Arch Linux BasedManjaro

How To Install OpenSCAP on Manjaro

Install OpenSCAP on Manjaro

OpenSCAP stands as one of the most comprehensive open-source security compliance and vulnerability scanning tools available for Linux systems. For Manjaro users concerned about security compliance and vulnerability assessment, implementing OpenSCAP provides a robust framework for maintaining system integrity. This guide explores the complete process of installing, configuring, and utilizing OpenSCAP on Manjaro Linux to enhance your system’s security posture through automated scanning and compliance checking.

Table of Contents

Introduction

In today’s increasingly complex digital threat landscape, security compliance and vulnerability scanning have become essential practices for maintaining system integrity. OpenSCAP (Open Security Content Automation Protocol) represents a powerful, standardized approach to automating security assessments on Linux systems. As a NIST-certified framework, OpenSCAP enables users to scan their systems against established security benchmarks and identify potential vulnerabilities before they can be exploited.

Manjaro Linux users can leverage OpenSCAP to implement systematic security scanning practices, ensuring their systems adhere to recognized security standards and best practices. Whether you’re managing personal workstations or enterprise servers, OpenSCAP provides the tools necessary to evaluate your security posture against industry-standard compliance frameworks.

This comprehensive guide walks through the complete process of installing, configuring, and utilizing OpenSCAP on Manjaro Linux, empowering you to implement professional-grade security scanning practices on your system.

Understanding OpenSCAP and Its Importance

OpenSCAP represents an open-source implementation of the Security Content Automation Protocol (SCAP) framework developed to standardize security assessment and vulnerability management across systems. At its core, OpenSCAP helps organizations automate security compliance checking while providing detailed reports on potential vulnerabilities and compliance issues.

The framework supports multiple SCAP standards (versions 1.0 through 1.3) and integrates several key security components:

  • Common Vulnerabilities and Exposures (CVE)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Common Vulnerability Scoring System (CVSS)

OpenSCAP carries significant importance in the Linux security ecosystem because it provides:

  1. Standardized Security Assessment: OpenSCAP implements standardized methods for security evaluation based on recognized frameworks like CIS benchmarks and DISA STIGs.
  2. Automated Compliance Checking: Rather than manually verifying hundreds of security settings, OpenSCAP automatically scans systems against predefined security policies.
  3. Comprehensive Reporting: After scanning, OpenSCAP generates detailed reports highlighting vulnerabilities, misconfigurations, and compliance issues with remediation guidance.
  4. Policy Enforcement: Beyond identification, OpenSCAP can help enforce security policies consistently across systems.

For Manjaro Linux users, implementing OpenSCAP delivers crucial security benefits, particularly for systems handling sensitive information or requiring compliance with specific security frameworks. The tool’s ability to perform thorough security assessments makes it invaluable for sysadmins focused on maintaining robust security postures.

Prerequisites for Installation

Before installing OpenSCAP on your Manjaro system, ensure you meet the following requirements to guarantee a smooth installation and optimal performance:

System Requirements:

  • Manjaro Linux (latest stable version recommended)
  • Minimum 2GB RAM (4GB+ recommended for scanning larger systems)
  • At least 20GB free disk space for installation and scan reports
  • Active internet connection for package downloads

Permission Requirements:

  • Root access or sudo privileges on your Manjaro system
  • Appropriate file system permissions to scan system directories

Preparatory Steps:

  1. Update your Manjaro system to ensure all packages are current:
    sudo pacman -Syu
  2. Verify your system architecture to select appropriate packages:
    uname -m
  3. Create a backup of important system files before proceeding with security tools installation:
    sudo timeshift --create --comments "Before OpenSCAP installation"
  4. Ensure sufficient disk space is available:
    df -h /

Meeting these prerequisites ensures your Manjaro system is properly prepared for OpenSCAP installation and prevents potential issues during the setup process. A fully updated system with sufficient resources provides the optimal foundation for security scanning operations.

OpenSCAP Components Overview

OpenSCAP consists of several integrated components that work together to provide comprehensive security assessment capabilities. Understanding these components is crucial for effectively implementing and utilizing OpenSCAP on your Manjaro system.

  • OpenSCAP Scanner (oscap):
    The core component is the oscap command-line tool, which serves as the primary interface for conducting security scans. This NIST-certified scanner evaluates your system against security policies and generates detailed reports. The scanner interprets SCAP content and applies the specified checks to your system configuration and files.
  • SCAP Security Guide:
    This component provides the actual security policies and benchmarks used during scans. The SCAP Security Guide contains machine-readable security policies covering various areas of computer security and implements guidance from respected authorities like PCI DSS, STIG, and USGCB. These policies are transformed into formats that OpenSCAP can interpret and apply to your system.
  • SCAP Workbench:
    For users who prefer graphical interfaces, SCAP Workbench provides a GUI alternative to the command-line scanner. It simplifies the scanning process through an intuitive interface while still leveraging the powerful OpenSCAP scanning engine underneath.
  • OpenSCAP Libraries:
    These libraries form the foundation of the OpenSCAP ecosystem, providing the necessary functionality for parsing and processing SCAP content. They enable integration with other security tools and custom implementations.
  • OpenSCAP Daemon (optional):
    For automated scanning, the OpenSCAP Daemon runs as a background service, ensuring your systems are regularly evaluated according to specified schedules. This component is particularly valuable for maintaining continuous security compliance.

