How To Install OpenSCAP on Manjaro
OpenSCAP stands as one of the most comprehensive open-source security compliance and vulnerability scanning tools available for Linux systems. For Manjaro users concerned about security compliance and vulnerability assessment, implementing OpenSCAP provides a robust framework for maintaining system integrity. This guide explores the complete process of installing, configuring, and utilizing OpenSCAP on Manjaro Linux to enhance your system’s security posture through automated scanning and compliance checking.
Introduction
In today’s increasingly complex digital threat landscape, security compliance and vulnerability scanning have become essential practices for maintaining system integrity. OpenSCAP (Open Security Content Automation Protocol) represents a powerful, standardized approach to automating security assessments on Linux systems. As a NIST-certified framework, OpenSCAP enables users to scan their systems against established security benchmarks and identify potential vulnerabilities before they can be exploited.
Manjaro Linux users can leverage OpenSCAP to implement systematic security scanning practices, ensuring their systems adhere to recognized security standards and best practices. Whether you’re managing personal workstations or enterprise servers, OpenSCAP provides the tools necessary to evaluate your security posture against industry-standard compliance frameworks.
This comprehensive guide walks through the complete process of installing, configuring, and utilizing OpenSCAP on Manjaro Linux, empowering you to implement professional-grade security scanning practices on your system.
Understanding OpenSCAP and Its Importance
OpenSCAP represents an open-source implementation of the Security Content Automation Protocol (SCAP) framework developed to standardize security assessment and vulnerability management across systems. At its core, OpenSCAP helps organizations automate security compliance checking while providing detailed reports on potential vulnerabilities and compliance issues.
The framework supports multiple SCAP standards (versions 1.0 through 1.3) and integrates several key security components:
- Common Vulnerabilities and Exposures (CVE)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerability Scoring System (CVSS)
OpenSCAP carries significant importance in the Linux security ecosystem because it provides:
- Standardized Security Assessment: OpenSCAP implements standardized methods for security evaluation based on recognized frameworks like CIS benchmarks and DISA STIGs.
- Automated Compliance Checking: Rather than manually verifying hundreds of security settings, OpenSCAP automatically scans systems against predefined security policies.
- Comprehensive Reporting: After scanning, OpenSCAP generates detailed reports highlighting vulnerabilities, misconfigurations, and compliance issues with remediation guidance.
- Policy Enforcement: Beyond identification, OpenSCAP can help enforce security policies consistently across systems.
For Manjaro Linux users, implementing OpenSCAP delivers crucial security benefits, particularly for systems handling sensitive information or requiring compliance with specific security frameworks. The tool’s ability to perform thorough security assessments makes it invaluable for sysadmins focused on maintaining robust security postures.
Prerequisites for Installation
Before installing OpenSCAP on your Manjaro system, ensure you meet the following requirements to guarantee a smooth installation and optimal performance:
System Requirements:
- Manjaro Linux (latest stable version recommended)
- Minimum 2GB RAM (4GB+ recommended for scanning larger systems)
- At least 20GB free disk space for installation and scan reports
- Active internet connection for package downloads
Permission Requirements:
- Root access or sudo privileges on your Manjaro system
- Appropriate file system permissions to scan system directories
Preparatory Steps:
- Update your Manjaro system to ensure all packages are current:
sudo pacman -Syu
- Verify your system architecture to select appropriate packages:
uname -m
- Create a backup of important system files before proceeding with security tools installation:
sudo timeshift --create --comments "Before OpenSCAP installation"
- Ensure sufficient disk space is available:
df -h /
Meeting these prerequisites ensures your Manjaro system is properly prepared for OpenSCAP installation and prevents potential issues during the setup process. A fully updated system with sufficient resources provides the optimal foundation for security scanning operations.
OpenSCAP Components Overview
OpenSCAP consists of several integrated components that work together to provide comprehensive security assessment capabilities. Understanding these components is crucial for effectively implementing and utilizing OpenSCAP on your Manjaro system.
- OpenSCAP Scanner (oscap):
The core component is theoscap
command-line tool, which serves as the primary interface for conducting security scans. This NIST-certified scanner evaluates your system against security policies and generates detailed reports. The scanner interprets SCAP content and applies the specified checks to your system configuration and files. - SCAP Security Guide:
This component provides the actual security policies and benchmarks used during scans. The SCAP Security Guide contains machine-readable security policies covering various areas of computer security and implements guidance from respected authorities like PCI DSS, STIG, and USGCB. These policies are transformed into formats that OpenSCAP can interpret and apply to your system. - SCAP Workbench:
For users who prefer graphical interfaces, SCAP Workbench provides a GUI alternative to the command-line scanner. It simplifies the scanning process through an intuitive interface while still leveraging the powerful OpenSCAP scanning engine underneath. - OpenSCAP Libraries:
These libraries form the foundation of the OpenSCAP ecosystem, providing the necessary functionality for parsing and processing SCAP content. They enable integration with other security tools and custom implementations. - OpenSCAP Daemon (optional):
For automated scanning, the OpenSCAP Daemon runs as a background service, ensuring your systems are regularly evaluated according to specified schedules. This component is particularly valuable for maintaining continuous security compliance.
