OpenSCAP Deep Dive
Platform: Linux | Binary: oscap | Type: NIST-certified SCAP scanner
Overview
OpenSCAP is the most standards-compliant tool in CISentinel's arsenal. It evaluates systems against XCCDF (Extensible Configuration Checklist Description Format) benchmarks using SCAP Security Guide (SSG) content.
How CISentinel Uses OpenSCAP
1. Content Discovery
CISentinel automatically finds the correct SSG datastream file for your OS:
/usr/share/xml/scap/ssg/content/
├── ssg-ubuntu1804-ds.xml
├── ssg-ubuntu2204-ds.xml
├── ssg-ubuntu2404-ds.xml
├── ssg-debian12-ds.xml
├── ssg-almalinux9-ds.xml
├── ssg-opensuse-ds.xml
└── ...
The LinuxWrapper.find_content_path() method searches for the matching content file based on the detected OS.
2. Scan Execution
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis_level1_server \
--results /path/to/results.xml \
--report /path/to/report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
3. Output Parsing
CISentinel parses the XML results to extract:
- rule-result elements with result='pass' or result='fail'
- Rule IDs and severity levels
- Total pass/fail counts for the summary table
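The parsing step above, as an added example that is not CISentinel's own parser: it runs over a constructed XCCDF result fragment, matches rule-result elements by local name so both the XCCDF 1.1 and 1.2 namespaces work, and reads the severity attribute that oscap records on each rule-result.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample of an oscap --results document (XCCDF 1.2 namespace), cut
# down to one TestResult; the rule IDs are placeholders, not a real scan.
SAMPLE_RESULTS_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_high" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_medium" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low" weight="1.000000">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>"""


def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 result files parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_xccdf_results(xml_text):
    """Return pass/fail totals, a Counter of every other result value
    (notapplicable, notchecked, error, ...) and the failing rules as
    (rule_id, severity) tuples sorted high severity first."""
    counts = Counter()
    failures = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        result_elem = next((c for c in elem if _local(c.tag) == "result"), None)
        result = result_elem.text.strip() if result_elem is not None and result_elem.text else "unknown"
        counts[result] += 1
        if result == "fail":
            failures.append((elem.get("idref"), elem.get("severity", "unknown")))
    order = {"high": 0, "medium": 1, "low": 2}
    failures.sort(key=lambda f: order.get(f[1], 3))
    return {
        "pass": counts["pass"],
        "fail": counts["fail"],
        "other": Counter({k: v for k, v in counts.items() if k not in ("pass", "fail")}),
        "failures": failures,
    }
```

Results other than pass and fail are kept separately so a benchmark with many notapplicable rules does not inflate the summary counts.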
Installation per Distro
| Distro | Packages | Package Manager |
|---|---|---|
| Ubuntu 18.04 | openscap-scanner, openscap-utils, libopenscap8, ssg-base, ssg-debderived | apt |
| Ubuntu 22.04 | openscap-scanner, openscap-utils, libopenscap8, ssg-base, ssg-debderived | apt |
| Ubuntu 24.04 | openscap-scanner, openscap-utils, ssg-base, ssg-debderived | apt |
| Debian 12 | openscap-utils, ssg-debderived, ssg-debian | apt |
| Debian 11 | ❌ Unavailable in default repos | — |
| AlmaLinux 9 | openscap-scanner, scap-security-guide | dnf |
| openSUSE 15 | openscap-utils, scap-security-guide | zypper |
| Kali Linux | openscap-utils, ssg-debderived | apt |
Verification
CISentinel verifies OpenSCAP differently from other tools — it doesn't just check that oscap exists, it also verifies that SSG content is available:
# From core/tool_manager.py
if tool_name == "openscap":
    content_path = wrapper.find_content_path()
    if content_path:
        return True   # Both binary and content present
    else:
        return False  # Binary exists but no content
Output Artifacts
| Artifact | Format | Location |
|---|---|---|
| Results XML | XCCDF ARF | ~/.cis-sentinel/reports/<scan_id>/openscap_results.xml |
| HTML Report | HTML | ~/.cis-sentinel/reports/<scan_id>/openscap_report.html |
| Stdout | Text | Captured and displayed in CLI/GUI |
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| No SSG content found | Packages not installed | sudo cis-hardening-tool tools install openscap --yes |
| Profile not found | Wrong SSG version for OS | Check /usr/share/xml/scap/ssg/content/ for available files |
| Debian 11 failure | Not in default repos | Use Lynis or CIS-CAT instead |