6.0

Hardening with OpenSCAP

Publication Date: 18 Jun 2026
WHAT?

OpenSCAP is an open source toolset that implements the Security Content Automation Protocol (SCAP) framework. Combined with the SCAP Security Guide, it enables automated security auditing and hardening of .

WHY?

Automated scanning and remediation reduces manual effort and ensures consistent policy enforcement across systems. ships with the general security profile, which provides a practical baseline for hardening immutable systems.

EFFORT

Reading time: approximately 30 minutes. A full scan and remediation cycle takes 1–2 hours depending on the number of rules and the initial state of the target system. Because is an immutable system, remediation must be run more than once with reboots between passes. Familiarity with the Linux command line is required.

GOAL

After completing this article, you can install the required packages, scan your system for policy violations against the general profile, and remediate identified issues using oscap, SCAP Security Guide shell scripts, or Ansible playbooks.

REQUIREMENTS
  • A running installation of .

  • root or sudo privileges on the target system.

  • Access to SUSE repositories for package installation, or an offline package source.

  • A non-production test environment for validating remediation before applying it to production systems.

1 Overview

SCAP, the Security Content Automation Protocol, is a framework of specifications maintained by the National Institute of Standards and Technology (NIST). It standardizes how security configurations and vulnerabilities are expressed, measured, and reported across systems in an organization.

OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux. Together with the SCAP Security Guide, it provides a machine-readable representation of security guidelines recommended by recognized authorities, allowing you to audit and harden your system in an automated and repeatable way.

The following sections describe how to prepare your environment, install the required packages, select a security profile, scan your system for policy violations, and remediate any issues found. The sections are arranged in the order of a typical hardening workflow, but the scanning and remediation steps can also be performed independently once the prerequisites are in place.

2 SCAP and OpenSCAP

SCAP is a framework of specifications for automating security compliance. OpenSCAP implements this framework for Linux, and together with the SCAP Security Guide, enables automated auditing and hardening of .

2.1 What is SCAP?

SCAP stands for Security Content Automation Protocol. It is a framework of specifications developed and maintained by the National Institute of Standards and Technology (NIST) that supports automated configuration, vulnerability scanning, and policy compliance evaluation of systems in an organization. SCAP also standardizes how vulnerabilities and security configurations are communicated, both to machines and to human beings.

2.2 What is OpenSCAP?

OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux. It received the SCAP 1.2 certification from NIST in 2014. OpenSCAP works together with the SCAP Security Guide (SSG), which implements security guidelines recommended by respected authorities in a machine-readable format. This allows OpenSCAP to automatically audit and harden your system against recognized security baselines.

2.3 Key SCAP components

SCAP consists of the following components, which interact with each other to describe, evaluate, and report on the security state of a system.

Open Vulnerability and Assessment Language (OVAL)

An XML format for testing the presence of a specific state on a system.

Extensible Configuration Checklist Description Format (XCCDF)

An XML format that specifies security checklists, benchmarks, and configuration documentation. An XCCDF file contains a benchmark consisting of different profiles, where each profile is a set of rules with OVAL definitions.

Common Platform Enumeration (CPE)

A structured naming scheme maintained by NIST for identifying IT systems, platforms, and software packages. A CPE name has the following format: cpe:/part:vendor:product:version:update:edition:language

DataStream (DS)

An XML format that bundles multiple SCAP components (CPE, XCCDF, OVAL) into a single file for distribution over a network. DataStream files are the primary input format for OpenSCAP when hardening and auditing a system.

Common Configuration Enumeration (CCE)

Unique identifiers assigned to security-related system configuration issues, used to track individual rules across profiles and tools.

2.4 What is the SCAP Security Guide?

The SCAP Security Guide is an open source project that provides machine-readable security policies for Linux systems. It translates established security benchmarks, such as Defense Information Systems Agency (DISA) STIGs and Center for Internet Security (CIS) benchmarks, into SCAP content that can be automatically applied and verified. The SCAP Security Guide delivers XCCDF checklists, OVAL checks, and ready-to-use remediation scripts in the form of Ansible playbooks and Bash scripts.

2.5 Benefits of using OpenSCAP with the SCAP Security Guide

Using OpenSCAP together with the SCAP Security Guide provides the following benefits:

  • Security guidelines from recognized authorities are transformed into a machine-readable format, removing the need for manual interpretation.

  • Scanning and remediation can be automated and run repeatedly, ensuring consistent policy enforcement across all systems in your infrastructure.

  • Results are stored in standardized XML formats and can be rendered as human-readable HTML reports for audit and compliance purposes.

  • The general security profile available for provides a practical hardening baseline suited to immutable systems, reducing the effort required to achieve and demonstrate compliance.

3 Preparing the IT Infrastructure

Before installing and applying the SCAP Security Guide, prepare your IT infrastructure to ensure a controlled and repeatable hardening process.

3.1 Introduction

Applying security hardening without prior planning can lead to service disruptions, misconfigurations, and incomplete compliance. The steps below help you assess your environment, define the scope of hardening, and set up a safe testing workflow before touching production systems.

3.2 Preparation steps

  1. Create an inventory of the hosts on which the SCAP Security Guide will be installed.

  2. Create an inventory of the IT and business services that will be in scope for the installation.

  3. Divide the inventory into groups. Hosts within the same group will share an identical configuration.

  4. Select the security standard or profile you plan to implement. For , the supported profile is the general profile. For details, refer to Section 5, “SSG Content, Directories, and Profiles”.

  5. For each group, create a list of rules and recommendations you plan to implement. Consider the following for each rule:

    • Preconditions required by the rule

    • Configuration parameters, if any

    • Whether the rule will be applied manually or automatically

    • Rules to be excluded, and the additional security controls that will compensate for each exclusion

  6. Set up a test environment that closely mirrors your production environment. Use it to validate hardening before applying it to production. Keep the following in mind:

    • Run remediation more than once. Rules are applied in alphabetical order, dependencies exist between some rules, and a system restart is required after each pass.

    • A 100% pass rate is not achievable in practice. Define an acceptable number of non-passing rules for each group, document them, and apply compensating security controls.

  7. Use the test environment to validate new patches and updated versions of the SCAP Security Guide before rolling them out.

  8. If a rule fails during remediation, consider one of the following approaches:

    • Apply the rule manually.

    • Exclude the rule using a tailoring file and apply a compensating security control instead.

    • File a bug report, including the SCAP Security Guide version, execution logs, and the steps you performed.

  9. Create an implementation plan covering your production environment.

  10. Create backups of all target systems before proceeding.

4 Installing OpenSCAP and the SCAP Security Guide

Install the core packages required to scan and remediate with OpenSCAP and the SCAP Security Guide.

4.1 Installing the core packages

To install the required packages, proceed as follows:

  1. Install the following packages:

    > sudo transactional-update pkg install openscap-utils scap-security-guide
  2. Reboot the system to switch to the new snapshot:

    > sudo reboot
Note

GUI tools such as SCAP Workbench are not available on . If you need to create a tailoring file to customize a profile, do so on a separate machine and transfer the file to the system. You can then apply it using the --tailoring-file option with oscap.

5 SSG Content, Directories, and Profiles

Reference information on the SCAP Security Guide directory layout, the content available after installation, and the security profile supported for .

5.1 SSG directories and files

After installing the scap-security-guide package, the SCAP Security Guide security content is available in the following directories:

/usr/share/xml/scap/ssg/content/

Contains the SCAP Security Guide security content in XML format. All files are named according to the SCAP component and the product they apply to. To list all available DataStream files, run:

> ls -l /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/doc/scap-security-guide/guides/

Contains human-readable HTML versions of the profiles. Each guide describes the rules included in a profile, the rationale behind each rule, severity levels, CCE identifiers, and available remediation options. To list all available guides, run:

> ls -l /usr/share/doc/scap-security-guide/guides/ssg*.html

To view the guide for the general profile in a web browser, run:

> firefox /usr/share/doc/scap-security-guide/guides/ssg-slmicro6-guide-general.html

The same content is also available online as static HTML pages at https://complianceascode.github.io/content-pages/guides/index.html.

/usr/share/scap-security-guide/

Contains fix scripts for remediating vulnerabilities found during a scan, in the following formats:

  • Shell scripts: bash/*.sh

  • Ansible playbooks: ansible/*.yml

5.2 Supported profile for

The following security profile is supported by SUSE for . The profile is maintained in the ComplianceAsCode repository.

Table 1: Supported SCAP Security Guide profile for

Profile name                    Profile ID
General profile for (SLEM) 6    xccdf_org.ssgproject.content_profile_general

To view the full list of profiles available in the DataStream file, including their IDs, run:

> oscap info /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

6 Scanning the System for Vulnerabilities

Use oscap to evaluate your system against a security profile and generate a report of the results.

6.1 Introduction

The oscap xccdf eval command evaluates a system against the rules defined in a security profile and produces results in XML format. An HTML report can be generated alongside the XML results for human review. The evaluation typically takes a few minutes, depending on the number of rules in the selected profile.

Before scanning, ensure that the openscap-utils and scap-security-guide packages are installed as described in Section 4, “Installing OpenSCAP and the SCAP Security Guide”, and that you have reviewed the available profile as described in Section 5, “SSG Content, Directories, and Profiles”.

6.2 Running a basic scan

To scan your system locally against the general profile and save the results, run the following command:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_general \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

The results are saved to /tmp/results.xml and the HTML report to /tmp/report.html. Open the report in a web browser to review the evaluation results.

6.3 Using remote resources during a scan

Some SCAP Security Guide content references external OVAL files, for example to check whether the system is patched against known CVEs. By default, OpenSCAP skips these remote resources and displays a warning. The following options control this behavior.

Fetching remote resources automatically

If the target system has Internet access and you trust the remote content, use the --fetch-remote-resources option to download referenced files automatically during the scan:

> sudo oscap xccdf eval \
  --fetch-remote-resources \
  --profile xccdf_org.ssgproject.content_profile_general \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
Using locally downloaded remote resources

On systems without Internet access, or in security-sensitive deployments, download the required remote files in advance and pass them to oscap using the --local-files option:

  1. Create a directory for storing the downloaded files:

    > mkdir ~/scap-files
  2. Download the required remote resource:

    > wget -O ~/scap-files/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 \
      https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
    Tip

    Use the most specific file available for your product version to reduce resource usage and scan time. For example, if you are interested only in a specific service pack, use the corresponding SP-specific file from https://ftp.suse.com/pub/projects/security/oval/.

  3. Run the scan using the locally downloaded files:

    > sudo oscap xccdf eval \
      --local-files ~/scap-files \
      --profile xccdf_org.ssgproject.content_profile_general \
      --results /tmp/results.xml \
      --report /tmp/report.html \
      /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
  4. Optionally, generate an HTML report separately from the XML results file:

    > oscap xccdf generate report /tmp/results.xml > /tmp/report.html
    Tip

    Separating the scan and the report generation steps reduces resource usage on the target system during the scan itself.

6.4 Scanning with specific rules

By default, oscap xccdf eval evaluates all rules in the selected profile. You can narrow the scope of evaluation using the following options.

Evaluating a single rule

Use the --rule option to evaluate only a specific rule, identified by its rule ID:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_general \
  --rule xccdf_org.ssgproject.content_rule_package_aide_installed \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
Skipping a specific rule

Use the --skip-rule option to exclude a specific rule from the evaluation:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_general \
  --skip-rule xccdf_org.ssgproject.content_rule_package_aide_installed \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

6.5 Scanning a remote machine

To scan a remote machine over SSH, use oscap-ssh instead of oscap. The openscap-utils package must be installed on both the local and the remote machine. The interface mirrors that of oscap:

> sudo oscap-ssh user@host 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_general \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

7 Remediating Vulnerabilities

Apply fixes to bring your system into compliance with the general security profile using oscap, SCAP Security Guide shell scripts, or Ansible playbooks.

7.1 Introduction

After scanning your system, you can remediate identified policy violations automatically or manually. The SCAP Security Guide provides fix scripts in two formats — shell scripts and Ansible playbooks — that oscap can apply directly, or that you can review and run independently.

Important: Automatic remediation not always available

Automatic remediation is not offered for fixes that are too disruptive to apply safely on a running system. Such rules must be remediated manually.

The overall remediation process is as follows:

  1. oscap scans the system and marks each failing rule as a candidate for remediation.

  2. For each failing rule, oscap locates the corresponding xccdf:fix element in the XCCDF file, prepares the environment, and executes the fix script.

  3. After executing the fix, oscap re-evaluates the rule to confirm whether the fix was successful.

  4. All remediation results are stored in an output XCCDF file.

Note

Because is an immutable system, remediation must be run more than once with reboots between passes. The first pass uses transactional-update to apply changes to a new snapshot. After rebooting into the new snapshot, a second pass applies any remaining fixes. Rules are executed in alphabetical order and some have dependencies on others.

7.2 Remediating on the fly

The simplest approach is to scan and remediate in a single command using the --remediate option. The system is first scanned, and then oscap immediately attempts to fix each failing rule.

Warning: Usage of the --skip-rule option

Always use --skip-rule to skip the rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users unless you have explicitly configured the variable var_accounts_authorized_local_users_regex. Failing to do so may prevent sudo from working after a reboot.

  1. Run the first remediation pass inside a transactional update:

    > sudo transactional-update run oscap xccdf eval --remediate \
      --profile xccdf_org.ssgproject.content_profile_general \
      --results /tmp/results_1.xml \
      --report /tmp/report_1.html \
      --skip-rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users \
      /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
  2. Reboot the system to switch to the new snapshot:

    > sudo reboot
  3. Run the second remediation pass:

    > sudo oscap xccdf eval --remediate \
      --profile xccdf_org.ssgproject.content_profile_general \
      --results /tmp/results_2.xml \
      --report /tmp/report_2.html \
      --skip-rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users \
      /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
  4. Reboot the system to apply the changes:

    > sudo reboot

In the resulting results files, a rule result of fixed indicates a successful fix. A result of error indicates that the fix was not successful and the rule still does not pass evaluation.
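
The results files written with --results (Section 6.2) and the fixed and error values described above are plain XCCDF XML, so they can be checked without opening the HTML report. The following script is an added example and is not part of this documentation or of OpenSCAP: it reads the rule-result elements of a results file, counts outcomes, lists the rules that still need attention (fail or error), and compares two files, for instance the results of remediation pass 1 and pass 2, or two scheduled scans, to find rules that regressed. The sample documents embedded in the script are constructed; their rule IDs come from this article except content_rule_sample_rule_a, which is a placeholder and not a real SCAP Security Guide rule.

```python
"""Summarize and compare oscap XCCDF results files.

Added example, not part of the SUSE documentation or of OpenSCAP. It reads
the TestResult section that `oscap xccdf eval --results` writes.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def make_results(outcomes, test_id="xccdf_org.open-scap_testresult_sample"):
    """Build a constructed results document containing only the elements this
    script reads. Used for sample data; real files come from oscap."""
    rows = "\n".join(
        f'    <rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
        for rid, (res, sev) in outcomes.items()
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<Benchmark xmlns="{XCCDF_NS}" id="xccdf_sample_benchmark">\n'
        f'  <TestResult id="{test_id}">\n{rows}\n  </TestResult>\n</Benchmark>\n'
    )


R = "xccdf_org.ssgproject.content_rule_"
# Constructed sample: first remediation pass. The AIDE database cannot be built
# before aide is installed, so that fix errors out in the same pass.
SAMPLE_PASS_1 = make_results({
    R + "package_aide_installed": ("fixed", "medium"),
    R + "aide_build_database": ("error", "medium"),
    R + "sample_rule_a": ("pass", "high"),  # placeholder, not a real SSG rule
    R + "accounts_authorized_local_users": ("notselected", "medium"),  # --skip-rule
})
# Constructed sample: second pass after the reboot; one rule regressed.
SAMPLE_PASS_2 = make_results({
    R + "package_aide_installed": ("pass", "medium"),
    R + "aide_build_database": ("fixed", "medium"),
    R + "sample_rule_a": ("fail", "high"),
    R + "accounts_authorized_local_users": ("notselected", "medium"),
})


def _local(tag):
    """Strip the XML namespace so the code works with or without a prefix."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Return {rule_id: (result, severity)} for every rule-result element."""
    results = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "rule-result":
            continue
        outcome = next((c.text.strip() for c in el if _local(c.tag) == "result" and c.text), "unknown")
        results[el.get("idref")] = (outcome, el.get("severity", "unknown"))
    return results


def summarize(xml_text):
    """Count rules per outcome (pass, fail, fixed, error, notselected, ...)."""
    return Counter(outcome for outcome, _ in rule_results(xml_text).values())


def open_findings(xml_text):
    """Rules still needing attention: fail (no fix applied) or error (fix did not take)."""
    return sorted(rid for rid, (outcome, _) in rule_results(xml_text).items()
                  if outcome in ("fail", "error"))


def compare_runs(old_xml, new_xml):
    """Map rule_id -> (old_outcome, new_outcome) for rules whose outcome changed."""
    old, new = rule_results(old_xml), rule_results(new_xml)
    changed = {}
    for rid in sorted(set(old) | set(new)):
        before = old.get(rid, ("absent", None))[0]
        after = new.get(rid, ("absent", None))[0]
        if before != after:
            changed[rid] = (before, after)
    return changed


def regressions(old_xml, new_xml):
    """Rules that passed or were fixed in the old run and fail in the new one."""
    return [rid for rid, (before, after) in compare_runs(old_xml, new_xml).items()
            if before in ("pass", "fixed") and after in ("fail", "error")]


def main(argv):
    if len(argv) == 3:  # two real results files, e.g. pass 1 and pass 2
        with open(argv[1], encoding="utf-8") as f1, open(argv[2], encoding="utf-8") as f2:
            old, new = f1.read(), f2.read()
    else:  # no arguments: use the constructed samples
        old, new = SAMPLE_PASS_1, SAMPLE_PASS_2
    print("outcomes:", dict(summarize(new)))
    print("open findings:", open_findings(new))
    for rid, (before, after) in compare_runs(old, new).items():
        print(f"changed: {rid}: {before} -> {after}")
    print("regressions:", regressions(old, new))


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to process the embedded samples, or as `python3 xccdf_results.py /tmp/results_1.xml /tmp/results_2.xml` to compare the two remediation passes. Rules excluded with --skip-rule appear as notselected and are never reported as findings, which is why excluded rules need the compensating controls called for in Section 3.2.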

7.3 Remediating after scanning

Alternatively, you can separate the scan and remediation into two steps. This allows you to review the scan results before applying any fixes.

  1. Scan the system and save the results:

    > sudo oscap xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_general \
      --results /tmp/results.xml \
      /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

    The results are stored in a TestResult element in /tmp/results.xml. The system is evaluated only — no changes are made at this stage.

  2. Run the first remediation pass inside a transactional update:

    > sudo transactional-update run oscap xccdf remediate \
      --results /tmp/results.xml \
      /tmp/results.xml
  3. Reboot the system to switch to the new snapshot:

    > sudo reboot
  4. Run a second remediation pass:

    > sudo oscap xccdf remediate \
      --results /tmp/results.xml \
      /tmp/results.xml
  5. Reboot the system to apply the changes:

    > sudo reboot

7.4 Generating remediation scripts for review

To inspect the remediation instructions before applying them, use oscap xccdf generate fix to save the fix content to a file without executing it.

To generate a shell script:

> oscap xccdf generate fix \
  --template urn:xccdf:fix:script:sh \
  --profile xccdf_org.ssgproject.content_profile_general \
  --output my-remediation-script.sh \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

To generate an Ansible playbook:

> oscap xccdf generate fix \
  --template urn:xccdf:fix:script:ansible \
  --profile xccdf_org.ssgproject.content_profile_general \
  --output my-remediation-playbook.yml \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml

7.5 Remediating with SCAP Security Guide shell scripts

The SCAP Security Guide ships a pre-built shell script for the general profile. This can be used for straightforward remediation without conditions or tailoring.

  1. List the available shell scripts:

    > ls -l /usr/share/scap-security-guide/bash/

    The script for follows the format slmicro6-script-PROFILE-NAME.sh. For the general profile, the script is slmicro6-script-general.sh.

  2. Copy the script to your working directory, so that the relative path used in the following steps resolves, and make the copy executable:

    > cp /usr/share/scap-security-guide/bash/slmicro6-script-general.sh .
    > chmod +x slmicro6-script-general.sh
  3. Run the script inside a transactional update:

    > sudo transactional-update run ./slmicro6-script-general.sh
  4. Reboot the system to switch to the new snapshot:

    > sudo reboot
  5. Run the script again:

    > sudo ./slmicro6-script-general.sh
  6. Reboot the system to apply the changes:

    > sudo reboot
Note

Within each script, rules follow the format: # BEGIN fix (N/TOTAL) for RULE-ID through to # END fix for RULE-ID. Rules that contain a line ending with IS MISSING! have no automatic remediation and must be applied manually.
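
The BEGIN/END markers described in the note make it possible to find the rules without automatic remediation before the script is run, instead of discovering them in the script's output. The following script is an added example, not part of this documentation or of the SCAP Security Guide: it splits a remediation script into its fix blocks, flags blocks carrying the IS MISSING! marker (the marker is matched anywhere on the line, because in shipped scripts it sits inside an echo statement), and refuses malformed input where BEGIN and END markers do not pair up. The embedded sample script is constructed; its first two rule IDs are the ones used in this article and content_rule_sample_rule_a is a placeholder.

```python
"""List which rules in an SSG remediation script have automatic fixes.

Added example, not part of the SUSE documentation or of the SCAP Security
Guide. Parses "# BEGIN fix (N/TOTAL) for RULE-ID" ... "# END fix for RULE-ID".
"""
import re
import sys

BEGIN_RE = re.compile(r"^# BEGIN fix \((\d+)/(\d+)\) for '?([^'\s]+)'?\s*$")
END_RE = re.compile(r"^# END fix for '?([^'\s]+)'?\s*$")
MISSING_RE = re.compile(r"IS MISSING!")  # marker also matches inside an echo

# Constructed sample in the format described in the note; the second block
# has no fix, the third uses a placeholder rule ID.
SAMPLE_SCRIPT = """#!/bin/bash
# BEGIN fix (1/3) for 'xccdf_org.ssgproject.content_rule_package_aide_installed'
(>&2 echo "Remediating rule 1/3: 'xccdf_org.ssgproject.content_rule_package_aide_installed'")
if ! rpm -q --quiet aide; then
    zypper install -y aide
fi
# END fix for 'xccdf_org.ssgproject.content_rule_package_aide_installed'

# BEGIN fix (2/3) for 'xccdf_org.ssgproject.content_rule_aide_build_database'
(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_aide_build_database' IS MISSING!")
# END fix for 'xccdf_org.ssgproject.content_rule_aide_build_database'

# BEGIN fix (3/3) for 'xccdf_org.ssgproject.content_rule_sample_rule_a'
(>&2 echo "Remediating rule 3/3: 'xccdf_org.ssgproject.content_rule_sample_rule_a'")
echo "sample setting" > /etc/sample.conf
# END fix for 'xccdf_org.ssgproject.content_rule_sample_rule_a'
"""


def parse_fix_blocks(script_text):
    """Return one dict per fix block: rule, index, total, start line, body, manual flag.

    Raises ValueError when BEGIN/END markers are nested, unmatched or mismatched,
    which would mean the script was truncated or edited by hand.
    """
    blocks, current = [], None
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = BEGIN_RE.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside open block for {current['rule']}")
            current = {"index": int(m.group(1)), "total": int(m.group(2)),
                       "rule": m.group(3), "start": lineno, "lines": [], "manual": False}
            continue
        m = END_RE.match(line)
        if m:
            if current is None or m.group(1) != current["rule"]:
                raise ValueError(f"line {lineno}: END fix for {m.group(1)} has no matching BEGIN")
            blocks.append(current)
            current = None
            continue
        if current is not None:
            current["lines"].append(line)
            if MISSING_RE.search(line):
                current["manual"] = True  # no automatic remediation for this rule
    if current is not None:
        raise ValueError(f"unterminated fix block for {current['rule']}")
    return blocks


def manual_rules(script_text):
    """Rule IDs that must be remediated by hand."""
    return [b["rule"] for b in parse_fix_blocks(script_text) if b["manual"]]


def automated_rules(script_text):
    """Rule IDs for which the script carries a fix."""
    return [b["rule"] for b in parse_fix_blocks(script_text) if not b["manual"]]


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SCRIPT
    blocks = parse_fix_blocks(text)
    print(f"{len(blocks)} fix blocks, {len(manual_rules(text))} without automatic remediation")
    for b in blocks:
        status = "MANUAL" if b["manual"] else "auto"
        print(f"{b['index']}/{b['total']} {status:6} {b['rule']} (line {b['start']})")


if __name__ == "__main__":
    main(sys.argv)
```

Running `python3 ssg_fix_blocks.py /usr/share/scap-security-guide/bash/slmicro6-script-general.sh` prints one line per rule, so the rules that need manual handling can be added to the per-group list from Section 3.2 before the first remediation pass.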

7.6 Remediating with Ansible playbooks

To remediate using Ansible playbooks, perform the following procedure.

  1. The SCAP Security Guide ships an Ansible playbook for the general profile. To install the package, run:

    > sudo transactional-update pkg install ansible
  2. Reboot the system to switch to the new snapshot:

    > sudo reboot
  3. List the available Ansible playbooks:

    > ls -l /usr/share/scap-security-guide/ansible/

    The playbook for follows the format slmicro6-playbook-PROFILE-NAME.yml. For the general profile, the playbook is slmicro6-playbook-general.yml.

  4. Create an inventory file ansible_inventory.yml with the following content:

    all:
      hosts:
        localhost:
      vars:
        ansible_connection: local
  5. Run the playbook inside a transactional update, passing the full path of the shipped playbook:

    > sudo transactional-update run ansible-playbook -i ansible_inventory.yml \
      /usr/share/scap-security-guide/ansible/slmicro6-playbook-general.yml
  6. Reboot the system to switch to the new snapshot:

    > sudo reboot
  7. Run the playbook again:

    > sudo ansible-playbook -i ansible_inventory.yml \
      /usr/share/scap-security-guide/ansible/slmicro6-playbook-general.yml
  8. Reboot the system to apply the changes:

    > sudo reboot
  9. To apply only specific rules during execution, use the --tags option with the tags of those rules (to exclude rules instead, use --skip-tags). Find the tag for a rule by searching for the rule name in the playbook file. For example, to run only the two AIDE rules:

    > sudo ansible-playbook -i ansible_inventory.yml \
      /usr/share/scap-security-guide/ansible/slmicro6-playbook-general.yml \
      --tags "package_aide_installed,aide_build_database"
Note

You may need to repeat the remediation steps more than once. Some rules require a system restart to take effect, and rules are executed in alphabetical order, which means dependencies between rules may not be resolved in a single pass.

7.7 Applying a tailoring file

If you need to customize the general profile — for example, to exclude specific rules — create a tailoring file on a separate machine using SCAP Workbench, then transfer it to the system. Apply it with the --tailoring-file option:

> sudo oscap xccdf eval --remediate \
  --profile xccdf_org.mycompany_profile_custom \
  --tailoring-file ssg-slmicro6-ds-tailoring.xml \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml
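
Since SCAP Workbench is not available on the target (see the note in Section 4.1), the tailoring file can also be produced by a small script on the separate machine. The following is an added example, not part of this documentation, OpenSCAP or SCAP Workbench: it writes an XCCDF 1.2 tailoring document that derives a custom profile from the general profile, unselects rules, and sets a variable, and it reads a tailoring file back for review. It validates every ID against the xccdf_<reverse-DNS>_<kind>_<name> form that XCCDF 1.2 requires. The tailoring ID, the profile title, the regex value and the value ID for var_accounts_authorized_local_users_regex (assumed to follow the SCAP Security Guide convention content_value_<variable name>) are assumptions; confirm the value ID with oscap info before using the file.

```python
"""Generate an XCCDF 1.2 tailoring file for oscap --tailoring-file.

Added example, not part of the SUSE documentation, OpenSCAP or SCAP Workbench.
The tailoring ID, profile title and the variable's value ID are assumptions.
"""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
BENCHMARK_HREF = "/usr/share/xml/scap/ssg/content/ssg-slmicro6-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_general"
AIDE_RULE = "xccdf_org.ssgproject.content_rule_package_aide_installed"
# Assumed: SSG value IDs are content_value_<variable name>; confirm with `oscap info`.
AUTHORIZED_USERS_VAR = "xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex"

# XCCDF 1.2 IDs must have the form xccdf_<reverse-DNS>_<kind>_<name>.
ID_RE = re.compile(r"^xccdf_[A-Za-z0-9.\-]+_(profile|rule|value|tailoring)_\S+$")


def q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def check_id(xccdf_id, kind):
    """Reject IDs oscap would refuse; the kind must match the element they name."""
    m = ID_RE.match(xccdf_id or "")
    if not m or m.group(1) != kind:
        raise ValueError(f"{xccdf_id!r} is not a valid XCCDF 1.2 {kind} ID")
    return xccdf_id


def build_tailoring(profile_id, title, unselect=(), values=None,
                    base_profile=BASE_PROFILE, benchmark_href=BENCHMARK_HREF,
                    tailoring_id="xccdf_org.mycompany_tailoring_custom"):
    """Return the tailoring document as a string: a profile extending base_profile
    with the given rules unselected and the given variables set."""
    ET.register_namespace("xccdf-1.2", XCCDF_NS)
    root = ET.Element(q("Tailoring"), {"id": check_id(tailoring_id, "tailoring")})
    ET.SubElement(root, q("benchmark"), {"href": benchmark_href})
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ET.SubElement(root, q("version"), {"time": stamp}).text = "1"
    profile = ET.SubElement(root, q("Profile"), {
        "id": check_id(profile_id, "profile"),
        "extends": check_id(base_profile, "profile"),
    })
    ET.SubElement(profile, q("title")).text = title
    ET.SubElement(profile, q("description")).text = f"{title}, derived from {base_profile}"
    for rule_id in unselect:
        ET.SubElement(profile, q("select"),
                      {"idref": check_id(rule_id, "rule"), "selected": "false"})
    for value_id, value in (values or {}).items():
        ET.SubElement(profile, q("set-value"), {"idref": check_id(value_id, "value")}).text = value
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def inspect_tailoring(xml_text):
    """Read back what a tailoring file changes, for review before it is applied."""
    profile = ET.fromstring(xml_text).find(q("Profile"))
    return {
        "profile_id": profile.get("id"),
        "extends": profile.get("extends"),
        "unselected": [s.get("idref") for s in profile.findall(q("select"))
                       if s.get("selected") == "false"],
        "values": {v.get("idref"): v.text for v in profile.findall(q("set-value"))},
    }


def main():
    # Exclude the AIDE package rule and set the authorized-users regex (constructed
    # value) that the warning in Section 7.2 says must be configured before the
    # accounts_authorized_local_users rule is applied.
    doc = build_tailoring(
        "xccdf_org.mycompany_profile_custom", "Custom general profile",
        unselect=[AIDE_RULE], values={AUTHORIZED_USERS_VAR: "^(root|sysadmin)$"},
    )
    sys.stdout.write(doc + "\n")


if __name__ == "__main__":
    main()
```

Run `python3 make_tailoring.py > ssg-slmicro6-ds-tailoring.xml` on the separate machine, transfer the file, and pass it with --tailoring-file together with --profile xccdf_org.mycompany_profile_custom as shown above. Every rule unselected here must appear in the exclusion list with its compensating control (Section 3.2), because the results file will report it as notselected rather than as a failure.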

8 For More Information

9 What's Next

After hardening your system, consider the following steps to maintain and improve your security posture:

  • Schedule regular scans to detect configuration drift and verify that the system remains compliant after updates or changes.

  • Use the test environment established during infrastructure preparation to validate new versions of the SCAP Security Guide before applying them to production.

  • Review and document any rules that could not be remediated automatically, and ensure compensating controls are in place for each.

  • Consider integrating OpenSCAP scanning into your CI/CD or configuration management pipeline for continuous compliance monitoring.

  • Keep the scap-security-guide package up to date to benefit from the latest security rules and profile improvements. On , use transactional-update to update packages and reboot into the new snapshot before re-running remediation.