Install OpenSCAP on Rocky Linux

This article will go through how to install OpenSCAP on Rocky Linux. The auditing tool OpenSCAP uses the XCCDF (Extensible Configuration Checklist Description Format) to define security checklists, a standard for conveying checklist content. Additionally, it connects with additional specifications like CPE, CCE, and OVAL to produce a SCAP-expressed checklist that SCAP-validated products can process.

How to Install OpenSCAP on Rocky Linux

  • Update your system packages using the command below.
sudo dnf update
  • Then install OpenSCAP and SCAP security guide using the following command.
sudo dnf install openscap-scanner scap-security-guide

Sample output

Dependencies resolved.
=====================================================================
 Package             Arch   Version                  Repo       Size
=====================================================================
Installing:
 openscap-scanner    x86_64 1:1.3.6-3.el9.rocky.0.1  appstream  63 k
 scap-security-guide noarch 0.1.60-6.el9_0.rocky.0.3 appstream 1.2 M
Installing dependencies:
 openscap            x86_64 1:1.3.6-3.el9.rocky.0.1  appstream 1.9 M

Transaction Summary
=====================================================================
Install  3 Packages

Total download size: 3.2 M
Installed size: 119 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): openscap-scanner-1.3.6-3.el9.  16 kB/s |  63 kB     00:03    
(2/3): scap-security-guide-0.1.60-6. 102 kB/s | 1.2 MB     00:12    
(3/3): openscap-1.3.6-3.el9.rocky.0. 121 kB/s | 1.9 MB     00:15    
---------------------------------------------------------------------
Total                                171 kB/s | 3.2 MB     00:18     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                             1/1 
  Installing       : openscap-1:1.3.6-3.el9.rocky.0.1.x86_64     1/3 
  Installing       : openscap-scanner-1:1.3.6-3.el9.rocky.0.1.   2/3 
  Installing       : scap-security-guide-0.1.60-6.el9_0.rocky.   3/3 
  Running scriptlet: scap-security-guide-0.1.60-6.el9_0.rocky.   3/3 
  Verifying        : openscap-scanner-1:1.3.6-3.el9.rocky.0.1.   1/3 
  Verifying        : openscap-1:1.3.6-3.el9.rocky.0.1.x86_64     2/3 
  Verifying        : scap-security-guide-0.1.60-6.el9_0.rocky.   3/3 

Installed:
  openscap-1:1.3.6-3.el9.rocky.0.1.x86_64                            
  openscap-scanner-1:1.3.6-3.el9.rocky.0.1.x86_64                    
  scap-security-guide-0.1.60-6.el9_0.rocky.0.3.noarch                

Complete!
  • The SCAP security guide will be in the /usr/share/xml/scap/ssg/content directory after the installation. You can list it using the command below.
ls /usr/share/xml/scap/ssg/content/

Sample output

ssg-rhel9-ds.xml  ssg-rl9-ds.xml
  • To view the description run the following command with the guide name at the end e.g. ssg-rhel9-ds.xml or ssg-rl9-ds.xml
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Sample output

Document type: Source Data Stream
Imported: 2022-06-28T00:17:14

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
        Status: draft
        Generated: 2022-06-27
        Resolved: true
        Profiles:
            Title: ANSSI-BP-028 (enhanced)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
            Title: ANSSI-BP-028 (high)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
            Title: ANSSI-BP-028 (intermediary)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
            Title: ANSSI-BP-028 (minimal)
                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
            Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                Id: xccdf_org.ssgproject.content_profile_cis
            Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
            Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
            Title: [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
            Title: [DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
            Title: Australian Cyber Security Centre (ACSC) Essential Eight
                Id: xccdf_org.ssgproject.content_profile_e8
            Title: Health Insurance Portability and Accountability Act (HIPAA)
                Id: xccdf_org.ssgproject.content_profile_hipaa
            Title: Australian Cyber Security Centre (ACSC) ISM Official
                Id: xccdf_org.ssgproject.content_profile_ism_o
            Title: [DRAFT] Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig
            Title: [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
                Id: xccdf_org.ssgproject.content_profile_stig_gui
        Referenced check files:
            ssg-rhel9-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel9-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
    Ref-Id: scap_org.open-scap_cref_--builddir--build--BUILD--scap-security-guide-0.1.60--build--ssg-rhel9-cpe-oval.xml
    Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_--builddir--build--BUILD--scap-security-guide-0.1.60--build--ssg-rhel9-cpe-dictionary.xml
  • Next, scan Rocky Linux for any vulnerabilities, enter the profile and content to perform an audit.
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_ospp \
--results ssg-rhel9-ds.xml \
--report ssg-rhel9-ds.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Sample output

