Chapter 5. Scanning the system for configuration compliance


A compliance audit is a process of determining whether a given object follows all the rules specified in a compliance policy. The compliance policy is defined by security professionals who specify the required settings, often in the form of a checklist, that a computing environment should use.

Compliance policies can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of each system and its importance for the organization. Custom software settings and deployment characteristics also raise a need for custom policy checklists.

5.1. Configuration compliance tools in RHEL

You can perform a fully automated compliance audit in Red Hat Enterprise Linux by using the following set of configuration compliance tools. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

OpenSCAP

The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations. With oscap, you can scan systems to assess their alignment with security policies contained in scap-security-guide. You can also perform an automated remediation that configures the system into a state that is aligned with a selected policy.

Important

You can experience memory-consumption problems while using OpenSCAP, which can stop the program prematurely and prevent it from generating any result files. See the OpenSCAP memory-consumption problems Knowledgebase article for details.

SCAP Security Guide (SSG)
The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
Script Check Engine (SCE)
With SCE, which is an extension to the SCAP protocol, administrators can write their security content by using a scripting language, such as Bash, Python, or Ruby. The SCE extension is provided in the openscap-engine-sce package. The SCE itself is not part of the SCAP standard.

Alternatively, you can perform automated compliance audits on multiple systems remotely by using the OpenSCAP solution for Red Hat Satellite.

5.2. Configuration compliance scanning

To verify if your Red Hat Enterprise Linux systems adhere to a specific security baseline, such as industry standards or internal policies, you can perform a configuration compliance scan. With the tools provided for Red Hat Enterprise Linux, such as OpenSCAP and the SCAP Security Guide, you can scan local and remote systems, and also containers and container images.

5.2.1. Configuration compliance in RHEL

You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you are a payment processor, you might have to align your systems with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.

Follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.

The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.

Important

Performing a configuration compliance scan does not guarantee that the system is compliant.

The SCAP Security Guide suite provides profiles for several platforms in the form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules.

Structure of compliance scanning resources

Data stream
   ├── xccdf
   |      ├── benchmark
   |            ├── profile
   |            |    ├──rule reference
   |            |    └──variable
   |            ├── rule
   |                 ├── human readable data
   |                 ├── ocil reference
   ├── ocil          ├── cpe reference
   └── cpe           └── remediation

A profile is a set of rules based on a security policy, such as PCI-DSS and Health Insurance Portability and Accountability Act (HIPAA). After you select a profile, you can then perform an automated audit of the system for compliance with that profile.

You can also modify, or tailor, a profile to customize certain rules, for example, password length. For more information about profile tailoring, see Customizing a security profile with autotailor.

5.2.2. Possible results of an OpenSCAP scan

Depending on the data stream and profile applied to an OpenSCAP scan and the various properties of your system, each rule produces a specific result. These are the possible results with brief explanations of their meanings:

Pass
The scan did not find any conflicts with this rule.
Fail
The scan found a conflict with this rule.
Not checked
OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
Not applicable
This rule does not apply to the current configuration.
Not selected
This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
Error
The scan encountered an error. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat Customer Portal or open a ticket in the RHEL project in Red Hat Jira.
Unknown
The scan encountered an unexpected situation. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat Customer Portal or open a ticket in the RHEL project in Red Hat Jira.

Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions by using the oscap info subcommand.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with security compliance profiles provided by the SCAP Security Guide project:

    $ ls /usr/share/xml/scap/ssg/content/
    ssg-rhel10-ds.xml
  2. Display detailed information about a selected data stream by using the oscap info subcommand. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Profiles:
    …
      Title: Australian Cyber Security Centre (ACSC) ISM Official - Top Secret
        Id: xccdf_org.ssgproject.content_profile_ism_o_top_secret
      Title: PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10
        Id: xccdf_org.ssgproject.content_profile_pci-dss
      Title: Red Hat STIG for Red Hat Enterprise Linux 10
        Id: xccdf_org.ssgproject.content_profile_stig
    …
  3. Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the HIPAA profile is xccdf_org.ssgproject.content_profile_hipaa, and the value for the --profile option is hipaa:

    $ oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    …
    Profile
    	Title: Health Insurance Portability and Accountability Act (HIPAA)
    
    	Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
    …

You can determine whether your system or a remote system conforms to a specific baseline, and save the results in a report by using the oscap command-line tool.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.
  • You know the ID of the profile within the baseline with which the system should comply. To find the ID, see the Viewing profiles for configuration compliance section.

Procedure

  1. Scan the local system for compliance with the selected profile and save the scan results to a file:

    $ oscap xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.
  2. Optional: Scan a remote system for compliance with the selected profile and save the scan results to a file:

    $ oscap-ssh <username>@<hostname> <port> xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <username>@<hostname> with the user name and host name of the remote system.
    • <port> with the port number through which you can access the remote system.
    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

You can assess the compliance of your container or a container image with a specific security baseline, such as Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA).

Prerequisites

  • The openscap-utils and scap-security-guide packages are installed.
  • You have root access to the system.

Procedure

  1. Find the ID of a container or a container image:

    1. To find the ID of a container:

      # podman ps -a
    2. To find the ID of a container image:

      # podman images
  2. Evaluate the compliance of the container or container image with a profile and save the scan results into a file:

    # oscap-podman <ID> xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <ID> with the ID of your container or container image
    • <scan_report.html> with the file name where oscap saves the scan results
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa or pci-dss

Verification

  • Check the results in a browser of your choice, for example:

    $ firefox <scan_report.html> &
Note

The rules marked as notapplicable apply only to bare-metal and virtualized systems and not to containers or container images.

5.3. Configuration compliance remediation

To automatically align your system with a specific profile, you can perform a remediation. You can remediate the system to align with any profile provided by the SCAP Security Guide.

You can remediate the RHEL system to align with a specific baseline. You can remediate the system to align with any profile provided by the SCAP Security Guide.

For details on listing available profiles, see the Viewing profiles for configuration compliance section.

Warning

Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

Test the effects of the remediation before applying it on production systems.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. Remediate the system:

    # oscap xccdf eval --profile <profile_ID> --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

  2. Restart your system.

Verification

  1. Evaluate compliance of the system with the profile, and save the scan results to a file:

    $ oscap xccdf eval --report <scan_report.html> --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <scan_report.html> with the file name where oscap saves the scan results.
    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

You can remediate your system to align with a specific baseline by using an Ansible Playbook file from the SCAP Security Guide project. You can remediate to align with any profile provided by the SCAP Security Guide.

Warning

Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

Test the effects of the remediation before applying it on production systems.

Prerequisites

Procedure

  1. Remediate your system to align with a selected profile by using Ansible:

    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel10-playbook-<profile_ID>.yml

    The ANSIBLE_COLLECTIONS_PATH environment variable is necessary for the command to run the playbook.

    Replace <profile_ID> with the profile ID of the selected profile.

  2. Restart the system.

Verification

  • Evaluate the compliance of the system with the selected profile, and save the scan results to a file:

    # oscap xccdf eval --profile <profile_ID> --report <scan_report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <scan_report.html> with the file name where oscap saves the scan results.

You can create an Ansible Playbook that contains only the remediations that are required to align your system with a specific baseline. This playbook is smaller because it does not cover already satisfied requirements. Creating the playbook does not modify your system in any way, because you only prepare a file for later application.

Prerequisites

Procedure

  1. Scan the system and save the results:

    # oscap xccdf eval --profile <profile_ID> --results <profile_results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <profile_ID> with the profile ID with which the system should comply, for example, hipaa
    • <profile_results.xml> with the path to the file where oscap saves the results

  2. Find the value of the result ID in the file with the results:

    # oscap info <profile_results.xml>
  3. Generate an Ansible Playbook based on the file generated in step 1:

    # oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_<profile_ID> --output <profile_remediations.yml> <profile_results.xml>

    Replace <profile_remediations.yml> with the path to the file where oscap saves rules that failed the scan.

  4. Review the generated <profile_remediations.yml> file.
  5. Remediate your system to align with a selected profile by using Ansible:

    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -i "localhost," -c local <profile_remediations.yml>

    The ANSIBLE_COLLECTIONS_PATH environment variable is necessary for the command to run the playbook.

    Warning

    Remediations are supported on RHEL systems in the default configuration. Remediating a system that has been altered after installation might render the system nonfunctional or noncompliant with the required security profile. Red Hat does not provide any automated method to revert changes made by security-hardening remediations.

    Test the effects of the remediation before applying it on production systems.

Verification

  • Evaluate the compliance of the system with the selected profile, and save the scan results to a file:

    # oscap xccdf eval --profile <profile_ID> --report <scan_report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <scan_report.html> with the file name where oscap saves the scan results.
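The result kinds listed under Possible results of an OpenSCAP scan and the TestResult id that step 2 of this procedure reads out with oscap info both live in the results file written with --results. The following script is an added example, not code from the Red Hat documentation or from OpenSCAP: it parses such a results file, tallies the rules per result kind, lists the rules that still need attention, and assembles the generate fix step from the extracted id. The results document embedded in it is a constructed sample, not real scan output.

```python
"""Tally an oscap XCCDF results file and extract the TestResult id.

Added example (not Red Hat documentation or OpenSCAP code). Reads the file
written by `oscap xccdf eval --results <profile_results.xml>`, counts each
result kind the documentation describes, and builds the `generate fix` step.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Result kinds in the order the documentation lists them.
RESULT_KINDS = ("pass", "fail", "notchecked", "notapplicable",
                "notselected", "error", "unknown")
# Results that call for action: a failed check, a check to do by hand, or a
# scanner problem to investigate with `oscap ... --verbose DEVEL`.
NEEDS_ATTENTION = {"fail", "notchecked", "error", "unknown"}

# Constructed sample (not real scan output); the layout follows the XCCDF 1.2
# TestResult structure that oscap writes, with one rule per result kind.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-10">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa">
    <profile idref="xccdf_org.ssgproject.content_profile_hipaa"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_max_sessions"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return (test_result_id, profile_id, {rule_id: result}) from a results document."""
    root = ET.fromstring(xml_text)
    test_result = root if root.tag == f"{{{XCCDF_NS}}}TestResult" else root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    profile = test_result.find("x:profile", NS)
    profile_id = profile.get("idref") if profile is not None else None
    rules = {}
    for rr in test_result.findall("x:rule-result", NS):
        rules[rr.get("idref")] = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
    return test_result.get("id"), profile_id, rules


def tally(rules):
    """Count rules per result kind; every documented kind appears, even at zero."""
    counts = Counter(rules.values())
    return {kind: counts.get(kind, 0) for kind in RESULT_KINDS}


def needs_attention(rules):
    """Rule IDs whose result requires a fix, a manual check, or investigation."""
    return sorted(rule for rule, res in rules.items() if res in NEEDS_ATTENTION)


def short_id(full_id):
    """Strip the SSG namespace prefix: ..._profile_hipaa -> hipaa."""
    for marker in ("_profile_", "_rule_", "_value_"):
        if marker in full_id:
            return full_id.split(marker, 1)[1]
    return full_id


def generate_fix_command(results_path, test_result_id, output="profile_remediations.yml"):
    """Assemble the `oscap xccdf generate fix` step with the id taken from the results."""
    return ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
            "--result-id", test_result_id, "--output", output, results_path]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RESULTS
    tr_id, profile_id, rules = parse_results(text)
    print(f"profile {short_id(profile_id)}: " + ", ".join(f"{k}={n}" for k, n in tally(rules).items()))
    for rule in needs_attention(rules):
        print(f"  {rules[rule]:<13} {short_id(rule)}")
    print(" ".join(generate_fix_command(path or "<profile_results.xml>", tr_id)))
```

Run it with the path of a real <profile_results.xml> as its only argument; without an argument it processes the embedded sample.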

If you need your system to be compliant with a specific security profile, such as DISA STIG, CIS, or ANSSI, you can prepare a Kickstart file that defines the hardened configuration, customize the configuration with a tailoring file, and start an automated installation of the hardened system.

Prerequisites

  • The openscap-scanner is installed on your system.
  • The scap-security-guide package is installed on your system and the package version corresponds to the version of RHEL that you want to install. For more information, see Supported versions of the SCAP Security Guide in RHEL. Using a different version can cause conflicts.

    Note

    If your system has the same version of RHEL as the version you want to install, you can install the scap-security-guide package directly.

Procedure

  1. Find the ID of the security profile from the data stream file:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Profiles:
    …
      Title: Australian Cyber Security Centre (ACSC) Essential Eight
    	Id: xccdf_org.ssgproject.content_profile_e8
      Title: Health Insurance Portability and Accountability Act (HIPAA)
    	Id: xccdf_org.ssgproject.content_profile_hipaa
      Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 10
    	Id: xccdf_org.ssgproject.content_profile_pci-dss
    …
    Copy to Clipboard Toggle word wrap
  2. Optional: If you want to customize your hardening with an XCCDF tailoring file, you can use the autotailor command provided in the openscap-utils package. For more information, see Customizing a security profile with autotailor.
  3. Generate the Kickstart file from the SCAP source data stream:

    $ oscap xccdf generate fix --profile <profile_ID> --output <kickstart_file>.cfg --fix-type kickstart /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <profile_ID> with the profile ID with which the system should comply, for example, hipaa.

    If you are using a tailoring file, embed the tailoring file into the generated Kickstart file by using the --tailoring-file tailoring.xml option and your custom profile ID, for example:

    $ oscap xccdf generate fix --tailoring-file tailoring.xml --profile <custom_profile_ID> --output <kickstart_file>.cfg --fix-type kickstart ./ssg-rhel10-ds.xml
  4. Review and, if necessary, manually modify the generated <kickstart_file>.cfg to fit the needs of your deployment. Follow the instructions in the comments in the file.

    Note

    Some changes might affect the compliance of the systems installed by the Kickstart file. For example, some security policies require defined partitions or specific packages and services.

  5. Use the Kickstart file for your installation. For the installation program to use the Kickstart, the Kickstart can be served through a web server, provided in PXE, or embedded into the ISO image. For detailed steps, see the Semi-automated installations: Making Kickstart files available to the RHEL installer chapter in the Automatically installing RHEL document.
  6. After the installation finishes, the system reboots automatically. After the reboot, log in and review the installation SCAP report saved in the /root directory.

Verification

  • Scan the system for compliance and save the report in an HTML file for review:

    • With the original profile:

      # oscap xccdf eval --report report.html --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    • With the tailored profile:

      # oscap xccdf eval --report report.html --tailoring-file tailoring.xml --profile <custom_profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

You can customize a security profile to better adjust it to your specific needs, for example, to implement an internal policy that differs from the official profile. When customizing a profile, you can select additional rules, remove rules that you cover differently, and change parameters of certain rules such as minimum password length. You cannot define new rules when customizing a profile.

By using the autotailor utility, you create an XCCDF tailoring file that contains all of the modifications of the original profile. Then, when you are scanning, remediating, or installing a system in accordance with a SCAP profile, you pass this tailoring file to the oscap command-line utility.

Prerequisites

Procedure

  1. Create a tailoring file for your profile by using the autotailor command, for example:

    $ autotailor \
        --select=<rule_ID_1> \
        --select=<rule_ID_2> \
        --unselect=<rule_ID_3> \
        --var-value=<value_ID_1>=<value_1> \
        --var-value=<value_ID_2>=<value_2> \
        --output=<tailoring.xml> \
        --tailored-profile-id=<custom_profile_ID> \
        /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml <profile_ID>

    Where:

    • The customization options (--select, --unselect, and --var-value) are the modifications of the profile. Use one or more of the following options, each as many times as needed:

      --select=<rule_ID>
      Add an existing rule to the profile.
      --unselect=<rule_ID>
      Remove a rule from the profile.
      --var-value=<value_ID>=<value>
      Override a pre-set value. For example, to set var_sshd_max_sessions to 10, use --var-value=var_sshd_max_sessions=10.
    • <tailoring.xml> is the file name where autotailor saves the tailoring.
    • <custom_profile_ID> is the profile ID within which the autotailor saves customizations, for example, custom_cis.
    • <profile_ID> is the profile ID with which the system should comply, for example, cis.
    Note

    For all profile, rule, and variable XCCDF IDs, you can use either a full namespaced identifier or a shortened ID that autotailor automatically augments with the namespace prefix. For example, cis is equivalent to xccdf_org.ssgproject.content_profile_cis.

    You can override the default namespace org.ssgproject.content by using the --id-namespace option.

  2. Optional: Create a tailoring file based on the customizations defined in the JSON Tailoring format:

    $ autotailor --output=<tailoring.xml> --json-tailoring=<json_tailoring.json>

    Replace <json_tailoring.json> with the file name with JSON Tailoring definitions.

    Note

    You can mix --json-tailoring with --select, --unselect, and --var-value command-line customizations. In that case, command-line customizations have priority over JSON Tailoring.
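The tailoring file that autotailor writes, and that --tailoring-file later consumes, is an XCCDF 1.2 Tailoring document. The following script is an added example, not code from the Red Hat documentation or from autotailor: it applies the ID rule from the note above (a short ID such as cis gains the org.ssgproject.content namespace prefix) to build such a document for the step 1 invocation, and reads one back for review. It assumes the element layout of the XCCDF 1.2 Tailoring schema; the details autotailor itself emits (such as the tailoring id and title) may differ, and the rule and value IDs used in the sample invocation are constructed.

```python
"""Build and inspect an XCCDF 1.2 tailoring file like the one autotailor writes.

Added example, not Red Hat documentation or autotailor code. Follows the XCCDF
1.2 Tailoring schema; what autotailor itself emits may differ in details.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
DEFAULT_ID_NAMESPACE = "org.ssgproject.content"  # what --id-namespace overrides
DS_PATH = "/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"


def q(tag):
    """Qualify an element name with the XCCDF 1.2 namespace."""
    return f"{{{XCCDF_NS}}}{tag}"


def full_id(short, kind, namespace=DEFAULT_ID_NAMESPACE):
    """cis -> xccdf_org.ssgproject.content_profile_cis; already-full IDs pass through."""
    return short if short.startswith("xccdf_") else f"xccdf_{namespace}_{kind}_{short}"


def build_tailoring(profile_id, custom_profile_id, select=(), unselect=(),
                    var_values=(), benchmark_href=DS_PATH, namespace=DEFAULT_ID_NAMESPACE):
    """Return tailoring XML text for the customizations step 1 passes on the command line."""
    ET.register_namespace("xccdf-1.2", XCCDF_NS)
    tailoring = ET.Element(q("Tailoring"), id=f"xccdf_{namespace}_tailoring_custom")
    ET.SubElement(tailoring, q("benchmark"), href=benchmark_href)
    stamp = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    ET.SubElement(tailoring, q("version"), time=stamp).text = "1"
    profile = ET.SubElement(tailoring, q("Profile"),
                            id=full_id(custom_profile_id, "profile", namespace),
                            extends=full_id(profile_id, "profile", namespace))
    ET.SubElement(profile, q("title"), override="true").text = f"Tailored {profile_id}"
    # Adding a rule the base profile lacks and dropping one covered elsewhere
    # both use <select>; only the selected flag differs.
    for rule in select:
        ET.SubElement(profile, q("select"), idref=full_id(rule, "rule", namespace), selected="true")
    for rule in unselect:
        ET.SubElement(profile, q("select"), idref=full_id(rule, "rule", namespace), selected="false")
    # Parameter overrides such as --var-value=var_sshd_max_sessions=10 use <set-value>.
    for value_id, value in var_values:
        ET.SubElement(profile, q("set-value"), idref=full_id(value_id, "value", namespace)).text = str(value)
    return ET.tostring(tailoring, encoding="unicode")


def summarize_tailoring(xml_text):
    """Read a tailoring file back into a dict, for review before passing it to oscap."""
    profile = ET.fromstring(xml_text).find("x:Profile", NS)
    if profile is None:
        raise ValueError("no Profile element in tailoring file")
    summary = {"profile": profile.get("id"), "extends": profile.get("extends"),
               "select": [], "unselect": [], "var_values": {}}
    for sel in profile.findall("x:select", NS):
        key = "select" if sel.get("selected") == "true" else "unselect"
        summary[key].append(sel.get("idref"))
    for sv in profile.findall("x:set-value", NS):
        summary["var_values"][sv.get("idref")] = sv.text
    return summary


if __name__ == "__main__":
    # Equivalent of: autotailor --select=sshd_set_max_sessions --unselect=package_aide_installed
    #   --var-value=var_sshd_max_sessions=10 --tailored-profile-id=custom_cis <data stream> cis
    xml_text = build_tailoring("cis", "custom_cis",
                               select=["sshd_set_max_sessions"],
                               unselect=["package_aide_installed"],
                               var_values=[("var_sshd_max_sessions", 10)])
    print(xml_text)
    print(summarize_tailoring(xml_text))
```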

Use only the SCAP content provided in the particular minor release of RHEL. This is because components that participate in hardening are sometimes updated with new capabilities. SCAP content changes to reflect these updates, but it is not always compatible with earlier versions.

Note

You can get the information relevant for the version of scap-security-guide RPM installed on your system by using the oscap info command. For more information, see Viewing profiles for configuration compliance.

Table 5.1. SCAP Security Guide profiles supported in RHEL 10.0

Profile name | Profile ID | Policy version
French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level | xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced | 2.0
French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level | xccdf_org.ssgproject.content_profile_anssi_bp28_high | 2.0
French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level | xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary | 2.0
French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level | xccdf_org.ssgproject.content_profile_anssi_bp28_minimal | 2.0
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server | xccdf_org.ssgproject.content_profile_cis | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server | xccdf_org.ssgproject.content_profile_cis_server_l1 | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation | xccdf_org.ssgproject.content_profile_cis_workstation_l1 | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation | xccdf_org.ssgproject.content_profile_cis_workstation_l2 | DRAFT
Australian Cyber Security Centre (ACSC) Essential Eight | xccdf_org.ssgproject.content_profile_e8 | not versioned
Health Insurance Portability and Accountability Act (HIPAA) | xccdf_org.ssgproject.content_profile_hipaa | not versioned
Australian Cyber Security Centre (ACSC) ISM Official - Base | xccdf_org.ssgproject.content_profile_ism_o | not versioned
Australian Cyber Security Centre (ACSC) ISM Official - Secret | xccdf_org.ssgproject.content_profile_ism_o_secret | not versioned
Australian Cyber Security Centre (ACSC) ISM Official - Top Secret | xccdf_org.ssgproject.content_profile_ism_o_top_secret | not versioned
PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9 | xccdf_org.ssgproject.content_profile_pci-dss | 4.0
The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 10 | xccdf_org.ssgproject.content_profile_stig | vendor
The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 10 | xccdf_org.ssgproject.content_profile_stig_gui | vendor

© 2025 Red Hat