
How To Install OpenSCAP on openSUSE


Security compliance and vulnerability management have become critical priorities for system administrators managing Linux infrastructure. OpenSCAP provides an automated, standardized approach to security auditing that aligns with industry standards and government regulations. This comprehensive guide walks you through installing and configuring OpenSCAP on openSUSE systems, enabling you to perform security assessments, vulnerability scans, and automated compliance checking.

Whether you’re hardening servers for production deployment, meeting regulatory requirements, or establishing security baselines for your organization, OpenSCAP delivers the tools necessary to automate these processes. You’ll learn how to install the software, configure security profiles, run your first compliance scan, and interpret the results to improve your system’s security posture.

What is OpenSCAP?

OpenSCAP represents the open-source implementation of the Security Content Automation Protocol (SCAP), a framework developed and maintained by the National Institute of Standards and Technology (NIST). This protocol standardizes how organizations assess security vulnerabilities, measure compliance against security policies, and automate security management tasks across their infrastructure.

The framework addresses critical needs in enterprise security management. Organizations dealing with Federal Information Security Management Act (FISMA) compliance, Payment Card Industry Data Security Standard (PCI-DSS) requirements, or Health Insurance Portability and Accountability Act (HIPAA) regulations benefit from SCAP’s standardized approach. Rather than manually checking hundreds of security settings, SCAP automates the evaluation process using machine-readable security content.

Understanding SCAP Standards

SCAP consists of multiple component specifications working together. The Extensible Configuration Checklist Description Format (XCCDF) defines security checklists and benchmarks. Open Vulnerability and Assessment Language (OVAL) provides a standardized method for describing system configuration states and testing for vulnerabilities. Common Platform Enumeration (CPE) creates a standardized naming scheme for IT platforms and systems. Common Vulnerabilities and Exposures (CVE) identifies publicly known security vulnerabilities.

These components create a comprehensive security automation ecosystem. When you run an OpenSCAP scan, the tool evaluates your system against XCCDF profiles containing hundreds of security checks. Each check uses OVAL definitions to test specific system configurations. The results indicate which security controls pass or fail, providing actionable intelligence for system hardening.

OpenSCAP Components and Architecture

The OpenSCAP software stack includes several key components. The core libopenscap library handles SCAP content processing, evaluation logic, and remediation functions. The oscap command-line tool serves as the primary interface for performing scans, generating reports, and executing remediation scripts. The oscap-chroot utility enables scanning of offline filesystems within chroot environments.

The SCAP Security Guide provides the actual security content—profiles, rules, and remediation scripts for various operating systems and compliance frameworks. This content defines what gets checked during security evaluations. Without appropriate content files, OpenSCAP has no criteria against which to evaluate your system.

Why Use OpenSCAP on openSUSE?

Manual security auditing consumes significant time and expertise. Checking file permissions, service configurations, kernel parameters, and authentication settings across dozens or hundreds of systems becomes impractical without automation. OpenSCAP solves this problem by codifying security requirements into machine-readable formats that execute automatically.

OpenSUSE systems benefit particularly from OpenSCAP integration due to SUSE’s commitment to enterprise security standards. Security profiles exist specifically for SUSE Linux Enterprise (SLE) and openSUSE distributions, addressing the unique configuration requirements of these systems. The profiles include checks for zypper package management, SUSE-specific systemd configurations, and distribution-specific file layouts.

Automated vulnerability detection represents another compelling use case. OpenSCAP can scan your system against databases of known Common Vulnerabilities and Exposures (CVE) identifiers. The tool identifies installed packages with known security flaws and recommends updates or mitigations. This capability transforms reactive security management into proactive vulnerability remediation.

System hardening workflows become repeatable and documentable with OpenSCAP. Generate remediation scripts from security profiles, review them for applicability to your environment, test on development systems, then deploy systematically across production infrastructure. This approach ensures consistent security configurations while maintaining audit trails for compliance reporting.

Prerequisites for Installing OpenSCAP

Before beginning the installation process, verify your system meets the necessary requirements. OpenSCAP functions on openSUSE Leap 15.x versions and openSUSE Tumbleweed, the rolling release distribution. The software runs on both server and desktop installations, though most deployment scenarios involve server hardening.

System Requirements

Resource requirements remain modest for most scanning scenarios. Allocate at least 2GB of available RAM during scan execution, as complex profiles analyzing thousands of system attributes consume memory during evaluation. Smaller systems with 1GB RAM can run scans but may experience performance degradation. Plan for approximately 70MB of disk space after installing OpenSCAP utilities and the SCAP Security Guide.

Your user account requires root privileges or sudo access to install packages and perform system scans. Most security checks examine system-level configurations inaccessible to standard user accounts. Administrative privileges ensure comprehensive security evaluation covering all system components.

Pre-Installation Preparation

Update your openSUSE system before installing new software packages. This practice prevents dependency conflicts and ensures you receive the latest package versions. Repository availability matters—verify your system can reach openSUSE package repositories. Systems behind corporate firewalls may require proxy configuration for repository access.

Understanding package dependencies helps troubleshooting if installation issues arise. The openscap-utils package depends on libopenscap25 (the core library), XML parsing libraries, and various development dependencies. The scap-security-guide package remains separate, containing security content rather than executable code. Both packages work together to provide complete OpenSCAP functionality.

Step-by-Step Installation Guide

Installing OpenSCAP on openSUSE involves straightforward package management using zypper, the distribution’s native package manager. The process requires only a few commands and typically completes within minutes, depending on network speed and system performance.

Method 1: Installing via Zypper (Standard Method)

The standard installation method uses openSUSE’s default repositories, ensuring compatibility and stability. This approach works for most users and provides the simplest installation experience.

Step 1: Update System Packages

Begin by refreshing your package repositories and updating installed software. Open a terminal and execute:

sudo zypper refresh
sudo zypper update

The refresh command downloads the latest repository metadata, ensuring zypper knows about current package versions. The update command upgrades outdated packages to their newest versions. This process may take several minutes depending on how recently you updated your system. Review any prompted changes and confirm the update when ready.

Step 2: Install OpenSCAP Utilities Package

Install the primary OpenSCAP package with a single command:

sudo zypper install openscap-utils

Zypper analyzes dependencies and displays a summary of packages requiring installation. You’ll typically see openscap-utils, libopenscap25, and supporting libraries. The total download size approximates 2.1 MB, expanding to roughly 65.6 MB after installation. Zypper prompts for confirmation before proceeding—review the package list and type ‘y’ to continue.

The installation process downloads packages from openSUSE repositories, verifies package signatures, and installs files to appropriate system locations. Progress indicators display during download and installation phases. The entire process usually completes within one to three minutes on systems with reasonable internet connectivity.

Step 3: Verify Installation Success

Confirm successful installation by checking the OpenSCAP version:

oscap --version

This command should display version information, typically 1.3.5 or newer depending on your openSUSE version. The output includes the OpenSCAP library version and supported SCAP standards. If you receive a “command not found” error, the installation failed or the binary isn’t in your system PATH. Retry the installation or investigate error messages from the previous step.

Method 2: Installing from openSUSE Security Repository

Advanced users may prefer accessing bleeding-edge OpenSCAP versions from the dedicated security repository. This method provides newer features but requires additional repository configuration.

For openSUSE Leap, add the security repository manually:

sudo zypper addrepo https://download.opensuse.org/repositories/security/openSUSE_Leap_15.5/security.repo
sudo zypper refresh
sudo zypper install openscap-utils

Replace 15.5 with your specific openSUSE Leap version. Tumbleweed users typically have access to current versions through default repositories and rarely need this approach.

Use this method when you require specific OpenSCAP features or bug fixes not yet available in standard repositories. Testing environments benefit from newer versions, while production systems should prioritize stability through standard repositories.

Installing SCAP Security Guide

OpenSCAP utilities provide the scanning engine, but you need security content to perform meaningful evaluations. Install the SCAP Security Guide package:

sudo zypper install scap-security-guide

This package contains security profiles for multiple Linux distributions, compliance frameworks, and security standards. Content files install to /usr/share/xml/scap/ssg/content/, providing XCCDF profiles for CIS benchmarks, DISA STIG guidelines, PCI-DSS requirements, and standard security baselines.

The security guide includes openSUSE-specific profiles tailored to the distribution’s unique characteristics. These profiles understand zypper package management, openSUSE directory structures, and distribution-specific service configurations. Content for SUSE Linux Enterprise also installs, sharing many characteristics with openSUSE.

Post-Installation Configuration

After installing OpenSCAP and security content, verify all components function correctly. This validation prevents confusion when performing actual security scans and ensures your environment is properly configured.

Verifying Installation Components

Check installed packages to confirm successful deployment:

rpm -qa | grep openscap
rpm -qa | grep scap-security-guide

These commands list OpenSCAP-related packages on your system. You should see openscap-utils, libopenscap25, and scap-security-guide in the output. Version numbers appear alongside package names, helping you track which versions are deployed.

Verify the oscap command responds correctly:

which oscap
oscap --help

The which command displays the full path to the oscap binary, typically /usr/bin/oscap. The help output lists available modules and common options, confirming the command functions properly.

Understanding Security Content File Locations

Security content files reside in standardized locations. Navigate to the content directory:

ls -lh /usr/share/xml/scap/ssg/content/

You’ll find multiple files with names like ssg-opensuse-ds.xml, ssg-sle15-ds.xml, and similar. The -ds suffix indicates DataStream format, which bundles multiple SCAP components into a single file. DataStream files simplify content distribution and ensure all required components travel together.

The ssg-opensuse-ds.xml file contains profiles specifically designed for openSUSE systems. SUSE Linux Enterprise content (ssg-sle15-ds.xml) also works on openSUSE due to the distributions’ shared ancestry, though openSUSE-specific content provides better alignment with the distribution’s configuration patterns.

Custom content files can supplement vendor-provided profiles. Organizations often create customized security baselines reflecting internal policies. Store custom content in the same directory or maintain a separate location, specifying the full path when running scans.

Exploring Available Security Profiles

Examine available security profiles before running scans:

oscap info /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

This command displays comprehensive information about the content file. You’ll see document metadata, available profiles, and referenced check files. Profile listings include identifiers and descriptive titles explaining each profile’s purpose.

Common profiles include:

  • Standard System Security Profile: Baseline security configurations suitable for most systems
  • CIS Benchmark: Center for Internet Security recommendations for system hardening
  • STIG Profile: Defense Information Systems Agency Security Technical Implementation Guide requirements
  • PCI-DSS Profile: Payment Card Industry Data Security Standard compliance checks

Each profile ID (like xccdf_org.ssgproject.content_profile_standard) uniquely identifies the profile for use in scan commands. Note these identifiers—you’ll specify them when executing security evaluations.

Basic OpenSCAP Usage and Commands

Understanding core OpenSCAP commands enables effective security evaluation and remediation workflows. The oscap command provides modular functionality through subcommands targeting specific tasks.

Running Your First Security Scan

Execute a comprehensive security evaluation using this command structure:

sudo oscap xccdf eval --profile standard --results /tmp/scan-results.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

Let’s deconstruct this command for clarity. The sudo prefix grants necessary permissions for system inspection. The oscap xccdf eval portion invokes the XCCDF evaluation module. The --profile standard parameter specifies which security profile to apply—in this case, the standard baseline profile.

The --results /tmp/scan-results.xml option saves detailed evaluation results in XML format. This machine-readable file contains every rule check, result status, and supporting evidence. The --report /tmp/report.html option generates a human-friendly HTML report for easy review. Finally, the DataStream file path tells OpenSCAP which security content to use for evaluation.

Scan execution time varies based on profile complexity and system performance. A typical scan on a standard server completes in two to five minutes. CPU usage spikes during evaluation as OpenSCAP examines files, queries the package database, checks service status, and validates configurations. Memory consumption remains reasonable, typically under 500MB for most profiles.

Watch the terminal output as OpenSCAP evaluates rules. Each check displays with a pass, fail, or not applicable status. Don’t be alarmed by failed checks—even hardened systems rarely achieve 100% compliance without customization.

Generating Compliance Reports

After scan completion, open the HTML report in your web browser:

firefox /tmp/report.html

The report organizes results into sections showing passed checks, failed checks, and rules that don’t apply to your system. Each failed rule includes a description of the security requirement, rationale for the check, and remediation guidance. Severity ratings (high, medium, low) help prioritize remediation efforts.

The XML results file serves different purposes. Automated systems parse XML for programmatic analysis. Compliance management platforms import XML results for trending and reporting. Archive XML files to maintain compliance audit trails demonstrating security posture over time.

Customize report generation by adjusting command options. Generate multiple report formats simultaneously. Save reports to network shares for centralized access. Automate report delivery via email using shell scripts wrapping OpenSCAP commands.

Viewing Profile Information

Before committing to a security profile, examine its requirements:

oscap info /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml | less

The verbose output describes every available profile, including rule counts and security framework references. Understanding profile scope prevents surprises during remediation. Some profiles enforce strict restrictions inappropriate for certain environments. Desktop systems may fail server-centric checks and vice versa.

Review rule severity distributions within profiles. Profiles heavy with high-severity rules demand immediate attention to failures. Profiles consisting mainly of low-severity checks allow gradual remediation schedules.

Automated Remediation

OpenSCAP can automatically fix failed security checks. Generate a remediation script without applying changes:

oscap info /tmp/scan-results.xml
sudo oscap xccdf generate fix --fix-type bash --result-id <result-id-from-oscap-info> --output /tmp/remediation.sh /tmp/scan-results.xml

The oscap info call prints the Result ID of the TestResult stored in the results file; pass that identifier with --result-id (the angle-bracket text above is a placeholder for it) so that the generated bash script contains fixes only for the rules that failed in that scan. With --profile alone, oscap treats the file as a benchmark and emits a full remediation script for every rule in the profile, regardless of the scan outcome. Review this script carefully before execution. Some remediations modify critical configurations. Test on non-production systems first.

Apply remediations directly during scanning using the --remediate flag:

sudo oscap xccdf eval --profile standard --remediate --results /tmp/scan-results.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

This approach combines evaluation and remediation in a single operation. OpenSCAP performs an initial scan, applies fixes to failed checks, then rescans to verify successful remediation. The results file contains two TestResult elements—pre-remediation and post-remediation—enabling before-and-after comparison.

Exercise caution with automated remediation. Some fixes, particularly disk partitioning schemes or filesystem modifications, cannot be applied to live systems. Review remediation documentation for your chosen profile before enabling automatic fixes on production systems.

Practical Examples and Use Cases

Real-world scenarios demonstrate OpenSCAP’s practical applications across different security objectives and organizational requirements.

Example 1: System Hardening with CIS Profile

The Center for Internet Security publishes widely respected security benchmarks. Apply CIS recommendations to an openSUSE system using OpenSCAP.

First, list available profiles to find the CIS benchmark identifier:

oscap info /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml | grep -i cis

Run an initial assessment:

sudo oscap xccdf eval --profile cis --results /tmp/cis-baseline.xml --report /tmp/cis-baseline.html /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

Review the baseline report to understand current compliance levels. Typical unhardened systems score between 40% and 60% compliance on first scans. Generate the remediation script for the failed rules of that run (take the Result ID from oscap info /tmp/cis-baseline.xml; the angle-bracket text is a placeholder for it) and review it:

oscap info /tmp/cis-baseline.xml
sudo oscap xccdf generate fix --fix-type bash --result-id <result-id-from-oscap-info> --output /tmp/cis-remediation.sh /tmp/cis-baseline.xml

Examine the script contents. Comment out any fixes that conflict with operational requirements. Apply the remediation after thorough review:

sudo bash /tmp/cis-remediation.sh

Reboot if the remediation modified boot parameters or kernel settings. Execute a second scan to measure improvement:

sudo oscap xccdf eval --profile cis --results /tmp/cis-post-remediation.xml --report /tmp/cis-post-remediation.html /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

Compare the before and after reports. Compliance scores typically improve to 70-85% after initial remediation. Remaining failures often require manual intervention or represent organizational policy decisions.

Example 2: Vulnerability Assessment

OpenSCAP detects vulnerabilities using OVAL definitions that check for vulnerable package versions. While the standard security guide focuses primarily on configuration compliance, vulnerability content integrates with broader SCAP workflows.

Check for available OVAL vulnerability definitions:

ls /usr/share/xml/scap/ssg/content/*oval.xml

Organizations maintaining custom OVAL feeds can perform targeted vulnerability scanning. Configure automated vulnerability scanning to supplement your patch management processes, identifying systems requiring security updates before attackers exploit known weaknesses.

Example 3: Custom Profile Evaluation

Tailor existing profiles to match organizational security policies. Organizations rarely adopt security frameworks wholesale—business requirements necessitate deviations from baseline recommendations.

The SCAP Workbench graphical application (install via zypper install scap-workbench) enables profile customization through a user-friendly interface. Select baseline profiles, disable incompatible rules, adjust severity ratings, and export customized profiles for deployment.

Command-line workflows support profile tailoring through XCCDF tailoring files. These XML documents specify modifications to base profiles without editing the original content, maintaining separation between vendor-supplied content and organizational customizations.
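As an added illustration of such a tailoring file (this is example code written for this article, not the SCAP Security Guide's or SCAP Workbench's own output), the following Python builds an XCCDF 1.2 tailoring document that extends the standard profile, switches two rules off and overrides one variable. Every rule and value identifier below is a placeholder; the real ones come from oscap info on the datastream. The tailoring id and the customised profile id are likewise chosen for the example.

```python
"""Build an XCCDF 1.2 tailoring file that extends a vendor profile, turns
selected rules off and overrides a variable.

Added example, not code from the article or from the SCAP Security Guide
project. Every rule and value id below is a placeholder; real ids are listed
by `oscap info` on the datastream.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)


def q(tag):
    """Qualify a tag name with the XCCDF 1.2 namespace."""
    return f"{{{XCCDF_NS}}}{tag}"


def build_tailoring(benchmark_href, base_profile, new_profile_id, title,
                    deselect=(), set_values=None,
                    tailoring_id="xccdf_org.example_tailoring_custom"):
    """Return the tailoring document as an Element tree root.

    Child order follows the XCCDF 1.2 schema: benchmark, version, Profile;
    inside Profile: title, then select / set-value entries.
    """
    root = ET.Element(q("Tailoring"), id=tailoring_id)
    ET.SubElement(root, q("benchmark"), href=benchmark_href)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ET.SubElement(root, q("version"), time=stamp).text = "1"
    profile = ET.SubElement(root, q("Profile"), id=new_profile_id, extends=base_profile)
    ET.SubElement(profile, q("title")).text = title
    for rule_id in deselect:
        # selected="false" switches an inherited rule off without editing the datastream
        ET.SubElement(profile, q("select"), idref=rule_id, selected="false")
    for value_id, value in (set_values or {}).items():
        # set-value overrides an XCCDF Value (e.g. a timeout) for this profile only
        ET.SubElement(profile, q("set-value"), idref=value_id).text = value
    return root


def tailoring_xml(*args, **kwargs):
    """Serialise build_tailoring() output to a string ready for --tailoring-file."""
    root = build_tailoring(*args, **kwargs)
    ET.indent(root)  # pretty-print; available from Python 3.9
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def describe_tailoring(xml_text):
    """Review aid: summarise what a tailoring file changes relative to its base profile."""
    root = ET.fromstring(xml_text)
    profile = root.find(q("Profile"))
    return {
        "benchmark": root.find(q("benchmark")).get("href"),
        "profile": profile.get("id"),
        "extends": profile.get("extends"),
        "deselected": sorted(s.get("idref") for s in profile.iter(q("select"))
                             if s.get("selected") == "false"),
        "values": {v.get("idref"): v.text for v in profile.iter(q("set-value"))},
    }


# Placeholder identifiers, not real SSG rule or value names.
EXAMPLE_DESELECT = (
    "xccdf_org.ssgproject.content_rule_PLACEHOLDER_a",
    "xccdf_org.ssgproject.content_rule_PLACEHOLDER_b",
)
EXAMPLE_VALUES = {"xccdf_org.ssgproject.content_value_PLACEHOLDER_timeout": "900"}
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_standard"
CUSTOM_PROFILE = "xccdf_org.ssgproject.content_profile_standard_customized"

if __name__ == "__main__":
    print(tailoring_xml(
        "/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml",
        BASE_PROFILE, CUSTOM_PROFILE,
        "Standard profile, customised for our environment",
        deselect=EXAMPLE_DESELECT, set_values=EXAMPLE_VALUES))
```

Save the printed document as, for instance, /tmp/tailoring.xml and evaluate with it by adding --tailoring-file /tmp/tailoring.xml to the oscap xccdf eval command and naming the customised profile id in --profile. The vendor datastream is never modified, which is the point of tailoring: the file records exactly which deviations the organisation has chosen, and describe_tailoring gives a reviewer that list without reading the XML.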

Example 4: Scheduled Automated Scans

Continuous compliance requires regular scanning. Implement automated scanning using cron jobs that execute OpenSCAP evaluations on defined schedules.

Create a scanning script at /usr/local/bin/openscap-scan.sh:

#!/bin/bash
# Weekly OpenSCAP scan; results XML and HTML report are kept under /var/log/openscap.
DATE=$(date +%Y%m%d-%H%M%S)
RESULTS_DIR="/var/log/openscap"
mkdir -p "$RESULTS_DIR"

# Runs from root's crontab, so sudo is not needed. oscap xccdf eval exits 0 when
# every rule passes, 2 when at least one rule fails and 1 on an error, so only
# exit status 1 means the scan itself broke.
oscap xccdf eval \
  --profile standard \
  --results "$RESULTS_DIR/scan-$DATE.xml" \
  --report "$RESULTS_DIR/report-$DATE.html" \
  /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml
STATUS=$?
if [ "$STATUS" -eq 1 ]; then
  echo "OpenSCAP scan failed (exit $STATUS); see $RESULTS_DIR/scan-$DATE.xml" >&2
  exit 1
fi

# Email the report if failures exceed the threshold. In XCCDF results each failed
# rule is recorded as <result>fail</result> inside its rule-result element.
FAIL_COUNT=$(grep -c "<result>fail</result>" "$RESULTS_DIR/scan-$DATE.xml")
if [ "$FAIL_COUNT" -gt 50 ]; then
  mail -s "OpenSCAP Scan Alert: $FAIL_COUNT failed rules" admin@example.com < "$RESULTS_DIR/report-$DATE.html"
fi

Make the script executable and schedule weekly execution:

sudo chmod +x /usr/local/bin/openscap-scan.sh
sudo crontab -e

Add this cron entry to run scans every Sunday at 2 AM:

0 2 * * 0 /usr/local/bin/openscap-scan.sh

Automated scanning provides trending data showing security posture improvements or degradations over time. Archive scan results for compliance audit trails demonstrating ongoing security diligence.
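The XML results file is meant to be parsed programmatically, as the report section above notes, and both Example 1 (comparing the baseline and post-remediation scans) and Example 4 (alerting when failures cross a threshold) need that. The following Python is an added example for both passages, not code from the article or from the OpenSCAP project; it reads XCCDF 1.2 results, summarises outcomes per severity, diffs two TestResult elements and applies an alert policy. The embedded XML is a constructed, heavily trimmed imitation of an oscap results file with two TestResult elements (labelled pre and post); in practice you would read cis-baseline.xml and cis-post-remediation.xml and diff those. The pass percentage computed here is this example's own metric (passes over pass-plus-fail), not the XCCDF default scoring model.

```python
"""Parse XCCDF 1.2 results, summarise them, diff two runs and apply an alert
policy. Added example; not code from the article or the OpenSCAP project.
SAMPLE_RESULTS is a constructed imitation of an oscap results file."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample: two TestResult elements, one before and one after remediation.
# Rule ids, result ids and times are made up for the example.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_pre" start-time="2024-01-01T02:00:00">
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="medium"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_org.open-scap_testresult_post" start-time="2024-01-01T02:05:00">
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="medium"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_test_results(xml_text):
    """Return {testresult_id: {rule_id: (result, severity)}} in document order."""
    root = ET.fromstring(xml_text)
    runs = {}
    for tr in root.iter(f"{{{XCCDF_NS}}}TestResult"):
        rules = {}
        for rr in tr.findall("xccdf:rule-result", NS):
            # The outcome is the text of the <result> child, not an attribute.
            result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
            rules[rr.get("idref")] = (result, rr.get("severity", "unknown"))
        runs[tr.get("id")] = rules
    return runs


def summarise(rules):
    """Count outcomes overall and failures per severity for one TestResult."""
    outcomes = Counter(res for res, _ in rules.values())
    failed_by_sev = Counter(sev for res, sev in rules.values() if res == "fail")
    applicable = outcomes["pass"] + outcomes["fail"]
    pass_pct = 100.0 * outcomes["pass"] / applicable if applicable else 0.0
    return {"outcomes": dict(outcomes),
            "failed_by_severity": dict(failed_by_sev),
            "pass_percent": round(pass_pct, 1)}


def diff_results(before, after):
    """Rules that went fail->pass (fixed) or pass->fail (regressed) between two runs."""
    def outcome(rules, rule_id):
        return rules.get(rule_id, ("missing", "unknown"))[0]
    fixed = sorted(r for r, (res, _) in before.items()
                   if res == "fail" and outcome(after, r) == "pass")
    regressed = sorted(r for r, (res, _) in before.items()
                       if res == "pass" and outcome(after, r) == "fail")
    return {"fixed": fixed, "regressed": regressed}


def exceeds_threshold(rules, max_failures, block_on=("high",)):
    """Alert policy: more failures than allowed, or any failure at a blocking severity."""
    summary = summarise(rules)
    total_fail = summary["outcomes"].get("fail", 0)
    blocking = sum(summary["failed_by_severity"].get(sev, 0) for sev in block_on)
    return total_fail > max_failures or blocking > 0


if __name__ == "__main__":
    # Usage: python results.py [scan-results.xml]; without a path the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    runs = parse_test_results(text)
    for run_id, rules in runs.items():
        print(run_id, summarise(rules), "ALERT" if exceeds_threshold(rules, 50) else "ok")
    ids = list(runs)
    if len(ids) >= 2:
        print("changes between first and last run:", diff_results(runs[ids[0]], runs[ids[-1]]))
```

On the sample, the pre run shows two failures (one high, one medium) and a 33.3% pass rate, the post run one medium failure and 66.7%, and the diff lists rule_example_a as fixed with no regressions. The severity-aware threshold matters in practice: a single high-severity failure should page someone even when the raw count is far below the 50 used in the cron script above.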

Integration with System Management Tools

OpenSCAP integrates with enterprise management platforms for centralized security compliance across large server fleets.

SUSE Manager Integration

SUSE Manager (renamed SUSE Multi-Linux Manager in version 5.0) provides native OpenSCAP integration. This platform manages system updates, configuration, and security compliance for SUSE-based distributions including openSUSE.

Clients require the spacewalk-oscap package for SUSE Manager integration:

sudo zypper install spacewalk-oscap

After client registration with SUSE Manager, administrators schedule OpenSCAP scans through the web interface. The platform distributes security content to clients, executes scans remotely, collects results centrally, and displays compliance status across the entire infrastructure.

Web-based dashboards visualize compliance trends, highlight systems requiring attention, and generate executive reports for compliance officers. This centralized approach scales security compliance management across hundreds or thousands of systems without manual intervention.

Manual vs. Centralized Management

Standalone OpenSCAP suits smaller deployments, single-server management, or environments without enterprise management platforms. Manual execution provides maximum control and customization flexibility. Security teams can rapidly test profiles, iterate remediation strategies, and fine-tune configurations.

Centralized management becomes essential at scale. Managing compliance across ten servers manually remains feasible. Extending this approach to 100 or 1,000 servers requires automation and centralization. Investment in management platforms pays dividends through reduced administrative overhead and improved compliance visibility.

Troubleshooting Common Issues

OpenSCAP installations occasionally encounter problems. Understanding common issues and solutions minimizes downtime and frustration.

Installation Problems

Repository availability errors prevent package installation. Verify repository configuration:

sudo zypper repos --details

Ensure repositories show enabled status. Connectivity problems prevent repository access. Test network connectivity to repository servers. Corporate firewalls may block repository URLs—coordinate with network administrators for appropriate access.

Dependency resolution failures indicate package conflicts. Update your system completely before installing OpenSCAP:

sudo zypper refresh
sudo zypper dist-upgrade

Clean the zypper cache if problems persist:

sudo zypper clean --all

Package conflicts arise when mixing repositories. Avoid adding multiple security repositories simultaneously. Stick with standard openSUSE repositories unless specific requirements dictate otherwise.

Scanning and Runtime Issues

Memory consumption problems occur on resource-constrained systems. OpenSCAP requires significant RAM during complex profile evaluations. Allocate at least 2GB free memory before starting scans. Close unnecessary applications. Consider running scans during maintenance windows when resource demands are minimal.

High CPU usage is normal during scans. OpenSCAP performs thousands of system checks, querying files, processes, and configurations. CPU usage approaches 100% during intensive evaluation phases. This behavior is expected and temporary—scans complete within several minutes on most systems.

“Permission denied” errors indicate insufficient privileges. Most security checks require root access to examine system-level configurations. Always use sudo when executing OpenSCAP commands:

sudo oscap xccdf eval ...

Content file errors display messages like “Failed to load source datastream.” Verify the file path is correct and the file exists:

ls -lh /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml

Enable verbose output for debugging:

sudo oscap -v xccdf eval ...

Verbose mode displays detailed processing information, helping identify specific failures.

Report Generation Failures

Empty or incomplete reports typically result from interrupted scans. Ensure scans complete fully before examining results. Monitor terminal output for error messages indicating scan problems.

XML parsing errors suggest corrupted results files. Delete problematic files and rerun scans. Ensure sufficient disk space exists in output directories—full filesystems prevent complete file writes.

Directory permission problems prevent report creation. Verify write permissions on output directories:

ls -ld /tmp/

The /tmp directory typically allows universal write access, making it suitable for testing. Production workflows should use dedicated directories with appropriate permissions.

Keeping OpenSCAP Updated

Software and security content updates maintain evaluation accuracy and effectiveness.

Updating OpenSCAP Packages

Update OpenSCAP utilities using standard package management:

sudo zypper update openscap-utils scap-security-guide

This command checks for newer package versions and installs available updates. Zypper displays version changes and prompts for confirmation before proceeding. Review changelog information to understand what changed between versions.

Check current versions before updating:

rpm -q openscap-utils scap-security-guide

Compare against available versions to determine if updates exist. Subscribe to openSUSE security mailing lists for notifications about important updates affecting security tools.

Updating Security Content

SCAP Security Guide updates introduce new profiles, refine existing checks, and align with updated security frameworks. Content updates matter more than software updates in many cases—stale content evaluates against outdated security standards.

Update frequency recommendations vary by environment. Production systems with strict change control might update quarterly. Development environments can update monthly or even weekly. Critical security updates warrant immediate deployment regardless of standard schedules.

Test updated content before production deployment. New profile versions occasionally introduce breaking changes or modified check logic. Validate updates in test environments to identify unexpected behavior.

Version compatibility between OpenSCAP software and security content rarely causes issues, but awareness prevents problems. Major OpenSCAP version upgrades sometimes require corresponding content updates. Review release notes when updating to understand compatibility requirements.

Congratulations! You have successfully installed OpenSCAP. Thanks for using this tutorial for installing OpenSCAP on your openSUSE Linux system. For additional help or useful information, we recommend you check the official OpenSCAP website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.