On Manjaro Linux, these components are organized in a structured file hierarchy:
- Security policies are typically stored in
/usr/share/xml/scap
- Configuration files reside in
/etc/openscap
- Executable tools are placed in standard binary directories like
/usr/bin
Understanding how these components interact is essential for effectively implementing OpenSCAP in your security workflow. The modular nature of OpenSCAP allows you to start with basic scanning capabilities and gradually implement more advanced features as your security needs evolve.
Installation Methods Comparison
Before proceeding with installation, it’s important to understand the different methods available for installing OpenSCAP on Manjaro Linux, each with distinct advantages and considerations.
Using Pacman (Official Repositories):
- Advantages: Simplest method with automatic dependency resolution, official packages maintained by Manjaro team, seamless updates through system update process
- Disadvantages: May not always have the latest OpenSCAP version immediately after release
- Best for: Most users who prioritize stability and ease of maintenance
- Command example:
sudo pacman -S openscap
Installing from AUR (Arch User Repository):
- Advantages: Access to the latest versions, potentially more features, community-maintained packages
- Disadvantages: Requires more manual steps or AUR helper, packages may occasionally break with system updates, less officially supported
- Best for: Users who need cutting-edge features or specific versions not in official repositories
- Command example with helper:
yay -S openscap-git
Manual Compilation from Source:
- Advantages: Complete control over build options, access to unreleased features, ability to apply custom patches
- Disadvantages: Most complex method, requires development tools, manual dependency management, no automatic updates
- Best for: Advanced users with specific customization needs or developers
- Process overview: Download source code, resolve dependencies, configure with custom options, compile, and install
For most Manjaro users, the official repository method (pacman) offers the best balance between ease of use and stability. This approach ensures that OpenSCAP integrates smoothly with the rest of your system and receives regular updates through the standard system update process.
The AUR installation method provides a good middle ground when you need newer features not yet available in the official repositories. If using this method, consider using an AUR helper like yay
or pamac
to simplify the process.
Manual compilation should generally be reserved for advanced users with specific requirements or those contributing to OpenSCAP development. While offering maximum flexibility, it requires significantly more expertise and ongoing maintenance effort.
Installing OpenSCAP via Pacman
The most straightforward method to install OpenSCAP on Manjaro is through the pacman package manager, which provides access to officially maintained packages. This approach ensures compatibility with your system and streamlines the installation process.
Follow these detailed steps to install OpenSCAP using pacman:
- Update Package Database
First, ensure your package database is up-to-date:
sudo pacman -Syy
This command synchronizes the package databases to get information about the latest available packages.
- Install Core OpenSCAP Package
Install the main OpenSCAP scanner and libraries:
sudo pacman -S openscap
This command installs the core OpenSCAP components, including the oscap
command-line tool and the necessary libraries.
- Install Auxiliary Tools
For additional utilities and the SCAP Security Guide:
sudo pacman -S openscap-utils scap-security-guide
The openscap-utils
package provides additional tools for working with SCAP content, while the scap-security-guide
package contains predefined security policies and benchmarks.
- Verify Installation
After installation, verify that OpenSCAP has been installed correctly:
oscap --version
This command should display the installed version of OpenSCAP, supported specifications, built-in CPE names, and supported OVAL objects.
- Handle Common Installation Issues
If you encounter errors during installation, try the following:
- For dependency resolution issues:
sudo pacman -Syu
to fully upgrade your system before attempting installation again - For file conflicts:
sudo pacman -S --overwrite "*" openscap
to force overwriting conflicting files - For permission errors: Ensure you’re using sudo or have proper permissions
- Initial Configuration
After successful installation, perform these initial configuration steps:
# Create directory for custom policies (optional)
sudo mkdir -p /etc/openscap/policies
# Set appropriate permissions
sudo chmod 755 /etc/openscap/policies
Installing via pacman provides the advantage of simplified updates through your regular system update process. When new versions of OpenSCAP become available in the Manjaro repositories, you can update them along with your other system packages using sudo pacman -Syu
.
Installing OpenSCAP from AUR
For Manjaro users who need the latest OpenSCAP features or versions not yet available in the official repositories, the Arch User Repository (AUR) provides an alternative installation method. This approach requires a few additional steps but offers access to community-maintained packages.
Using AUR Helpers
The simplest way to install OpenSCAP from AUR is through an AUR helper like yay
or pamac
:
- Install an AUR Helper (if not already installed)
If you don’t have an AUR helper installed, you can install yay
:
sudo pacman -S git base-devel
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
- Install OpenSCAP Packages
Once you have an AUR helper:
# Using yay
yay -S openscap-git
# Alternative: Using pamac (GUI option in Manjaro)
pamac build openscap-git
- Install Additional Components
yay -S scap-security-guide-git openscap-daemon-git
Manual AUR Installation
For users who prefer not to use AUR helpers, here’s how to manually install OpenSCAP from AUR:
- Prepare Build Environment
sudo pacman -S git base-devel
- Clone the Package Repository
git clone https://aur.archlinux.org/openscap.git
cd openscap
- Build and Install the Package
makepkg -si
- Handle Dependencies
The -s
flag in the above command will attempt to resolve dependencies automatically. If any dependencies are also from AUR, you’ll need to install them separately using the same process.
- Verification
After installation, verify that OpenSCAP has been installed correctly:
oscap --version
Troubleshooting AUR Installation Issues
If you encounter problems during AUR installation:
- Build Failures: Check the build output for specific errors. Common issues include missing dependencies or compilation errors.
