OpenSCAP (1.2k ⭐) is a tool that can automatically scan if a hardening guide was applied and even automatically apply the guide.

OpenSCAP works on a hardening guide generated by the Compliance As Code (CAC) project. It generates an XML file per product, such as ssg-debian11-ds.xml for Debian 11. Download existing XMLs here.

To install OpenSCAP on Debian 10:

$ sudo apt-get update && sudo apt-get install libopenscap8

To check if openscap is installed:

$ oscap -V | head -n 1
OpenSCAP command line tool (oscap) X.Y.Z

Basic Usage

Check if a guide is valid

You may want to check if the XML is valid. If there is no output, then the XML may be valid.

$ oscap ds sds-validate ssg-xxx-ds.xml

Select A Guide

Each XML file is divided into profiles which usually correspond to a guide adapted for a kind of target (ex: CIS Guide for Workstations).

$ oscap info ssg-xxx-ds.xml
    Title: Standard System Security Profile for Parrot Linux
    Id: xccdf_org.ssgproject.content_profile_standard

Compliance scan

To check if a system is hardened given a profile, and a guide:

$ oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_standard \

You can add more options right before the XML.

  • To generate an HTML report, add --report report.html.
  • To add verbosity, add --verbose INFO

πŸ’‘ You can test a remote system using oscap-ssh, as long as the target has openscap installed. Refer to the manual.

πŸš€ You can use a GUI called scap-workbench (0.2k ⭐).