On Manjaro Linux, these components are organized in a structured file hierarchy:

  • Security policies are typically stored in /usr/share/xml/scap
  • Configuration files reside in /etc/openscap
  • Executable tools are placed in standard binary directories like /usr/bin

Understanding how these components interact is essential for effectively implementing OpenSCAP in your security workflow. The modular nature of OpenSCAP allows you to start with basic scanning capabilities and gradually implement more advanced features as your security needs evolve.

Installation Methods Comparison

Before proceeding with installation, it’s important to understand the different methods available for installing OpenSCAP on Manjaro Linux, each with distinct advantages and considerations.

Using Pacman (Official Repositories):

  • Advantages: Simplest method with automatic dependency resolution, official packages maintained by Manjaro team, seamless updates through system update process
  • Disadvantages: May not always have the latest OpenSCAP version immediately after release
  • Best for: Most users who prioritize stability and ease of maintenance
  • Command example: sudo pacman -S openscap

Installing from AUR (Arch User Repository):

  • Advantages: Access to the latest versions, potentially more features, community-maintained packages
  • Disadvantages: Requires more manual steps or AUR helper, packages may occasionally break with system updates, less officially supported
  • Best for: Users who need cutting-edge features or specific versions not in official repositories
  • Command example with helper: yay -S openscap-git

Manual Compilation from Source:

  • Advantages: Complete control over build options, access to unreleased features, ability to apply custom patches
  • Disadvantages: Most complex method, requires development tools, manual dependency management, no automatic updates
  • Best for: Advanced users with specific customization needs or developers
  • Process overview: Download source code, resolve dependencies, configure with custom options, compile, and install

For most Manjaro users, the official repository method (pacman) offers the best balance between ease of use and stability. This approach ensures that OpenSCAP integrates smoothly with the rest of your system and receives regular updates through the standard system update process.

The AUR installation method provides a good middle ground when you need newer features not yet available in the official repositories. If using this method, consider using an AUR helper like yay or pamac to simplify the process.

Manual compilation should generally be reserved for advanced users with specific requirements or those contributing to OpenSCAP development. While offering maximum flexibility, it requires significantly more expertise and ongoing maintenance effort.

Installing OpenSCAP via Pacman

The most straightforward method to install OpenSCAP on Manjaro is through the pacman package manager, which provides access to officially maintained packages. This approach ensures compatibility with your system and streamlines the installation process.

Follow these detailed steps to install OpenSCAP using pacman:

  1. Update Package Database

First, ensure your package database is up-to-date:

sudo pacman -Syy

This command synchronizes the package databases to get information about the latest available packages.

  1. Install Core OpenSCAP Package

Install the main OpenSCAP scanner and libraries:

sudo pacman -S openscap

This command installs the core OpenSCAP components, including the oscap command-line tool and the necessary libraries.

  1. Install Auxiliary Tools

For additional utilities and the SCAP Security Guide:

sudo pacman -S openscap-utils scap-security-guide

The openscap-utils package provides additional tools for working with SCAP content, while the scap-security-guide package contains predefined security policies and benchmarks.

  1. Verify Installation

After installation, verify that OpenSCAP has been installed correctly:

oscap --version

This command should display the installed version of OpenSCAP, supported specifications, built-in CPE names, and supported OVAL objects.

  1. Handle Common Installation Issues

If you encounter errors during installation, try the following:

  • For dependency resolution issues: sudo pacman -Syu to fully upgrade your system before attempting installation again
  • For file conflicts: sudo pacman -S --overwrite "*" openscap to force overwriting conflicting files
  • For permission errors: Ensure you’re using sudo or have proper permissions
  1. Initial Configuration

After successful installation, perform these initial configuration steps:

# Create directory for custom policies (optional)
sudo mkdir -p /etc/openscap/policies

# Set appropriate permissions
sudo chmod 755 /etc/openscap/policies

Installing via pacman provides the advantage of simplified updates through your regular system update process. When new versions of OpenSCAP become available in the Manjaro repositories, you can update them along with your other system packages using sudo pacman -Syu.

Installing OpenSCAP from AUR

For Manjaro users who need the latest OpenSCAP features or versions not yet available in the official repositories, the Arch User Repository (AUR) provides an alternative installation method. This approach requires a few additional steps but offers access to community-maintained packages.

Using AUR Helpers

The simplest way to install OpenSCAP from AUR is through an AUR helper like yay or pamac:

  1. Install an AUR Helper (if not already installed)

If you don’t have an AUR helper installed, you can install yay:

sudo pacman -S git base-devel
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
  1. Install OpenSCAP Packages

Once you have an AUR helper:

# Using yay
yay -S openscap-git

# Alternative: Using pamac (GUI option in Manjaro)
pamac build openscap-git
  1. Install Additional Components
yay -S scap-security-guide-git openscap-daemon-git

Manual AUR Installation

For users who prefer not to use AUR helpers, here’s how to manually install OpenSCAP from AUR:

  1. Prepare Build Environment
sudo pacman -S git base-devel
  1. Clone the Package Repository
git clone https://aur.archlinux.org/openscap.git
cd openscap
  1. Build and Install the Package
makepkg -si
  1. Handle Dependencies

The -s flag in the above command will attempt to resolve dependencies automatically. If any dependencies are also from AUR, you’ll need to install them separately using the same process.