- Missing Dependencies: Install any manually identified dependencies with
sudo pacman -S [dependency-name]
or through AUR if they’re not in official repositories. - Signature Verification Issues: Update your keyring with
sudo pacman-key --refresh-keys
- Compilation Errors: Look for package-specific patches or modifications needed for compatibility with your system.
Installing from AUR provides the advantage of access to the latest OpenSCAP versions but requires more manual maintenance. When using packages from AUR, you’ll need to periodically check for updates using your AUR helper or by manually rebuilding the packages from updated sources.
Installing SCAP Security Guide
The SCAP Security Guide (SSG) is a critical component that provides the security policies and benchmarks needed for OpenSCAP to perform meaningful scans. While the basic installation steps covered earlier include the SSG package, this section provides a more detailed look at installing and utilizing this essential component.
Standard Installation
On Manjaro, you can install the SCAP Security Guide through the official repositories:
sudo pacman -S scap-security-guide
This package contains security policies for various platforms in the form of XCCDF, OVAL, and datastream documents.
Alternative Installation Methods
If you need a more recent version than what’s available in the repositories:
- From AUR:
yay -S scap-security-guide-git
- From GitHub releases:
# Download the latest release curl -LO https://github.com/ComplianceAsCode/content/releases/download/v0.1.XX/scap-security-guide-0.1.XX.zip # Extract the archive unzip scap-security-guide-0.1.XX.zip -d scap-security-guide # Move to appropriate location sudo mkdir -p /usr/share/xml/scap/ssg/content/ sudo cp scap-security-guide/ssg-*.xml /usr/share/xml/scap/ssg/content/
Exploring Installed Security Policies
After installation, the security content is typically located in /usr/share/xml/scap/ssg/content/
. To explore the available security policies:
ls -la /usr/share/xml/scap/ssg/content/
The files with names ending in -ds.xml
are datastreams that contain complete security policies suitable for scanning.
Verifying Policy Installation
To verify that the security policies are correctly installed and accessible:
# List available datastreams
find /usr/share/xml/scap/ssg/content/ -name "*-ds.xml"
# Check a specific datastream
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
This command will display information about the available profiles within the datastream, confirming that OpenSCAP can properly read the content.
Customizing for Manjaro
Since specific Manjaro policies might not be available in the standard packages, you may need to use policies designed for similar distributions. For example:
- Copy an existing policy as a template:
sudo cp /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/custom-manjaro-ds.xml
- Edit the policy to customize it for Manjaro-specific requirements:
sudo nano /etc/openscap/policies/custom-manjaro-ds.xml
The SCAP Security Guide forms the cornerstone of your security compliance scanning capability. By properly installing and configuring these security policies, you ensure that OpenSCAP has the necessary benchmarks to effectively evaluate your Manjaro system against industry-standard security practices.
Setting Up SCAP Workbench (Optional)
SCAP Workbench provides a graphical user interface for OpenSCAP, making it easier to configure and run security scans for users who prefer GUI tools over command-line operations. While optional, it significantly simplifies the scanning process for many users.
Installation Process
To install SCAP Workbench on Manjaro:
- Install from Official Repositories:
sudo pacman -S scap-workbench
- Alternative: Install from AUR if not available in repositories:
yay -S scap-workbench
Initial Configuration
After installation, you’ll want to configure SCAP Workbench to work efficiently with your system:
- Launch SCAP Workbench:
scap-workbench
- First-time Setup:
When you first launch SCAP Workbench, it should automatically detect the installed SCAP content in the standard locations. If not, you’ll need to manually specify the path to your security content. - Configure Default Options:
- Navigate to Edit → Preferences
- Set your preferred report output directory
- Configure scanning options according to your needs
- Adjust resource usage settings if necessary
Connecting to Security Content
SCAP Workbench needs to access security content to perform scans:
- Using Bundled Content:
By default, SCAP Workbench should detect and offer the security content installed via thescap-security-guide
package. - Custom Content:
To use custom security content:- Click “Open Other Content”
- Navigate to your custom datastream file
- Select the file and click “Open”
Basic UI Navigation
Understanding the SCAP Workbench interface:
- Profile Selection: The dropdown menu in the top section allows you to choose a security profile
- Target Selection: Choose between scanning the local system or a remote system
- Tailoring: Modify the selected profile to customize which rules are applied
- Scan Button: Initiates the security scan with the selected profile and target
- Results: After scanning, results are displayed and can be saved as reports
Troubleshooting Installation Issues
If you encounter problems with SCAP Workbench:
- Missing Dependencies: Install any reported missing dependencies with
sudo pacman -S [package-name]
- Display Issues: Ensure your X server is properly configured
- Content Not Found: Verify that security content is correctly installed in
/usr/share/xml/scap/ssg/content/
- Permission Problems: Run with sudo if scanning requires system-wide access:
sudo scap-workbench
SCAP Workbench significantly lowers the barrier to entry for users new to security compliance scanning. Its intuitive interface makes it possible to run complex security assessments with minimal command-line knowledge while still leveraging the powerful OpenSCAP engine underneath. For many desktop Manjaro users, this graphical approach offers the ideal balance between capability and usability.
Configuring OpenSCAP
After installing OpenSCAP and its components on your Manjaro system, proper configuration is essential to ensure effective security scanning. This section covers the key configuration steps and settings to optimize OpenSCAP for your specific requirements.
