
# OpenSCAP

> Scan Xloud virtual machines and host nodes against CIS Benchmarks, DISA STIGs, and PCI-DSS profiles using OpenSCAP and the SCAP Security Guide.

## Overview

OpenSCAP is the open standard for automated security compliance scanning. It evaluates your system against machine-readable SCAP (Security Content Automation Protocol) content — including CIS Benchmarks, DISA STIGs, PCI-DSS, HIPAA, and ANSSI profiles. Each scan produces detailed HTML and XML reports that map every test to a specific compliance requirement.

Xloud Platform ships OpenSCAP tooling on XOS and supports fleet-wide compliance scanning via the XDeploy automation pipeline. You can forward scan reports to SIEM systems or store them as audit artifacts for regulatory reviews.

<Info>**Xloud-Developed** — OpenSCAP is one of three independent scanners in [Xloud SIEM](/security/xloud-siem) — Wazuh, Lynis, and OpenSCAP run in parallel across all nodes for layered compliance coverage. Results are aggregated on the **Security Posture** page in Monitor Center.</Info>

<Note>
  **Prerequisites**

  * `openscap-scanner` and `scap-security-guide` packages installed (pre-installed on XOS nodes)
  * Guest VMs: `apt install openscap-scanner ssg-debderived` on Ubuntu/Debian
  * Root access on the target system
  * Target profile selected from the SCAP Security Guide (SSG)
</Note>

***

## Available Profiles

The SCAP Security Guide ships dozens of profiles for common compliance frameworks. Key profiles for Xloud environments:

| Profile ID                                               | Framework         | Target        |
| -------------------------------------------------------- | ----------------- | ------------- |
| `xccdf_org.ssgproject.content_profile_cis_level1_server` | CIS Level 1       | Ubuntu Server |
| `xccdf_org.ssgproject.content_profile_cis_level2_server` | CIS Level 2       | Ubuntu Server |
| `xccdf_org.ssgproject.content_profile_pci-dss`           | PCI-DSS v3.2.1    | Ubuntu Server |
| `xccdf_org.ssgproject.content_profile_hipaa`             | HIPAA             | Ubuntu Server |
| `xccdf_org.ssgproject.content_profile_anssi_bp28_high`   | ANSSI BP-028 HIGH | Ubuntu Server |
| `xccdf_org.ssgproject.content_profile_stig`              | DISA STIG         | RHEL-based    |

```bash title="List all available profiles for your OS" theme={null}
oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml | grep "Profile:"
```

***

## Run a Compliance Scan

<Tabs>
  <Tab title="Single Host" icon="terminal">
    <Steps titleSize="h3">
      <Step title="Identify the SCAP content file" icon="file">
        ```bash title="Locate SSG content for Ubuntu 22.04" theme={null}
        ls /usr/share/xml/scap/ssg/content/ | grep ubuntu22
        # Output: ssg-ubuntu2204-ds.xml
        ```
      </Step>

      <Step title="Run the scan against a profile" icon="play">
        ```bash title="Scan against CIS Level 1 Server profile" theme={null}
        oscap xccdf eval \
          --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
          --results /tmp/results-cis-l1.xml \
          --report /tmp/report-cis-l1.html \
          /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
        ```

        The scan evaluates each rule and produces:

        * `results-cis-l1.xml` — machine-readable XCCDF results
        * `report-cis-l1.html` — human-readable HTML report
      </Step>

      <Step title="Review the HTML report" icon="eye">
        Copy the report to a location accessible from a browser:

        ```bash title="Copy report to web-accessible path" theme={null}
        cp /tmp/report-cis-l1.html /var/www/html/scap-report.html
        ```

        The report shows each rule with a **pass**, **fail**, or **not applicable** result, linked to the compliance requirement ID and remediation guidance.

        <Check>Check the score at the top of the report. A score above 80% indicates strong compliance posture for that profile.</Check>
      </Step>
    </Steps>
  </Tab>

  <Tab title="With Remediation" icon="wrench">
    OpenSCAP can generate an Ansible remediation playbook for all failing rules:

    <Steps titleSize="h3">
      <Step title="Generate remediation playbook" icon="layers">
        ```bash title="Generate Ansible remediation from scan results" theme={null}
        oscap xccdf generate fix \
          --fix-type ansible \
          --output /tmp/remediation-cis-l1.yml \
          --result-id "" \
          /tmp/results-cis-l1.xml
        ```
      </Step>

      <Step title="Review and apply the playbook" icon="play">
        ```bash title="Apply remediations" theme={null}
        ansible-playbook /tmp/remediation-cis-l1.yml \
          -i localhost, --connection local \
          --become
        ```

        <Warning>
          Review the generated playbook before applying. Some remediations (e.g., disabling USB storage or changing kernel parameters) may affect running services. Apply during a maintenance window.
        </Warning>
      </Step>

      <Step title="Re-scan to verify" icon="refresh-cw">
        ```bash title="Re-scan after remediation" theme={null}
        oscap xccdf eval \
          --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
          --results /tmp/results-cis-l1-post.xml \
          --report /tmp/report-cis-l1-post.html \
          /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
        ```

        <Check>Score should improve. Compare with the pre-remediation report to confirm fixes applied successfully.</Check>
      </Step>
    </Steps>
  </Tab>

  <Tab title="Fleet Scan (Ansible)" icon="layers">
    Run OpenSCAP across all instances and collect reports centrally:

    ```yaml title="ansible/playbooks/openscap-scan.yml" theme={null}
    ---
    - name: OpenSCAP compliance scan
      hosts: all
      become: true
      vars:
        scap_profile: xccdf_org.ssgproject.content_profile_cis_level1_server
        scap_content: /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
        report_dir: /var/log/scap

      tasks:
        - name: Install OpenSCAP and SSG
          apt:
            name:
              - openscap-scanner
              - ssg-debderived
            state: present
            update_cache: true

        - name: Create report directory
          file:
            path: "{{ report_dir }}"
            state: directory
            mode: "0750"

        - name: Run SCAP scan
          command: >
            oscap xccdf eval
            --profile {{ scap_profile }}
            --results {{ report_dir }}/results-{{ inventory_hostname }}.xml
            --report {{ report_dir }}/report-{{ inventory_hostname }}.html
            {{ scap_content }}
          register: scap_result
          # oscap exits 0 when every rule passes, 2 when at least one rule fails
          # and 1 on a scanner error; rule failures are findings, not a play failure
          failed_when: scap_result.rc not in [0, 2]
          changed_when: false

        - name: Fetch results
          fetch:
            src: "{{ report_dir }}/results-{{ inventory_hostname }}.xml"
            dest: "scap-results/{{ inventory_hostname }}-results.xml"
            flat: true
    ```

    ```bash title="Run the fleet scan" theme={null}
    xavs-ansible run --playbook openscap-scan.yml
    ```
  </Tab>
</Tabs>

***

## Interpreting Results

Each rule in the HTML report maps to a specific compliance control:

| Result             | Meaning                            | Action                         |
| ------------------ | ---------------------------------- | ------------------------------ |
| **Pass**           | System meets the requirement       | No action needed               |
| **Fail**           | Requirement not met                | Apply remediation              |
| **Not Applicable** | Rule does not apply to this system | Document exemption             |
| **Not Checked**    | Rule requires manual verification  | Perform manual check           |
| **Error**          | Scan could not evaluate the rule   | Check for missing dependencies |

### Score Interpretation

| Score Range | Compliance Posture                              |
| ----------- | ----------------------------------------------- |
| 90–100%     | Excellent — minimal gaps                        |
| 80–89%      | Good — a few controls need attention            |
| 70–79%      | Moderate — hardening required before production |
| Below 70%   | Poor — significant remediation needed           |
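The result statuses and score buckets above can be read straight out of the XCCDF results file that `--results` writes, which is what you need when forwarding scans to a SIEM rather than opening the HTML report by hand. This is an added example, not Xloud tooling: it parses a constructed sample TestResult (rule IDs follow SSG naming, the outcomes are invented) and produces a flat JSON summary with counts per status, the failing rules with their severity, and the posture bucket from the table above.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
R = "xccdf_org.ssgproject.content_rule_"  # SSG rule-ID prefix

# Constructed sample in the shape oscap writes with --results: the Benchmark with
# a TestResult appended. Rule IDs mirror SSG naming; the outcomes are made up.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis_level1_server">
    <target>vm-example-01</target>
    <profile idref="xccdf_org.ssgproject.content_profile_cis_level1_server"/>
    <rule-result idref="{R}sshd_disable_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="{R}package_auditd_installed" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="{R}grub2_password" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="{R}accounts_password_pam_minlen" severity="low"><result>pass</result></rule-result>
    <rule-result idref="{R}kernel_module_usb-storage_disabled" severity="medium"><result>notselected</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""

def posture(score):
    """Bucket a score using the thresholds in the Score Interpretation table."""
    return "Excellent" if score >= 90 else "Good" if score >= 80 else "Moderate" if score >= 70 else "Poor"

def summarize(xml_text):
    """Flatten the most recent TestResult into a dict that can be shipped to a SIEM as JSON."""
    results = list(ET.fromstring(xml_text).iter(f"{XCCDF}TestResult"))
    if not results:
        raise ValueError("no TestResult element found")
    tr = results[-1]  # oscap appends one TestResult per run; the last is the newest
    counts, findings = Counter(), []
    for rr in tr.iter(f"{XCCDF}rule-result"):
        outcome = rr.findtext(f"{XCCDF}result")
        if outcome == "notselected":
            continue  # rule is not part of this profile, so it is neither a pass nor a finding
        counts[outcome] += 1
        if outcome in ("fail", "error"):
            findings.append({"rule": rr.get("idref"), "severity": rr.get("severity", "unknown"), "result": outcome})
    score = float(tr.findtext(f"{XCCDF}score", default="0"))
    return {"target": tr.findtext(f"{XCCDF}target"), "profile": tr.find(f"{XCCDF}profile").get("idref"),
            "score": score, "posture": posture(score), "counts": dict(counts), "findings": findings}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESULTS), indent=2))
```

Point `summarize` at `/var/log/scap/results-<host>.xml` from the fleet playbook to get one JSON document per node; the `findings` list is what a SIEM rule should alert on, filtered by severity.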

***

## Scheduled Scanning

Run scans on a weekly schedule and archive results:

```bash title="/etc/cron.weekly/openscap-scan" theme={null}
#!/bin/bash
DATE=$(date +%Y%m%d)
REPORT_DIR="/var/log/scap"
PROFILE="xccdf_org.ssgproject.content_profile_cis_level1_server"
CONTENT="/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml"

mkdir -p "$REPORT_DIR"

oscap xccdf eval \
  --profile "$PROFILE" \
  --results "$REPORT_DIR/results-$DATE.xml" \
  --report "$REPORT_DIR/report-$DATE.html" \
  "$CONTENT"
STATUS=$?
# Exit status 2 only means some rules failed (expected findings); 1 is a scanner
# error, so keep it as the script's exit status so cron reports it
[ "$STATUS" -eq 2 ] && STATUS=0

# Keep 90 days of reports
find "$REPORT_DIR" -name "*.xml" -mtime +90 -delete
find "$REPORT_DIR" -name "*.html" -mtime +90 -delete

exit "$STATUS"
```

```bash theme={null}
chmod +x /etc/cron.weekly/openscap-scan
```

***

## Profile Selection Guide

<AccordionGroup>
  <Accordion title="Which profile should I use?" icon="help-circle">
    | Workload Type                | Recommended Profile               |
    | ---------------------------- | --------------------------------- |
    | General production instances | CIS Level 1 Server                |
    | High-security workloads      | CIS Level 2 Server                |
    | Payment card environments    | PCI-DSS                           |
    | Healthcare data              | HIPAA                             |
    | Government / defense         | ANSSI BP-028 HIGH or DISA STIG    |
    | Development and staging      | CIS Level 1 (relaxed enforcement) |

    Start with CIS Level 1 for all new deployments. Escalate to Level 2 or framework-specific profiles for regulated workloads.
  </Accordion>

  <Accordion title="Custom profile development" icon="settings">
    You can create tailored profiles by extending existing SSG content using SCAP Workbench or editing the XCCDF XML directly. Custom profiles allow you to:

    * Disable rules that conflict with your application requirements
    * Add organization-specific controls
    * Override severity levels for risk-accepted findings

    Store custom profiles in `/etc/scap/custom-profiles/` and reference them with `--profile` in scan commands (a tailoring file produced by SCAP Workbench is passed with `--tailoring-file` alongside `--profile`).
  </Accordion>
</AccordionGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Xloud SIEM Overview" href="/security/xloud-siem" color="#197560">
    Back to the unified Xloud SIEM hub — Security Posture and Alerts dashboards
  </Card>

  <Card title="Wazuh HIDS" href="/security/wazuh" color="#197560">
    Complement SCAP scans with continuous real-time host intrusion detection
  </Card>

  <Card title="Lynis Auditing" href="/security/lynis" color="#197560">
    Run OS security audits with hardening index scoring
  </Card>

  <Card title="Compliance Frameworks" href="/security/compliance" color="#197560">
    Map SCAP results to SOC 2, ISO 27001, and HIPAA audit requirements
  </Card>
</CardGroup>
