Hardening SUSE Linux with OpenSCAP
- WHAT?
OpenSCAP is an open source toolset that implements the Security Content Automation Protocol (SCAP) framework. Combined with the SCAP Security Guide (SSG), it enables automated security auditing and hardening of SUSE Linux.
- WHY?
Automated scanning and remediation reduce manual effort, ensure consistent policy enforcement across systems, and support compliance with regulations such as HIPAA, PCI-DSS v4 and ANSSI-BP-028.
- EFFORT
Reading time: approximately 30 minutes. A full scan and remediation cycle takes 1–2 hours depending on the number of rules and the initial state of the target system. Familiarity with the Linux command line is required.
- GOAL
After completing this article, you can install the required packages, select a security profile, scan your system for policy violations, and remediate identified issues automatically or manually.
- REQUIREMENTS
A running installation of SUSE Linux.
rootorsudoprivileges on the target system.Access to SUSE repositories for package installation, or an offline package source.
A non-production test environment for validating remediation before applying it to production systems.
1 Auditing and hardening SUSE Linux with OpenSCAP #
This article explains how to use OpenSCAP and SSG to audit and harden SUSE Linux systems against recognized security baselines.
The following sections describe how to prepare your environment, install the required packages, select a security profile, scan your system for policy violations, and remediate any issues found. The sections are arranged in the order of a typical hardening workflow, but the scanning and remediation steps can also be performed independently once the prerequisites are in place.
2 SCAP and OpenSCAP #
SCAP is a framework of specifications for automating security compliance. OpenSCAP implements this framework for Linux, and together with the SCAP Security Guide, enables automated auditing and hardening of SUSE Linux.
2.1 What is SCAP? #
SCAP stands for Security Content Automation Protocol. It is a framework of specifications developed and maintained by the National Institute of Standards and Technology (NIST) that supports automated configuration, vulnerability scanning, and policy compliance evaluation of systems in an organization. SCAP also standardizes how vulnerabilities and security configurations are communicated, both to machines and to human beings.
2.2 What is OpenSCAP? #
OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux.
It received the SCAP 1.2 certification from NIST in 2014. OpenSCAP works together with the
SCAP Security Guide (SSG), which implements security guidelines recommended by respected
authorities in a machine-readable format. This allows OpenSCAP to automatically audit and
harden your SUSE Linux system against recognized security baselines.
2.3 Key SCAP components #
SCAP consists of the following components, which interact to describe, evaluate and report on the security state of a system.
- Open Vulnerability and Assessment Language (OVAL)
An XML format for testing the presence of a specific state on a system.
- Extensible Configuration Checklist Description Format (XCCDF)
An XML format that specifies security checklists, benchmarks, and configuration documentation. An XCCDF file contains a benchmark consisting of different profiles, where each profile is a set of rules with OVAL definitions. Profiles correspond to security practices such as HIPAA, PCI-DSS, and ANSSI-BP-028.
- Common Platform Enumeration (CPE)
A structured naming scheme maintained by NIST for identifying IT systems, platforms, and software packages. A CPE name has the following format:
cpe:/part:vendor:product:version:update:edition:language- DataStream (DS)
An XML format that bundles multiple SCAP components (CPE, XCCDF, OVAL) into a single file for distribution over a network. DataStream files are the primary input format for OpenSCAP when hardening and auditing a SUSE Linux system.
- Common Configuration Enumeration (CCE)
Unique identifiers assigned to security-related system configuration issues, used to track individual rules across profiles and tools.
2.4 What is the SCAP Security Guide? #
The SCAP Security Guide is an open source project that provides machine-readable
security policies for Linux systems. It translates established security benchmarks, such as
Defense Information Systems Agency (DISA)
STIGs and
Center for
Internet Security (CIS)
benchmarks, into SCAP content that can be automatically applied and verified. The
SCAP Security Guide delivers XCCDF checklists, OVAL checks, and ready-to-use remediation
scripts in the form of Ansible playbooks and Bash scripts.
