SUSE Multi-Linux Support

Running OpenSCAP compliance scans for SUSE Multi-Linux Support 7

Publication Date: March 27, 2025

This guide explains how to use OpenSCAP to run compliance scans on Enterprise Linux systems registered with SUSE Multi-Linux Support 7.

Revision History: Running OpenSCAP compliance scans for SUSE Multi-Linux Support 7

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Important: Disclaimer

SUSE seeks to provide customers with quick and easy guides that can assist them in maintaining security compliance. Implementation of the settings contained within this guide without its prior testing in a non-operational environment is highly discouraged. The developers of these profiles and documentation have made reasonable efforts to ensure overall compliance. They assume no responsibility for its use by other parties, and make no guarantee, expressed or implied, about its quality, reliability or any other characteristic.

Important: End of general support

SUSE Multi-Linux Support 7 has reached the end of general support and is now in LTSS (Long Term Service Support).

If you have a SUSE Multi-Linux Support subscription but do not have an LTSS subscription, you can continue to use your systems. However, registering new RHEL 7 or CentOS Linux 7 systems with the general subscription is no longer supported.

To register new RHEL 7 or CentOS Linux 7 systems, and to continue receiving new updates for existing systems, you must use an LTSS subscription.

1 Introduction #

SUSE Multi-Linux Support is a technology and support solution for mixed Linux environments. With a SUSE Multi-Linux Support subscription, you can register and update Red Hat Enterprise Linux and CentOS Linux.

Because SUSE Multi-Linux Support uses its own branding and paths that are different from RHEL and CentOS Linux, it also uses different profiles for running compliance scans with OpenSCAP.

SCAP is a framework of specifications that support automated configuration, vulnerability scanning, and policy compliance evaluation of systems deployed in an organization. OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux.

SUSE Multi-Linux Support provides the following components in its software update repositories:

The OpenSCAP scanner and utilities.
The SCAP Security Guide, a collection of security guidance and baselines from https://github.com/ComplianceAsCode/content to apply against systems for compliance.
SCAP Workbench, a utility with a graphical user interface for SCAP content tailoring, editing, and validation.

This guide describes running compliance scans locally using the oscap command-line tool. To run scans remotely or with the SCAP Workbench GUI tool, see the list of Related information.

Important: Third-party compliance tools are not supported

Third-party compliance tools, such as proprietary security scanners and upstream builds of ComplianceAsCode content, might not recognize SUSE Multi-Linux Support properly and are not currently supported.

Overview of procedures #

Review Section 2, “Requirements” to make sure your system has the registration and packages required to run compliance scans with SUSE Multi-Linux Support profiles.
Choose a profile for running compliance scans in Section 3, “Choosing an OpenSCAP compliance profile”.
Run the compliance scan, as described in Section 4, “Running an OpenSCAP compliance scan”. If you need to include remote resources in the compliance scan, use Section 5, “Including remote resources in an OpenSCAP scan” instead.
Review the report generated by the compliance scan. Section 6, “Reviewing the OpenSCAP evaluation report” shows examples of the main sections of the report.

Note: SUSE Multi-Linux Support and SUSE Liberty Linux or Expanded Support

SUSE Multi-Linux Support was previously named SUSE Liberty Linux and SUSE Linux Enterprise Server with Expanded Support. During the transition period, some components might still use one of these names.

2 Requirements #

Before running compliance scans, make sure your system meets the following requirements:

You can log in to the target system as either the root user or a user with sudo privileges. Without root access, some tests in the compliance scan might not run correctly.
The target system is registered with SUSE Multi-Linux Support, as described in one of the following guides:
- Registering RHEL 7 or CentOS Linux 7 with RMT
- Registering RHEL 7 or CentOS Linux 7 with SUSE Manager
The most recent versions of the following packages are installed:
- sles_es-release-server
- openscap
- openscap-scanner
- scap-security-guide
Important: Supported scap-security-guide version
RHEL 7 and its clones are no longer supported by the upstream ComplianceAsCode project. Therefore, the most recent version of scap-security-guide available from the SUSE Multi-Linux Support LTSS 7 repository is scap-security-guide-0.1.73-1.el7_9.
Installing these packages might also install additional dependencies.
The installed packages are provided by SUSE. You can use rpm -qi to check the vendor. For example:
```
# rpm -qi openscap-scanner | grep -i vendor
Vendor      : SUSE LLC <https://www.suse.com/>
```
You can also check the distribution name. For example:
```
# rpm -q --queryformat '%{DISTRIBUTION}\n' openscap
SLES Expanded Support platform
```
If the vendor or distribution is different from the output shown above, reinstall the packages from the SUSE Multi-Linux Support LTSS 7 repository, and make sure no other repository overrides SUSE Multi-Linux Support.

Tip: SCAP Workbench

The optional package scap-workbench is also available, but is not required to run scans locally from the command line.

As a security best practice, avoid installing an application software such as SCAP Workbench on the target system. Instead, install SCAP Workbench on a client machine and scan the target system remotely.

3 Choosing an OpenSCAP compliance profile #

The SCAP Security Guide contains the latest set of security polices for Linux systems. Each security policy includes multiple compliance profiles, which contain sets of rules to test the system against. Before you can run a compliance scan, you must choose the appropriate compliance profile for your system.