Downloading: https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2 ... ok
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-90843-4
Result  notapplicable

Title   Enable Dracut FIPS Module
Rule    xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Ident   CCE-86547-7
Result  notapplicable

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-88742-2
Result  notapplicable

Title   Install crypto-policies package
Rule    xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Ident   CCE-83442-4
Result  notapplicable

Title   Configure BIND to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Ident   CCE-83451-5
Result  notapplicable

Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  notapplicable

Title   Configure Kerberos to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Ident   CCE-83449-9
Result  notapplicable

Title   Configure Libreswan to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Ident   CCE-83446-5
Result  notapplicable

Title   Configure OpenSSL library to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Ident   CCE-83452-3
Result  notapplicable

Title   Configure SSH to use System Crypto Policy
Rule    xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Ident   CCE-83445-7
Result  notapplicable

Title   Ensure /home Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_home
Ident   CCE-83468-9
Result  notapplicable

Title   Ensure /var Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var
Ident   CCE-83466-3
Result  notapplicable

Title   Ensure /var/log Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log
Ident   CCE-90848-3
Result  notapplicable

Title   Ensure /var/log/audit Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Ident   CCE-90847-5
Result  notapplicable

Title   Ensure /var/tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_tmp
Ident   CCE-83487-9
Result  notapplicable

Title   Install sudo Package
Rule    xccdf_org.ssgproject.content_rule_package_sudo_installed
Ident   CCE-83523-1
Result  notapplicable

Title   Ensure gnutls-utils is installed
Rule    xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
Ident   CCE-83494-5
Result  notapplicable

Title   Install openscap-scanner Package
Rule    xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
Ident   CCE-83502-5
Result  notapplicable

Title   Install scap-security-guide Package
Rule    xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
Ident   CCE-83505-8
Result  notapplicable

Title   Install subscription-manager Package
Rule    xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
Ident   CCE-83506-6
Result  notapplicable

Title   Uninstall gssproxy Package
Rule    xccdf_org.ssgproject.content_rule_package_gssproxy_removed
Ident   CCE-83516-5
Result  notapplicable

Title   Uninstall iprutils Package
Rule    xccdf_org.ssgproject.content_rule_package_iprutils_removed
Ident   CCE-83519-9
Result  notapplicable

Title   Uninstall krb5-workstation Package
Rule    xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
Ident   CCE-83520-7
Result  notapplicable

Title   Install dnf-automatic Package
Rule    xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Ident   CCE-83454-9
Result  notapplicable

Title   Configure dnf-automatic to Install Available Updates Automatically
Rule    xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Ident   CCE-83456-4
Result  notapplicable

Title   Configure dnf-automatic to Install Only Security Updates
Rule    xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Ident   CCE-83461-4
Result  notapplicable

Title   Ensure gpgcheck Enabled In Main dnf Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Ident   CCE-83457-2
Result  notapplicable

Title   Ensure gpgcheck Enabled for Local Packages
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Ident   CCE-83463-0
Result  notapplicable
  • After scanning, you will get your system report generated in HTML in the home directory as specified in the oscap command above, double click to open it in the browser. Sample OpenSCAP Evaluation Report.
Install OpenSCAP on Rocky Linux
Install OpenSCAP on Rocky Linux
  • Under Compliance and Scoring, you will find recommendations for your system.
Install OpenSCAP on Rocky Linux
Install OpenSCAP on Rocky Linux
  • You can click to view more on a specific category.
Install OpenSCAP on Rocky Linux
Install OpenSCAP on Rocky Linux
  • Details about specific results.
Install OpenSCAP on Rocky Linux
Install OpenSCAP on Rocky Linux
  • You have made it to the end of our article, we have gone through how to install OpenSCAP on Rocky Linux.

Read more on OpenSCAP Documentation

Other Tutorials

Setup Nagios Passive Checks with NRDP

Install PostgreSQL on FreeBSD 13

Install PostgreSQL on Rocky Linux

System administrator | Software Developer | DevOps

1 thought on “Install OpenSCAP on Rocky Linux”

Leave a Comment