|Index|Hardening SUSE Linux with OpenSCAP
SUSE Linux 16.0

Hardening SUSE Linux with OpenSCAP

Publication Date: 09 Jul 2026
WHAT?

OpenSCAP is an open source toolset that implements the Security Content Automation Protocol (SCAP) framework. Combined with the SCAP Security Guide (SSG), it enables automated security auditing and hardening of SUSE Linux.

WHY?

Automated scanning and remediation reduce manual effort, ensure consistent policy enforcement across systems, and support compliance with regulations such as HIPAA, PCI-DSS v4 and ANSSI-BP-028.

EFFORT

Reading time: approximately 30 minutes. A full scan and remediation cycle takes 1–2 hours depending on the number of rules and the initial state of the target system. Familiarity with the Linux command line is required.

GOAL

After completing this article, you can install the required packages, select a security profile, scan your system for policy violations, and remediate identified issues automatically or manually.

REQUIREMENTS
  • A running installation of SUSE Linux.

  • root or sudo privileges on the target system.

  • Access to SUSE repositories for package installation, or an offline package source.

  • A non-production test environment for validating remediation before applying it to production systems.

1 Auditing and hardening SUSE Linux with OpenSCAP

This article explains how to use OpenSCAP and SSG to audit and harden SUSE Linux systems against recognized security baselines.

The following sections describe how to prepare your environment, install the required packages, select a security profile, scan your system for policy violations, and remediate any issues found. The sections are arranged in the order of a typical hardening workflow, but the scanning and remediation steps can also be performed independently once the prerequisites are in place.

2 SCAP and OpenSCAP

SCAP is a framework of specifications for automating security compliance. OpenSCAP implements this framework for Linux, and together with the SCAP Security Guide, enables automated auditing and hardening of SUSE Linux.

2.1 What is SCAP?

SCAP stands for Security Content Automation Protocol. It is a framework of specifications developed and maintained by the National Institute of Standards and Technology (NIST) that supports automated configuration, vulnerability scanning, and policy compliance evaluation of systems in an organization. SCAP also standardizes how vulnerabilities and security configurations are communicated, both to machines and to human beings.

2.2 What is OpenSCAP?

OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux. It received the SCAP 1.2 certification from NIST in 2014. OpenSCAP works together with the SCAP Security Guide (SSG), which implements security guidelines recommended by respected authorities in a machine-readable format. This allows OpenSCAP to automatically audit and harden your SUSE Linux system against recognized security baselines.

2.3 Key SCAP components

SCAP consists of the following components, which interact to describe, evaluate and report on the security state of a system.

Open Vulnerability and Assessment Language (OVAL)

An XML format for testing the presence of a specific state on a system.

Extensible Configuration Checklist Description Format (XCCDF)

An XML format that specifies security checklists, benchmarks, and configuration documentation. An XCCDF file contains a benchmark consisting of different profiles, where each profile is a set of rules with OVAL definitions. Profiles correspond to security practices such as HIPAA, PCI-DSS, and ANSSI-BP-028.

Common Platform Enumeration (CPE)

A structured naming scheme maintained by NIST for identifying IT systems, platforms, and software packages. A CPE name has the following format: cpe:/part:vendor:product:version:update:edition:language

DataStream (DS)

An XML format that bundles multiple SCAP components (CPE, XCCDF, OVAL) into a single file for distribution over a network. DataStream files are the primary input format for OpenSCAP when hardening and auditing a SUSE Linux system.

Common Configuration Enumeration (CCE)

Unique identifiers assigned to security-related system configuration issues, used to track individual rules across profiles and tools.

2.4 What is the SCAP Security Guide?

The SCAP Security Guide is an open source project that provides machine-readable security policies for Linux systems. It translates established security benchmarks, such as Defense Information Systems Agency (DISA) STIGs and Center for Internet Security (CIS) benchmarks, into SCAP content that can be automatically applied and verified. The SCAP Security Guide delivers XCCDF checklists, OVAL checks, and ready-to-use remediation scripts in the form of Ansible playbooks and Bash scripts.

