OpenSCAP : Install
2026/04/23
|
Install OpenSCAP, a security audit and vulnerability scanning tool based on SCAP (Security Content Automation Protocol).
For details about SCAP, refer to the site below.
OVAL (Open Vulnerability and Assessment Language)
XCCDF (Extensible Configuration Checklist Description Format)
OCIL (Open Checklist Interactive Language)
CPE (Common Platform Enumeration)
CCE (Common Configuration Enumeration)
CVE (Common Vulnerabilities and Exposures)
CVSS (Common Vulnerability Scoring System)
|
| [1] | Install the OpenSCAP command line tool and the SCAP Security Guide for Linux. |
|
[root@dlp ~]# dnf -y install openscap-scanner scap-security-guide
|
| [2] | SCAP Security Guide is installed under the [/usr/share/xml/scap/ssg/content] directory. |
|
[root@dlp ~]# ll /usr/share/xml/scap/ssg/content/
total 42912
-rw-r--r--. 1 root root 21844905 Mar 10 09:00 ssg-cs10-ds.xml
-rw-r--r--. 1 root root 22090066 Mar 10 09:00 ssg-rhel10-ds.xml
# display description for each content
[root@dlp ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-cs10-ds.xml
Document type: Source Data Stream
Imported: 2026-03-10T09:00:00
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel10-xccdf.xml
Generated: 2026-03-10T00:00:00
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel10-xccdf.xml
Status: draft
Generated: 2026-03-10
Resolved: true
Profiles:
Title: ANSSI-BP-028 (enhanced)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
Title: ANSSI-BP-028 (high)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
Title: ANSSI-BP-028 (intermediary)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
Title: ANSSI-BP-028 (minimal)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
Title: BSI SYS.1.1 and SYS.1.3
Id: xccdf_org.ssgproject.content_profile_bsi
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server
Id: xccdf_org.ssgproject.content_profile_cis
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server
Id: xccdf_org.ssgproject.content_profile_cis_server_l1
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation
Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation
Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Id: xccdf_org.ssgproject.content_profile_e8
Title: Health Insurance Portability and Accountability Act (HIPAA)
Id: xccdf_org.ssgproject.content_profile_hipaa
Title: Australian Cyber Security Centre (ACSC) ISM Official - Base
Id: xccdf_org.ssgproject.content_profile_ism_o
Title: Australian Cyber Security Centre (ACSC) ISM Official - Secret
Id: xccdf_org.ssgproject.content_profile_ism_o_secret
Title: Australian Cyber Security Centre (ACSC) ISM Official - Top Secret
Id: xccdf_org.ssgproject.content_profile_ism_o_top_secret
Title: PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10
Id: xccdf_org.ssgproject.content_profile_pci-dss
Title: Red Hat STIG for Red Hat Enterprise Linux 10
Id: xccdf_org.ssgproject.content_profile_stig
Title: Red Hat STIG with GUI for Red Hat Enterprise Linux 10
Id: xccdf_org.ssgproject.content_profile_stig_gui
Referenced check files:
ssg-rhel10-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-rhel10-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
|
| [3] | Scan the CentOS system with the [oscap] command. The scan result is generated as an HTML report. Verify it and apply the recommended settings as much as possible. |
|
# xccdf : specify [xccdf] module
# ⇒ available modules : info, xccdf, oval, ds, cpe, cvss, cve, cvrf
# [--profile] : specify profile
# ⇒ available profiles are on the result you run [oscap info] command above
# [--results] : output file
# [--report] : output HTML report
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results ssg-cs10-ds.xml \
--report ssg-cs10-ds.html \
/usr/share/xml/scap/ssg/content/ssg-cs10-ds.xml
.....
.....
Title Set type of computer node name logging in audit logs
Rule xccdf_org.ssgproject.content_rule_auditd_name_format
Result fail

Title Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
Rule xccdf_org.ssgproject.content_rule_auditd_overflow_action
Result pass

Title Write Audit Logs to the Disk
Rule xccdf_org.ssgproject.content_rule_auditd_write_logs
Result pass

Title Verify Permissions on /etc/audit/auditd.conf
Rule xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
Result pass

Title Verify Permissions on /etc/audit/rules.d/*.rules
Rule xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
Result pass
|
| [4] |
It's possible to generate a remediation script from the scan result.
The remediation script changes various system settings, so take care when you run it, especially on production systems.
|
|
# make sure the [Result ID] in the result output on [3]
[root@dlp ~]# oscap info ssg-cs10-ds.xml | grep "Result ID"
Result ID: xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig
# generate remediation script
# [--fix-type] : specify fix type : default is Bash
# ⇒ available type ⇒ bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint
# [--output] : specify output script file
# [--result-id] : specify [Result ID]
[root@dlp ~]# oscap xccdf generate fix \
--fix-type bash \
--output ssg-cs10-ds-remediation.sh \
--result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig \
ssg-cs10-ds.xml
[root@dlp ~]# ll
total 16020
-rw-------. 1 root root 981 Dec 14 2024 anaconda-ks.cfg
-rwx------. 1 root root 1599788 Apr 23 10:53 ssg-cs10-ds-remediation.sh
-rw-r--r--. 1 root root 14797108 Apr 23 10:43 ssg-cs10-ds.xml
# run remediation script
[root@dlp ~]# ./ssg-cs10-ds-remediation.sh
.....
.....
Remediating rule 111/112: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service /usr/lib/systemd/system/usbguard.service.
Remediating rule 112/112: 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub'
# check again
[root@dlp ~]# oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results ssg-cs10-ds.xml \
--report ssg-cs10-ds.html \
/usr/share/xml/scap/ssg/content/ssg-cs10-ds.xml
| After running the remediation script, many [fail] items have been improved. |
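One way to confirm that rule by rule, as an added example that is not part of the original page: it compares the text that [oscap xccdf eval] printed before and after remediation and flags rules that were fixed, still fail, or started failing. Saving that text to files (for instance with `tee`) is an assumption, and the sample results in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Compares two saved copies of the
# text that `oscap xccdf eval` prints (Title / Rule / Result blocks).
# Assumption: each scan's terminal output was saved to a file, e.g. with `| tee`.

# compare_scans BEFORE AFTER
# Prints "<status> <rule id>" for every rule that failed in either scan:
#   fixed          fail -> pass
#   still_failing  fail -> fail
#   unresolved     fail -> anything else (error, unknown, notchecked, absent)
#   regressed      not fail -> fail (side effect of remediation or new finding)
compare_scans() {
    awk '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" && rule != "" {
            if (FILENAME == ARGV[1]) before[rule] = $2; else after[rule] = $2
            rule = ""
        }
        END {
            for (r in before) {
                if (before[r] != "fail") continue
                if (after[r] == "pass")      print "fixed", r
                else if (after[r] == "fail") print "still_failing", r
                else                         print "unresolved", r
            }
            for (r in after)
                if (after[r] == "fail" && before[r] != "fail") print "regressed", r
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: the rule IDs appear on this page, the before/after
# results are made up so that every status is exercised.
demo() {
    dir=$(mktemp -d) || return 1
    fmt='Rule\txccdf_org.ssgproject.content_rule_%s\nResult\t%s\n\n'
    printf "$fmt" auditd_name_format fail auditd_overflow_action fail \
        auditd_write_logs pass file_permissions_etc_audit_auditd fail > "$dir/before"
    printf "$fmt" auditd_name_format pass auditd_overflow_action fail \
        auditd_write_logs fail file_permissions_etc_audit_auditd notchecked > "$dir/after"
    compare_scans "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

Rules reported as still_failing or unresolved were not changed by the script and need manual review in the HTML report.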