2.5 Benefits of using OpenSCAP with the SCAP Security Guide #
Using OpenSCAP together with the SCAP Security Guide provides the following benefits:
Security guidelines from recognized authorities are transformed into a machine-readable format, removing the need for manual interpretation.
Scanning and remediation can be automated and run repeatedly, ensuring consistent policy enforcement across all systems in your infrastructure.
Results are stored in standardized XML formats and can be rendered as human-readable HTML reports for audit and compliance purposes.
Multiple security profiles are available out of the box, covering regulations such as HIPAA, PCI-DSS v4, and ANSSI-BP-028, reducing the effort required to achieve and demonstrate compliance.
3 Preparing the IT infrastructure #
Before installing and applying the SCAP Security Guide, prepare your IT infrastructure to ensure a controlled and repeatable hardening process.
3.1 Introduction #
Applying security hardening without prior planning can lead to service disruptions, misconfigurations, and incomplete compliance. The steps below help you assess your environment, define the scope of hardening, and set up a safe testing workflow before touching production systems.
3.2 What pre-hardening steps should you follow? #
Create an inventory of the hosts on which the SCAP Security Guide will be installed.
Create an inventory of the IT and business services that will be in scope for the installation.
Divide the inventory into groups. Hosts within the same group will share an identical configuration.
Select the security standard or profile you plan to implement. For SUSE Linux, the available profiles include ANSSI-BP-028 (at four levels), HIPAA, and PCI-DSS v4. For the full list of supported profiles, refer to Section 5, “SSG Content, directories and profiles”.
For each group, create a list of rules and recommendations you plan to implement. Consider the following for each rule:
Preconditions required by the rule
Configuration parameters, if any
Whether the rule will be applied manually or automatically
Rules to be excluded, and the additional security controls that will compensate for each exclusion
Set up a test environment that closely mirrors your production environment. Use it to validate hardening before applying it to production. Keep the following in mind:
Run remediation more than once. Rules are applied in alphabetical order. Dependencies exist between some rules, and a system restart is required after each pass.
A 100% pass rate is not achievable in practice. Define an acceptable number of non-passing rules for each group, document them, and apply compensating security controls.
Use the test environment to validate new patches and updated versions of the SCAP Security Guide before rolling them out.
If a rule fails during remediation, consider one of the following approaches:
Apply the rule manually.
Exclude the rule using a tailoring file and apply a compensating security control instead.
File a bug report, including the SCAP Security Guide version, execution logs, and the steps you performed.
Create an implementation plan covering your production environment.
Create backups of all target systems before proceeding.
4 Installing OpenSCAP and the SCAP Security Guide #
Install the core packages required to scan and remediate SUSE Linux with OpenSCAP and the SCAP Security Guide, and optionally install the graphical SCAP Workbench for a GUI-based workflow.
4.1 Installing the core packages #
The following two packages are required for all scanning and remediation workflows described in this article:
openscap-utils: provides the
oscapandoscap-sshcommand-line tools.scap-security-guide: provides the SCAP Security Guide security content, including DataStream files, profiles, fix scripts, and Ansible playbooks.
Install both packages with the following command:
>sudozypper install openscap-utils scap-security-guide
4.2 Installing optional packages #
The following packages are optional and extend the core workflow:
scap-workbench: a graphical utility for performing common
oscaptasks, including scanning and profile customization. Available only for desktop installations of SUSE Linux.ssg-apply: used together with SCAP Workbench to conveniently apply a tailoring file for customized hardening.
>sudozypper install scap-workbench ssg-apply
Avoid installing SCAP Workbench on the target system you plan to harden. Instead, install it on a separate client machine and apply hardening to the target system remotely, maintaining an air gap until the target is connected to a potentially insecure network.
5 SSG Content, directories and profiles #
Reference information on the SCAP Security Guide directory layout, the content available after installation, and the security profiles supported for SUSE Linux.
