OpenSCAP is a powerful tool for checking Linux systems against security compliance standards, but its output can feel like a black box if you don’t know how it works.

Let’s see OpenSCAP in action. Imagine you want to check if your RHEL 8 system is compliant with the CIS (Center for Internet Security) benchmark.

First, install the scanner and the SCAP content package that ships the benchmark definitions.

sudo dnf install openscap-scanner scap-security-guide -y

Now, you can run the scan. The oscap command is your entry point. We’ll tell it to evaluate an XCCDF benchmark against this system (xccdf eval), select the CIS rule set (--profile cis-rhel8), and write the results to an HTML file (--report scan-report.html).

sudo oscap xccdf eval --profile cis-rhel8 --report scan-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml

This command will probe your system for hundreds of security settings. It checks file permissions, user accounts, network configurations, installed packages, and much more, all based on the rules defined in the CIS RHEL 8 benchmark. The --profile cis-rhel8 flag tells OpenSCAP to use the specific set of rules tailored for RHEL 8 according to the CIS standard. The ssg-rhel8-xccdf.xml file is the actual definition of these rules.

After the scan completes, you’ll have a scan-report.html file. Open this in your web browser. You’ll see a detailed breakdown of every check performed. Each rule will be marked as pass, fail, info, or notapplicable. For failed rules, it often provides remediation steps.

The core of OpenSCAP’s power lies in the Security Content Automation Protocol (SCAP). SCAP is a set of open standards that automate security configuration, vulnerability assessment, and compliance checking. OpenSCAP is an open-source implementation of these standards on Linux. It relies on two main components: XCCDF (Extensible Configuration Checklist Description Format) for defining the checklist of compliance rules, and OVAL (Open Vulnerability and Assessment Language) for expressing the specific tests behind each rule (like "is this package installed?" or "does this file have execute permissions?").

When you run oscap xccdf eval, OpenSCAP parses the XCCDF file. For each selected rule in the XCCDF, it finds the corresponding OVAL definitions, executes those OVAL checks against your system, and records a result per rule. The --profile option selects an XCCDF profile, a named subset of rules such as a specific compliance standard (CIS, STIG, etc.) or a custom set.

The --report option generates an HTML file that’s human-readable. This report is crucial for understanding your system’s security posture. It’s not just a list of failures; it’s a diagnostic tool. Clicking on a failed rule often reveals the exact command or configuration setting that’s out of compliance.
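The HTML report is built from the same data that oscap can write in machine-readable form: adding --results results.xml to the eval command above appends an XCCDF TestResult element (one rule-result per evaluated rule) to the benchmark. The following script, an added example rather than OpenSCAP’s own code, reads such a file, counts the outcomes and lists failed rules by severity; the embedded results document is a constructed sample, and the rule IDs follow the scap-security-guide naming scheme.

```python
"""Summarize an OpenSCAP XCCDF results file (added example, not OpenSCAP's own code).

Adding --results results.xml to the oscap xccdf eval command writes the
benchmark back out with a <TestResult> element appended; it contains one
<rule-result> per evaluated rule. This script reads that file, counts the
outcomes and lists the failed rules, optionally filtered by severity.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by the SCAP Security Guide content.
XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF severity levels, lowest to highest.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample results file: a real one contains hundreds of
# rule-results; the rule IDs here follow the SSG naming scheme.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_sample"
              start-time="2024-01-01T10:00:00" end-time="2024-01-01T10:04:30">
    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
    <target>host.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" severity="high">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return a list of {'rule', 'result', 'severity'} dicts from a results file."""
    root = ET.fromstring(xml_text)
    # TestResult is normally a child of Benchmark; accept a bare TestResult too.
    test_result = root if root.tag.endswith("}TestResult") else root.find("xccdf:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: was oscap run with --results?")
    rows = []
    for rr in test_result.findall("xccdf:rule-result", XCCDF_NS):
        result_el = rr.find("xccdf:result", XCCDF_NS)
        outcome = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append({"rule": rr.get("idref"), "result": outcome,
                     "severity": rr.get("severity", "unknown")})
    return rows


def summarize(rows):
    """Count outcomes, e.g. Counter({'pass': 2, 'fail': 2, 'notchecked': 1})."""
    return Counter(r["result"] for r in rows)


def failed_rules(rows, min_severity="unknown"):
    """Failed rule IDs at or above min_severity, sorted for stable output."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(r["rule"] for r in rows
                  if r["result"] == "fail"
                  and SEVERITY_RANK.get(r["severity"], 0) >= threshold)


def short_name(rule_id):
    """Strip the SSG prefix so 'xccdf_org.ssgproject.content_rule_X' prints as 'X'."""
    prefix = "xccdf_org.ssgproject.content_rule_"
    return rule_id[len(prefix):] if rule_id.startswith(prefix) else rule_id


if __name__ == "__main__":
    import sys
    # Pass a real results.xml as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    rows = parse_results(text)
    for outcome, n in sorted(summarize(rows).items()):
        print(f"{outcome:>14}: {n}")
    print("failed (medium or higher):")
    for rule in failed_rules(rows, "medium"):
        print("  -", short_name(rule))
```

Note that this expects the plain XCCDF results written by --results; the --results-arf option wraps the same TestResult in an ARF envelope, which would need the envelope unwrapped first. Outcomes such as notchecked and notapplicable are kept distinct from fail, which matters when you turn the counts into a pass rate.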

The real magic of OpenSCAP is its ability to translate complex security policies into concrete, verifiable checks. For instance, a rule might state that "SSH root login should be disabled." OpenSCAP translates this into an OVAL test that checks the PermitRootLogin parameter in /etc/ssh/sshd_config. If it’s set to yes or prohibit-password, the rule fails.
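To see what such an OVAL test has to get right, here is an added example (my own code, not the scap-security-guide OVAL) that emulates the intent of the PermitRootLogin rule using sshd’s own parsing rules: first occurrence wins, keywords are case-insensitive, "Key=value" is accepted, and directives below a Match block are conditional. The sshd_config fragments are constructed; following Include directives is left out here and noted as an assumption.

```python
"""Emulate the 'SSH root login disabled' check (added example, not SSG's OVAL).

sshd reads sshd_config with these rules: the first occurrence of a keyword
wins, keywords are case-insensitive, a line whose first non-blank character
is '#' is a comment, and 'Key value' or 'Key=value' are both accepted.
Directives after a Match block are conditional, so they do not set the
global value. The check below applies those rules; it does not follow
Include directives (an assumption made here to keep the example self-contained).
"""
import re

# Keyword, then whitespace or '=', then the value.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_sshd_option(config_text, keyword):
    """Global value sshd would use for keyword, or None if never set globally."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything below is conditional on the Match criteria
        if key == keyword.lower():
            return value  # first occurrence wins
    return None


def check_permit_root_login(config_text):
    """'pass' only if the global PermitRootLogin is exactly 'no'."""
    value = effective_sshd_option(config_text, "PermitRootLogin")
    # OpenSSH >= 7.0 defaults to prohibit-password when the directive is absent;
    # the rule treats that, like 'yes', as a failure.
    effective = (value if value is not None else "prohibit-password").lower()
    return "pass" if effective == "no" else "fail"


# Constructed sshd_config fragments illustrating the cases the check must handle.
SAMPLES = {
    # The stock file ships the default as a comment; editing that line changes nothing.
    "commented_default": "#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n",
    "explicit_no": "Port 22\nPermitRootLogin no\n",
    # Duplicate directive: sshd keeps the first, so this is still compliant.
    "first_wins": "PermitRootLogin no\nPermitRootLogin yes\n",
    # Only set inside a Match block: the global value is still the default.
    "only_in_match": "Match User admin\n    PermitRootLogin no\n",
    "case_and_equals": "permitrootlogin = No\n",
    "prohibit_password": "PermitRootLogin prohibit-password\n",
}


def run_samples():
    """Outcome of the check for every constructed fragment."""
    return {name: check_permit_root_login(cfg) for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:>20}: {outcome}")
```

The commented_default and only_in_match cases are the ones that trip people up in practice: the report says the rule fails even though "PermitRootLogin no" appears in the file, because sshd never applies that line globally. A check that just greps for the string would report a pass there.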

The --profile flag is more than just a label; it’s a filter. Different profiles (like cis-rhel8, stig-rhel8-server) contain different sets of XCCDF rules, each targeting a specific compliance standard or security hardening guide. This allows you to tailor your compliance checks to your organization’s requirements. You can even create your own custom XCCDF profiles.

When you see a "fail" on a rule related to file permissions, it’s because OpenSCAP’s OVAL definition checked the actual permissions against the expected values defined in the XCCDF. For example, a rule might require /etc/passwd to have permissions of rw-r--r-- (644) and be owned by root:root. If ls -l /etc/passwd shows something different, OpenSCAP flags it.
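The permission comparison an OVAL file test performs can be reproduced with a stat call, which is useful when you want to verify a "fail" by hand. The following is an added example (not SSG’s OVAL) that checks mode bits and ownership of a path against expected values; it is exercised on a temporary file owned by the current user as a constructed stand-in for /etc/passwd, so it needs no root. Accepting modes stricter than the named one is an assumption modelled on how SSG file-permission rules typically behave; pass allow_stricter=False to require an exact match.

```python
"""Emulate an OVAL file-permission check like the one for /etc/passwd
(added example, not SSG's own OVAL).

OVAL's file_test compares st_mode bits and ownership of a path with expected
values. SSG file-permission rules typically accept permissions that are
stricter than the stated mode (assumed here), so the check flags only extra
bits by default; set allow_stricter=False for an exact match.
"""
import os
import stat
import tempfile


def check_file(path, expected_mode, expected_uid=0, expected_gid=0, allow_stricter=True):
    """Return ('pass'|'fail', findings) for a path, without following symlinks."""
    st = os.lstat(path)
    actual = stat.S_IMODE(st.st_mode)  # permission bits only, no file-type bits
    findings = []
    extra_bits = actual & ~expected_mode
    if allow_stricter and extra_bits:
        findings.append(f"mode {actual:04o} has bits beyond {expected_mode:04o}")
    elif not allow_stricter and actual != expected_mode:
        findings.append(f"mode {actual:04o} != {expected_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"uid {st.st_uid} != {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"gid {st.st_gid} != {expected_gid}")
    return ("pass" if not findings else "fail", findings)


def demo():
    """Exercise the check on a temporary file owned by the current user
    (a constructed stand-in for /etc/passwd, so no root is needed)."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o644)
        results["644_exact"] = check_file(path, 0o644, uid, gid)[0]
        os.chmod(path, 0o666)                      # world-writable: too permissive
        results["666_world_writable"] = check_file(path, 0o644, uid, gid)[0]
        os.chmod(path, 0o600)                      # stricter than required
        results["600_stricter_allowed"] = check_file(path, 0o644, uid, gid)[0]
        results["600_exact_required"] = check_file(path, 0o644, uid, gid, allow_stricter=False)[0]
        results["wrong_owner"] = check_file(path, 0o644, uid + 1, gid)[0]
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>24}: {outcome}")
```

Running check_file("/etc/passwd", 0o644) on a real host reproduces the comparison the rule makes; the findings list tells you which of mode, uid or gid was the reason for a fail.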

The --remediate option, used with caution, can automatically apply fixes for certain rules. However, it’s always best to understand why a rule failed and what the remediation does before blindly applying it.

The most surprising thing about OpenSCAP is that its profiles are not static lists of checks: every rule a profile selects is evaluated against the live state of the system at scan time. While xccdf eval is the most common way to run checks, OpenSCAP can also be used for vulnerability scanning and asset inventory in conjunction with other SCAP tools. The XCCDF itself can contain references to external OVAL definitions or even remediation scripts, making the compliance framework highly extensible.

The next step after mastering compliance scanning is understanding how to automate remediation and integrate OpenSCAP into a continuous compliance pipeline.