  1. Verification

After installation, verify that OpenSCAP has been installed correctly:

oscap --version

Troubleshooting AUR Installation Issues

If you encounter problems during AUR installation:

  • Build Failures: Check the build output for specific errors. Common issues include missing dependencies or compilation errors.
  • Missing Dependencies: Install any manually identified dependencies with sudo pacman -S [dependency-name] or through AUR if they’re not in official repositories.
  • Signature Verification Issues: Update your keyring with sudo pacman-key --refresh-keys
  • Compilation Errors: Look for package-specific patches or modifications needed for compatibility with your system.

Installing from AUR provides the advantage of access to the latest OpenSCAP versions but requires more manual maintenance. When using packages from AUR, you’ll need to periodically check for updates using your AUR helper or by manually rebuilding the packages from updated sources.

Installing SCAP Security Guide

The SCAP Security Guide (SSG) is a critical component that provides the security policies and benchmarks needed for OpenSCAP to perform meaningful scans. While the basic installation steps covered earlier include the SSG package, this section provides a more detailed look at installing and utilizing this essential component.

Standard Installation

On Manjaro, you can install the SCAP Security Guide through the official repositories:

sudo pacman -S scap-security-guide

This package contains security policies for various platforms in the form of XCCDF, OVAL, and datastream documents.

Alternative Installation Methods

If you need a more recent version than what’s available in the repositories:

  1. From AUR:
    yay -S scap-security-guide-git
  2. From GitHub releases:
    # Download the latest release
    curl -LO https://github.com/ComplianceAsCode/content/releases/download/v0.1.XX/scap-security-guide-0.1.XX.zip
    
    # Extract the archive
    unzip scap-security-guide-0.1.XX.zip -d scap-security-guide
    
    # Move to appropriate location
    sudo mkdir -p /usr/share/xml/scap/ssg/content/
    sudo cp scap-security-guide/ssg-*.xml /usr/share/xml/scap/ssg/content/

Exploring Installed Security Policies

After installation, the security content is typically located in /usr/share/xml/scap/ssg/content/. To explore the available security policies:

ls -la /usr/share/xml/scap/ssg/content/

The files with names ending in -ds.xml are datastreams that contain complete security policies suitable for scanning.

Verifying Policy Installation

To verify that the security policies are correctly installed and accessible:

# List available datastreams
find /usr/share/xml/scap/ssg/content/ -name "*-ds.xml"

# Check a specific datastream
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

This command will display information about the available profiles within the datastream, confirming that OpenSCAP can properly read the content.

Customizing for Manjaro

Since specific Manjaro policies might not be available in the standard packages, you may need to use policies designed for similar distributions. For example:

  1. Copy an existing policy as a template:
    sudo cp /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/custom-manjaro-ds.xml
  2. Edit the policy to customize it for Manjaro-specific requirements:
    sudo nano /etc/openscap/policies/custom-manjaro-ds.xml

The SCAP Security Guide forms the cornerstone of your security compliance scanning capability. By properly installing and configuring these security policies, you ensure that OpenSCAP has the necessary benchmarks to effectively evaluate your Manjaro system against industry-standard security practices.

Setting Up SCAP Workbench (Optional)

SCAP Workbench provides a graphical user interface for OpenSCAP, making it easier to configure and run security scans for users who prefer GUI tools over command-line operations. While optional, it significantly simplifies the scanning process for many users.

Installation Process

To install SCAP Workbench on Manjaro:

  1. Install from Official Repositories:
    sudo pacman -S scap-workbench
  2. Alternative: Install from AUR if not available in repositories:
    yay -S scap-workbench

Initial Configuration

After installation, you’ll want to configure SCAP Workbench to work efficiently with your system:

  1. Launch SCAP Workbench:
    scap-workbench
  2. First-time Setup:
    When you first launch SCAP Workbench, it should automatically detect the installed SCAP content in the standard locations. If not, you’ll need to manually specify the path to your security content.
  3. Configure Default Options:
    • Navigate to Edit → Preferences
    • Set your preferred report output directory
    • Configure scanning options according to your needs
    • Adjust resource usage settings if necessary

Connecting to Security Content

SCAP Workbench needs to access security content to perform scans:

  1. Using Bundled Content:
    By default, SCAP Workbench should detect and offer the security content installed via the scap-security-guide package.
  2. Custom Content:
    To use custom security content:

    • Click “Open Other Content”
    • Navigate to your custom datastream file
    • Select the file and click “Open”

Basic UI Navigation

Understanding the SCAP Workbench interface:

  • Profile Selection: The dropdown menu in the top section allows you to choose a security profile
  • Target Selection: Choose between scanning the local system or a remote system
  • Tailoring: Modify the selected profile to customize which rules are applied
  • Scan Button: Initiates the security scan with the selected profile and target
  • Results: After scanning, results are displayed and can be saved as reports

Troubleshooting Installation Issues

If you encounter problems with SCAP Workbench:

  • Missing Dependencies: Install any reported missing dependencies with sudo pacman -S [package-name]
  • Display Issues: Ensure your X server is properly configured
  • Content Not Found: Verify that security content is correctly installed in /usr/share/xml/scap/ssg/content/
  • Permission Problems: Run with sudo if scanning requires system-wide access: sudo scap-workbench

SCAP Workbench significantly lowers the barrier to entry for users new to security compliance scanning. Its intuitive interface makes it possible to run complex security assessments with minimal command-line knowledge while still leveraging the powerful OpenSCAP engine underneath. For many desktop Manjaro users, this graphical approach offers the ideal balance between capability and usability.

Configuring OpenSCAP

After installing OpenSCAP and its components on your Manjaro system, proper configuration is essential to ensure effective security scanning. This section covers the key configuration steps and settings to optimize OpenSCAP for your specific requirements.