Post-Installation Configuration
- Create Configuration Directory Structure:
sudo mkdir -p /etc/openscap/{policies,results,reports} sudo chmod 755 /etc/openscap sudo chmod 700 /etc/openscap/results
- Set Up Default Profile Location:
Create a configuration file to specify the default location for security profiles:sudo nano /etc/openscap/config.ini
Add the following content:
[OpenSCAP] ContentPath=/usr/share/xml/scap/ssg/content/ ResultsPath=/etc/openscap/results/ ReportsPath=/etc/openscap/reports/
Important Configuration Files
OpenSCAP utilizes several key configuration files:
- /etc/openscap/config.ini: Main configuration file (created above)
- /usr/share/xml/scap/ssg/content/*.xml: Security policy files
- /etc/openscap/policies/: Location for custom policies
Setting Up Default Profiles
To configure a default security profile for regular use:
- Identify an appropriate profile:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Create a symbolic link to your preferred profile:
sudo ln -s /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/default-policy.xml
- Create a default profile configuration:
sudo nano /etc/openscap/default-profile.conf
Add your preferred profile ID:
xccdf_org.ssgproject.content_profile_standard
Configuring Scan Preferences
To customize how OpenSCAP performs scans:
- Create a scan configuration file:
sudo nano /etc/openscap/scan.conf
- Add scan preferences:
[Scan] Thoroughness=high FetchRemoteResources=false OnlineRemediations=false TimeoutFactor=1.5
Permission Settings for Security Content
Proper permissions are crucial for security scanning:
# Ensure security content is readable
sudo chmod 644 /usr/share/xml/scap/ssg/content/*.xml
# Protect custom policies
sudo chmod 640 /etc/openscap/policies/*
sudo chown root:root /etc/openscap/policies/*
# Set appropriate permissions for results
sudo chmod 700 /etc/openscap/results
sudo chown root:root /etc/openscap/results
Testing Your Configuration
To verify your configuration is working correctly:
# Test with a simple scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results /etc/openscap/results/test-scan.xml /etc/openscap/policies/default-policy.xml
If the scan runs successfully, your configuration is properly set up. If you encounter errors, review the output for specific configuration issues to address.
Proper configuration of OpenSCAP ensures that security scans run efficiently and produce meaningful results for your specific environment. Taking the time to customize these settings will optimize the scanning process and improve the relevance of security findings for your Manjaro system.
Selecting Security Policies
Choosing the right security policies is a critical step in effectively using OpenSCAP on Manjaro. Security policies define the rules and benchmarks against which your system will be evaluated, directly impacting the relevance and usefulness of scan results.
Locating Available Policies
Security policies in OpenSCAP are stored as XML files, typically in the /usr/share/xml/scap/ssg/content/
directory. To explore available policies:
ls -la /usr/share/xml/scap/ssg/content/
The most important files to look for end with -ds.xml
, which indicates they are SCAP datastreams containing complete security content.
Understanding Policy Files and Formats
OpenSCAP uses several file formats for security content:
- Datastreams (-ds.xml): Comprehensive files containing all components needed for scanning
- XCCDF (.xccdf.xml): Contains security benchmarks and rules
- OVAL (.oval.xml): Contains technical checks for vulnerabilities and configurations
- CPE (.cpe-dictionary.xml): Defines platforms and software to which policies apply
Listing Available Policies
To get detailed information about a specific policy file:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
This command displays the policy’s metadata, available profiles, and referenced components.
Selecting Appropriate Policies for Manjaro
Since Manjaro is based on Arch Linux, you may need to adapt policies from similar distributions:
- Primary Options:
- Use Fedora policies for desktop environments
- Use RHEL/CentOS policies for server configurations
- Use generic Linux policies when available
- Selection Criteria:
- System role (desktop, server, workstation)
- Security requirements (basic hardening vs. strict compliance)
- Specific compliance frameworks needed (PCI DSS, HIPAA, etc.)
For example, to use a Fedora policy on Manjaro:
# View available Fedora policy
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
# Make a copy for customization
sudo cp /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml /etc/openscap/policies/manjaro-custom.xml
Differences Between Policy Files
Different policy files focus on various aspects of security:
- ssg-fedora-ds.xml: General-purpose security for Fedora-based systems
- ssg-rhel?-ds.xml: Enterprise-level security for Red Hat Enterprise Linux
- ssg-ubuntu?-ds.xml: Security profiles for Ubuntu systems
Custom Policy Considerations
For advanced users, creating custom policies tailored specifically for Manjaro may be beneficial:
- Start with an existing policy as a template
- Use an XML editor to modify rules that aren’t applicable to Manjaro
- Add Manjaro-specific checks for unique system characteristics
- Test thoroughly before implementing in production
Selecting the appropriate security policies ensures that your OpenSCAP scans evaluate relevant security aspects of your Manjaro system. While Manjaro-specific policies might not be available by default, adapting policies from similar distributions provides a solid foundation for security assessment.
Choosing Security Profiles
Within each security policy, OpenSCAP offers multiple security profiles that represent different levels of security requirements or specific compliance frameworks. Selecting the appropriate profile is crucial for effective security scanning that aligns with your specific needs.