5.1 SSG directories and files #
After installing the scap-security-guide package, the SSG security content is available in the following directories:
/usr/share/xml/scap/ssg/content/Contains the SSG security content in XML format. All files are named according to the SCAP component and the product they apply to. To list all available DataStream files, run:
>ls -l /usr/share/xml/scap/ssg/content/ssg-*-ds.xml/usr/share/doc/scap-security-guide/guides/Contains human-readable HTML versions of the profiles. Each guide describes the rules included in a profile, the rationale behind each rule, severity levels, CCE identifiers, and available remediation options. To list all available guides, run:
>ls -l /usr/share/doc/scap-security-guide/guides/ssg*.htmlTo view a specific guide in a web browser, for example the
anssi_bp28_highprofile for SUSE Linux, run:>firefox /usr/share/doc/scap-security-guide/guides/ssg-sle16-guide-anssi_bp28_high.htmlThe same content is also available online as static HTML pages at https://complianceascode.github.io/content-pages/guides/index.html.
/usr/share/scap-security-guide/Contains fix scripts for remediating vulnerabilities found during a scan, in the following formats:
Shell scripts:
bash/*.shAnsible playbooks:
ansible/*.yml
5.2 Supported profiles for SUSE Linux #
The following security profiles are supported by SUSE for SUSE Linux. The profiles are maintained in the ComplianceAsCode repository.
| Profile name | Profile ID |
|---|---|
| ANSSI-BP-028 (minimal) | xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
|
| ANSSI-BP-028 (intermediary) | xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
|
| ANSSI-BP-028 (enhanced) | xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
|
| ANSSI-BP-028 (high) | xccdf_org.ssgproject.content_profile_anssi_bp28_high
|
| Health Insurance Portability and Accountability Act (HIPAA) | xccdf_org.ssgproject.content_profile_hipaa
|
| PCI-DSS v4 Control Baseline for SUSE Linux | xccdf_org.ssgproject.content_profile_pci-dss
|
To view the full list of profiles available in the DataStream file, including their IDs, run:
>oscap info /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
6 Scanning the system for vulnerabilities #
Use oscap to evaluate your SUSE Linux system against a security profile
and generate a report of the results.
6.1 Introduction #
The oscap xccdf eval command evaluates a system against the rules defined
in a security profile and produces results in XML format. An HTML report can be generated
alongside the XML results for human review. The evaluation typically takes a few minutes,
depending on the number of rules in the selected profile.
Before scanning, ensure that the openscap-utils and scap-security-guide packages are installed as described in Section 4, “Installing OpenSCAP and the SCAP Security Guide”, and that you have selected a profile as described in Section 5, “SSG Content, directories and profiles”.
6.2 Running a basic scan #
To scan your system locally against a profile and save the results, run the following command:
>sudooscap xccdf eval \ --profile PROFILE-ID \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
Replace PROFILE-ID with one of the profile IDs listed in Table 1, “Supported SCAP Security Guide profiles for SUSE Linux”. For example, to scan against the HIPAA profile:
>sudooscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
The results are saved to /tmp/results.xml and the HTML report to
/tmp/report.html. Open the report in a web browser to review the
evaluation results.
6.3 Using remote resources during a scan #
Some SCAP Security Guide content references external OVAL files, for example, to check whether the system is patched against known CVEs. By default, OpenSCAP skips these remote resources and displays a warning. The following options control this behavior.
- Fetching remote resources automatically
If the target system has Internet access and you trust the remote content, use the
--fetch-remote-resourcesoption to download referenced files automatically during the scan:>sudooscap xccdf eval \ --fetch-remote-resources \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml- Using locally downloaded remote resources
On systems without Internet access, or in security-sensitive deployments, download the required remote files in advance and pass them to
oscapusing the--local-filesoption:Create a directory for storing the downloaded files:
>mkdir ~/scap-filesDownload the required remote resource:
>wget -O ~/scap-files/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 \ https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2TipUse the most specific file available for your product version to reduce resource usage and scan time. For example, if you are interested only in a specific service pack, use the corresponding SP-specific file from https://ftp.suse.com/pub/projects/security/oval/.
Run the scan using the locally downloaded files:
>sudooscap xccdf eval \ --local-files ~/scap-files \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xmlOptionally, generate an HTML report separately from the XML results file:
>oscap xccdf generate report /tmp/results.xml > /tmp/report.htmlTipSeparating the scan and the report generation steps reduces resource usage on the target system during the scan itself.