2.5 Benefits of using OpenSCAP with the SCAP Security Guide

Using OpenSCAP together with the SCAP Security Guide provides the following benefits:

  • Security guidelines from recognized authorities are transformed into a machine-readable format, removing the need for manual interpretation.

  • Scanning and remediation can be automated and run repeatedly, ensuring consistent policy enforcement across all systems in your infrastructure.

  • Results are stored in standardized XML formats and can be rendered as human-readable HTML reports for audit and compliance purposes.

  • Multiple security profiles are available out of the box, covering regulations such as HIPAA, PCI-DSS v4, and ANSSI-BP-028, reducing the effort required to achieve and demonstrate compliance.

3 Preparing the IT infrastructure

Before installing and applying the SCAP Security Guide, prepare your IT infrastructure to ensure a controlled and repeatable hardening process.

3.1 Introduction

Applying security hardening without prior planning can lead to service disruptions, misconfigurations, and incomplete compliance. The steps below help you assess your environment, define the scope of hardening, and set up a safe testing workflow before touching production systems.

3.2 What pre-hardening steps should you follow?

  1. Create an inventory of the hosts on which the SCAP Security Guide will be installed.

  2. Create an inventory of the IT and business services that will be in scope for the installation.

  3. Divide the inventory into groups. Hosts within the same group will share an identical configuration.

  4. Select the security standard or profile you plan to implement. For SUSE Linux, the available profiles include ANSSI-BP-028 (at four levels), HIPAA, and PCI-DSS v4. For the full list of supported profiles, refer to Section 5, “SSG Content, directories and profiles”.

  5. For each group, create a list of rules and recommendations you plan to implement. Consider the following for each rule:

    • Preconditions required by the rule

    • Configuration parameters, if any

    • Whether the rule will be applied manually or automatically

    • Rules to be excluded, and the additional security controls that will compensate for each exclusion

  6. Set up a test environment that closely mirrors your production environment. Use it to validate hardening before applying it to production. Keep the following in mind:

    • Run remediation more than once. Rules are applied in alphabetical order. Dependencies exist between some rules, and a system restart is required after each pass.

    • A 100% pass rate is not achievable in practice. Define an acceptable number of non-passing rules for each group, document them, and apply compensating security controls.

  7. Use the test environment to validate new patches and updated versions of the SCAP Security Guide before rolling them out.

  8. If a rule fails during remediation, consider one of the following approaches:

    • Apply the rule manually.

    • Exclude the rule using a tailoring file and apply a compensating security control instead.

    • File a bug report, including the SCAP Security Guide version, execution logs, and the steps you performed.

  9. Create an implementation plan covering your production environment.

  10. Create backups of all target systems before proceeding.

4 Installing OpenSCAP and the SCAP Security Guide

Install the core packages required to scan and remediate SUSE Linux with OpenSCAP and the SCAP Security Guide, and optionally install the graphical SCAP Workbench for a GUI-based workflow.

4.1 Installing the core packages

The following two packages are required for all scanning and remediation workflows described in this article:

  • openscap-utils: provides the oscap and oscap-ssh command-line tools.

  • scap-security-guide: provides the SCAP Security Guide security content, including DataStream files, profiles, fix scripts, and Ansible playbooks.

Install both packages with the following command:

> sudo zypper install openscap-utils scap-security-guide

4.2 Installing optional packages

The following packages are optional and extend the core workflow:

  • scap-workbench: a graphical utility for performing common oscap tasks, including scanning and profile customization. Available only for desktop installations of SUSE Linux.

  • ssg-apply: used together with SCAP Workbench to conveniently apply a tailoring file for customized hardening.

> sudo zypper install scap-workbench ssg-apply
Tip
Tip: Security best practice for SCAP Workbench

Avoid installing SCAP Workbench on the target system you plan to harden. Instead, install it on a separate client machine and apply hardening to the target system remotely, maintaining an air gap until the target is connected to a potentially insecure network.

5 SSG Content, directories and profiles

Reference information on the SCAP Security Guide directory layout, the content available after installation, and the security profiles supported for SUSE Linux.