Listing Available Security Profiles
To see what profiles are available in a specific policy file:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
This command will display all profiles contained within the selected policy file, along with their IDs and titles.
Understanding Profile Differences
Security profiles within policies typically differ in several key ways:
- Security Level: Profiles range from basic security settings to highly restrictive configurations
- Compliance Framework: Some profiles specifically address compliance with standards like PCI DSS, HIPAA, or DISA STIG
- System Role: Different profiles may be optimized for workstations, servers, or specialized roles
- Rule Count: More stringent profiles typically include more security rules
Common profile types you might encounter include:
- Standard: Balanced security suitable for general use
- Server: Optimized for server deployments with network services
- Workstation: Focused on desktop security with user productivity in mind
- Common Criteria: Aligned with international security certification requirements
- PCI-DSS: Specifically designed to support Payment Card Industry Data Security Standard compliance
Using the Profile Selection Command
To view detailed information about profiles, use the oscap info
command with the --profiles
option:
oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Selecting Profiles Based on Requirements
When choosing a profile, consider:
- Security Requirements: What level of security does your system need?
- Operational Impact: More stringent profiles may impact system usability
- Compliance Needs: Are you required to meet specific regulatory standards?
- Resource Constraints: More comprehensive profiles require more resources to scan
For example, if you’re setting up a Manjaro workstation that handles sensitive data, you might choose a profile that balances usability with strong security controls:
# Example of selecting a balanced profile for scanning
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Customizing Profiles for Specific Needs
For cases where existing profiles don’t perfectly match your requirements:
- Profile Tailoring:
oscap xccdf generate-profile --tailoring-file my-tailoring.xml --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Edit the tailoring file to include or exclude specific rules
- Apply the tailored profile:
oscap xccdf eval --tailoring-file my-tailoring.xml --profile xccdf_org.ssgproject.content_profile_standard-tailored --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Selecting the right security profile is a balance between security requirements and operational needs. By understanding the differences between profiles and matching them to your specific use case, you can ensure that OpenSCAP provides meaningful security assessments for your Manjaro system.
Running Your First Scan
After installing and configuring OpenSCAP, it’s time to perform your first security scan. This section guides you through the process of executing a basic scan and understanding the command structure.
Basic Scan Command Syntax
The fundamental command for running an OpenSCAP scan follows this structure:
oscap xccdf eval --profile [profile_id] --results [results_file.xml] --report [report_file.html] [policy_file.xml]
Each component serves a specific purpose:
oscap xccdf eval
: Invokes the OpenSCAP evaluator for XCCDF content--profile [profile_id]
: Specifies which security profile to use--results [results_file.xml]
: Defines where to save the detailed XML results--report [report_file.html]
: Defines where to save the human-readable HTML report[policy_file.xml]
: The security policy datastream to use for the scan
Example Command
Here’s an example command to run a scan using the standard profile from a Fedora security policy (which can be adapted for Manjaro):
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results ~/openscap-results.xml --report ~/openscap-report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Note that you can use a shortened profile name by providing just the profile suffix instead of the full ID:
sudo oscap xccdf eval --profile standard --results ~/openscap-results.xml --report ~/openscap-report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Controlling Verbosity Levels
You can adjust the amount of information displayed during scanning:
# Minimal output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --quiet /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
# Verbose output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --verbose INFO /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
# Debug output
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --verbose DEBUG /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Scan Duration Expectations
The time required to complete a scan depends on several factors:
- System resources (CPU, memory, disk speed)
- Profile complexity (number of rules to evaluate)
- System complexity (number of installed packages and services)
A typical scan on a moderately powered system might take between 5-30 minutes for comprehensive profiles. Basic profiles may complete in just a few minutes.
Handling Scan Interruptions
If a scan is interrupted, you can resume it using the checkpoint feature:
# Initial scan with checkpoint
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
# Resume interrupted scan
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint-restore checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
During your first scan, you’ll see real-time feedback in the terminal showing which rules are being evaluated and their pass/fail status. Once the scan completes, detailed results will be available in both the XML results file and the HTML report.
Running your first OpenSCAP scan is an important milestone in implementing security compliance checking on your Manjaro system. The scan results will provide valuable insights into your system’s security posture and highlight areas that may need attention to improve security and compliance.
Understanding Scan Results
After completing an OpenSCAP scan, interpreting the results is crucial for understanding your system’s security posture and addressing potential vulnerabilities. This section explains how to analyze and make the most of the scan reports.
Interpreting XML and HTML Reports
OpenSCAP generates two primary types of reports:
- XML Results File: Contains comprehensive machine-readable data about the scan
- Structured format suitable for automated processing
- Contains detailed technical information about each rule check
- Can be imported into other security management systems
- HTML Report: Provides a human-readable summary of findings
- Visually presents pass/fail results with color coding
- Offers filtering options to focus on specific types of results
- Includes detailed descriptions and remediation advice
To view the HTML report:
firefox report.html
Analyzing Pass/Fail Results
The report categorizes findings into several result types:
- Pass: The system complies with this security rule
- Fail: The system does not comply with this rule
- Error: The check could not be completed due to technical issues
- Not Applicable: The rule doesn’t apply to your system
- Not Checked: The rule was skipped during scanning
- Not Selected: The rule was not included in the selected profile
Focus first on the “Fail” results, as these represent non-compliant areas that may require remediation.
