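--- a/DC-Micro-openscap
+++ b/DC-Micro-openscap
@@ -0,0 +1,16 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="openscap-system-hardening.asm.xml"
+SRC_DIR="articles"
+IMG_SRC_DIR="images"
+
+## Profiling
+PROFOS="slem"
+#STRUCTID="openscap-system-hardening"
+#PROFARCH="x86_64;zseries;power;aarch64"
+
+DOCBOOK5_RNG_URI="urn:x-suse:rng:v2:geekodoc-flat"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"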
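--- a/articles/openscap-system-hardening.asm.xml
+++ b/articles/openscap-system-hardening.asm.xml
@@ -0,0 +1,206 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+<!DOCTYPE assembly
+[
+<!ENTITY % entities SYSTEM "../common/generic-entities.ent">
+%entities;
+]>
+<!-- refers to legacy doc: https://github.com/SUSE/doc-unversioned/blob/main/openscap/xml/article_openscap.xml -->
+<!-- point back to this document with a similar comment added to your legacy doc piece -->
+<assembly version="5.2" xml:lang="en"
+xmlns:xlink="http://www.w3.org/1999/xlink"
+xmlns:trans="http://docbook.org/ns/transclusion"
+xmlns:its="http://www.w3.org/2005/11/its"
+xmlns:xi="http://www.w3.org/2001/XInclude"
+xmlns="http://docbook.org/ns/docbook">
+<!-- R E S O U R C E S -->
+<!-- Glue files -->
+<resources>
+<resource xml:id="_openscap-intro" href="../glues/openscap-intro.xml">
+<description>Overview of the OpenSCAP hardening workflow</description>
+</resource>
+<resource xml:id="_openscap-more-info" href="../glues/openscap-more-info.xml">
+<description>Links to external OpenSCAP and SSG resources</description>
+</resource>
+<resource xml:id="_openscap-whats-next" href="../glues/openscap-whats-next.xml">
+<description>Suggested next steps after hardening</description>
+</resource>
+</resources>
+<!-- Concept files -->
+<resources>
+<resource xml:id="_openscap-scap-overview" href="../concepts/openscap-scap-overview.xml">
+<description>What SCAP and OpenSCAP are, key components, and benefits</description>
+</resource>
+</resources>
+<!-- Task files -->
+<resources>
+<resource xml:id="_openscap-infrastructure-preparing" href="../tasks/openscap-infrastructure-preparing.xml">
+<description>Preparing the IT infrastructure before hardening</description>
+</resource>
+<resource xml:id="_openscap-packages-installing" href="../tasks/openscap-packages-installing.xml">
+<description>Installing OpenSCAP and SSG packages</description>
+</resource>
+<resource xml:id="_openscap-system-scanning" href="../tasks/openscap-system-scanning.xml">
+<description>Scanning a system for vulnerabilities with oscap</description>
+</resource>
+<resource xml:id="_openscap-system-remediating" href="../tasks/openscap-system-remediating.xml">
+<description>Remediating vulnerabilities with oscap, shell scripts, and Ansible</description>
+</resource>
+</resources>
+<!-- Reference files -->
+<resources>
+<resource xml:id="_openscap-profiles" href="../references/openscap-profiles.xml">
+<description>SSG directories and supported profiles</description>
+</resource>
+</resources>
+<!-- Legal -->
+<resources>
+<resource href="../common/legal.xml" xml:id="_legal">
+<description>Legal Notice</description>
+</resource>
+<resource href="../common/license_gfdl1.2.xml" xml:id="_gfdl">
+<description>GNU Free Documentation License</description>
+</resource>
+</resources>
+<!-- S T R U C T U R E -->
+<structure renderas="article" xml:id="openscap-system-hardening" xml:lang="en">
+<merge>
+<title>Hardening &productname; with &openscap;</title>
+<revhistory xml:id="rh-openscap-system-hardening">
+<revision><date>2026-05-08</date>
+<revdescription>
+<para>
+Initial release of the modular &productname; OpenSCAP article.
+</para>
+</revdescription>
+</revision>
+</revhistory>
+<meta name="maintainer" content="souvik.sarkar@suse.com" its:translate="no"/>
+<meta name="architecture" its:translate="no"><phrase>&x86-64;</phrase><phrase>&power;</phrase><phrase>&zseries;</phrase><phrase>&aarch64;</phrase>
+</meta>
+<meta name="productname" its:translate="no"><productname>&productname;</productname>
+</meta>
+<meta name="title" its:translate="yes">Hardening &productname; with OpenSCAP</meta>
+<meta name="description" its:translate="yes">How to audit and harden &productname; using &openscap; and the &ssg;</meta>
+<meta name="social-descr" its:translate="yes">Harden &productname; with OpenSCAP and SSG</meta>
+<meta name="category" its:translate="no"><phrase>Security</phrase>
+</meta>
+<meta name="task" its:translate="no"><phrase>Auditing</phrase><phrase>Compliance</phrase>
+</meta>
+<meta name="series" its:translate="no">Products &amp; Solutions</meta>
+<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+<dm:bugtracker>
+<dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+<dm:component>Security</dm:component>
+<dm:product>SUSE Linux Enterprise Micro 6.1</dm:product>
+<dm:assignee>souvik.sarkar@suse.com</dm:assignee>
+</dm:bugtracker>
+<dm:translation>yes</dm:translation>
+</dm:docmanager>
+<abstract>
+<variablelist>
+<varlistentry>
+<term>WHAT?</term>
+<listitem>
+<para>
+&openscap; is an open source toolset that implements the Security Content
+Automation Protocol (SCAP) framework. Combined with the &ssg;, it enables automated
+security auditing and hardening of &productname;.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>WHY?</term>
+<listitem>
+<para>
+Automated scanning and remediation reduces manual effort and ensures consistent
+policy enforcement across systems. &productname; ships with the <literal>general</literal>
+security profile, which provides a practical baseline for hardening immutable
+systems.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>EFFORT</term>
+<listitem>
+<para>
+Reading time: approximately 30 minutes. A full scan and remediation cycle takes 1–2
+hours depending on the number of rules and the initial state of the target system.
+Because &productname; is an immutable system, remediation must be run more than once with
+reboots between passes. Familiarity with the Linux command line is required.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>GOAL</term>
+<listitem>
+<para>
+After completing this article, you can install the required packages, scan your
+&productname; system for policy violations against the <literal>general</literal> profile,
+and remediate identified issues using <command>oscap</command>, &ssg; shell
+scripts, or &ansible; playbooks.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>REQUIREMENTS</term>
+<listitem>
+<itemizedlist>
+<listitem>
+<para>
+A running installation of &productnameshort;.
+</para>
+</listitem>
+<listitem>
+<para>
+<systemitem>root</systemitem> or <command>sudo</command> privileges on the
+target system.
+</para>
+</listitem>
+<listitem>
+<para>
+Access to &suse; repositories for package installation, or an offline package
+source.
+</para>
+</listitem>
+<listitem>
+<para>
+A non-production test environment for validating remediation before applying it
+to production systems.
+</para>
+</listitem>
+</itemizedlist>
+</listitem>
+</varlistentry>
+</variablelist>
+</abstract>
+</merge>
+<!-- Introductory glue: sets context and outlines the workflow -->
+<module resourceref="_openscap-intro" renderas="section">
+<merge>
+<title>Overview</title>
+</merge>
+</module>
+<!-- Concept: SCAP, OpenSCAP, components, benefits -->
+<module resourceref="_openscap-scap-overview" renderas="section"/>
+<!-- Task 1: Prepare the IT infrastructure -->
+<module resourceref="_openscap-infrastructure-preparing" renderas="section"/>
+<!-- Task 2: Install packages -->
+<module resourceref="_openscap-packages-installing" renderas="section"/>
+<!-- Reference: SSG directories and supported profiles -->
+<module resourceref="_openscap-profiles" renderas="section"/>
+<!-- Task 3: Scan the system -->
+<module resourceref="_openscap-system-scanning" renderas="section"/>
+<!-- Task 4: Remediate vulnerabilities -->
+<module resourceref="_openscap-system-remediating" renderas="section"/>
+<!-- Closing glues -->
+<module resourceref="_openscap-more-info" renderas="section"/>
+<module resourceref="_openscap-whats-next" renderas="section"/>
+<!-- Legal -->
+<module resourceref="_legal"/>
+<module resourceref="_gfdl">
+<output renderas="appendix"/>
+</module>
+</structure>
+</assembly>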
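Review bot: The resource descriptions for `_openscap-system-scanning` and `_openscap-system-remediating`, and the "Task 4: Remediate vulnerabilities" module comment, describe the scan as finding and fixing "vulnerabilities", whereas the GOAL entry of the abstract says the `general` profile is used to find "policy violations"; the abstract's wording is the accurate one for an XCCDF/SSG profile scan, which the concept topic itself describes as evaluating configuration rules, and a reader who takes "vulnerability" literally may assume the scan also covers unpatched packages. Suggested: `<description>Scanning a system for policy violations with oscap</description>` and `<description>Remediating policy violations with oscap, shell scripts, and Ansible</description>`, with the module comment adjusted the same way. Separately, the `<title>` and the `description` meta use the `&openscap;` entity while the `title` and `social-descr` metas spell out "OpenSCAP"; one form should be used throughout so the rendered strings stay consistent.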
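--- a/concepts/openscap-scap-overview.xml
+++ b/concepts/openscap-scap-overview.xml
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+<!DOCTYPE topic
+[
+<!ENTITY % entities SYSTEM "../common/generic-entities.ent">
+%entities;
+]>
+<!-- refers to legacy doc: https://github.com/SUSE/doc-unversioned/blob/main/openscap/xml/article_openscap.xml -->
+<!-- point back to this document with a similar comment added to your legacy doc piece -->
+<topic xml:id="openscap-scap-overview"
+role="concept" xml:lang="en"
+xmlns="http://docbook.org/ns/docbook" version="5.2"
+xmlns:its="http://www.w3.org/2005/11/its"
+xmlns:xi="http://www.w3.org/2001/XInclude"
+xmlns:xlink="http://www.w3.org/1999/xlink"
+xmlns:trans="http://docbook.org/ns/transclusion">
+<info>
+<title>SCAP and &openscap;</title>
+<meta name="maintainer" content="souvik.sarkar@suse.com" its:translate="no"/>
+<abstract>
+<para>
+SCAP is a framework of specifications for automating security compliance. &openscap;
+implements this framework for Linux, and together with the &ssg;, enables automated
+auditing and hardening of &productname;.
+</para>
+</abstract>
+</info>
+<section xml:id="openscap-scap-overview-what-is-scap">
+<title>What is SCAP?</title>
+<para>
+SCAP stands for <emphasis>Security Content Automation Protocol</emphasis>. It is a framework
+of specifications developed and maintained by the National Institute of Standards and
+Technology (NIST) that supports automated configuration, vulnerability scanning, and policy
+compliance evaluation of systems in an organization. SCAP also standardizes how
+vulnerabilities and security configurations are communicated, both to machines and to human
+beings.
+</para>
+</section>
+<section xml:id="openscap-scap-overview-what-is-openscap">
+<title>What is &openscap;?</title>
+<para>
+&openscap; is a collection of open source tools that implement the SCAP framework for Linux.
+It received the SCAP 1.2 certification from NIST in 2014. &openscap; works together with the
+<literal>&ssg;</literal> (SSG), which implements security guidelines recommended by respected
+authorities in a machine-readable format. This allows &openscap; to automatically audit and
+harden your &productname; system against recognized security baselines.
+</para>
+</section>
+<section xml:id="openscap-scap-overview-components">
+<title>Key SCAP components</title>
+<para>
+SCAP consists of the following components, which interact with each other to describe,
+evaluate, and report on the security state of a system.
+</para>
+<variablelist>
+<varlistentry>
+<term>Open Vulnerability and Assessment Language (OVAL)</term>
+<listitem>
+<para>
+An XML format for testing the presence of a specific state on a system.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>Extensible Configuration Checklist Description Format (XCCDF)</term>
+<listitem>
+<para>
+An XML format that specifies security checklists, benchmarks, and configuration
+documentation. An XCCDF file contains a benchmark consisting of different profiles,
+where each profile is a set of rules with OVAL definitions.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>Common Platform Enumeration (CPE)</term>
+<listitem>
+<para>
+A structured naming scheme maintained by NIST for identifying IT systems, platforms,
+and software packages. A CPE name has the following format:
+<literal>cpe:/<replaceable>part</replaceable>:<replaceable>vendor</replaceable>:<replaceable>product</replaceable>:<replaceable>version</replaceable>:<replaceable>update</replaceable>:<replaceable>edition</replaceable>:<replaceable>language</replaceable></literal>
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>DataStream (DS)</term>
+<listitem>
+<para>
+An XML format that bundles multiple SCAP components (CPE, XCCDF, OVAL) into a single
+file for distribution over a network. DataStream files are the primary input format for
+&openscap; when hardening and auditing a &productname; system.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>Common Configuration Enumeration (CCE)</term>
+<listitem>
+<para>
+Unique identifiers assigned to security-related system configuration issues, used to
+track individual rules across profiles and tools.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</section>
+<section xml:id="scap-security-guide-whatis">
+<title>What is the &ssg;?</title>
+<para>
+The <literal>&ssg;</literal> is an open source project that provides machine-readable
+security policies for Linux systems. It translates established security benchmarks, such as
+<orgname>Defense Information Systems Agency (DISA)</orgname>
+STIGs and
+<orgname>Center for
+Internet Security (CIS)</orgname>
+benchmarks, into SCAP content that can be automatically applied and verified. The
+<literal>&ssg;</literal> delivers XCCDF checklists, OVAL checks, and ready-to-use remediation
+scripts in the form of Ansible playbooks and Bash scripts.
+</para>
+</section>
+<section xml:id="openscap-scap-overview-benefits">
+<title>Benefits of using &openscap; with the &ssg;</title>
+<para>
+Using &openscap; together with the &ssg; provides the following benefits:
+</para>
+<itemizedlist>
+<listitem>
+<para>
+Security guidelines from recognized authorities are transformed into a machine-readable
+format, removing the need for manual interpretation.
+</para>
+</listitem>
+<listitem>
+<para>
+Scanning and remediation can be automated and run repeatedly, ensuring consistent policy
+enforcement across all systems in your infrastructure.
+</para>
+</listitem>
+<listitem>
+<para>
+Results are stored in standardized XML formats and can be rendered as human-readable HTML
+reports for audit and compliance purposes.
+</para>
+</listitem>
+<listitem>
+<para>
+The <literal>general</literal> security profile available for &productname; provides a practical
+hardening baseline suited to immutable systems, reducing the effort required to achieve
+and demonstrate compliance.
+</para>
+</listitem>
+</itemizedlist>
+</section>
+</topic>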
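Review bot: The section `xml:id="scap-security-guide-whatis"` breaks the `openscap-scap-overview-*` prefix that every sibling section in this topic uses, and because this topic is assembled into an article alongside the task and reference topics, an unprefixed id is the one most likely to collide with an id defined elsewhere in the modular set. Suggested: `<section xml:id="openscap-scap-overview-what-is-ssg">`, updating any xref that already points at the old id. The CPE example shows the `cpe:/` URI form; since the previous section states that OpenSCAP is certified for SCAP 1.2, which uses CPE 2.3 formatted strings beginning `cpe:2.3:`, a short note on which CPE version the example illustrates would keep readers from matching the wrong form against SSG content. The `<orgname>` elements in the SSG section are split across lines mid-name; whitespace collapses on rendering, but joining them keeps the source readable.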