5.1 SSG directories and files

After installing the scap-security-guide package, the SSG security content is available in the following directories:

/usr/share/xml/scap/ssg/content/

Contains the SSG security content in XML format. All files are named according to the SCAP component and the product they apply to. To list all available DataStream files, run:

> ls -l /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/doc/scap-security-guide/guides/

Contains human-readable HTML versions of the profiles. Each guide describes the rules included in a profile, the rationale behind each rule, severity levels, CCE identifiers, and available remediation options. To list all available guides, run:

> ls -l /usr/share/doc/scap-security-guide/guides/ssg*.html

To view a specific guide in a web browser, for example the anssi_bp28_high profile for SUSE Linux, run:

> firefox /usr/share/doc/scap-security-guide/guides/ssg-sle16-guide-anssi_bp28_high.html

The same content is also available online as static HTML pages at https://complianceascode.github.io/content-pages/guides/index.html.

/usr/share/scap-security-guide/

Contains fix scripts for remediating vulnerabilities found during a scan, in the following formats:

  • Shell scripts: bash/*.sh

  • Ansible playbooks: ansible/*.yml

5.2 Supported profiles for SUSE Linux

The following security profiles are supported by SUSE for SUSE Linux. The profiles are maintained in the ComplianceAsCode repository.

Table 1: Supported SCAP Security Guide profiles for SUSE Linux
Profile nameProfile ID
ANSSI-BP-028 (minimal)xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
ANSSI-BP-028 (intermediary)xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
ANSSI-BP-028 (enhanced)xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
ANSSI-BP-028 (high)xccdf_org.ssgproject.content_profile_anssi_bp28_high
Health Insurance Portability and Accountability Act (HIPAA)xccdf_org.ssgproject.content_profile_hipaa
PCI-DSS v4 Control Baseline for SUSE Linuxxccdf_org.ssgproject.content_profile_pci-dss

To view the full list of profiles available in the DataStream file, including their IDs, run:

> oscap info /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

6 Scanning the system for vulnerabilities

Use oscap to evaluate your SUSE Linux system against a security profile and generate a report of the results.

6.1 Introduction

The oscap xccdf eval command evaluates a system against the rules defined in a security profile and produces results in XML format. An HTML report can be generated alongside the XML results for human review. The evaluation typically takes a few minutes, depending on the number of rules in the selected profile.

Before scanning, ensure that the openscap-utils and scap-security-guide packages are installed as described in Section 4, “Installing OpenSCAP and the SCAP Security Guide”, and that you have selected a profile as described in Section 5, “SSG Content, directories and profiles”.

6.2 Running a basic scan

To scan your system locally against a profile and save the results, run the following command:

> sudo oscap xccdf eval \
  --profile PROFILE-ID \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

Replace PROFILE-ID with one of the profile IDs listed in Table 1, “Supported SCAP Security Guide profiles for SUSE Linux”. For example, to scan against the HIPAA profile:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

The results are saved to /tmp/results.xml and the HTML report to /tmp/report.html. Open the report in a web browser to review the evaluation results.

6.3 Using remote resources during a scan

Some SCAP Security Guide content references external OVAL files, for example, to check whether the system is patched against known CVEs. By default, OpenSCAP skips these remote resources and displays a warning. The following options control this behavior.

Fetching remote resources automatically

If the target system has Internet access and you trust the remote content, use the --fetch-remote-resources option to download referenced files automatically during the scan:

> sudo oscap xccdf eval \
  --fetch-remote-resources \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
Using locally downloaded remote resources

On systems without Internet access, or in security-sensitive deployments, download the required remote files in advance and pass them to oscap using the --local-files option:

  1. Create a directory for storing the downloaded files:

    > mkdir ~/scap-files
  2. Download the required remote resource:

    > wget -O ~/scap-files/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 \
      https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2
    Tip
    Tip

    Use the most specific file available for your product version to reduce resource usage and scan time. For example, if you are interested only in a specific service pack, use the corresponding SP-specific file from https://ftp.suse.com/pub/projects/security/oval/.