Tip: Security policy compatibility

The security policies are installed in /usr/share/xml/scap/ssg/content/. For compatibility, builds of the SCAP Security Guide for SUSE Multi-Linux Support also provide RHEL policies in the same location.

To list the profiles for SUSE Multi-Linux Support 7, query the ssg-sles_esp7-ds security policy:

# oscap info /usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml

You can use grep to narrow down the results. For example, to see only CIS profiles, run the following command:

# oscap info /usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml | grep -i cis
      Title: CIS Benchmark for Level 2 - Server
        Id: xccdf_org.ssgproject.content_profile_cis
      Title: CIS Benchmark for Level 1 - Server
        Id: xccdf_org.ssgproject.content_profile_cis_server_l1
      Title: CIS Benchmark for Level 1 - Workstation
        Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
      Title: CIS Benchmark for Level 2 - Workstation
        Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2

Select the profile to use. You will specify this profile when you run the compliance scan.

The output of oscap info also includes a WARNING if the security policy includes a reference to remote resources from https://ftp.suse.com. Using remote resources in the compliance scan is not compulsory, but can provide useful data about known security vulnerabilities. You can continue with either of the following options:

Ignore the warning and perform the compliance scan without remote resources, as described in Section 4, “Running an OpenSCAP compliance scan”.
Download the remote resources and use them in the compliance scan, as described in Section 5, “Including remote resources in an OpenSCAP scan”.

4 Running an OpenSCAP compliance scan #

After choosing a profile, run a compliance scan on the target system with the oscap xccdf eval command. Specify the profile as shown in the following example:

# oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \1
--report /tmp/report.html \2
--results-arf /tmp/results-arf.xml \3
/usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml4

1	The compliance profile to use for the scan.
2	Where to save the HTML report with test results and recommended remediations.
3	Where to save the XML report, which can be used later in automation and report generation.
4	The SCAP Security Guide policy file that the compliance profile belongs to.

The compliance scan collects information from the target system and evaluates it against rules set by the selected compliance profile. The scan will take some time to complete. The results are saved in the specified files and also appear on screen, as shown in this example snippet:

[...]
Title   Configure auditd Max Log File Size
Rule    xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result  pass

Title   Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule    xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result  fail
[...]

When the scan is complete, you can review the report by opening /tmp/report.html in a browser. See Section 6, “Reviewing the OpenSCAP evaluation report” for examples of the report.

5 Including remote resources in an OpenSCAP scan #

SUSE Multi-Linux Support provides external OVAL-formatted content for use in scans. This content is downloaded from https://ftp.suse.com/pub/projects/security/oval/ and includes information such as recently addressed security vulnerabilities. You can automatically download remote resources during a compliance scan with the --fetch-remote-resources option.

Scans using remote resources take longer to complete and generate much larger reports.

Make sure the machine you run the scan from has access to https://ftp.suse.com:

# nc -zv ftp.suse.com 21
Connection to ftp.suse.com 21 port [tcp/ftp] succeeded!

Run a compliance scan on the target system with the oscap xccdf eval command. Specify the profile and use the option --fetch-remote-resources as shown in the following example:

# oscap xccdf eval --fetch-remote-resources \1
--profile xccdf_org.ssgproject.content_profile_cis \2
--report /tmp/report.html \3
--results-arf /tmp/results-arf.xml \4
/usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml5

1	Downloads remote resources from https://ftp.suse.com for use in the compliance scan.
2	The compliance profile to use for the scan.
3	Where to save the HTML report with test results and recommended remediations.
4	Where to save the XML report, which can be used later in automation and report generation.
5	The SCAP Security Guide policy file that the compliance profile belongs to.

The compliance scan collects information from the target system and evaluates it against rules set by the selected compliance profile. The scan will take some time to complete. The are saved in the specified files and also appear on screen, as shown in this example snippet:

[...]
Title   Configure auditd Max Log File Size
Rule    xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result  pass

Title   Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule    xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result  fail
[...]

When the scan is complete, you can review the report by opening /tmp/report.html in a browser. See Section 6, “Reviewing the OpenSCAP evaluation report” for examples of the report.

6 Reviewing the OpenSCAP evaluation report #

The HTML-formatted OpenSCAP report shows the results of the compliance scan in a human-readable format. These examples show the main features of the report.

Report header: The header of the report shows information about the chosen compliance profile.
Figure 1: Header of a typical OpenSCAP report #
Compliance and Scoring: The Compliance and Scoring section shows a summary of the scan's results, including the number of passed and failed rules and the severity of the failures.
Figure 2: Summary of results in a typical OpenSCAP report #
Rule Overview: The Rule Overview section shows a list of rules included with the compliance profile, along with the severity and test result of each rule. This section is interactive. You can check and uncheck filter options, group rules by different criteria, search the list with a search bar, and click the rule names to see more details. You can also expand the details for every rule by clicking Show all result details at the bottom of the report.
Figure 3: List of rules in a typical OpenSCAP report #
Rule details and remediation: Clicking the name of a rule opens a window showing detailed information about that rule. Depending on the rule, the detail window might also include multiple remediation options. Click (show) to expand each remediation option.
Figure 4: Detailed information about a rule in a typical OpenSCAP report #