Prioritizing Vulnerabilities by Severity
OpenSCAP assigns severity levels to help prioritize remediation efforts:
- High: Critical security issues requiring immediate attention
- Medium: Important security issues that should be addressed soon
- Low: Less critical issues that represent best practices
In the HTML report, you can filter results by severity to focus on the most critical findings first.
Understanding Remediation Recommendations
For each failed check, the report provides:
- Rule Description: Explains the security requirement
- Rationale: Provides the security reasoning behind the rule
- Detection Details: Shows specific findings that caused the failure
- Remediation Instructions: Step-by-step guidance to resolve the issue
Some reports also include machine-readable remediation instructions that can be used to automatically fix issues.
Exporting Results to Different Formats
Besides the default XML and HTML formats, you can export results to other formats:
# Convert results to CSV format
oscap xccdf generate report --output report.csv results.xml
# Generate a results summary
oscap xccdf generate report-summary --output summary.txt results.xml
Sharing Reports with Stakeholders
When sharing reports with team members or management:
- Focus on the HTML report for non-technical stakeholders
- Create executive summaries highlighting key statistics:
- Overall compliance percentage
- Number of high/medium/low findings
- Areas requiring immediate attention
- Redact sensitive information if sharing outside trusted teams
Understanding scan results enables you to make informed decisions about security improvements. By prioritizing findings based on severity and focusing on actionable remediation steps, you can systematically enhance your Manjaro system’s security posture and address compliance requirements efficiently.
Automating Security Scans
Implementing regular, automated security scans ensures continuous monitoring of your Manjaro system’s security posture. This section covers methods to automate OpenSCAP scans using systemd timers, cron jobs, and bash scripts.
Creating Systemd Timers for Regular Scans
Systemd timers provide a modern, flexible way to schedule regular security scans:
- Create a service file:
sudo nano /etc/systemd/system/openscap-scan.service
Add the following content:
[Unit] Description=OpenSCAP Security Compliance Scan After=network.target [Service] Type=oneshot ExecStart=/usr/bin/oscap xccdf eval --profile standard --results /var/log/openscap/results-$(date +%%Y-%%m-%%d).xml --report /var/log/openscap/report-$(date +%%Y-%%m-%%d).html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml User=root [Install] WantedBy=multi-user.target
- Create a timer file:
sudo nano /etc/systemd/system/openscap-scan.timer
Add the following content:
[Unit] Description=Run OpenSCAP scan weekly [Timer] OnCalendar=Sun 02:00:00 Persistent=true RandomizedDelaySec=3600 [Install] WantedBy=timers.target
- Create the log directory:
sudo mkdir -p /var/log/openscap
- Enable and start the timer:
sudo systemctl enable openscap-scan.timer sudo systemctl start openscap-scan.timer
Cron Job Configuration Examples
For systems where you prefer using traditional cron jobs:
- Create a script for the scan:
sudo nano /usr/local/bin/openscap-scan.sh
Add the following content:
#!/bin/bash DATESTAMP=$(date +%Y-%m-%d) LOG_DIR="/var/log/openscap" mkdir -p "$LOG_DIR" oscap xccdf eval --profile standard \ --results "$LOG_DIR/results-$DATESTAMP.xml" \ --report "$LOG_DIR/report-$DATESTAMP.html" \ /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml # Keep only the last 10 reports cd "$LOG_DIR" && ls -t results-*.xml | tail -n +11 | xargs rm -f cd "$LOG_DIR" && ls -t report-*.html | tail -n +11 | xargs rm -f
- Make the script executable:
sudo chmod +x /usr/local/bin/openscap-scan.sh
- Add a cron job:
sudo crontab -e
Add this line to run weekly at 2 AM on Sunday:
0 2 * * 0 /usr/local/bin/openscap-scan.sh > /var/log/openscap/scan.log 2>&1
Bash Scripts for Automated Scanning
A more sophisticated bash script can provide additional functionality:
sudo nano /usr/local/bin/enhanced-openscap-scan.sh
Content for enhanced script:
#!/bin/bash
# Configuration
DATESTAMP=$(date +%Y-%m-%d-%H%M)
LOG_DIR="/var/log/openscap"
RETENTION_DAYS=30
EMAIL_RECIPIENT="admin@example.com"
PROFILE="standard"
POLICY="/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml"
# Create log directory
mkdir -p "$LOG_DIR"
# Run the scan
echo "Starting OpenSCAP scan at $(date)"
oscap xccdf eval --profile "$PROFILE" \
--results "$LOG_DIR/results-$DATESTAMP.xml" \
--report "$LOG_DIR/report-$DATESTAMP.html" \
"$POLICY"
SCAN_STATUS=$?