  3. Run the scan using the locally downloaded files:

    > sudo oscap xccdf eval \
      --local-files ~/scap-files \
      --profile xccdf_org.ssgproject.content_profile_hipaa \
      --results /tmp/results.xml \
      --report /tmp/report.html \
      /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
  4. Optionally, generate an HTML report separately from the XML results file:

    > oscap xccdf generate report /tmp/results.xml > /tmp/report.html
    Tip
    Tip

    Separating the scan and the report generation steps reduces resource usage on the target system during the scan itself.

6.4 Scanning with specific rules

By default, oscap xccdf eval evaluates all rules in the selected profile. You can narrow the scope of evaluation using the following options.

Evaluating a single rule

Use the --rule option to evaluate only a specific rule, identified by its rule ID:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --rule xccdf_org.ssgproject.content_rule_package_aide_installed \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
Skipping a specific rule

Use the --skip-rule option to exclude a specific rule from the evaluation:

> sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --skip-rule xccdf_org.ssgproject.content_rule_package_aide_installed \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

6.5 Scanning a remote machine

To scan a remote machine over SSH, use oscap-ssh instead of oscap. The openscap-utils package must be installed on both the local and the remote machine. The interface mirrors that of oscap:

> sudo oscap-ssh user@host 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

7 Remediating vulnerabilities

Apply fixes to bring your SUSE Linux system into compliance with a security profile using oscap, SCAP Security Guide shell scripts, or Ansible playbooks.

7.1 Introduction

After scanning your system, you can remediate identified policy violations automatically or manually. The SCAP Security Guide provides fix scripts in two formats — shell scripts and Ansible playbooks — that oscap can apply directly, or that you can review and run independently.

Important
Important: Automatic remediation not always available

Automatic remediation is not offered for fixes that are too disruptive to apply safely on a running system. Such rules must be remediated manually.

The overall remediation process is as follows:

  1. oscap scans the system and marks each failing rule as a candidate for remediation.

  2. For each failing rule, oscap locates the corresponding xccdf:fix element in the XCCDF file, prepares the environment, and executes the fix script.

  3. After executing the fix, oscap re-evaluates the rule to confirm whether the fix was successful.

  4. All remediation results are stored in an output XCCDF file.

Note
Note

Remediation must be run more than once. Rules are applied in alphabetical order. Some rules have dependencies on others, and the system may need to be restarted between passes for changes to take effect.

7.2 Remediating on the fly

The simplest approach is to scan and remediate in a single command using the --remediate option. The system is first scanned, and then oscap immediately attempts to fix each failing rule.

Warning
Warning: Usage of the --skip-rule option

Always use --skip-rule to skip the rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users unless you have explicitly configured the variable var_accounts_authorized_local_users_regex. Failing to do so may prevent sudo from working after a reboot.

> sudo oscap xccdf eval --remediate \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  --skip-rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

For the changes to take effect, reboot the system.

> sudo reboot

In the resulting /tmp/results.xml file, the first TestResult element contains the scan results before remediation. The second TestResult element contains the results after remediation, where a rule result of fixed indicates a successful fix, and error indicates that the fix was not successful.

7.3 Remediating after scanning

Alternatively, you can separate the scan and remediation into two steps. This allows you to review the scan results before applying any fixes.

  1. Scan the system and save the results:

    > sudo oscap xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_hipaa \
      --results /tmp/results.xml \
      /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

    The results are stored in a TestResult element in /tmp/results.xml. The system is evaluated only — no changes are made at this stage.

  2. Run remediation using the results file from the previous step as input:

    > sudo oscap xccdf remediate \
      --results /tmp/results.xml \
      /tmp/results.xml

    oscap creates a new xccdf:TestResult element in the same file, inheriting data from the first result and applying fixes only to the rules that failed in the initial scan.

7.4 Generating remediation scripts for review

To inspect the remediation instructions before applying them, use oscap xccdf generate fix to save the fix content to a file without executing it.

