Enhanced SCAP Auditing (Beta)

1. Overview

SUSE Multi-Linux Manager introduces a modernized approach to SCAP (Security Content Automation Protocol) auditing, available as a beta feature. The enhanced SCAP integration streamlines compliance scanning by centralizing content management, introducing reusable policies, supporting automated remediation, and eliminating the need to pre-stage SCAP files on managed systems.

This feature is currently in beta. You must enable the beta feature flag in your user preferences before using it.

2. Enable the beta feature

To access the enhanced SCAP auditing features:

Procedure: Enabling the beta feature
  1. Navigate to Home > User Account > My Preferences.

  2. Check the Enable Beta Features checkbox.

  3. Click Submit.

Once enabled, additional menu entries appear under Audit > OpenSCAP, and the scan scheduling interface is replaced with the new beta UI.

The beta feature flag is a per-user setting. Each user who wants to use the enhanced SCAP features must enable it individually.

3. Key differences from legacy SCAP integration

| Legacy integration | Enhanced integration (beta) |
|---|---|
| SCAP content files must exist on the managed system beforehand | SCAP content is transferred automatically from the server to the managed system at scan time |
| No centralized content management | Upload and manage SCAP content centrally via the Web UI |
| No tailoring file management | Dedicated UI for uploading and managing tailoring files |
| Scans are configured individually each time | Reusable SCAP policies combine content, profiles, and tailoring files |
| No built-in remediation | Apply remediation directly from scan results, or define custom remediation scripts |
| No recurring scan support tied to policies | Schedule recurring scans linked to policies for ongoing compliance tracking |

4. SCAP content management

SCAP content files (DataStream and XCCDF) can be uploaded and managed centrally on the SUSE Multi-Linux Manager server.

4.1. Upload SCAP content

Procedure: Uploading SCAP content
  1. Navigate to Audit > OpenSCAP > SCAP Content.

  2. Click Create.

  3. Provide a Name and optional Description.

  4. Upload the files:

    • DataStream file: The filename must end with -ds.xml.

    • XCCDF file: The filename must end with -xccdf.xml.

    • Both files must share the same base name (for example, ssg-sle15-ds.xml and ssg-sle15-xccdf.xml).

  5. Click Submit.

Uploaded files are stored on the server at /srv/susemanager/scap/ssg/content/.
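
The naming rules from step 4 can be checked before uploading. The following is an added example, not part of the product or its documentation: the function name check_scap_pair and the content heuristic (looking for the data-stream-collection and Benchmark root elements) are assumptions of this sketch, and it does not perform schema validation.

```sh
#!/bin/sh
# Added example: pre-upload check for a DataStream/XCCDF pair.
# check_scap_pair DS_FILE XCCDF_FILE
#   returns 0 if the pair looks uploadable,
#           1 on a naming or missing-file problem,
#           2 if the file contents look swapped or wrong.
check_scap_pair() {
    ds=$1; xccdf=$2
    ds_name=${ds##*/}; xc_name=${xccdf##*/}

    case $ds_name in
        *-ds.xml) ;;
        *) echo "DataStream name must end with -ds.xml: $ds_name" >&2; return 1 ;;
    esac
    case $xc_name in
        *-xccdf.xml) ;;
        *) echo "XCCDF name must end with -xccdf.xml: $xc_name" >&2; return 1 ;;
    esac
    if [ "${ds_name%-ds.xml}" != "${xc_name%-xccdf.xml}" ]; then
        echo "base names differ: ${ds_name%-ds.xml} vs ${xc_name%-xccdf.xml}" >&2
        return 1
    fi
    [ -s "$ds" ] && [ -s "$xccdf" ] || { echo "file missing or empty" >&2; return 1; }

    # Heuristic only: a source DataStream has a data-stream-collection root,
    # a stand-alone XCCDF file has a Benchmark root and no collection element.
    if ! grep -q 'data-stream-collection' "$ds"; then
        echo "$ds_name does not look like a DataStream" >&2; return 2
    fi
    if grep -q 'data-stream-collection' "$xccdf" ||
       ! grep -Eq '<([A-Za-z0-9_.-]+:)?Benchmark([[:space:]>]|$)' "$xccdf"; then
        echo "$xc_name does not look like an XCCDF benchmark" >&2; return 2
    fi
    return 0
}

# Stand-alone use: sh check.sh ssg-sle15-ds.xml ssg-sle15-xccdf.xml
[ "$#" -eq 0 ] || check_scap_pair "$1" "$2"
```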

4.2. Edit and delete SCAP content

Procedure: Editing and deleting SCAP content
  1. Go to Audit > OpenSCAP > SCAP Content.

  2. Click a content entry to edit its name, description, or replace the uploaded files.

  3. Select one or more entries and click Delete to remove them.

Deleting SCAP content that is referenced by a policy will break that policy. Ensure no active policies depend on the content before deleting it.

4.3. OVAL files

Due to the large size of OVAL (Open Vulnerability and Assessment Language) files, they are not transferred automatically from the server to the managed system. If your SCAP evaluation requires OVAL files, you must ensure they are already present on the managed system before scheduling the scan.

You can specify OVAL file paths when creating a SCAP policy.
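
Because OVAL files are not staged by the server, it helps to confirm on the managed system that every path you intend to put in the policy's OVAL Files field is present before scheduling the scan. The following is an added example, not part of the product: the function name missing_oval_files is an assumption, and it takes the same comma-separated list that the policy field expects.

```sh
#!/bin/sh
# Added example: pre-flight check for OVAL files on a managed system.
# missing_oval_files "PATH1, PATH2, ..."
#   prints every listed path that is absent, unreadable or empty;
#   returns 0 only when all listed files are usable.
missing_oval_files() {
    list=$1
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                      # no glob expansion while splitting the list
    for p in $list; do
        # Trim whitespace around each entry ("a.xml, b.xml" is common input).
        p=$(printf '%s' "$p" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$p" ] || continue
        if [ ! -f "$p" ] || [ ! -r "$p" ] || [ ! -s "$p" ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    set +f
    IFS=$old_ifs
    return "$rc"
}

# Stand-alone use: sh oval-preflight.sh "/path/one.xml,/path/two.xml"
[ "$#" -eq 0 ] || missing_oval_files "$1"
```

A non-zero exit status with the list of missing paths on standard output makes the check easy to run across many systems before the first policy scan.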

5. Tailoring file management

SCAP tailoring files allow you to customize the behavior of an SCAP profile without modifying the original content. The enhanced integration provides a dedicated interface for managing tailoring files.

Tailoring files are scoped per organization. Each organization manages its own set of tailoring files independently.

5.1. Upload a tailoring file

Procedure: Uploading a tailoring file
  1. Navigate to Audit > OpenSCAP > Tailoring Files.

  2. Click Create.

  3. Provide a Name and optional Description.

  4. Upload the tailoring file (XML format).

  5. Click Submit.

Tailoring files are stored on the server at /srv/susemanager/scap/tailoring-files/.

5.2. Editing and deleting tailoring files

Procedure: Edit and delete tailoring files
  1. Navigate to Audit > OpenSCAP > Tailoring Files list.

  2. Click a tailoring file entry to edit its name, description, or replace the file.

  3. Select one or more entries and click Delete to remove them.

6. SCAP policies

SCAP policies define a reusable combination of SCAP content, a specific profile, and an optional tailoring file. Policies simplify the process of scheduling consistent compliance scans across your infrastructure.

6.1. Creating a policy

Procedure: Creating a policy
  1. Navigate to Audit > OpenSCAP > SCAP Policies.

  2. Click Create.

  3. Fill in the policy details:

    • Policy Name: A unique name for the policy within your organization.

    • Description: An optional description of the policy’s purpose.

    • SCAP Content: Select from the uploaded SCAP content.

    • XCCDF Profile: Select a profile from the chosen SCAP content. The list of available profiles is loaded dynamically from the content file.

    • Tailoring File: (Optional) Select a tailoring file to customize the selected profile.

    • Tailoring Profile: (Optional) If a tailoring file is selected, choose a profile from the tailoring file.

    • OVAL Files: (Optional) Comma-separated list of OVAL file paths that must exist on the managed system.

    • Advanced Arguments: (Optional) Additional oscap command-line arguments (for example, --fetch-remote-resources).

    • Fetch Remote Resources: (Optional) Enable to allow oscap to download remote XCCDF resources during evaluation.

  4. Click Submit.

6.2. Policy details and scan history

Click on a policy name in the list to view its details, including:

  • The associated SCAP content, profile, and tailoring file.

  • A scan history showing all scans that were executed using this policy, with compliance results.

6.3. Edit and delete policies

Procedure: Editing and deleting policies
  1. Navigate to Audit > OpenSCAP > SCAP Policies list.

  2. Click the edit icon to modify a policy.

  3. Select one or more policies and click Delete to remove them.

7. Schedule SCAP scans

7.1. Scheduling a scan for a single system

Procedure: Scheduling a scan for a single system
  1. Navigate to Systems > System Details > Audit > OpenSCAP > Schedule.

  2. Select a SCAP Policy to use for the scan.

  3. Choose the scan schedule:

    • Run now: Execute the scan immediately.

    • Schedule for later: Pick a specific date and time.

  4. Click Schedule.

7.2. Schedule scans for multiple systems (SSM)

Procedure: Scheduling scans for multiple systems (SSM)
  1. Add the target systems to the System Set Manager (SSM).

  2. Navigate to Systems > System Set Manager > Audit > Schedule.

  3. Select a SCAP Policy.

  4. Choose the scan schedule.

  5. Click Schedule.

7.3. Recurring scans

SCAP policies can be scheduled as recurring actions, enabling automated compliance monitoring.

To set up a recurring scan, follow this procedure:

Procedure: Setting up a recurring scan
  1. Navigate to the recurring actions configuration for a system or system group.

  2. Select SCAP Policy Scan as the action type.

  3. Choose the SCAP policy to apply.

  4. Configure the recurrence schedule (for example, daily, weekly).

  5. Optionally enable Test Mode to simulate the scan without applying changes.

Recurring scans are linked to the selected SCAP policy. If you update the policy (for example, change the profile), future recurring scans will use the updated configuration.

8. How scans work

When a scan is scheduled with the enhanced (beta) SCAP integration:

  1. The SUSE Multi-Linux Manager server transfers the required SCAP content files (DataStream and XCCDF) from the server to the managed system using Salt’s file management.

  2. If a tailoring file is associated with the policy, it is also transferred.

  3. The oscap tool is executed on the managed system with the appropriate parameters (profile, rules, tailoring, etc.).

  4. Scan results (results.xml and report.html) are collected from the managed system and stored on the server.

  5. Results are available for review in the Web UI under the system’s audit section.

Files are transferred to /var/cache/salt/minion/scap/ on the managed system.

OVAL files are not transferred automatically due to their large size. If your scan requires OVAL files, they must be present on the managed system before the scan runs.

9. Remediation

The enhanced SCAP integration allows you to apply remediation actions directly from scan results to fix non-compliant rules.

9.1. Remediation from scan results

After reviewing scan results, you can apply remediation for individual rules that have failed.

Procedure: Applying remediation from scan results
  1. Navigate to a completed scan’s results.

  2. Identify the non-compliant rule.

  3. Click the remediation action to apply the fix.

Remediation can be applied in two ways:

  • Bash remediation: A shell script is executed on the managed system as root. The script is derived from the SCAP content’s built-in fix elements.

  • Salt remediation: A Salt state is applied to the managed system. This uses the scap_beta.remediation Salt state with the remediation content passed as pillar data.

9.2. Custom remediation

If the built-in remediation from the SCAP content is insufficient or you need to tailor the fix for your environment, you can define custom remediation scripts.

Custom remediation is scoped per organization and per rule.

To save a custom remediation, follow these steps:

Procedure: Saving a custom remediation
  1. Navigate to the rule’s remediation view.

  2. Choose the script type:

    • Bash: A custom shell script.

    • Salt: A custom Salt state definition.

  3. Enter or modify the remediation script.

  4. Click Save.

Custom remediation overrides the default remediation from the SCAP content for the specific rule within your organization.

Custom remediation includes an audit trail. The system tracks which user created and last modified each custom remediation script.
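
Since Bash remediation runs as root on the managed system, a custom script should be safe to apply more than once and should never leave a half-written configuration file behind. The following is an added example, not product code or SCAP content: the rule it fixes (requiring PermitRootLogin no in the sshd configuration) and the function name set_sshd_option are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not product code): custom Bash remediation for a
# hypothetical rule that requires "PermitRootLogin no" in sshd_config.

# set_sshd_option FILE KEY VALUE
#   prints "changed" or "unchanged"; returns 2 on error.
#   Safe to re-run: the file is rewritten only when its content would differ.
set_sshd_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Temp file beside the target so the final mv is an atomic rename;
    # cp -p carries over the mode and ownership of the original.
    tmp=$(mktemp "$file.XXXXXX") || return 2
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 2; }

    # Desired content: the setting on the first line (sshd uses the first
    # value it reads for a keyword), then the original minus every active
    # line for that keyword. Commented-out lines are left untouched.
    {
        printf '%s %s\n' "$key" "$value"
        grep -Eiv "^[[:space:]]*${key}([[:space:]=]|\$)" "$file" || true
    } > "$tmp"

    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    # Keep a backup of the previous state before swapping the file in.
    cp -p "$file" "$file.bak" && mv "$tmp" "$file" || { rm -f "$tmp"; return 2; }
    echo changed
}

# When saved as the remediation script, end with the actual call, e.g.:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
```

The function does not account for Include directives or Match blocks that set the same keyword elsewhere, and it does not reload sshd; add both to the script if your configuration needs them.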

9.3. Deleting custom remediation

You can delete a custom remediation to revert to the default remediation provided by the SCAP content.

Navigate to the custom remediation view and click Delete for the specific script type.

10. Navigation reference

When the beta feature is enabled, the following menu entries are available:

| Menu path | Description |
|---|---|
| Audit > OpenSCAP > All Scans | View all SCAP scan results (available with or without beta). |
| Audit > OpenSCAP > SCAP Policies | Create and manage reusable SCAP policies. (beta only) |
| Audit > OpenSCAP > SCAP Content | Upload and manage SCAP DataStream and XCCDF files. (beta only) |
| Audit > OpenSCAP > Tailoring Files | Upload and manage SCAP tailoring files. (beta only) |
| Audit > OpenSCAP > XCCDF Diff | Compare two SCAP scan results (available with or without beta). |
| Audit > OpenSCAP > Advanced Search | Search across all SCAP scan results (available with or without beta). |
| Systems > System Details > Audit > OpenSCAP > Schedule | Schedule a SCAP scan for a single system (uses the new policy-based UI when beta is enabled). |
| Systems > SSM > Audit > Schedule | Schedule SCAP scans for multiple systems (uses the new policy-based UI when beta is enabled). |

11. Workflow example

The following example demonstrates a typical workflow using the enhanced SCAP features:

  1. Enable beta features in your user preferences.

  2. Upload SCAP content:

    Navigate to Audit > OpenSCAP > SCAP Content and upload the SCAP Security Guide DataStream and XCCDF files (for example, ssg-sle15-ds.xml and ssg-sle15-xccdf.xml).

  3. Upload a tailoring file (optional):

    Navigate to Audit > OpenSCAP > Tailoring Files and upload a tailoring file if you need to customize a profile.

  4. Create a SCAP policy:

    Navigate to Audit > OpenSCAP > SCAP Policies and create a policy that references the uploaded content, selects a profile (for example, CIS Benchmark Level 1), and optionally includes the tailoring file.

  5. Schedule a scan:

    Navigate to a system’s Audit > OpenSCAP > Schedule tab, select the policy, and schedule the scan.

  6. Review results:

    After the scan completes, review the results under the system’s Audit > OpenSCAP > List Scans tab.

  7. Apply remediation:

    For any non-compliant rules, apply the built-in remediation or define custom remediation scripts tailored to your environment.

  8. Set up recurring scans:

    Configure recurring scans using the SCAP policy to maintain ongoing compliance monitoring.