# Generate summary
FAILED=$(grep -c 'result="fail"' "$LOG_DIR/results-$DATESTAMP.xml")
PASSED=$(grep -c 'result="pass"' "$LOG_DIR/results-$DATESTAMP.xml")
TOTAL=$((FAILED + PASSED))
COMPLIANCE=$(( (PASSED * 100) / TOTAL ))
# Log summary
echo "Scan completed at $(date)" > "$LOG_DIR/summary-$DATESTAMP.txt"
echo "Compliance: $COMPLIANCE% ($PASSED/$TOTAL rules passed)" >> "$LOG_DIR/summary-$DATESTAMP.txt"
echo "Failed rules: $FAILED" >> "$LOG_DIR/summary-$DATESTAMP.txt"
# Send notification
if [ $SCAN_STATUS -eq 0 ]; then
echo "OpenSCAP scan completed. Compliance: $COMPLIANCE%" | mail -s "OpenSCAP Scan Results" -a "$LOG_DIR/report-$DATESTAMP.html" "$EMAIL_RECIPIENT"
else
echo "OpenSCAP scan failed with status $SCAN_STATUS" | mail -s "OpenSCAP Scan Failed" "$EMAIL_RECIPIENT"
fi
# Clean old reports
find "$LOG_DIR" -name "results-*.xml" -mtime +$RETENTION_DAYS -delete
find "$LOG_DIR" -name "report-*.html" -mtime +$RETENTION_DAYS -delete
find "$LOG_DIR" -name "summary-*.txt" -mtime +$RETENTION_DAYS -delete
exit $SCAN_STATUS
Setting Up Result Logging
To ensure scan results are properly logged:
sudo mkdir -p /var/log/openscap
sudo chown root:root /var/log/openscap
sudo chmod 750 /var/log/openscap
# Create a logrotate config
sudo nano /etc/logrotate.d/openscap
Add the following content:
/var/log/openscap/*.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 0640 root root
}
Notification Setup for Failed Compliance
To be alerted when compliance issues are detected:
- Install mail utilities:
sudo pacman -S s-nail
- Modify your automated script to send notifications:
Add conditional email alerts based on scan results, as demonstrated in the enhanced script above.
Automating OpenSCAP scans ensures consistent security monitoring without manual intervention. Whether using systemd timers, cron jobs, or custom scripts, regular automated scanning helps maintain ongoing security compliance and quickly identifies new vulnerabilities as they emerge.
Remediation Techniques
After identifying security issues through OpenSCAP scans, the critical next step is remediation-addressing the vulnerabilities and compliance gaps to improve your system’s security posture. This section covers effective approaches to remediation using both automated and manual techniques.
Using OpenSCAP-Generated Remediation Scripts
OpenSCAP can generate remediation scripts that automatically fix identified issues:
- Generate a remediation script:
oscap xccdf generate fix --fix-type bash --output remediation.sh --result-id "" results.xml
- Review the generated script:
less remediation.sh
- Apply the remediation (after careful review):
sudo bash remediation.sh
It’s essential to thoroughly review any auto-generated remediation script before execution, as some changes may impact system functionality.
Manual Remediation Approaches
For more controlled remediation or when automated scripts aren’t available:
- Prioritize findings based on severity and business impact
- Create a remediation plan that addresses high-priority issues first
- For each finding:
- Review the detailed description in the HTML report
- Follow the provided remediation guidance
- Document changes made to the system
- Test system functionality after changes
Example of manual remediation for a common finding (weak SSH configuration):
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Make the recommended changes
# Example: Disable root login
# Change: #PermitRootLogin yes
# To: PermitRootLogin no
# Save and restart the SSH service
sudo systemctl restart sshd
Verifying Fixes with Follow-Up Scans
After applying remediation measures, it’s crucial to verify their effectiveness:
- Run a focused scan on the remediated areas:
sudo oscap xccdf eval --profile standard --rule rule-id --results verification.xml --report verification.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Compare before and after results:
oscap xccdf generate result-difference --old results-before.xml --new verification.xml
- Document changes and update your security baseline
Documenting Remediation Steps
Maintain comprehensive documentation of remediation activities:
# Security Remediation Log
## Date: 2025-05-10
## Finding: Weak SSH Password Authentication (rule_id: xccdf_org.ssgproject.content_rule_sshd_disable_root_login)
## Severity: High
### Actions Taken:
1. Modified /etc/ssh/sshd_config to disable root login
2. Restarted SSH service
3. Verified configuration change took effect
4. Ran verification scan (passed)
### Notes:
Informed system users about the change. Updated documentation for emergency access procedures.
Handling False Positives
Not all scan findings represent actual security issues:
- Identify potential false positives by reviewing the technical context
- Document justification for classifying a finding as a false positive
- Create exceptions in future scans through profile tailoring:
oscap xccdf tailor --profile standard --output tailored-profile.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Then modify the tailored profile to exclude the false-positive rule.
Prioritizing Remediation Tasks
When faced with numerous findings, use this approach to prioritization:
- Critical severity vulnerabilities with public exploit availability
- High severity items affecting public-facing systems
- Medium severity items on critical systems
- Low severity items and general hardening recommendations
Effective remediation transforms security scanning from a detection exercise into actual security improvements. By systematically addressing findings through a combination of automated and manual techniques, you can significantly enhance your Manjaro system’s security posture over time.
Troubleshooting Common Issues
When working with OpenSCAP on Manjaro, you may encounter various challenges during installation, configuration, or scanning. This section addresses common issues and provides practical solutions to help you overcome these obstacles.
Dependency Resolution Problems
Issue: Missing dependencies during installation or operation.
Solution:
- Update package databases and try reinstalling:
sudo pacman -Syy sudo pacman -S openscap openscap-utils
- For AUR packages, ensure base-devel is installed:
sudo pacman -S base-devel
- Manually install specific dependencies:
# Example for XML libraries sudo pacman -S libxml2 libxslt
- Check for conflicting packages:
pacman -Qkk openscap
Permission Errors During Scanning
Issue: “Permission denied” errors when running scans.
