OpenSCAP Part 2: SCAP Content for RHEL 7


Introduction

In part one of the OpenSCAP series we were introduced to the basic usage of the OpenSCAP toolset. In that post we learned how to run a basic scan via the scap-workbench in a desktop environment.

This post will focus on the Content, Profiles, and Targets.

Content

All content is installed in the directory shown below. The content in this directory varies with the installed OS (the content on my Fedora system differs from that on RHEL, for example).

/usr/share/xml/scap/ssg/content

The screenshot below contains a list of content installed by default on RHEL 7.

[Screenshot: content installed by default on RHEL 7]

Additional content can be obtained and added to the content directory shown above. For example, NIST content can be downloaded directly from the NIST website (link below).

National Checklist Program Repository

In the screenshot below we have performed a search for all content that targets RHEL 7.6.

[Screenshot: search results for content targeting RHEL 7.6]


Content Types

SCAP security guides are security policies written in the form of SCAP documents. Each guide consists of rules and definitions. A guide can be written in one of several formats, shown below.

FILE TYPE                  DESCRIPTION
OVAL Definitions file [1]  Open Vulnerability and Assessment Language formatted file
OCIL Definitions file [2]  Open Checklist Interactive Language formatted file
XCCDF Checklist [3]        Extensible Configuration Checklist Description Format
Source Data Stream [4]     An SCAP data stream that holds input (source) content
CPE Dictionary [5]         Official Common Platform Enumeration Checklist

The innards of each file can be inspected with oscap, which we will dive into later.

More information on each file type is linked below.

[1] https://oval.mitre.org/about/faqs.html#b1
[2] https://support.symantec.com/us/en/article.howto84189.html
[3] https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/xccdf/
[4] https://csrc.nist.gov/glossary/term/SCAP-source-data-stream
[5] https://nvd.nist.gov/products/cpe

Targets

Targets are the specific operating system or application that you want to evaluate for vulnerabilities or compliance.  For example, RHEL, OSX, Windows, and BSD are all targets. Tomcat, Apache, Microsoft SQL, and Java are also targets. The list of available targets is quite extensive.  You can browse the list here.

Profiles

The following profiles are the defaults available for RHEL 7 via the ssg-rhel7-ds.xml content file.


TITLE
PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
OSPP – Protection Profile for General Purpose Operating Systems v. 4.2
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
DISA STIG for Red Hat Enterprise Linux 7
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Health Insurance Portability and Accountability Act (HIPAA)
United States Government Configuration Baseline
Standard System Security Profile for Red Hat Enterprise Linux 7
C2S for Red Hat Enterprise Linux 7
Criminal Justice Information Services (CJIS) Security Policy

Profiles are based on recommendations from authorities such as NIST, the PCI Security Standards Council, the Center for Internet Security (CIS), vendors such as Red Hat, HP,  and Microsoft, and known standards such as NIST 800-171, NIST 800-53, HIPAA, and PCI-DSS.
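The profile list above comes from the XCCDF benchmark embedded in the ssg-rhel7-ds.xml source data stream, and the content section noted that oscap can inspect such files. As an added example (not part of the original post or of OpenSCAP itself), the script below opens a source data stream or a bare XCCDF checklist and lists each profile's id, title and number of enabled rules; the embedded sample stream is a constructed, heavily trimmed stand-in for the real file.

```python
"""List the XCCDF profiles inside an SCAP source data stream such as ssg-rhel7-ds.xml."""
import sys
import xml.etree.ElementTree as ET

# Namespaces of SCAP 1.2 source data streams and XCCDF 1.2 benchmarks.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}

def list_profiles(xml_text):
    """Return [(profile_id, title, enabled_rule_count)] for every XCCDF profile found."""
    root = ET.fromstring(xml_text)
    # In a data stream the Benchmark sits inside ds:component; a bare XCCDF file has it at the root.
    benchmarks = root.findall(".//xccdf:Benchmark", NS)
    if root.tag == "{%s}Benchmark" % NS["xccdf"]:
        benchmarks.append(root)
    profiles = []
    for bench in benchmarks:
        for prof in bench.findall("xccdf:Profile", NS):
            title = prof.findtext("xccdf:title", default="", namespaces=NS).strip()
            # Only <select selected="true"> entries enable a rule; selected="false" disables it.
            enabled = [s.get("idref") for s in prof.findall("xccdf:select", NS)
                       if s.get("selected", "").lower() == "true"]
            profiles.append((prof.get("id"), title, len(enabled)))
    return profiles

# Constructed, trimmed stand-in for ssg-rhel7-ds.xml; collection, component and rule ids are made up.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="scap_example_collection">
  <ds:component id="scap_example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_a" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_b" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_c" selected="false"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_hipaa">
        <xccdf:title>Health Insurance Portability and Accountability Act (HIPAA)</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_a" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""

if __name__ == "__main__":
    # Pass a real file, e.g. /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml, to inspect it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DS
    for pid, title, count in list_profiles(text):
        print("%-52s %3d rules  %s" % (pid, count, title))
```

Running it against the installed ssg-rhel7-ds.xml prints the same profile titles as the table above, together with the xccdf_org.ssgproject.content_profile_* ids that oscap expects on the command line.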

Next Steps

The topic of SCAP content is rather complicated, and possibly a bit convoluted with its overlapping terminology, but in the end a user selects a target, which is either an application (such as Java or Apache) or an operating system (such as RHEL, Windows, or Solaris).

Once the target is selected, a profile is selected (if multiple profiles exist, which is not always the case for applications). In this case the profile might be PCI-DSS, HIPAA, or STIG.

Once the target and a profile are selected, it's time to start scanning.

Read Part 3