Post-Installation Configuration

  1. Create Configuration Directory Structure:
    sudo mkdir -p /etc/openscap/{policies,results,reports}
    sudo chmod 755 /etc/openscap
    sudo chmod 700 /etc/openscap/results
  2. Set Up Default Profile Location:
    Create a configuration file to specify the default location for security profiles:

    sudo nano /etc/openscap/config.ini

    Add the following content:

    [OpenSCAP]
    ContentPath=/usr/share/xml/scap/ssg/content/
    ResultsPath=/etc/openscap/results/
    ReportsPath=/etc/openscap/reports/

Important Configuration Files

OpenSCAP utilizes several key configuration files:

  • /etc/openscap/config.ini: Main configuration file (created above)
  • /usr/share/xml/scap/ssg/content/*.xml: Security policy files
  • /etc/openscap/policies/: Location for custom policies

Setting Up Default Profiles

To configure a default security profile for regular use:

  1. Identify an appropriate profile:
    oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  2. Create a symbolic link to your preferred profile:
    sudo ln -s /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/default-policy.xml
  3. Create a default profile configuration:
    sudo nano /etc/openscap/default-profile.conf

    Add your preferred profile ID:

    xccdf_org.ssgproject.content_profile_standard

Configuring Scan Preferences

To customize how OpenSCAP performs scans:

  1. Create a scan configuration file:
    sudo nano /etc/openscap/scan.conf
  2. Add scan preferences:
    [Scan]
    Thoroughness=high
    FetchRemoteResources=false
    OnlineRemediations=false
    TimeoutFactor=1.5

Permission Settings for Security Content

Proper permissions are crucial for security scanning:

# Ensure security content is readable
sudo chmod 644 /usr/share/xml/scap/ssg/content/*.xml

# Protect custom policies
sudo chmod 640 /etc/openscap/policies/*
sudo chown root:root /etc/openscap/policies/*

# Set appropriate permissions for results
sudo chmod 700 /etc/openscap/results
sudo chown root:root /etc/openscap/results

Testing Your Configuration

To verify your configuration is working correctly:

# Test with a simple scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results /etc/openscap/results/test-scan.xml /etc/openscap/policies/default-policy.xml

If the scan runs successfully, your configuration is properly set up. If you encounter errors, review the output for specific configuration issues to address.

Proper configuration of OpenSCAP ensures that security scans run efficiently and produce meaningful results for your specific environment. Taking the time to customize these settings will optimize the scanning process and improve the relevance of security findings for your Manjaro system.

Selecting Security Policies

Choosing the right security policies is a critical step in effectively using OpenSCAP on Manjaro. Security policies define the rules and benchmarks against which your system will be evaluated, directly impacting the relevance and usefulness of scan results.

Locating Available Policies

Security policies in OpenSCAP are stored as XML files, typically in the /usr/share/xml/scap/ssg/content/ directory. To explore available policies:

ls -la /usr/share/xml/scap/ssg/content/

The most important files to look for end with -ds.xml, which indicates they are SCAP datastreams containing complete security content.

Understanding Policy Files and Formats

OpenSCAP uses several file formats for security content:

  • Datastreams (-ds.xml): Comprehensive files containing all components needed for scanning
  • XCCDF (.xccdf.xml): Contains security benchmarks and rules
  • OVAL (.oval.xml): Contains technical checks for vulnerabilities and configurations
  • CPE (.cpe-dictionary.xml): Defines platforms and software to which policies apply

Listing Available Policies

To get detailed information about a specific policy file:

oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

This command displays the policy’s metadata, available profiles, and referenced components.

Selecting Appropriate Policies for Manjaro

Since Manjaro is based on Arch Linux, you may need to adapt policies from similar distributions:

  1. Primary Options:
    • Use Fedora policies for desktop environments
    • Use RHEL/CentOS policies for server configurations
    • Use generic Linux policies when available
  2. Selection Criteria:
    • System role (desktop, server, workstation)
    • Security requirements (basic hardening vs. strict compliance)
    • Specific compliance frameworks needed (PCI DSS, HIPAA, etc.)

For example, to use a Fedora policy on Manjaro:

# View available Fedora policy
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

# Make a copy for customization
sudo cp /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/manjaro-custom.xml

Differences Between Policy Files

Different policy files focus on various aspects of security:

  • ssg-fedora-ds.xml: General-purpose security for Fedora-based systems
  • ssg-rhel?-ds.xml: Enterprise-level security for Red Hat Enterprise Linux
  • ssg-ubuntu?-ds.xml: Security profiles for Ubuntu systems

Custom Policy Considerations

For advanced users, creating custom policies tailored specifically for Manjaro may be beneficial:

  1. Start with an existing policy as a template
  2. Use an XML editor to modify rules that aren’t applicable to Manjaro
  3. Add Manjaro-specific checks for unique system characteristics
  4. Test thoroughly before implementing in production

Selecting the appropriate security policies ensures that your OpenSCAP scans evaluate relevant security aspects of your Manjaro system. While Manjaro-specific policies might not be available by default, adapting policies from similar distributions provides a solid foundation for security assessment.

Choosing Security Profiles

Within each security policy, OpenSCAP offers multiple security profiles that represent different levels of security requirements or specific compliance frameworks. Selecting the appropriate profile is crucial for effective security scanning that aligns with your specific needs.

