OpenSCAP — Compliance Scanning

Overview

OpenSCAP is the open standard for automated security compliance scanning. It evaluates a system against machine-readable SCAP (Security Content Automation Protocol) content — including CIS Benchmarks, DISA STIGs, PCI-DSS, HIPAA, and ANSSI profiles. Scan results are produced as detailed HTML and XML reports that map each test to a specific compliance requirement. Xloud Cloud Platform ships OpenSCAP tooling on XOS and supports fleet-wide compliance scanning via the XDeploy automation pipeline. Scan reports can be forwarded to SIEM systems or stored as audit artifacts for regulatory reviews.

Xloud-Developed — OpenSCAP is one of three independent scanners in the Xloud triple compliance system. XAVS runs SCA benchmarks, system audit, and SCAP profile scans in parallel across all nodes, providing layered compliance coverage. Results from all three scanners are aggregated in the Security Operations Dashboard.

Prerequisites

openscap-scanner and scap-security-guide packages installed (pre-installed on XOS nodes)
Guest VMs: apt install openscap-scanner ssg-debderived on Ubuntu/Debian
Root access on the target system
Target profile selected from the SCAP Security Guide (SSG)

Available Profiles

The SCAP Security Guide ships dozens of profiles for common compliance frameworks. Key profiles for Xloud environments:

Profile ID	Framework	Target
`xccdf_org.ssgproject.content_profile_cis_level1_server`	CIS Level 1	Ubuntu Server
`xccdf_org.ssgproject.content_profile_cis_level2_server`	CIS Level 2	Ubuntu Server
`xccdf_org.ssgproject.content_profile_pci-dss`	PCI-DSS v3.2.1	Ubuntu Server
`xccdf_org.ssgproject.content_profile_hipaa`	HIPAA	Ubuntu Server
`xccdf_org.ssgproject.content_profile_anssi_bp28_high`	ANSSI BP-028 HIGH	Ubuntu Server
`xccdf_org.ssgproject.content_profile_stig`	DISA STIG	RHEL-based

List all available profiles for your OS

oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml | grep "Profile:"

Run a Compliance Scan

Single Host
With Remediation
Fleet Scan (Ansible)

Identify the SCAP content file

Locate SSG content for Ubuntu 22.04

ls /usr/share/xml/scap/ssg/content/ | grep ubuntu22
# Output: ssg-ubuntu2204-ds.xml

Run the scan against a profile

Scan against CIS Level 1 Server profile

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results /tmp/results-cis-l1.xml \
  --report /tmp/report-cis-l1.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

The scan evaluates each rule and produces:

results-cis-l1.xml — machine-readable XCCDF results
report-cis-l1.html — human-readable HTML report

Review the HTML report

Copy the report to a location accessible from a browser:

Copy report to web-accessible path

cp /tmp/report-cis-l1.html /var/www/html/scap-report.html

The report shows each rule with a pass, fail, or not applicable result, linked to the compliance requirement ID and remediation guidance.

Check the score at the top of the report. A score above 80% indicates strong compliance posture for that profile.

OpenSCAP can generate an Ansible remediation playbook for all failing rules:

Generate remediation playbook

Generate Ansible remediation from scan results

oscap xccdf generate fix \
  --fix-type ansible \
  --output /tmp/remediation-cis-l1.yml \
  --result-id "" \
  /tmp/results-cis-l1.xml

Review and apply the playbook

Apply remediations

ansible-playbook /tmp/remediation-cis-l1.yml \
  -i localhost, --connection local \
  --become

Review the generated playbook before applying. Some remediations (e.g., disabling USB storage or changing kernel parameters) may affect running services. Apply during a maintenance window.

Re-scan to verify

Re-scan after remediation

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results /tmp/results-cis-l1-post.xml \
  --report /tmp/report-cis-l1-post.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Score should improve. Compare with the pre-remediation report to confirm fixes applied successfully.

