files), and the SCAP Security Guide (SSG), which ships pre-built datastreams for the major Linux distributions. It integrates with Red Hat Satellite, Foreman, Ansible, and compliance-as-code pipelines. Scans produce HTML reports, XCCDF results XML, and ARF (Asset Reporting Format) bundles, which makes the tool useful for audit evidence collection and continuous compliance monitoring. A scan only describes the host or image it runs against, and the content must match that target's distribution and version, or most rules come back notapplicable.
Installation
Red Hat / CentOS / Fedora
# Install the OpenSCAP scanner and SCAP Security Guide content
sudo dnf install openscap-scanner scap-security-guide
# Optional: openscap-utils provides oscap-ssh and oscap-podman
sudo dnf install openscap-utils
# Install SCAP Workbench (GUI)
sudo dnf install scap-workbench
# Verify installation
oscap --version
Ubuntu / Debian
# Install the scanner (it pulls in the libopenscap library package, whose name follows the
# library version, e.g. libopenscap8 on Ubuntu 22.04) and the Debian-family SSG content
sudo apt update
sudo apt install openscap-scanner openscap-utils ssg-base ssg-debian
# Ubuntu datastreams (ssg-ubuntu2204-ds.xml and friends) ship in the ssg-debderived package
sudo apt install ssg-debderived
# Install SCAP Workbench
sudo apt install scap-workbench
From Source
# Build dependencies (Fedora/RHEL package names for openscap 1.3.x; the exact list
# moves between releases, so check the project's developer documentation)
sudo dnf install cmake dbus-devel libacl-devel \
  libblkid-devel libcap-devel libcurl-devel libgcrypt-devel \
  libselinux-devel libxml2-devel libxslt-devel openldap-devel \
  pcre-devel perl-XML-Parser perl-XML-XPath \
  python3-devel rpm-devel swig bzip2-devel
# Clone and build
git clone https://github.com/OpenSCAP/openscap.git
cd openscap
mkdir build && cd build
cmake ..
make -j$(nproc)
sudo make install
Core Commands
Basic Scanning
| Command | Description |
|---|---|
| oscap info <datastream.xml> | Display information about SCAP content (benchmarks, checklists, profiles and their IDs) |
| oscap xccdf eval --profile <profile> <datastream.xml> | Evaluate the system against a profile; exit status 0 = all rules passed, 2 = at least one rule failed, 1 = scanner or content error |
| oscap xccdf eval --profile <profile> --results results.xml <datastream.xml> | Save raw XCCDF results to XML (add --results-arf for an ARF bundle) |
| oscap xccdf eval --profile <profile> --report report.html <datastream.xml> | Generate an HTML report |
| oscap oval eval <oval-definitions.xml> | Evaluate OVAL definitions |
| oscap oval collect <oval-definitions.xml> | Collect system characteristics without evaluating |
Without --profile only the benchmark's default selections are evaluated, which for SSG content means no rules, so always name a profile.
# List the profiles (and their full IDs) in a datastream
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Scan RHEL 9 against the CIS Level 1 Server profile
# (the bare "cis" profile in the RHEL datastreams is Level 2 Server, not Level 1)
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
  --results /tmp/cis-results.xml \
  --report /tmp/cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Scan Ubuntu 22.04 against the DISA STIG profile (needs ssg-debderived; the stig
# profile is only present in recent SSG releases, confirm with oscap info)
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --results /tmp/stig-results.xml \
  --report /tmp/stig-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
Vulnerability Scanning
# Download the RHEL 9 OVAL advisory feed (Red Hat republishes it continuously; refresh it before each scan)
wget https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2
bunzip2 rhel-9.oval.xml.bz2
# Evaluate installed packages against the advisories; a definition that evaluates to
# true means the affected package version is installed and the advisory applies
sudo oscap oval eval \
  --results /tmp/vuln-results.xml \
  --report /tmp/vuln-report.html \
  rhel-9.oval.xml
# Evaluate a single definition. Red Hat advisory definitions are named
# oval:com.redhat.rhsa:def:<YYYYNNNN> (for RHSA-YYYY:NNNN); definitions for
# individual CVEs use the oval:com.redhat.cve:def: prefix
sudo oscap oval eval --id oval:com.redhat.rhsa:def:<YYYYNNNN> rhel-9.oval.xml
Remediation
# Generate an Ansible remediation playbook for a whole profile
oscap xccdf generate fix \
  --fix-type ansible \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --output cis-remediation.yml \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Generate a bash remediation script
oscap xccdf generate fix \
  --fix-type bash \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --output cis-remediation.sh \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Apply remediation during the scan (auto-fix). This changes the live system rule by
# rule as each failure is found and re-checks afterwards; there is no dry-run mode.
# Snapshot first, run it on a staging host, and prefer a reviewed fix script on production.
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --remediate \
  --results /tmp/remediated-results.xml \
  --report /tmp/remediated-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
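Putting the scan and remediation commands together, here is an added example script written for this page (not part of OpenSCAP or SSG). It runs a scan, maps the exit status, pulls the failed rule IDs and severities out of the results XML with plain awk, and generates a bash fix limited to those failures through --result-id, which is the step that keeps a remediation from touching rules that already pass. The datastream, profile and output paths are placeholders, and the results snippet at the end is constructed in the shape oscap writes so the parsing runs without a scanner.

```shell
#!/bin/sh
# Added example for this page (not OpenSCAP's own tooling): scan, classify the exit
# status, list failed rules, and build a fix script limited to those failures.
# Assumptions: oscap 1.3+ and scap-security-guide installed; DS/PROFILE/RESULTS
# are placeholders you override from the environment.

DS=${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml}
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_cis_server_l1}
RESULTS=${RESULTS:-/tmp/scan-results.xml}

# oscap xccdf eval exit status: 0 = all evaluated rules passed,
# 2 = at least one rule failed, 1 = scanner/content error.
scan_status_name() {
    case "$1" in
        0) echo pass ;;
        2) echo findings ;;
        *) echo error ;;
    esac
}

# Print "severity rule-id" for each <rule-result> whose <result> is fail.
# Plain awk so it works on a minimal host without xmllint or python; it relies on
# oscap's pretty-printed layout (one <rule-result ...> start tag per line).
failed_rules() {
    awk '
        /<rule-result / {
            id = ""; sev = "unknown"
            if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /<result>fail<\/result>/ && id != "" { print sev, id; id = "" }
    ' "$1"
}

# Number of failed rules, whitespace-trimmed so it is safe in [ -eq ] tests.
fail_count() {
    failed_rules "$1" | wc -l | tr -d ' '
}

# The TestResult id is what --result-id expects.
result_id() {
    sed -n 's/.*<TestResult[^>]* id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Generate a bash fix for the failed rules only; review and test it before running it.
targeted_fix() {
    oscap xccdf generate fix --fix-type bash \
        --result-id "$(result_id "$1")" \
        --output "${1%.xml}-fix.sh" "$1"
}

# Constructed results snippet in the shape oscap writes (not a real scan), so the
# parsing above can be exercised offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_server_l1" start-time="2026-01-01T00:00:00">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high" weight="1.000000">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
echo "failed rules in sample ($(fail_count "$SAMPLE")):"
failed_rules "$SAMPLE"
echo "TestResult id: $(result_id "$SAMPLE")"

# Live run, opt-in: RUN_SCAN=1 ./scan.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
    sudo oscap xccdf eval --profile "$PROFILE" --results "$RESULTS" \
        --report "${RESULTS%.xml}.html" "$DS"
    rc=$?
    echo "scan status: $(scan_status_name "$rc")"
    if [ "$rc" -eq 2 ]; then
        targeted_fix "$RESULTS"
        echo "review ${RESULTS%.xml}-fix.sh before running it"
    fi
fi
```

The awk parser is deliberately tied to oscap's own pretty-printed output; for anything more general (ARF bundles, results from other tools) use an XML parser with the XCCDF 1.2 namespace instead.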
Available Profiles
Common SCAP Security Guide Profiles
| Profile ID suffix | Description |
|---|---|
| cis | CIS Benchmark Level 2 - Server (in the RHEL datastreams the bare cis profile is Level 2, not Level 1) |
| cis_server_l1 | CIS Benchmark Level 1 - Server |
| cis_workstation_l1 | CIS Benchmark Level 1 - Workstation |
| cis_workstation_l2 | CIS Benchmark Level 2 - Workstation |
| stig | DISA STIG |
| stig_gui | DISA STIG for systems with a graphical desktop |
| pci-dss | PCI DSS (the targeted PCI DSS version depends on the SSG release; read the profile description in oscap info) |
| hipaa | HIPAA Security Rule |
| ospp | NIAP Protection Profile for General Purpose Operating Systems |
| e8 | ACSC (Australian Cyber Security Centre) Essential Eight |
| anssi_bp28_enhanced | ANSSI-BP-028, enhanced level |
Full IDs carry the xccdf_org.ssgproject.content_profile_ prefix, and the set differs per product (the Ubuntu datastreams use cis_level1_server, cis_level2_server and so on), so confirm against the datastream you are about to use.
# List all profiles for your system
oscap info --profiles \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Configuration
Custom Tailoring File
<?xml version="1.0" encoding="UTF-8"?>
<!-- Tailoring and profile IDs must follow the XCCDF naming rules:
     xccdf_<namespace>_tailoring_<name> and xccdf_<namespace>_profile_<name> -->
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_custom_tailoring_cis">
  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <xccdf-1.2:version time="2026-01-01T00:00:00">1.0</xccdf-1.2:version>
  <xccdf-1.2:Profile id="xccdf_custom_profile_cis_customized"
      extends="xccdf_org.ssgproject.content_profile_cis">
    <xccdf-1.2:title>Customized CIS Profile</xccdf-1.2:title>
    <!-- Disable a specific rule -->
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_prelink"
        selected="false"/>
    <!-- Override a value. set-value takes a literal; refine-value with a selector only
         works when the Value element defines that selector, so check the content first -->
    <xccdf-1.2:set-value
        idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen">16</xccdf-1.2:set-value>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
# Use tailoring file during scan
sudo oscap xccdf eval \
--profile xccdf_custom_profile_cis_customized \
--tailoring-file custom-tailoring.xml \
--report /tmp/custom-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Integration with Red Hat Satellite
# Upload SCAP content to Satellite
hammer scap-content create \
  --title "RHEL 9 SCAP Content" \
  --scap-file /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Policy creation takes numeric IDs, not XCCDF profile IDs; look them up first
hammer scap-content list
hammer scap-content-profile list --scap-content-id 1
# Create a compliance policy (IDs below are those returned by the list commands)
hammer policy create \
  --name "CIS Level 1 - Production" \
  --deploy-by ansible \
  --scap-content-id 1 \
  --scap-content-profile-id 1 \
  --period weekly \
  --weekday monday
Advanced Usage
Scanning Container Images
# CVE scan of an image: oscap-docker detects the image's RHEL release and fetches Red Hat's
# OVAL feed for it (needs network access; oscap-docker is the older Docker-specific wrapper)
sudo oscap-docker image-cve registry.example.com/app:latest \
  --report /tmp/container-cve-report.html
# Compliance scan of a running Docker container
sudo oscap-docker container <container_id> xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --report /tmp/container-compliance.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Compliance scan of a podman image. oscap-podman must run as root, and the datastream
# must match the OS inside the image (ssg-rhel9-ds.xml for RHEL 9 / UBI 9, ssg-ubuntu2204-ds.xml
# for Ubuntu 22.04), otherwise nearly every rule is notapplicable. Rules about the kernel,
# services and partitions are expected to be notapplicable or notchecked inside an image.
sudo oscap-podman registry.example.com/app:latest xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --report /tmp/podman-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
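Because the content has to follow the image rather than the scanning host, here is an added example script written for this page (not part of OpenSCAP or SSG) that reads /etc/os-release out of an image, maps it to the matching SSG datastream, and only then calls oscap-podman. The mapping assumes SSG's product naming for the datastream files (ssg-rhel9-ds.xml, ssg-ubuntu2204-ds.xml, ssg-cs9-ds.xml and so on) and that the file for the image's OS is installed locally; the os-release text fed to it at the end is constructed so the mapping can be exercised without podman.

```shell
#!/bin/sh
# Added example for this page (not OpenSCAP's own tooling): choose the SSG datastream
# that matches the OS inside an image, then scan the image with oscap-podman.
# Assumptions: podman and openscap-utils on the scanning host; datastream file names
# follow SSG's product naming (ssg-rhel9-ds.xml, ssg-ubuntu2204-ds.xml, ...) and the
# file for the image's OS is installed locally.

SSG_DIR=${SSG_DIR:-/usr/share/xml/scap/ssg/content}

# Read /etc/os-release text on stdin and print the matching datastream path.
# Prints nothing and returns 1 for distributions this mapping does not cover.
ds_for_os_release() {
    os_id=""; os_ver=""
    while IFS= read -r line; do
        case "$line" in
            ID=*)         os_id=${line#ID=};          os_id=${os_id#\"};   os_id=${os_id%\"} ;;
            VERSION_ID=*) os_ver=${line#VERSION_ID=}; os_ver=${os_ver#\"}; os_ver=${os_ver%\"} ;;
        esac
    done
    major=${os_ver%%.*}
    case "$os_id" in
        rhel)   product="rhel$major" ;;
        centos) product="cs$major" ;;                                 # CentOS Stream
        ol)     product="ol$major" ;;
        ubuntu) product="ubuntu$(printf '%s' "$os_ver" | tr -d .)" ;; # 22.04 -> 2204
        debian) product="debian$major" ;;
        fedora) product="fedora" ;;
        sles)   product="sle$major" ;;
        amzn)   product="al$os_ver" ;;                                # 2023 -> al2023
        *)      return 1 ;;
    esac
    echo "$SSG_DIR/ssg-$product-ds.xml"
}

# Pull /etc/os-release out of an image without assuming a shell inside it.
image_os_release() {
    podman run --rm --entrypoint cat "$1" /etc/os-release
}

# Scan an image with the matching content. Returns oscap's status
# (0 = all pass, 2 = findings, 1 = error), or 1 when no content fits.
scan_image() {
    image=$1; profile=$2
    report=${3:-/tmp/$(printf '%s' "$image" | tr '/:' '__')-report.html}
    ds=$(image_os_release "$image" | ds_for_os_release) || {
        echo "no SSG datastream mapping for $image" >&2; return 1; }
    [ -r "$ds" ] || { echo "$ds is not installed on this host" >&2; return 1; }
    # oscap-podman needs root: it mounts the image's layers from podman's storage.
    sudo oscap-podman "$image" xccdf eval --profile "$profile" \
        --results "${report%.html}.xml" --report "$report" "$ds"
}

# Offline demonstration with constructed os-release text (no podman needed).
printf 'ID=ubuntu\nVERSION_ID="22.04"\n' | ds_for_os_release
printf 'ID="rhel"\nVERSION_ID="9.4"\n' | ds_for_os_release

# Live run: ./scan-image.sh IMAGE [PROFILE]
if [ $# -ge 1 ]; then
    scan_image "$1" "${2:-xccdf_org.ssgproject.content_profile_cis_server_l1}"
fi
```

Distributions outside the mapping fail closed rather than falling back to the host's datastream; a scan against the wrong content produces a clean-looking report with nothing actually checked, which is worse than no report.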
Scanning Remote Systems via SSH
# Scan a remote host: the datastream is local and is copied over, oscap must already be
# installed on the remote side, and results/reports are fetched back to the local paths
oscap-ssh user@remote-host 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --report /tmp/remote-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# Scan with sudo on the remote host (needed for root-only probes)
oscap-ssh --sudo user@remote-host 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/remote-results.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
CI/CD Integration
# .gitlab-ci.yml
# This job audits the CI container (ubi9), not a deployed host: rules about the kernel,
# services or partitions come back notapplicable. For evidence that means something,
# scan the image you ship (see Scanning Container Images) or a real host via oscap-ssh.
compliance_scan:
  stage: security
  image: registry.access.redhat.com/ubi9/ubi
  script:
    - dnf install -y openscap-scanner scap-security-guide
    # oscap exits 0 when every rule passes, 2 when at least one rule fails, 1 on a
    # scanner error. "|| true" would hide scanner errors too; keep the job alive on 2
    # so the report is uploaded, and fail hard only on 1.
    - |
      rc=0
      oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_cis \
        --results results.xml \
        --report report.html \
        /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml || rc=$?
      [ "$rc" -ne 1 ] || { echo "scanner error"; exit 1; }
      [ "$rc" -eq 0 ] || echo "compliance findings present (exit $rc), see report.html"
    # The HTML can also be regenerated later from the saved results:
    # oscap xccdf generate report results.xml > compliance-summary.html
  artifacts:
    paths:
      - report.html
      - results.xml
    when: always
Custom OVAL Content
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <!-- The schema requires a generator block, a description in each definition's
       metadata, and a comment on every criterion and test; oscap validates the
       content before evaluating it and rejects files missing them -->
  <generator>
    <oval:product_name>custom</oval:product_name>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2026-01-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:custom:def:1" version="1" class="compliance">
      <metadata>
        <title>Ensure SSH root login is disabled</title>
        <description>The first active PermitRootLogin directive in /etc/ssh/sshd_config is set to no.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:custom:tst:1" comment="PermitRootLogin is set to no"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:custom:tst:1" version="1" check="all"
        comment="first PermitRootLogin directive equals no">
      <ind:object object_ref="oval:custom:obj:1"/>
      <ind:state state_ref="oval:custom:ste:1"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <!-- instance 1 mirrors sshd's first-match semantics for the main file, but files
         pulled in by an Include directive are not examined; if the directive is absent
         altogether the object does not exist and the definition evaluates to false -->
    <ind:textfilecontent54_object id="oval:custom:obj:1" version="1">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
      <ind:pattern operation="pattern match">^\s*PermitRootLogin\s+(\S+)</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
  <states>
    <ind:textfilecontent54_state id="oval:custom:ste:1" version="1">
      <ind:subexpression operation="equals">no</ind:subexpression>
    </ind:textfilecontent54_state>
  </states>
</oval_definitions>
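To run a definition like the one above and to read the outcome of the vulnerability scan in the Vulnerability Scanning section, the same OVAL results file has to be interpreted: oscap records one <definition definition_id="..." result="..."/> per definition under <results>, and for an advisory feed result="true" means the advisory applies to the installed packages. Here is an added example script written for this page (not part of OpenSCAP or SSG) that validates a custom OVAL file, evaluates it, and extracts per-definition verdicts. It assumes the definitions are saved as custom-ssh.xml and that oscap is installed for the live run; the results snippet at the end is constructed so the parsing runs offline.

```shell
#!/bin/sh
# Added example for this page (not OpenSCAP's own tooling): validate a custom OVAL
# file, evaluate it, and read definition verdicts from the OVAL results XML. The
# parsers serve both custom compliance definitions and vendor advisory feeds.
# Assumptions: oscap installed for the live run; the sample at the end is constructed.

# Print the result of one definition (true, false, error, unknown, not evaluated,
# not applicable) from an OVAL results file. Only the <definition definition_id=...>
# entries under <results> carry a result; the copy of the definition under
# <oval_definitions> uses id=... and is skipped.
oval_definition_result() {
    awk -v want="$2" '
        /<definition / && index($0, "definition_id=\"" want "\"") {
            if (match($0, /result="[^"]*"/)) { print substr($0, RSTART + 8, RLENGTH - 9); exit }
        }' "$1"
}

# List every definition that evaluated to true. For an advisory feed such as
# rhel-9.oval.xml this is the list of advisories whose affected packages are installed.
true_definitions() {
    awk '
        /<definition / && /definition_id="/ && /result="true"/ {
            if (match($0, /definition_id="[^"]*"/)) print substr($0, RSTART + 15, RLENGTH - 16)
        }' "$1"
}

# Validate against the OVAL schema before evaluating: a missing <generator>,
# <description> or comment attribute is reported here rather than at scan time.
check_custom_oval() {
    def=$1; res=${def%.xml}-results.xml
    oscap oval validate "$def" || return 1
    oscap oval eval --results "$res" --report "${def%.xml}-report.html" "$def" >/dev/null
    [ -r "$res" ] || { echo "evaluation produced no results file" >&2; return 1; }
    oval_definition_result "$res" oval:custom:def:1
}

# Constructed OVAL results snippet in the shape oscap writes (not a real evaluation).
# oval:custom:def:2 stands in for a second definition that evaluated to true.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions>
    <definitions>
      <definition id="oval:custom:def:1" version="1" class="compliance"/>
      <definition id="oval:custom:def:2" version="1" class="compliance"/>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:custom:def:1" result="false" version="1"/>
        <definition definition_id="oval:custom:def:2" result="true" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF
echo "oval:custom:def:1 -> $(oval_definition_result "$SAMPLE" oval:custom:def:1)"
echo "definitions that are true:"
true_definitions "$SAMPLE"

# Keep the gap in the definition above in mind: when PermitRootLogin is absent the
# object does not exist and the verdict is false, although sshd's default is
# prohibit-password. Add a second criterion if that case should pass or be
# reported separately.

# Live run, opt-in: ./check-oval.sh custom-ssh.xml
if [ $# -ge 1 ]; then
    check_custom_oval "$1"
fi
```

For the vulnerability feed, pipe true_definitions over /tmp/vuln-results.xml to get the applicable advisory IDs in a form that can be diffed between scans or fed to a ticketing system, instead of reading the HTML report by hand.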
Troubleshooting
| Issue | Solution |
|---|---|
| Content fails to load or import | Validate it first: oscap ds sds-validate <datastream> for a source datastream, oscap xccdf validate <file> for a bare XCCDF file, oscap oval validate <file> for OVAL |
| No profile found | Use the full ID with the xccdf_org.ssgproject.content_profile_ prefix (oscap info lists them); with --tailoring-file pass the tailored profile's ID, not the base profile's |
| Almost every rule is notapplicable or notchecked | The datastream's platform (CPE) does not match the host or image; use the ssg-<product>-ds.xml for that distribution and version |
| Permission denied errors | Run oscap as root; many probes read root-only files such as /etc/shadow and the audit configuration |
| Datastream component not found | oscap info lists the datastream's components and their IDs; select one with --datastream-id / --xccdf-id |
| Missing SCAP content | Install scap-security-guide (or ssg-base, ssg-debian and ssg-debderived on Debian/Ubuntu) |
| HTML report not generated | The --report path must be writable; a report can also be produced later from saved results with oscap xccdf generate report results.xml |
| Remote scan fails | Verify SSH connectivity and that oscap is installed on the remote host; the content file is copied over from the local side |
| Remediation breaks services | There is no dry-run option for --remediate: generate the fix with oscap xccdf generate fix --result-id <TestResult id> results.xml, review it, test it on a snapshot or staging host, and never run --remediate unattended against production |