Listing Available Security Profiles

To see what profiles are available in a specific policy file:

oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

This command will display all profiles contained within the selected policy file, along with their IDs and titles.

Understanding Profile Differences

Security profiles within policies typically differ in several key ways:

  • Security Level: Profiles range from basic security settings to highly restrictive configurations
  • Compliance Framework: Some profiles specifically address compliance with standards like PCI DSS, HIPAA, or DISA STIG
  • System Role: Different profiles may be optimized for workstations, servers, or specialized roles
  • Rule Count: More stringent profiles typically include more security rules

Common profile types you might encounter include:

  • Standard: Balanced security suitable for general use
  • Server: Optimized for server deployments with network services
  • Workstation: Focused on desktop security with user productivity in mind
  • Common Criteria: Aligned with international security certification requirements
  • PCI-DSS: Specifically designed to support Payment Card Industry Data Security Standard compliance

Using the Profile Selection Command

To view detailed information about profiles, use the oscap info command with the --profiles option:

oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Selecting Profiles Based on Requirements

When choosing a profile, consider:

  1. Security Requirements: What level of security does your system need?
  2. Operational Impact: More stringent profiles may impact system usability
  3. Compliance Needs: Are you required to meet specific regulatory standards?
  4. Resource Constraints: More comprehensive profiles require more resources to scan

For example, if you’re setting up a Manjaro workstation that handles sensitive data, you might choose a profile that balances usability with strong security controls:

# Example of selecting a balanced profile for scanning
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Customizing Profiles for Specific Needs

For cases where existing profiles don’t perfectly match your requirements:

  1. Profile Tailoring:
    oscap xccdf generate-profile --tailoring-file my-tailoring.xml --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  2. Edit the tailoring file to include or exclude specific rules
  3. Apply the tailored profile:
    oscap xccdf eval --tailoring-file my-tailoring.xml --profile xccdf_org.ssgproject.content_profile_standard-tailored --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Selecting the right security profile is a balance between security requirements and operational needs. By understanding the differences between profiles and matching them to your specific use case, you can ensure that OpenSCAP provides meaningful security assessments for your Manjaro system.

Running Your First Scan

After installing and configuring OpenSCAP, it’s time to perform your first security scan. This section guides you through the process of executing a basic scan and understanding the command structure.

Basic Scan Command Syntax

The fundamental command for running an OpenSCAP scan follows this structure:

oscap xccdf eval --profile [profile_id] --results [results_file.xml] --report [report_file.html] [policy_file.xml]

Each component serves a specific purpose:

  • oscap xccdf eval: Invokes the OpenSCAP evaluator for XCCDF content
  • --profile [profile_id]: Specifies which security profile to use
  • --results [results_file.xml]: Defines where to save the detailed XML results
  • --report [report_file.html]: Defines where to save the human-readable HTML report
  • [policy_file.xml]: The security policy datastream to use for the scan

Example Command

Here’s an example command to run a scan using the standard profile from a Fedora security policy (which can be adapted for Manjaro):

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results ~/openscap-results.xml --report ~/openscap-report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Note that you can use a shortened profile name by providing just the profile suffix instead of the full ID:

sudo oscap xccdf eval --profile standard --results ~/openscap-results.xml --report ~/openscap-report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Controlling Verbosity Levels

You can adjust the amount of information displayed during scanning:

# Minimal output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --quiet /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

# Verbose output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --verbose INFO /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

# Debug output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --verbose DEBUG /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Scan Duration Expectations

The time required to complete a scan depends on several factors:

  • System resources (CPU, memory, disk speed)
  • Profile complexity (number of rules to evaluate)
  • System complexity (number of installed packages and services)

A typical scan on a moderately powered system might take between 5-30 minutes for comprehensive profiles. Basic profiles may complete in just a few minutes.

Handling Scan Interruptions

If a scan is interrupted, you can resume it using the checkpoint feature:

# Initial scan with checkpoint
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

# Resume interrupted scan
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint-restore checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

During your first scan, you’ll see real-time feedback in the terminal showing which rules are being evaluated and their pass/fail status. Once the scan completes, detailed results will be available in both the XML results file and the HTML report.

Running your first OpenSCAP scan is an important milestone in implementing security compliance checking on your Manjaro system. The scan results will provide valuable insights into your system’s security posture and highlight areas that may need attention to improve security and compliance.

Understanding Scan Results

After completing an OpenSCAP scan, interpreting the results is crucial for understanding your system’s security posture and addressing potential vulnerabilities. This section explains how to analyze and make the most of the scan reports.

Interpreting XML and HTML Reports

OpenSCAP generates two primary types of reports:

  1. XML Results File: Contains comprehensive machine-readable data about the scan
    • Structured format suitable for automated processing
    • Contains detailed technical information about each rule check
    • Can be imported into other security management systems
  2. HTML Report: Provides a human-readable summary of findings
    • Visually presents pass/fail results with color coding
    • Offers filtering options to focus on specific types of results
    • Includes detailed descriptions and remediation advice

To view the HTML report:

firefox report.html

Analyzing Pass/Fail Results

The report categorizes findings into several result types:

  • Pass: The system complies with this security rule
  • Fail: The system does not comply with this rule
  • Error: The check could not be completed due to technical issues
  • Not Applicable: The rule doesn’t apply to your system
  • Not Checked: The rule was skipped during scanning
  • Not Selected: The rule was not included in the selected profile

Focus first on the “Fail” results, as these represent non-compliant areas that may require remediation.