Run OpenSCAP across all instances and collect reports centrally:

ansible/playbooks/openscap-scan.yml

---
- name: OpenSCAP compliance scan
  hosts: all
  become: true
  vars:
    scap_profile: xccdf_org.ssgproject.content_profile_cis_level1_server
    scap_content: /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
    report_dir: /var/log/scap

  tasks:
    - name: Install OpenSCAP and SSG
      apt:
        name:
          - openscap-scanner
          - ssg-debderived
        state: present
        update_cache: true

    - name: Create report directory
      file:
        path: "{{ report_dir }}"
        state: directory
        mode: "0750"

    - name: Run SCAP scan
      command: >
        oscap xccdf eval
        --profile {{ scap_profile }}
        --results {{ report_dir }}/results-{{ inventory_hostname }}.xml
        --report {{ report_dir }}/report-{{ inventory_hostname }}.html
        {{ scap_content }}
      register: scap_result
      failed_when: scap_result.rc > 2
      changed_when: false

    - name: Fetch results
      fetch:
        src: "{{ report_dir }}/results-{{ inventory_hostname }}.xml"
        dest: "scap-results/{{ inventory_hostname }}-results.xml"
        flat: true

Run the fleet scan

xavs-ansible run --playbook openscap-scan.yml

Interpreting Results

Each rule in the HTML report maps to a specific compliance control:

Result	Meaning	Action
Pass	System meets the requirement	No action needed
Fail	Requirement not met	Apply remediation
Not Applicable	Rule does not apply to this system	Document exemption
Not Checked	Rule requires manual verification	Perform manual check
Error	Scan could not evaluate the rule	Check for missing dependencies

Score Interpretation

Score Range	Compliance Posture
90–100%	Excellent — minimal gaps
80–89%	Good — a few controls need attention
70–79%	Moderate — hardening required before production
Below 70%	Poor — significant remediation needed

Scheduled Scanning

Run scans on a weekly schedule and archive results:

/etc/cron.weekly/openscap-scan

#!/bin/bash
DATE=$(date +%Y%m%d)
REPORT_DIR="/var/log/scap"
PROFILE="xccdf_org.ssgproject.content_profile_cis_level1_server"
CONTENT="/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml"

mkdir -p "$REPORT_DIR"

oscap xccdf eval \
  --profile "$PROFILE" \
  --results "$REPORT_DIR/results-$DATE.xml" \
  --report "$REPORT_DIR/report-$DATE.html" \
  "$CONTENT"

# Keep 90 days of reports
find "$REPORT_DIR" -name "*.xml" -mtime +90 -delete
find "$REPORT_DIR" -name "*.html" -mtime +90 -delete

chmod +x /etc/cron.weekly/openscap-scan

Profile Selection Guide

Which profile should I use?

Workload Type	Recommended Profile
General production VMs	CIS Level 1 Server
High-security workloads	CIS Level 2 Server
Payment card environments	PCI-DSS
Healthcare data	HIPAA
Government / defence	ANSSI BP-028 HIGH or DISA STIG
Development and staging	CIS Level 1 (relaxed enforcement)

Start with CIS Level 1 for all new deployments. Escalate to Level 2 or framework-specific profiles for regulated workloads.

Custom profile development

You can create tailored profiles by extending existing SSG content using SCAP Workbench or editing the XCCDF XML directly. Custom profiles allow you to:

Disable rules that conflict with your application requirements
Add organization-specific controls
Override severity levels for risk-accepted findings

Store custom profiles in /etc/scap/custom-profiles/ and reference them with --profile-id in scan commands.

Next Steps

Wazuh HIDS

Complement SCAP scans with continuous real-time host intrusion detection

Lynis Auditing

Run agentless OS security audits with hardening index scoring

Compliance Frameworks

Map SCAP results to SOC 2, ISO 27001, and HIPAA audit requirements

Hardening Guide

Apply baseline hardening before running compliance scans

Core Services

Other Services

OpenSCAP — Compliance Scanning

Overview

Available Profiles

Run a Compliance Scan

Identify the SCAP content file

Run the scan against a profile

Review the HTML report

Generate remediation playbook

Review and apply the playbook

Re-scan to verify

Interpreting Results

Score Interpretation

Scheduled Scanning

Profile Selection Guide

Next Steps

Wazuh HIDS

Lynis Auditing

Compliance Frameworks

Hardening Guide

Core Services

Other Services

​Overview

​Available Profiles

​Run a Compliance Scan

Identify the SCAP content file

Run the scan against a profile

Review the HTML report

Generate remediation playbook

Review and apply the playbook

Re-scan to verify

​Interpreting Results

​Score Interpretation

​Scheduled Scanning

​Profile Selection Guide

​Next Steps

Wazuh HIDS

Lynis Auditing

Compliance Frameworks

Hardening Guide

Overview

Available Profiles

Run a Compliance Scan

Interpreting Results

Score Interpretation

Scheduled Scanning

Profile Selection Guide

Next Steps