This guide provides step-by-step instructions for installing, configuring, and running OpenSCAP security compliance scans on an AlmaLinux 9.4 server.
What is OpenSCAP?
OpenSCAP (Open Security Content Automation Protocol) is an open-source security compliance solution that helps organizations assess, measure, and enforce security baselines. It implements the SCAP (Security Content Automation Protocol) standard to automate vulnerability management and security compliance.
Prerequisites
- AlmaLinux 9.4 server with administrative (root) access
- Internet connectivity for package installation
- Sufficient disk space for scan results
Installation
Update your system packages:
sudo dnf update -y
Install OpenSCAP and related tools:
sudo dnf install openscap-scanner scap-security-guide -y
This installs:
- openscap-scanner: The core scanning utility
- scap-security-guide: A collection of security policies including STIG, PCI-DSS, and others
Available Security Profiles
To list available security profiles for AlmaLinux 9:
ls -la /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
oscap info /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Common security profiles include:
- xccdf_org.ssgproject.content_profile_cis: Implements the CIS AlmaLinux 9 Benchmark. Use for organizations seeking Center for Internet Security best practices for hardening and compliance.
- xccdf_org.ssgproject.content_profile_ospp: Applies the OSPP (Protection Profile for General Purpose Operating Systems). Suitable for environments requiring baseline security controls for general-purpose OS deployments.
- xccdf_org.ssgproject.content_profile_pci-dss: Enforces PCI-DSS requirements. Use for systems handling payment card data to meet Payment Card Industry Data Security Standard compliance.
- xccdf_org.ssgproject.content_profile_stig: Follows the STIG (Security Technical Implementation Guide). Ideal for government or defense systems needing strict security configuration per DoD guidelines.
Running a Basic Scan
Create a directory to store scan results:
sudo mkdir -p /opt/scans/$(date +%Y-%m-%d)
cd /opt/scans/$(date +%Y-%m-%d)
Run a basic evaluation using the OSPP profile:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report report.html --results results.xml /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
For a more comprehensive STIG compliance scan:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --report stig-report.html --results stig-results.xml /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Generating Different Report Formats
OpenSCAP supports various output formats:
HTML Report (human-readable):
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report report.html /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
XML Results:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results results.xml /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Both HTML and XML:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report report.html --results results.xml /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
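The results.xml produced above is an XCCDF document with one rule-result element per rule. The script below, an added example that is not part of this guide or of OpenSCAP, tallies the outcomes and lists failed rules by severity; it assumes the XCCDF 1.2 namespace used by ssg-almalinux9-ds.xml, and the embedded sample is constructed, not real scan output.

```python
"""Summarize the results.xml written by `oscap xccdf eval --results`."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"

# Constructed sample (not real scan output): a trimmed TestResult with
# four rule outcomes, shaped like what ssg-almalinux9-ds.xml produces.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_ALMALINUX-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
    <rule-result idref="{RULE_PREFIX}sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="{RULE_PREFIX}package_aide_installed" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="{RULE_PREFIX}grub2_password" severity="high"><result>fail</result></rule-result>
    <rule-result idref="{RULE_PREFIX}service_kdump_disabled" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return per-result counts and the list of (severity, rule) pairs that failed."""
    counts = Counter()
    failed = []
    # iter() with the namespaced tag works whether the root is Benchmark or TestResult
    for rr in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF_NS}}}result")
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"),
                           rr.get("idref", "").removeprefix(RULE_PREFIX)))
    return {"counts": dict(counts), "failed": failed}


def has_high_failures(summary):
    """True when at least one failed rule carries severity 'high'."""
    return any(sev == "high" for sev, _ in summary["failed"])


if __name__ == "__main__":
    # Pass the path of a real results.xml as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize(text)
    for result, n in sorted(summary["counts"].items()):
        print(f"{result:>14}: {n}")
    for sev, rule in sorted(summary["failed"]):
        print(f"FAIL [{sev}] {rule}")
    # Exit non-zero on high-severity failures so a cron job or CI step can flag the host.
    sys.exit(2 if has_high_failures(summary) else 0)
```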
Scanning for CVEs (Vulnerabilities)
To scan the system for known vulnerabilities (CVEs):
Install the OVAL definitions for AlmaLinux:
sudo dnf install almalinux-security-oval -y
Run a vulnerability scan:
sudo oscap oval eval --report cve-report.html /usr/share/oval/almalinux-9/almalinux-9-oval.xml
Remediation
OpenSCAP can generate remediation scripts to fix issues:
Generate a Bash remediation script:
sudo oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_ospp --output fix-script.sh /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Review the generated script carefully before running:
sudo less fix-script.sh
Apply the fixes (use with caution in production):
sudo bash fix-script.sh
Scheduled Scans
To set up regular automated scans:
Create a scan script:
sudo nano /usr/local/bin/run-oscap-scan.sh
Add the following content:
#!/bin/bash
SCAN_DATE=$(date +%Y-%m-%d)
SCAN_DIR="/opt/scans/$SCAN_DATE"
mkdir -p "$SCAN_DIR"
cd "$SCAN_DIR" || exit 1
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp \
    --report "$SCAN_DIR/report.html" \
    --results "$SCAN_DIR/results.xml" \
    /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
# Optional: Send email with results
# mail -s "OpenSCAP Scan Results $SCAN_DATE" admin@example.com < "$SCAN_DIR/report.html"
Make the script executable:
sudo chmod +x /usr/local/bin/run-oscap-scan.sh
Create a cron job for weekly scans:
sudo crontab -e
Add the following line to run the scan every Sunday at 2 AM:
0 2 * * 0 /usr/local/bin/run-oscap-scan.sh
Tailoring Security Profiles
To customize a security profile for your environment:
Create a tailoring file:
oscap xccdf generate tailoring --profile xccdf_org.ssgproject.content_profile_ospp --output tailoring.xml /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
Edit the tailoring file as needed (a graphical tool such as SCAP Workbench makes this easier).
Run a scan with the tailored profile:
sudo oscap xccdf eval --tailoring-file tailoring.xml --profile xccdf_org.ssgproject.content_profile_ospp-tailored --report tailored-report.html /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
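A tailoring file is an XCCDF 1.2 Tailoring document whose Profile extends a shipped profile and records the rules you unselect and the variable values you override. The script below is an added example, not the guide's or the project's own code, that writes such a file for the ospp-tailored profile name used in the command above; the rule and variable identifiers it touches are assumed examples, so check them against the `oscap info` output for your datastream before relying on them.

```python
"""Write an XCCDF 1.2 tailoring file that customizes the OSPP profile."""
import datetime
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", NS)
DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_ospp"
NEW_PROFILE = "xccdf_org.ssgproject.content_profile_ospp-tailored"


def build_tailoring(unselect=(), values=None, base=BASE_PROFILE, new_id=NEW_PROFILE):
    """Return an ElementTree for a Tailoring whose Profile `new_id` extends `base`."""
    values = values or {}
    tag = lambda name: f"{{{NS}}}{name}"  # namespaced element name
    tailoring = ET.Element(tag("Tailoring"), id="xccdf_org.example_tailoring_site")
    ET.SubElement(tailoring, tag("benchmark"), href=DATASTREAM)
    stamp = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0).isoformat()
    ET.SubElement(tailoring, tag("version"), time=stamp).text = "1"
    profile = ET.SubElement(tailoring, tag("Profile"), id=new_id, extends=base)
    ET.SubElement(profile, tag("title")).text = "OSPP with documented site exceptions"
    for rule in unselect:  # rules the site has accepted as exceptions
        ET.SubElement(profile, tag("select"), idref=rule, selected="false")
    for var, val in values.items():  # variable overrides consumed by the checks
        ET.SubElement(profile, tag("set-value"), idref=var).text = str(val)
    return ET.ElementTree(tailoring)


def selections(tree):
    """Map rule id -> 'true'/'false' from the select elements, for review."""
    return {s.get("idref"): s.get("selected") for s in tree.getroot().iter(f"{{{NS}}}select")}


if __name__ == "__main__":
    # Assumed identifiers: one rule to disable and one variable to override.
    tree = build_tailoring(
        unselect=["xccdf_org.ssgproject.content_rule_grub2_password"],
        values={"xccdf_org.ssgproject.content_value_var_accounts_tmout": 900},
    )
    tree.write("tailoring.xml", xml_declaration=True, encoding="utf-8")
    print(selections(tree))
```

The resulting tailoring.xml is what the scan command above expects with --tailoring-file.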
Troubleshooting
If you encounter issues:
- Check for errors in the OpenSCAP command output
- Verify that the correct profile name is used
- Ensure proper permissions when running scans (use sudo)
- Check the system logs for additional information:
sudo journalctl -u openscap.service
Additional Resources
- OpenSCAP Project Website
- SCAP Security Guide Documentation
- National Vulnerability Database
- AlmaLinux Documentation
Conclusion
Regular security scanning with OpenSCAP helps ensure your AlmaLinux 9.4 server maintains compliance with security standards and identifies potential vulnerabilities before they can be exploited. By following this guide, you can implement a comprehensive security scanning strategy to protect your systems.