Prioritizing Vulnerabilities by Severity

OpenSCAP assigns severity levels to help prioritize remediation efforts:

  • High: Critical security issues requiring immediate attention
  • Medium: Important security issues that should be addressed soon
  • Low: Less critical issues that represent best practices

In the HTML report, you can filter results by severity to focus on the most critical findings first.

Understanding Remediation Recommendations

For each failed check, the report provides:

  1. Rule Description: Explains the security requirement
  2. Rationale: Provides the security reasoning behind the rule
  3. Detection Details: Shows specific findings that caused the failure
  4. Remediation Instructions: Step-by-step guidance to resolve the issue

Some reports also include machine-readable remediation instructions that can be used to automatically fix issues.

Exporting Results to Different Formats

Besides the default XML and HTML formats, you can export results to other formats:

# Convert results to CSV format
oscap xccdf generate report --output report.csv results.xml

# Generate a results summary
oscap xccdf generate report-summary --output summary.txt results.xml

Sharing Reports with Stakeholders

When sharing reports with team members or management:

  1. Focus on the HTML report for non-technical stakeholders
  2. Create executive summaries highlighting key statistics:
    • Overall compliance percentage
    • Number of high/medium/low findings
    • Areas requiring immediate attention
  3. Redact sensitive information if sharing outside trusted teams

Understanding scan results enables you to make informed decisions about security improvements. By prioritizing findings based on severity and focusing on actionable remediation steps, you can systematically enhance your Manjaro system’s security posture and address compliance requirements efficiently.

Automating Security Scans

Implementing regular, automated security scans ensures continuous monitoring of your Manjaro system’s security posture. This section covers methods to automate OpenSCAP scans using systemd timers, cron jobs, and bash scripts.

Creating Systemd Timers for Regular Scans

Systemd timers provide a modern, flexible way to schedule regular security scans:

  1. Create a service file:
    sudo nano /etc/systemd/system/openscap-scan.service

    Add the following content:

    [Unit]
    Description=OpenSCAP Security Compliance Scan
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/oscap xccdf eval --profile standard --results /var/log/openscap/results-$(date +%%Y-%%m-%%d).xml --report /var/log/openscap/report-$(date +%%Y-%%m-%%d).html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
    User=root
    
    [Install]
    WantedBy=multi-user.target
  2. Create a timer file:
    sudo nano /etc/systemd/system/openscap-scan.timer

    Add the following content:

    [Unit]
    Description=Run OpenSCAP scan weekly
    
    [Timer]
    OnCalendar=Sun 02:00:00
    Persistent=true
    RandomizedDelaySec=3600
    
    [Install]
    WantedBy=timers.target
  3. Create the log directory:
    sudo mkdir -p /var/log/openscap
  4. Enable and start the timer:
    sudo systemctl enable openscap-scan.timer
    sudo systemctl start openscap-scan.timer

Cron Job Configuration Examples

For systems where you prefer using traditional cron jobs:

  1. Create a script for the scan:
    sudo nano /usr/local/bin/openscap-scan.sh

    Add the following content:

    #!/bin/bash
    DATESTAMP=$(date +%Y-%m-%d)
    LOG_DIR="/var/log/openscap"
    mkdir -p "$LOG_DIR"
    
    oscap xccdf eval --profile standard \
      --results "$LOG_DIR/results-$DATESTAMP.xml" \
      --report "$LOG_DIR/report-$DATESTAMP.html" \
      /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
    
    # Keep only the last 10 reports
    cd "$LOG_DIR" && ls -t results-*.xml | tail -n +11 | xargs rm -f
    cd "$LOG_DIR" && ls -t report-*.html | tail -n +11 | xargs rm -f
  2. Make the script executable:
    sudo chmod +x /usr/local/bin/openscap-scan.sh
  3. Add a cron job:
    sudo crontab -e

    Add this line to run weekly at 2 AM on Sunday:

    0 2 * * 0 /usr/local/bin/openscap-scan.sh > /var/log/openscap/scan.log 2>&1

Bash Scripts for Automated Scanning

A more sophisticated bash script can provide additional functionality:

sudo nano /usr/local/bin/enhanced-openscap-scan.sh

Content for enhanced script:

#!/bin/bash

# Configuration
DATESTAMP=$(date +%Y-%m-%d-%H%M)
LOG_DIR="/var/log/openscap"
RETENTION_DAYS=30
EMAIL_RECIPIENT="admin@example.com"
PROFILE="standard"
POLICY="/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml"

# Create log directory
mkdir -p "$LOG_DIR"

# Run the scan
echo "Starting OpenSCAP scan at $(date)"
oscap xccdf eval --profile "$PROFILE" \
  --results "$LOG_DIR/results-$DATESTAMP.xml" \
  --report "$LOG_DIR/report-$DATESTAMP.html" \
  "$POLICY"
SCAN_STATUS=$?