6.4 Scanning with specific rules #
By default, oscap xccdf eval evaluates all rules in the selected profile.
You can narrow the scope of evaluation using the following options.
- Evaluating a single rule
Use the
--ruleoption to evaluate only a specific rule, identified by its rule ID:>sudooscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --rule xccdf_org.ssgproject.content_rule_package_aide_installed \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml- Skipping a specific rule
Use the
--skip-ruleoption to exclude a specific rule from the evaluation:>sudooscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --skip-rule xccdf_org.ssgproject.content_rule_package_aide_installed \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
6.5 Scanning a remote machine #
To scan a remote machine over SSH, use oscap-ssh instead of
oscap. The openscap-utils package must be installed on
both the local and the remote machine. The interface mirrors that of
oscap:
>sudooscap-ssh user@host 22 xccdf eval \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
7 Remediating vulnerabilities #
Apply fixes to bring your SUSE Linux system into compliance with a security profile using
oscap, SCAP Security Guide shell scripts, or Ansible playbooks.
7.1 Introduction #
After scanning your system, you can remediate identified policy violations automatically or
manually. The SCAP Security Guide provides fix scripts in two formats — shell scripts and Ansible playbooks
— that oscap can apply directly, or that you can review and run
independently.
Automatic remediation is not offered for fixes that are too disruptive to apply safely on a running system. Such rules must be remediated manually.
The overall remediation process is as follows:
oscapscans the system and marks each failing rule as a candidate for remediation.For each failing rule,
oscaplocates the correspondingxccdf:fixelement in the XCCDF file, prepares the environment, and executes the fix script.After executing the fix,
oscapre-evaluates the rule to confirm whether the fix was successful.All remediation results are stored in an output XCCDF file.
Remediation must be run more than once. Rules are applied in alphabetical order. Some rules have dependencies on others, and the system may need to be restarted between passes for changes to take effect.
7.2 Remediating on the fly #
The simplest approach is to scan and remediate in a single command using the
--remediate option. The system is first scanned, and then
oscap immediately attempts to fix each failing rule.
--skip-rule option
Always use --skip-rule to skip the rule
xccdf_org.ssgproject.content_rule_accounts_authorized_local_users unless
you have explicitly configured the variable
var_accounts_authorized_local_users_regex. Failing to do so may prevent
sudo from working after a reboot.
>sudooscap xccdf eval --remediate \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ --report /tmp/report.html \ --skip-rule xccdf_org.ssgproject.content_rule_accounts_authorized_local_users \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
For the changes to take effect, reboot the system.
>sudoreboot
In the resulting /tmp/results.xml file, the first
TestResult element contains the scan results before remediation.
The second TestResult element contains the results after
remediation, where a rule result of fixed indicates a successful fix, and
error indicates that the fix was not successful.
7.3 Remediating after scanning #
Alternatively, you can separate the scan and remediation into two steps. This allows you to review the scan results before applying any fixes.
Scan the system and save the results:
>sudooscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --results /tmp/results.xml \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xmlThe results are stored in a
TestResultelement in/tmp/results.xml. The system is evaluated only — no changes are made at this stage.Run remediation using the results file from the previous step as input:
>sudooscap xccdf remediate \ --results /tmp/results.xml \ /tmp/results.xmloscapcreates a newxccdf:TestResultelement in the same file, inheriting data from the first result and applying fixes only to the rules that failed in the initial scan.
7.4 Generating remediation scripts for review #
To inspect the remediation instructions before applying them, use oscap xccdf
generate fix to save the fix content to a file without executing it.
To generate a shell script:
>oscap xccdf generate fix \ --template urn:xccdf:fix:script:sh \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --output my-remediation-script.sh \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
To generate an Ansible playbook:
>oscap xccdf generate fix \ --template urn:xccdf:fix:script:ansible \ --profile xccdf_org.ssgproject.content_profile_hipaa \ --output my-remediation-playbook.yml \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
7.5 Remediating with SSG shell scripts #
The SCAP Security Guide ships pre-built shell scripts for each supported profile. These can be used for straightforward remediation without conditions or tailoring.
