Link Search Menu Expand Document

OpenSCAP Cheat Sheet


Get XCCDF ruleset infos

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

Use the printed profile names as input for --profile for xccdf eval runs

Output control

--report <file>          # For HTML table output
--results <file>         # For XML result output

XCCDF evaluation example

# Fedora
oscap xccdf eval \
    --report report.html \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \

# Redhat
oscap xccdf eval \
    --report report.html \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \

Evaluate and remediate

oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

Generate remediation shell script for review

oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_rht-ccp --output /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

OVAL evaluation example

For Ubuntu download USN feed

type="usn"         # or "cve" for more details
input="com.ubuntu.$(lsb_release -cs).${type}.oval.xml"
wget "${input}.bz2"
bunzip "${input}.bz2"

and check it with

oscap oval eval "${input}"


apt-get install libopenscap8       # Ubuntu + Debian
apt-get install ssg-debian         # Debian SSG profiles (for Ubuntu see next section)
yum install scap-security-guide    # Fedora/Redhat

Ubuntu Audit

For full Ubuntu server profiles “Ubuntu Advantage” subscription is required

ua status              # See status
ua enable cis          # Enable CIS auditing
ua audit <level>       # Perform scan, level is e.g. "server_level1"