# Generate summary
FAILED=$(grep -c 'result="fail"' "$LOG_DIR/results-$DATESTAMP.xml")
PASSED=$(grep -c 'result="pass"' "$LOG_DIR/results-$DATESTAMP.xml")
TOTAL=$((FAILED + PASSED))
COMPLIANCE=$(( (PASSED * 100) / TOTAL ))

# Log summary
echo "Scan completed at $(date)" > "$LOG_DIR/summary-$DATESTAMP.txt"
echo "Compliance: $COMPLIANCE% ($PASSED/$TOTAL rules passed)" >> "$LOG_DIR/summary-$DATESTAMP.txt"
echo "Failed rules: $FAILED" >> "$LOG_DIR/summary-$DATESTAMP.txt"

# Send notification
if [ $SCAN_STATUS -eq 0 ]; then
  echo "OpenSCAP scan completed. Compliance: $COMPLIANCE%" | mail -s "OpenSCAP Scan Results" -a "$LOG_DIR/report-$DATESTAMP.html" "$EMAIL_RECIPIENT"
else
  echo "OpenSCAP scan failed with status $SCAN_STATUS" | mail -s "OpenSCAP Scan Failed" "$EMAIL_RECIPIENT"
fi

# Clean old reports
find "$LOG_DIR" -name "results-*.xml" -mtime +$RETENTION_DAYS -delete
find "$LOG_DIR" -name "report-*.html" -mtime +$RETENTION_DAYS -delete
find "$LOG_DIR" -name "summary-*.txt" -mtime +$RETENTION_DAYS -delete

exit $SCAN_STATUS

Setting Up Result Logging

To ensure scan results are properly logged:

sudo mkdir -p /var/log/openscap
sudo chown root:root /var/log/openscap
sudo chmod 750 /var/log/openscap

# Create a logrotate config
sudo nano /etc/logrotate.d/openscap

Add the following content:

/var/log/openscap/*.log {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
}

Notification Setup for Failed Compliance

To be alerted when compliance issues are detected:

  1. Install mail utilities:
    sudo pacman -S s-nail
  2. Modify your automated script to send notifications:
    Add conditional email alerts based on scan results, as demonstrated in the enhanced script above.

Automating OpenSCAP scans ensures consistent security monitoring without manual intervention. Whether using systemd timers, cron jobs, or custom scripts, regular automated scanning helps maintain ongoing security compliance and quickly identifies new vulnerabilities as they emerge.

Remediation Techniques

After identifying security issues through OpenSCAP scans, the critical next step is remediation-addressing the vulnerabilities and compliance gaps to improve your system’s security posture. This section covers effective approaches to remediation using both automated and manual techniques.

Using OpenSCAP-Generated Remediation Scripts

OpenSCAP can generate remediation scripts that automatically fix identified issues:

  1. Generate a remediation script:
    oscap xccdf generate fix --fix-type bash --output remediation.sh --result-id "" results.xml
  2. Review the generated script:
    less remediation.sh
  3. Apply the remediation (after careful review):
    sudo bash remediation.sh

It’s essential to thoroughly review any auto-generated remediation script before execution, as some changes may impact system functionality.

Manual Remediation Approaches

For more controlled remediation or when automated scripts aren’t available:

  1. Prioritize findings based on severity and business impact
  2. Create a remediation plan that addresses high-priority issues first
  3. For each finding:
    • Review the detailed description in the HTML report
    • Follow the provided remediation guidance
    • Document changes made to the system
    • Test system functionality after changes

Example of manual remediation for a common finding (weak SSH configuration):

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Make the recommended changes
# Example: Disable root login
# Change: #PermitRootLogin yes
# To: PermitRootLogin no

# Save and restart the SSH service
sudo systemctl restart sshd

Verifying Fixes with Follow-Up Scans

After applying remediation measures, it’s crucial to verify their effectiveness:

  1. Run a focused scan on the remediated areas:
    sudo oscap xccdf eval --profile standard --rule rule-id --results verification.xml --report verification.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  2. Compare before and after results:
    oscap xccdf generate result-difference --old results-before.xml --new verification.xml
  3. Document changes and update your security baseline

Documenting Remediation Steps

Maintain comprehensive documentation of remediation activities:

# Security Remediation Log

## Date: 2025-05-10
## Finding: Weak SSH Password Authentication (rule_id: xccdf_org.ssgproject.content_rule_sshd_disable_root_login)
## Severity: High

### Actions Taken:
1. Modified /etc/ssh/sshd_config to disable root login
2. Restarted SSH service
3. Verified configuration change took effect
4. Ran verification scan (passed)

### Notes:
Informed system users about the change. Updated documentation for emergency access procedures.

Handling False Positives

Not all scan findings represent actual security issues:

  1. Identify potential false positives by reviewing the technical context
  2. Document justification for classifying a finding as a false positive
  3. Create exceptions in future scans through profile tailoring:
    oscap xccdf tailor --profile standard --output tailored-profile.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Then modify the tailored profile to exclude the false-positive rule.

Prioritizing Remediation Tasks

When faced with numerous findings, use this approach to prioritization:

  1. Critical severity vulnerabilities with public exploit availability
  2. High severity items affecting public-facing systems
  3. Medium severity items on critical systems
  4. Low severity items and general hardening recommendations

Effective remediation transforms security scanning from a detection exercise into actual security improvements. By systematically addressing findings through a combination of automated and manual techniques, you can significantly enhance your Manjaro system’s security posture over time.

Troubleshooting Common Issues

When working with OpenSCAP on Manjaro, you may encounter various challenges during installation, configuration, or scanning. This section addresses common issues and provides practical solutions to help you overcome these obstacles.

Dependency Resolution Problems

Issue: Missing dependencies during installation or operation.

Solution:

  1. Update package databases and try reinstalling:
    sudo pacman -Syy
    sudo pacman -S openscap openscap-utils
  2. For AUR packages, ensure base-devel is installed:
    sudo pacman -S base-devel
  3. Manually install specific dependencies:
    # Example for XML libraries
    sudo pacman -S libxml2 libxslt
  4. Check for conflicting packages:
    pacman -Qkk openscap

Permission Errors During Scanning

Issue: “Permission denied” errors when running scans.

