
OpenSCAP: Tools for managing system security and standards compliance - rayascott
https://www.open-scap.org/
======
epistasis
I have a lot of interest and questions about this. Has anybody here been using
this? I would like to know:

1) what types of things does OpenSCAP audit?

2) does it support my mixture of operating systems?

3) is it for scanning remotely over a network?

4) does it scan the configuration of a computer from a local daemon?

After ~5 minutes of clicking, I eventually found this link:

[https://www.open-scap.org/getting-started/](https://www.open-scap.org/getting-started/)

Which explains what they mean by their terms. However, it's not the
traditional definition of "getting started" which means installation.

(Also, for some reason the web developer has severely reduced the user
experience by hiding items, and only showing them once they have fully
scrolled into view, which breaks the large sections of text. It makes it
really hard to skim and learn.)

~~~
chr15p
OpenSCAP has been part of the functionality of Red Hat's Satellite Server for
years. In my experience not that many people use it, but enough for it to be
well tested. It's been a while since I looked at it but from memory...

1) SCAP is its own XML-based language which includes tests for things like
packages installed, sysctl settings, and processes running, but it also has a
generic "run this command and check regexp the results" type resource so you
can pretty much check anything you want with a bit of work. OpenSCAP is an
open source tool for running SCAP tests.

2) SCAP is a generic standard so it should be applicable to everything, but
I've only ever used it on Linux so _shrug_. I would expect other Unixes to be
supported.

3) IIRC it runs locally, but it's pretty trivial to run via Puppet (Satellite 6
comes with Puppet modules) or Ansible to run it and pull the reports back to a
central server.

4) It doesn't run as a daemon, it's a binary you run when you want a report.
The Satellite Puppet modules set up a cron job to run once a week.

Like all these things it's only as good as the tests you run, and the XML format
isn't that easy to write unless you're willing to put in some serious work.
There are existing test sets available (again Red Hat supply some) which are a
good place to start.
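
Added example (not part of the comment above and not OpenSCAP project code): a small Python summarizer of the kind a central server could run over XCCDF result files pulled back from hosts, as described in point 3. The XCCDF 1.2 namespace and element names come from the standard; the host name, rule ids and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by result files written by `oscap xccdf eval --results`.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: host name and rule ids are made up for illustration.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_org.example_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_sysctl_ip_forward" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xml_text):
    """Return one summary dict per TestResult: target, outcome counts, failed rules."""
    root = ET.fromstring(xml_text)
    summaries = []
    # iter() also yields the root, so a bare <TestResult> document works too.
    for tr in root.iter("{%s}TestResult" % NS["x"]):
        counts, failed = Counter(), []
        for rr in tr.findall("x:rule-result", NS):
            outcome = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
            counts[outcome] += 1
            if outcome == "fail":
                failed.append((rr.get("idref"), rr.get("severity", "unknown")))
        # Highest severity first so the report leads with what matters most.
        order = {"high": 0, "medium": 1, "low": 2}
        failed.sort(key=lambda f: (order.get(f[1], 3), f[0]))
        summaries.append({
            "target": tr.findtext("x:target", default="unknown", namespaces=NS),
            "counts": dict(counts),
            "failed": failed,
        })
    return summaries

if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
```

Outcomes other than `pass` and `fail` (such as `notselected` or `error`) are counted but not listed as failures, so an `error` count above zero is worth checking separately.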

------
theossuary
Biggest issue I've had with OpenSCAP is Amazon Linux doesn't support it,
which sucks. Keep in mind if you do a lot in AWS.

~~~
mboelen
Did you try Lynis as an alternative?

