Tool Support Matrix and Installation Strategy
Supported tools by platform
| Tool | Linux | Windows | Install mechanism |
|---|---|---|---|
| OpenSCAP | ✅ | ❌ | distro package manager |
| Lynis | ✅ | ❌ | distro package manager |
| USG | ✅ (Ubuntu only) | ❌ | ubuntu-advantage-tools + entitlement |
| CIS-CAT Lite | ✅ | ✅ | download + extract (+ Java prerequisite) |
| HardeningKitty | ❌ | ✅ | download PowerShell module |
| Microsoft SCT (LGPO) | ❌ | ✅ | manual/integrator-provided |
Linux package mapping behavior
Diagram source: tool-install-decision.mmd
Defined in `core/tools_config.py`:
- OpenSCAP mappings by distro/version (`PACKAGE_MAPPINGS`)
- unsupported-version guard (e.g., Debian 11 for OpenSCAP)
- distro-scoped tool applicability (`supported_distros`, e.g., USG on Ubuntu)
Installer behavior (`core/tool_manager.py`):
- Detects package manager from host
- Chooses package list using exact distro-version, then distro fallback
- Attempts per-package install with continue-on-error
- Verifies binary/functional status where configured
- Skips unsupported distro/version cleanly with informative logs
Linux distro/version behavior (current tested policy)
| Distro | OpenSCAP | Lynis | CIS-CAT | USG |
|---|---|---|---|---|
| Ubuntu 18.04 | ✅ (libopenscap8 + SSG packages) | ✅ | ✅ | ⚠ package path only; entitlement may still block binary |
| Ubuntu 22.04 | ✅ (libopenscap8) | ✅ | ✅ | ⚠ package path only; entitlement may still block binary |
| Ubuntu 24.04 | ✅ (libopenscap8) | ✅ | ✅ | ⚠ package path only; entitlement may still block binary |
| Debian 12 | ✅ (openscap-utils + ssg-*) | ✅ | ✅ | ❌ (not supported) |
| AlmaLinux 9 | ✅ (openscap-scanner + scap-security-guide) | ✅ | ✅ | ❌ |
| OpenSUSE 15 | ✅ (openscap-utils + scap-security-guide) | ✅ | ✅ | ❌ |
Note: Debian 11 OpenSCAP packages are not available in default repos; this is explicitly guarded as unsupported in installer logic.
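
The resolution order described above (applicability check, unsupported-version guard, exact distro-version match, then distro fallback), as an added example that is not the project's own code. The dictionary layout, the function name `resolve_packages`, the `debian` fallback entry and `ssg-base` as a stand-in for the "SSG packages" in the table are assumptions.

```python
from typing import List, Optional, Tuple

# Hypothetical layout; the project's real tables live in core/tools_config.py.
# Keys are "distro-version" (exact) or "distro" (fallback).
PACKAGE_MAPPINGS = {
    "openscap": {
        "ubuntu": ["libopenscap8"],
        "ubuntu-18.04": ["libopenscap8", "ssg-base"],  # ssg-base: assumed stand-in
        "debian": ["openscap-utils"],                   # assumed fallback entry
        "almalinux-9": ["openscap-scanner", "scap-security-guide"],
    },
    "usg": {"ubuntu": ["ubuntu-advantage-tools"]},
}
UNSUPPORTED_VERSIONS = {"openscap": {"debian-11"}}  # guard named on the page
SUPPORTED_DISTROS = {"usg": {"ubuntu"}}             # distro-scoped applicability


def resolve_packages(tool: str, distro: str, version: str) -> Tuple[Optional[List[str]], str]:
    """Return (packages, reason); packages is None when the tool is skipped."""
    key = f"{distro}-{version}"
    allowed = SUPPORTED_DISTROS.get(tool)
    if allowed is not None and distro not in allowed:
        return None, f"{tool} does not apply to {distro}"
    # Guard runs before any lookup: otherwise debian-11 would silently
    # inherit the "debian" fallback and attempt installs that cannot succeed.
    if key in UNSUPPORTED_VERSIONS.get(tool, set()):
        return None, f"{tool} is unsupported on {key}"
    mapping = PACKAGE_MAPPINGS.get(tool, {})
    if key in mapping:
        return mapping[key], f"exact match {key}"
    if distro in mapping:
        return mapping[distro], f"distro fallback {distro}"
    return None, f"no mapping for {tool} on {key}"


if __name__ == "__main__":
    # Constructed sample hosts.
    for host in [("openscap", "ubuntu", "24.04"), ("openscap", "ubuntu", "18.04"),
                 ("openscap", "debian", "11"), ("usg", "debian", "12")]:
        packages, reason = resolve_packages(*host)
        print(host, "->", packages if packages else "SKIP", f"({reason})")
```

Returning the reason alongside the result gives the installer something concrete to log when it skips a host, so a missing scanner shows up as an explicit skip rather than as an absent report.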
Windows prerequisites
For `ciscat`, Java is required; the tool install path now handles this:
- checks for an existing `java` in `PATH`
- checks common install directories
- attempts install via `winget`, with `choco` as fallback
Expected caveats
- `usg` may still be unavailable after package install if Ubuntu Pro is not enabled.
- SCAP content availability differs by distribution repository state.
- CIS-CAT benchmark matching depends on available benchmark files in extracted package.