OpenSCAP Security Compliance Scanning Guide


OpenSCAP is an open-source framework for security compliance scanning, vulnerability assessment, and configuration auditing. This guide covers installation, usage, report interpretation, and remediation on Ubuntu 24.04.


Table of Contents

  1. Introduction
  2. Installation
  3. Available Security Profiles
  4. Running Security Scans
  5. Understanding Scan Reports
  6. Generating Remediation Scripts
  7. GitLab CI Integration
  8. Quick Reference

Introduction

What is SCAP?

SCAP (Security Content Automation Protocol) is a suite of specifications maintained by NIST for expressing and manipulating security data in standardized ways. It enables automated vulnerability management, measurement, and policy compliance evaluation.

What is OpenSCAP?

OpenSCAP is an open-source implementation of SCAP that provides:

  • Security compliance scanning
  • Vulnerability assessment
  • Configuration auditing
  • Automated remediation script generation

Source Code: github.com/OpenSCAP/op…

Key Concepts

| Term | Description |
| --- | --- |
| XCCDF | Extensible Configuration Checklist Description Format, defines security checklists (benchmarks, profiles, rules) |
| OVAL | Open Vulnerability and Assessment Language, describes the system states and vulnerabilities a check tests for |
| CPE | Common Platform Enumeration, standardized naming for IT systems and products |
| DataStream | A single file bundling all SCAP components (XCCDF, OVAL, CPE) for one target platform, e.g. ssg-ubuntu2404-ds.xml |
| Profile | A predefined selection of rules from a benchmark (e.g. CIS Level 1 Server) |

Use Cases

  • Compliance Auditing: Verify systems meet CIS, STIG, or organizational security standards
  • Security Hardening: Identify and fix security misconfigurations
  • Continuous Monitoring: Automated periodic security assessments
  • Audit Preparation: Generate compliance reports for auditors

Installation

Prerequisites

  • Ubuntu 24.04 LTS (Noble Numbat)
  • Root or sudo access
  • Internet connectivity for downloading SCAP content

Install OpenSCAP Packages

sudo apt-get update
sudo apt-get install -y openscap-scanner openscap-utils openscap-common libopenscap25t64

Verify Installation

oscap --version

Expected output:

OpenSCAP command line tool (oscap) 1.3.9
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
...

Download SCAP Security Guide

The SCAP Security Guide (SSG) provides security policies for various operating systems including Ubuntu. The commands below pin release 0.1.79; check the release page for the current version, and verify the archive against the checksum published alongside it before unzipping, because the content you download here is also what later generates the remediation scripts you will run as root.

Source Code: github.com/ComplianceA…

cd /tmp
wget -q https://github.com/ComplianceAsCode/content/releases/download/v0.1.79/scap-security-guide-0.1.79.zip
sudo unzip -o scap-security-guide-0.1.79.zip -d /usr/share/scap-security-guide
rm scap-security-guide-0.1.79.zip

Verify Available Content

ls /usr/share/scap-security-guide/scap-security-guide-0.1.79/ | grep -i ubuntu

Output:

ssg-ubuntu1604-ds.xml
ssg-ubuntu1804-ds.xml
ssg-ubuntu2004-ds.xml
ssg-ubuntu2204-ds.xml
ssg-ubuntu2404-ds.xml

Available Security Profiles

List Profiles for Ubuntu 24.04

oscap info /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

Available Profiles

| Profile | Profile ID | Description |
| --- | --- | --- |
| CIS Level 1 - Server | xccdf_org.ssgproject.content_profile_cis_level1_server | Basic security for servers, minimal performance impact |
| CIS Level 1 - Workstation | xccdf_org.ssgproject.content_profile_cis_level1_workstation | Basic security for workstations |
| CIS Level 2 - Server | xccdf_org.ssgproject.content_profile_cis_level2_server | Enhanced security for servers, may impact functionality |
| CIS Level 2 - Workstation | xccdf_org.ssgproject.content_profile_cis_level2_workstation | Enhanced security for workstations |
| STIG | xccdf_org.ssgproject.content_profile_stig | DoD Security Technical Implementation Guide |

Profile Selection Guide

  • CIS Level 1 Server: Recommended starting point for production servers
  • CIS Level 2 Server: For high-security environments, test thoroughly before applying
  • STIG: Required for US government/DoD systems

The set of profiles shipped for a platform changes between SSG releases, so confirm the exact profile ID with oscap info before hard-coding it in a script or pipeline.

Running Security Scans

Basic Scan Command

sudo oscap xccdf eval \
    --profile <PROFILE_ID> \
    --results <RESULTS_FILE.xml> \
    --report <REPORT_FILE.html> \
    <DATASTREAM_FILE.xml>

Command Options

| Option | Description |
| --- | --- |
| --profile | ID of the security profile to evaluate against (as listed by oscap info) |
| --results | XML file to store detailed scan results (the XCCDF TestResult) |
| --report | HTML file for the human-readable report |
| --oval-results | Also write the per-OVAL result files alongside the XCCDF results |
| --fetch-remote-resources | Download remote OVAL content referenced by the datastream (requires outbound network access from the scanned host) |

Exit status: oscap xccdf eval returns 0 when every selected rule passed, 1 when the scan itself failed (unreadable content, unknown profile ID), and 2 when at least one rule failed. Anything that wraps the scan should distinguish 1 from 2 instead of discarding the status.

Example: CIS Level 1 Server Scan

sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --results /tmp/scan-results.xml \
    --report /tmp/scan-report.html \
    /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

Sample Output

--- Starting Evaluation ---

Title   Package "prelink" Must not be Installed
Rule    xccdf_org.ssgproject.content_rule_package_prelink_removed
Result  pass

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Result  fail

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  fail

Title   Configure Systemd Timer Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer
Result  notapplicable

Understanding Scan Reports

Result Types

| Result | Meaning | Action Required |
| --- | --- | --- |
| pass | System meets the security requirement | None |
| fail | System does not meet the requirement | Remediation needed |
| notapplicable | Rule does not apply to this system | None |
| notchecked | Rule has no automated check in this content, or checking was disabled | Manual review |
| notselected | Rule exists in the benchmark but is not part of the selected profile | None |
| error | Error occurred during evaluation | Investigate |
| unknown | Result could not be determined | Manual review |

HTML Report Structure

The HTML report (scan-report.html) contains:

  1. Summary Section: Overall pass/fail statistics
  2. Score: Compliance percentage
  3. Rule Results: Detailed list of all evaluated rules
  4. Severity Levels: High, Medium, Low, Unknown

Viewing the Report

# Preferred: pull the report to your workstation over SSH
scp <user>@<server-ip>:/tmp/scan-report.html .

# If you must serve it over HTTP, bind to loopback and tunnel in. The report and
# results list exactly which controls the host fails, so do not expose /tmp on 0.0.0.0.
python3 -m http.server 8080 --bind 127.0.0.1 --directory /tmp
# Access at http://127.0.0.1:8080/scan-report.html through ssh -L 8080:127.0.0.1:8080 <server-ip>

Analyzing Results with Command Line

# Count results by type. The verdict is a <result> element inside each
# <rule-result>, one per line in the oscap output, not a "Result" attribute.
grep -c '<result>pass</result>' /tmp/scan-results.xml
grep -c '<result>fail</result>' /tmp/scan-results.xml

# List the IDs of failed rules (<result> is the first child of <rule-result>,
# so the line before it is the opening tag carrying idref and severity)
grep -B1 '<result>fail</result>' /tmp/scan-results.xml | grep -o 'idref="[^"]*"'

# Regenerate the HTML report from a saved results file without re-scanning
# (the empty --result-id selects the TestResult contained in the file)
oscap xccdf generate report --output /tmp/scan-report.html \
    --result-id "" /tmp/scan-results.xml

Generating Remediation Scripts

OpenSCAP can generate remediation scripts from the same content used for scanning. Given a profile, it emits fixes for every rule in that profile whether or not the host currently fails it; given a results file, it emits fixes only for the rules that failed in that scan. Not every rule ships an automated fix (filesystem partitioning rules, for example, are left to the administrator), so a remediated host can still report failures that need manual work.

Generate Bash Remediation Script

sudo oscap xccdf generate fix \
    --fix-type bash \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --output /tmp/remediation.sh \
    /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

Generate Ansible Remediation Playbook

sudo oscap xccdf generate fix \
    --fix-type ansible \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --output /tmp/remediation.yml \
    /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

Generate Fix Based on Scan Results (Only Failed Items)

# First run a scan
sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --results /tmp/scan-results.xml \
    /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

# Generate fix script for failed items only
sudo oscap xccdf generate fix \
    --fix-type bash \
    --result-id "" \
    --output /tmp/remediation-failed.sh \
    /tmp/scan-results.xml

Review and Apply Remediation

Warning: Always review remediation scripts before applying them. They run as root and change authentication, SSH, firewall, auditing and kernel settings; a fix that is correct for the benchmark can still lock you out of a remote host (SSH hardening rules in particular) or break an application that relied on the old setting. Test on a staging system or a snapshot first, keep an out-of-band console session open while applying, and keep the pre-remediation results file so you can compare before and after.

# Review the script
less /tmp/remediation.sh

# Make executable and run (after review)
chmod +x /tmp/remediation.sh
sudo /tmp/remediation.sh

# Re-scan to verify fixes
sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --results /tmp/scan-results-after.xml \
    --report /tmp/scan-report-after.html \
    /usr/share/scap-security-guide/scap-security-guide-0.1.79/ssg-ubuntu2404-ds.xml

Ansible Playbook Execution

# Review the playbook; check that its hosts: line matches the targets you intend
less /tmp/remediation.yml

# Dry-run first. The generated playbook needs an inventory: "localhost," with the
# trailing comma is an inline one-host inventory, and -c local skips SSH.
ansible-playbook -i localhost, -c local --check --diff /tmp/remediation.yml

# Apply changes
ansible-playbook -i localhost, -c local /tmp/remediation.yml

GitLab CI Integration

Example .gitlab-ci.yml

Note what this job actually audits: oscap runs inside the ubuntu:24.04 job container, so the results describe that container image, where partitioning, systemd, kernel and boot-loader rules are mostly notapplicable or fail for reasons that say nothing about your servers. To assess real hosts from CI, run the job on a shell-executor runner installed on the host, or drive a remote scan with oscap-ssh (shipped in openscap-utils), and treat the container job as a content smoke test or an image-hardening check.

stages:
  - security-scan

variables:
  SSG_VERSION: "0.1.79"
  SSG_PATH: "/usr/share/scap-security-guide/scap-security-guide-${SSG_VERSION}"
  PROFILE: "xccdf_org.ssgproject.content_profile_cis_level1_server"

openscap-scan:
  stage: security-scan
  image: ubuntu:24.04
  before_script:
    - apt-get update
    - apt-get install -y openscap-scanner openscap-utils wget unzip libxml2-utils
    - wget -q https://github.com/ComplianceAsCode/content/releases/download/v${SSG_VERSION}/scap-security-guide-${SSG_VERSION}.zip
    - unzip -o scap-security-guide-${SSG_VERSION}.zip -d /usr/share/scap-security-guide
  script:
    - |
      # oscap exits 0 (all rules pass), 1 (scan error) or 2 (some rules failed).
      # Capture the status instead of masking it with "|| true", so a broken scan
      # (bad profile ID, missing content) is not quietly reported as clean.
      rc=0
      oscap xccdf eval \
        --profile ${PROFILE} \
        --results scan-results.xml \
        --report scan-report.html \
        ${SSG_PATH}/ssg-ubuntu2404-ds.xml || rc=$?
      if [ "$rc" -eq 1 ] || [ ! -s scan-results.xml ]; then
        echo "ERROR: oscap did not produce results (exit ${rc})"
        exit 1
      fi
    - |
      # The verdict is a <result> child of each <rule-result>, not an attribute,
      # so grepping for result="pass" never matches. Count with XPath instead;
      # local-name() sidesteps the XCCDF namespace.
      count() {
        xmllint --xpath "count(//*[local-name()='rule-result'][*[local-name()='result']='$1'])" scan-results.xml
      }
      PASS_COUNT=$(count pass)
      FAIL_COUNT=$(count fail)
      # Report the weighted XCCDF score oscap already computed rather than pass/(pass+fail)
      SCORE=$(xmllint --xpath "string(//*[local-name()='TestResult']/*[local-name()='score'])" scan-results.xml)
      echo "XCCDF score: ${SCORE}"
      echo "Passed: ${PASS_COUNT}, Failed: ${FAIL_COUNT}"
  artifacts:
    paths:
      - scan-results.xml
      - scan-report.html
    expire_in: 30 days
    when: always
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_PIPELINE_SOURCE == "web"
    - when: manual

Scheduled Scanning

Add a scheduled pipeline in GitLab:

  1. Go to CI/CD > Schedules
  2. Create new schedule (e.g., weekly)
  3. Set target branch and variables

Compliance Gate Example

openscap-gate:
  stage: security-scan
  image: ubuntu:24.04
  before_script:
    - apt-get update
    - apt-get install -y openscap-scanner openscap-utils wget unzip libxml2-utils
    - wget -q https://github.com/ComplianceAsCode/content/releases/download/v${SSG_VERSION}/scap-security-guide-${SSG_VERSION}.zip
    - unzip -o scap-security-guide-${SSG_VERSION}.zip -d /usr/share/scap-security-guide
  script:
    - |
      rc=0
      oscap xccdf eval \
        --profile ${PROFILE} \
        --results scan-results.xml \
        ${SSG_PATH}/ssg-ubuntu2404-ds.xml || rc=$?
      # Exit 1 means the scan itself broke; never let that count as compliant
      if [ "$rc" -eq 1 ] || [ ! -s scan-results.xml ]; then
        echo "ERROR: oscap did not produce results (exit ${rc})"
        exit 1
      fi

      # Severity is an attribute of <rule-result>; the verdict is its <result> child.
      # Query both together so a passing high rule next to a failing one is not miscounted.
      FAIL_COUNT=$(xmllint --xpath "count(//*[local-name()='rule-result'][*[local-name()='result']='fail'])" scan-results.xml)
      HIGH_SEVERITY=$(xmllint --xpath "count(//*[local-name()='rule-result'][@severity='high'][*[local-name()='result']='fail'])" scan-results.xml)

      if [ "$HIGH_SEVERITY" -gt 0 ]; then
        echo "ERROR: ${HIGH_SEVERITY} high-severity findings detected"
        xmllint --xpath "//*[local-name()='rule-result'][@severity='high'][*[local-name()='result']='fail']/@idref" scan-results.xml
        exit 1
      fi

      echo "No high-severity findings. ${FAIL_COUNT} total failures."
  artifacts:
    paths:
      - scan-results.xml
    when: always
  allow_failure: false
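The grep one-liners in "Analyzing Results with Command Line", the severity gate above, and the "re-scan to verify fixes" step all need the same thing: a correct reading of the XCCDF results structure. The script below is an added example, not code from the original guide or from the OpenSCAP project. It parses a results file with the standard library, summarizes verdicts by severity, reads the weighted XCCDF score oscap already wrote instead of recomputing pass/(pass+fail), applies the high-severity gate, and diffs a before/after pair so regressions introduced by remediation are visible. The embedded sample documents are constructed; the rule IDs are real SSG identifiers used for illustration, but the verdicts and scores are made up. Run it with one or two real results files as arguments to replace the samples.

```python
"""Summarise, gate and diff XCCDF results written by `oscap xccdf eval --results`.
Added example; not part of the original guide or of OpenSCAP itself."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the XCCDF 1.2 results that oscap 1.3.x writes.
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"


def parse_results(xml_doc):
    """Return ({rule_id: (verdict, severity)}, xccdf_score) for the newest TestResult."""
    root = ET.fromstring(xml_doc)
    # The file carries the Benchmark plus a TestResult per evaluation; use the last one.
    test_result = root.findall(f".//{XCCDF}TestResult")[-1]
    rules = {}
    for rr in test_result.findall(f"{XCCDF}rule-result"):
        verdict = rr.findtext(f"{XCCDF}result", default="unknown")
        rules[rr.get("idref")] = (verdict, rr.get("severity", "unknown"))
    # oscap stores the XCCDF default-model score (weighted, 0..100); it is not
    # pass / (pass + fail), so read it rather than recomputing it from counts.
    score_el = test_result.find(f"{XCCDF}score")
    score = float(score_el.text) if score_el is not None else None
    return rules, score


def summarize(rules):
    """Counts per verdict, and failed rules broken down by severity."""
    by_result = Counter(verdict for verdict, _ in rules.values())
    failed_by_severity = Counter(sev for verdict, sev in rules.values() if verdict == "fail")
    return by_result, failed_by_severity


def gate(rules, block_on=("high",)):
    """IDs of failed rules whose severity is in block_on; non-empty means block the pipeline."""
    return sorted(rid for rid, (verdict, sev) in rules.items()
                  if verdict == "fail" and sev in block_on)


def diff_results(before, after):
    """Rules that went fail->pass (fixed) and pass->fail (regressions) between two scans."""
    fixed = sorted(rid for rid, (v, _) in before.items()
                   if v == "fail" and after.get(rid, ("",))[0] == "pass")
    regressed = sorted(rid for rid, (v, _) in after.items()
                       if v == "fail" and before.get(rid, ("",))[0] == "pass")
    return fixed, regressed


def _sample(verdicts, score):
    """Constructed minimal results document with the elements the functions above read."""
    body = "".join(
        f'    <rule-result idref="{rid}" severity="{sev}" weight="1.0">\n'
        f"      <result>{verdict}</result>\n    </rule-result>\n"
        for rid, (verdict, sev) in verdicts.items())
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" '
            'id="xccdf_org.ssgproject.content_benchmark_UBUNTU_24-04">\n'
            '  <TestResult id="xccdf_org.open-scap_testresult_'
            'xccdf_org.ssgproject.content_profile_cis_level1_server">\n' + body +
            f'    <score system="urn:xccdf:scoring:default" maximum="100.000000">{score}</score>\n'
            "  </TestResult>\n</Benchmark>\n")


# Constructed samples: real SSG rule IDs, made-up verdicts and scores.
R = "xccdf_org.ssgproject.content_rule_"
SAMPLE_BEFORE = _sample({
    R + "package_prelink_removed": ("pass", "medium"),
    R + "package_aide_installed": ("fail", "medium"),
    R + "sshd_disable_root_login": ("fail", "high"),
    R + "aide_periodic_checking_systemd_timer": ("notapplicable", "medium"),
}, score="33.333332")
# Same host after remediation: AIDE and SSH fixed, prelink regressed (to show the diff).
SAMPLE_AFTER = _sample({
    R + "package_prelink_removed": ("fail", "medium"),
    R + "package_aide_installed": ("pass", "medium"),
    R + "sshd_disable_root_login": ("pass", "high"),
    R + "aide_periodic_checking_systemd_timer": ("notapplicable", "medium"),
}, score="66.666664")


def main(argv):
    """Usage: summarize.py [results.xml [results-after.xml]]; exit 1 if the gate blocks."""
    docs = [open(p, "rb").read() for p in argv[1:]] or [SAMPLE_BEFORE, SAMPLE_AFTER]
    rules, score = parse_results(docs[0])
    by_result, failed_by_sev = summarize(rules)
    print(f"XCCDF score: {score}  verdicts: {dict(by_result)}  failed by severity: {dict(failed_by_sev)}")
    blocking = gate(rules)
    for rid in blocking:
        print("BLOCKING:", rid)
    if len(docs) > 1:
        fixed, regressed = diff_results(rules, parse_results(docs[1])[0])
        print(f"fixed by remediation: {fixed}\nregressions: {regressed}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate deliberately matches severity and verdict on the same rule-result element; the original grep -B5 pairing could attribute a neighbouring rule's severity to the failing one. Widen block_on to ("high", "medium") once the high-severity findings are cleared, and keep the pre-remediation results file so diff_results can show what the generated script actually changed.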

Quick Reference

Common Commands

# View available profiles
oscap info <datastream.xml>

# Run scan with HTML report
sudo oscap xccdf eval --profile <PROFILE> --report report.html <datastream.xml>

# Generate Bash remediation script
sudo oscap xccdf generate fix --fix-type bash --profile <PROFILE> <datastream.xml>

# Generate Ansible playbook
sudo oscap xccdf generate fix --fix-type ansible --profile <PROFILE> <datastream.xml>

# Generate fix for failed items only
sudo oscap xccdf generate fix --fix-type bash --result-id "" /tmp/scan-results.xml

File Locations

| File | Location |
| --- | --- |
| SCAP Security Guide | /usr/share/scap-security-guide/scap-security-guide-0.1.79/ |
| Ubuntu 24.04 DataStream | ssg-ubuntu2404-ds.xml (inside the SSG directory above) |
| HTML Guides | guides/ssg-ubuntu2404-guide-*.html (one per profile, inside the SSG directory) |

References