List the available shell scripts:
>ls -l /usr/share/scap-security-guide/bash/Script names follow the format
sle16-script-PROFILE-NAME.sh. The supported profile names are:anssi_bp28_minimal,anssi_bp28_intermediary,anssi_bp28_enhanced,anssi_bp28_high,hipaa, andpci-dss-4.Make the script executable:
>sudochmod +x sle16-script-PROFILE-NAME.shRun the script:
>sudo./sle16-script-PROFILE-NAME.sh
Within each script, rules follow the format: # BEGIN fix
(N/TOTAL) for
RULE-ID through to # END fix for
RULE-ID. Rules that contain a line ending with
IS MISSING! have no automatic remediation and must be applied manually.
7.6 Remediating with Ansible playbooks #
For each supported profile, the SCAP Security Guide also ships Ansible playbooks that you can use for remediation.
Install the ansible package.
>sudozypper install ansibleList the available Ansible playbooks:
>ls -l /usr/share/scap-security-guide/ansible/Playbook names follow the format
sle16-playbook-PROFILE-NAME.yml.Create an inventory file
ansible_inventory.ymlwith the following content:all: hosts: localhost vars: ansible_connection: localRun the playbook:
>sudoansible-playbook -i ansible_inventory.yml \ sle16-playbook-PROFILE-NAME.ymlTo skip specific rules during execution, use the
--tagsoption. Find the tag for a rule by searching for it in the playbook file. For example:>sudoansible-playbook -i ansible_inventory.yml \ sle16-playbook-PROFILE-NAME.yml \ --tags "package_aide_installed,aide_build_database"
You may need to repeat the remediation steps more than once. Some rules require a system restart to take effect, and rules are executed in alphabetical order, which means dependencies between rules may not be resolved in a single pass.
7.7 Customizing the SCAP Security Guide with SCAP Workbench #
If the available profiles do not fully match your requirements, you can create a customized
profile using SCAP Workbench and save it as a tailoring file. The tailoring file can then be
applied with oscap using the --tailoring-file option.
Start SCAP Workbench:
>sudoscap-workbenchSelect
SLE16as the target system variant, then select Load Content.Select a base profile from the Profile drop-down list, then select Customize.
Set a unique ID for the custom profile in the following format:
xccdf_REVERSE-DNS_profile_PROFILE-NAME. For example:xccdf_org.mycompany_profile_server.WarningThe profile ID cannot be changed after it is set in SCAP Workbench.
Deselect any rules you do not want to include, then select OK.
Save the customization as a tailoring file: select Select customization file > Open > Save customization only.
Apply the tailoring file with
oscap:>sudooscap xccdf eval \ --profile xccdf_org.mycompany_profile_server \ --tailoring-file ssg-sle16-ds-tailoring.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-sle16-ds.xml
8 For more information #
The OpenSCAP project and documentation: https://www.open-scap.org/security-policies/scap-security-guide/
The OpenSCAP User Manual: https://static.open-scap.org/openscap-1.2/oscap_user_manual.html
The
SCAP Security Guideupstream repository and README: https://github.com/ComplianceAsCode/content/Online profile guides for all products: https://complianceascode.github.io/content-pages/guides/index.html
OVAL security data provided by SUSE: https://www.suse.com/support/security/oval/
9 What's next #
After hardening your system, consider the following steps to maintain and improve your security posture:
Schedule regular scans to detect configuration drift and verify that the system remains compliant after updates or changes.
Use the test environment established during infrastructure preparation to validate new versions of the SCAP Security Guide before applying them to production.
Review and document any rules that could not be remediated automatically, and ensure compensating controls are in place for each.
Consider integrating OpenSCAP scanning into your CI/CD or configuration management pipeline for continuous compliance monitoring.
Keep the scap-security-guide package up to date to benefit from the latest security rules and profile improvements.
10 Legal Notice #
Copyright© 2006– 2026 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.