To generate a shell script:

> oscap xccdf generate fix \
  --template urn:xccdf:fix:script:sh \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --output my-remediation-script.sh \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

To generate an Ansible playbook:

> oscap xccdf generate fix \
  --template urn:xccdf:fix:script:ansible \
  --profile xccdf_org.ssgproject.content_profile_hipaa \
  --output my-remediation-playbook.yml \
  /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

7.5 Remediating with SSG shell scripts

The SCAP Security Guide ships pre-built shell scripts for each supported profile. These can be used for straightforward remediation without conditions or tailoring.

  1. List the available shell scripts:

    > ls -l /usr/share/scap-security-guide/bash/

    Script names follow the format sle16-script-PROFILE-NAME.sh. The supported profile names are: anssi_bp28_minimal, anssi_bp28_intermediary, anssi_bp28_enhanced, anssi_bp28_high, hipaa, and pci-dss-4.

  2. Make the script executable:

    > sudo chmod +x sle16-script-PROFILE-NAME.sh
  3. Run the script:

    > sudo ./sle16-script-PROFILE-NAME.sh
Note
Note

Within each script, rules follow the format: # BEGIN fix (N/TOTAL) for RULE-ID through to # END fix for RULE-ID. Rules that contain a line ending with IS MISSING! have no automatic remediation and must be applied manually.

7.6 Remediating with Ansible playbooks

For each supported profile, the SCAP Security Guide also ships Ansible playbooks that you can use for remediation.

  1. Install the ansible package.

    > sudo zypper install ansible
  2. List the available Ansible playbooks:

    > ls -l /usr/share/scap-security-guide/ansible/

    Playbook names follow the format sle16-playbook-PROFILE-NAME.yml.

  3. Create an inventory file ansible_inventory.yml with the following content:

    all:
      hosts:
        localhost
      vars:
        ansible_connection: local
  4. Run the playbook:

    > sudo ansible-playbook -i ansible_inventory.yml \
      sle16-playbook-PROFILE-NAME.yml
  5. To skip specific rules during execution, use the --tags option. Find the tag for a rule by searching for it in the playbook file. For example:

    > sudo ansible-playbook -i ansible_inventory.yml \
      sle16-playbook-PROFILE-NAME.yml \
      --tags "package_aide_installed,aide_build_database"
Note
Note

You may need to repeat the remediation steps more than once. Some rules require a system restart to take effect, and rules are executed in alphabetical order, which means dependencies between rules may not be resolved in a single pass.

7.7 Customizing the SCAP Security Guide with SCAP Workbench

If the available profiles do not fully match your requirements, you can create a customized profile using SCAP Workbench and save it as a tailoring file. The tailoring file can then be applied with oscap using the --tailoring-file option.

  1. Start SCAP Workbench:

    > sudo scap-workbench
  2. Select SLE16 as the target system variant, then select Load Content.

  3. Select a base profile from the Profile drop-down list, then select Customize.

  4. Set a unique ID for the custom profile in the following format: xccdf_REVERSE-DNS_profile_PROFILE-NAME. For example: xccdf_org.mycompany_profile_server.

    Warning
    Warning

    The profile ID cannot be changed after it is set in SCAP Workbench.

  5. Deselect any rules you do not want to include, then select OK.

  6. Save the customization as a tailoring file: select Select customization file > Open > Save customization only.

  7. Apply the tailoring file with oscap:

    > sudo oscap xccdf eval \
      --profile xccdf_org.mycompany_profile_server \
      --tailoring-file ssg-sle16-ds-tailoring.xml \
      --report /tmp/report.html \
      /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml

8 For more information

9 What's next

After hardening your system, consider the following steps to maintain and improve your security posture:

  • Schedule regular scans to detect configuration drift and verify that the system remains compliant after updates or changes.

  • Use the test environment established during infrastructure preparation to validate new versions of the SCAP Security Guide before applying them to production.

  • Review and document any rules that could not be remediated automatically, and ensure compensating controls are in place for each.

  • Consider integrating OpenSCAP scanning into your CI/CD or configuration management pipeline for continuous compliance monitoring.

  • Keep the scap-security-guide package up to date to benefit from the latest security rules and profile improvements.