Solution:
- Ensure you’re running the scan with appropriate privileges:
sudo oscap xccdf eval --profile standard --results results.xml --report report.html /path/to/policy.xml
- Check file permissions for content files:
sudo chmod 644 /usr/share/xml/scap/ssg/content/*.xml
- Verify directory permissions for results:
sudo mkdir -p /var/log/openscap sudo chmod 755 /var/log/openscap
- If using a custom policy, ensure it has correct permissions:
sudo chmod 644 /etc/openscap/policies/*.xml
Policy File Not Found Errors
Issue: “Unable to locate policy file” or similar errors.
Solution:
- Verify the policy file exists:
ls -la /usr/share/xml/scap/ssg/content/
- Use absolute paths when referencing policy files:
sudo oscap xccdf eval --profile standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Install or reinstall the SCAP Security Guide:
sudo pacman -S scap-security-guide
- Check for corrupted files:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Scan Failures and Timeout Issues
Issue: Scans hang, timeout, or fail to complete.
Solution:
- Try running with lower verbosity:
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --quiet /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Use the progress option to monitor scan status:
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Create checkpoints for long scans:
sudo oscap xccdf eval --profile standard --results results.xml --report report.html --progress --checkpoint checkpoint.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Check system resources during the scan:
top -b -n 1 | head -20
Resource Constraint Problems
Issue: System becomes unresponsive during scanning.
Solution:
- Run scans during low-usage periods
- Use a less intensive profile for resource-constrained systems:
# List available profiles oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml # Choose a lighter profile sudo oscap xccdf eval --profile standard --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
- Limit the scope of scans using rule selection:
sudo oscap xccdf eval --profile standard --rule rule-id1,rule-id2 --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Version Compatibility Issues
Issue: Errors related to incompatible versions between components.
Solution:
- Check all component versions:
oscap --version pacman -Qi openscap scap-security-guide
- Ensure you have compatible versions of all components:
sudo pacman -Syu openscap openscap-utils scap-security-guide
- If using AUR packages, consider switching to stable repository versions:
sudo pacman -S openscap openscap-utils
- For advanced users, consider installing specific versions:
# Using downgrade utility sudo pacman -S downgrade sudo downgrade openscap
By systematically troubleshooting these common issues, you can overcome most obstacles encountered when working with OpenSCAP on Manjaro. Remember to check logs and error messages carefully, as they often provide valuable clues about the specific cause of problems.
Keeping OpenSCAP Updated
Maintaining an up-to-date OpenSCAP installation is crucial for ensuring you have access to the latest security definitions, vulnerability checks, and features. This section covers best practices for updating OpenSCAP and its components on Manjaro Linux.
Updating OpenSCAP Packages with Pacman
For OpenSCAP installed from official repositories, regular updates are simple:
# Update package database and all packages
sudo pacman -Syu
# Update only OpenSCAP packages
sudo pacman -S openscap openscap-utils scap-security-guide
It’s recommended to perform these updates as part of your regular system maintenance schedule. Setting up a recurring reminder to check for updates ensures you don’t miss important security content updates.
Refreshing Security Content Regularly
Security definitions and compliance rules are constantly evolving as new vulnerabilities are discovered and security best practices evolve:
- Update SCAP Security Guide content:
sudo pacman -S scap-security-guide
- For custom or additional content, check the respective sources:
# Example: Checking for updated content from GitHub cd ~/scap-content git pull origin main
- After updates, verify content integrity:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Monitoring for New Security Profiles
Stay informed about new security profiles that might be relevant to your environment:
- Check for new profiles after updates:
oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml > profiles-new.txt diff profiles-old.txt profiles-new.txt
- Follow security mailing lists and the OpenSCAP community for announcements about new profiles and content
- Review release notes for the OpenSCAP packages when updating
Update Frequency Recommendations
For optimal security management, follow these update frequency guidelines:
- System packages (openscap, utils): Monthly or with regular system updates
- Security content (scap-security-guide): Biweekly for high-security environments, monthly for general use
- Custom scripts and automations: Quarterly review and update
- Security scans: Weekly for critical systems, monthly for general workstations
Version Compatibility Considerations
When updating OpenSCAP components, consider these compatibility factors:
- Check component interdependencies before updating individual packages
- Test updates in a non-production environment when possible
- Review changelog and release notes for potential breaking changes
- Consider holding back updates during critical audit periods to maintain consistency
Backup Procedures Before Major Updates
Before significant version updates:
# Backup configuration
sudo cp -r /etc/openscap /etc/openscap.bak-$(date +%Y%m%d)
# Backup custom content
sudo cp -r /usr/local/share/xml/scap /usr/local/share/xml/scap.bak-$(date +%Y%m%d)
# Backup recent results
sudo cp -r /var/log/openscap /var/log/openscap.bak-$(date +%Y%m%d)
By following these update practices, you ensure that your OpenSCAP installation remains current with the latest security definitions and vulnerability checks. Regular updates are a critical component of an effective security compliance program, enabling your Manjaro system to maintain defense against evolving security threats.
Congratulations! You have successfully installed OpenSCAP. Thanks for using this tutorial for installing OpenSCAP on Manjaro Linux system. For additional help or useful information, we recommend you check the official OpenSCAP website.