Solution:

  1. Ensure you’re running the scan with appropriate privileges:
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html /path/to/policy.xml
  2. Check file permissions for content files:
    sudo chmod 644 /usr/share/xml/scap/ssg/content/*.xml
  3. Verify directory permissions for results:
    sudo mkdir -p /var/log/openscap
    sudo chmod 755 /var/log/openscap
  4. If using a custom policy, ensure it has correct permissions:
    sudo chmod 644 /etc/openscap/policies/*.xml

Policy File Not Found Errors

Issue: “Unable to locate policy file” or similar errors.

Solution:

  1. Verify the policy file exists:
    ls -la /usr/share/xml/scap/ssg/content/
  2. Use absolute paths when referencing policy files:
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  3. Install or reinstall the SCAP Security Guide:
    sudo pacman -S scap-security-guide
  4. Check for corrupted files:
    oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Scan Failures and Timeout Issues

Issue: Scans hang, timeout, or fail to complete.

Solution:

  1. Try running with lower verbosity:
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html --quiet /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  2. Use the progress option to monitor scan status:
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  3. Create checkpoints for long scans:
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  4. Check system resources during the scan:
    top -b -n 1 | head -20

Resource Constraint Problems

Issue: System becomes unresponsive during scanning.

Solution:

  1. Run scans during low-usage periods
  2. Use a less intensive profile for resource-constrained systems:
    # List available profiles
    oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
    
    # Choose a lighter profile
    sudo oscap xccdf eval --profile standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
  3. Limit the scope of scans using rule selection:
    sudo oscap xccdf eval --profile standard --rule rule-id1,rule-id2 --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Version Compatibility Issues

Issue: Errors related to incompatible versions between components.

Solution:

  1. Check all component versions:
    oscap --version
    pacman -Qi openscap scap-security-guide
  2. Ensure you have compatible versions of all components:
    sudo pacman -Syu openscap openscap-utils scap-security-guide
  3. If using AUR packages, consider switching to stable repository versions:
    sudo pacman -S openscap openscap-utils
  4. For advanced users, consider installing specific versions:
    # Using downgrade utility
    sudo pacman -S downgrade
    sudo downgrade openscap

By systematically troubleshooting these common issues, you can overcome most obstacles encountered when working with OpenSCAP on Manjaro. Remember to check logs and error messages carefully, as they often provide valuable clues about the specific cause of problems.

Keeping OpenSCAP Updated

Maintaining an up-to-date OpenSCAP installation is crucial for ensuring you have access to the latest security definitions, vulnerability checks, and features. This section covers best practices for updating OpenSCAP and its components on Manjaro Linux.

Updating OpenSCAP Packages with Pacman

For OpenSCAP installed from official repositories, regular updates are simple:

# Update package database and all packages
sudo pacman -Syu

# Update only OpenSCAP packages
sudo pacman -S openscap openscap-utils scap-security-guide

It’s recommended to perform these updates as part of your regular system maintenance schedule. Setting up a recurring reminder to check for updates ensures you don’t miss important security content updates.

Refreshing Security Content Regularly

Security definitions and compliance rules are constantly evolving as new vulnerabilities are discovered and security best practices evolve:

  1. Update SCAP Security Guide content:
    sudo pacman -S scap-security-guide
  2. For custom or additional content, check the respective sources:
    # Example: Checking for updated content from GitHub
    cd ~/scap-content
    git pull origin main
  3. After updates, verify content integrity:
    oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Monitoring for New Security Profiles

Stay informed about new security profiles that might be relevant to your environment:

  1. Check for new profiles after updates:
    oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml > profiles-new.txt
    diff profiles-old.txt profiles-new.txt
  2. Follow security mailing lists and the OpenSCAP community for announcements about new profiles and content
  3. Review release notes for the OpenSCAP packages when updating

Update Frequency Recommendations

For optimal security management, follow these update frequency guidelines:

  • System packages (openscap, utils): Monthly or with regular system updates
  • Security content (scap-security-guide): Biweekly for high-security environments, monthly for general use
  • Custom scripts and automations: Quarterly review and update
  • Security scans: Weekly for critical systems, monthly for general workstations

Version Compatibility Considerations

When updating OpenSCAP components, consider these compatibility factors:

  1. Check component interdependencies before updating individual packages
  2. Test updates in a non-production environment when possible
  3. Review changelog and release notes for potential breaking changes
  4. Consider holding back updates during critical audit periods to maintain consistency

Backup Procedures Before Major Updates

Before significant version updates:

# Backup configuration
sudo cp -r /etc/openscap /etc/openscap.bak-$(date +%Y%m%d)

# Backup custom content
sudo cp -r /usr/local/share/xml/scap /usr/local/share/xml/scap.bak-$(date +%Y%m%d)

# Backup recent results
sudo cp -r /var/log/openscap /var/log/openscap.bak-$(date +%Y%m%d)

By following these update practices, you ensure that your OpenSCAP installation remains current with the latest security definitions and vulnerability checks. Regular updates are a critical component of an effective security compliance program, enabling your Manjaro system to maintain defense against evolving security threats.

Congratulations! You have successfully installed OpenSCAP. Thanks for using this tutorial for installing OpenSCAP on Manjaro Linux system. For additional help or useful information, we recommend you check the official OpenSCAP website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Back to top button