Rocky 9.x OpenSCAP Installation & Usage on Rocky Linux


OpenSCAP Installation & Usage on Rocky Linux 9

1. Update System Packages

sudo dnf update -y

2. Install OpenSCAP and SCAP Security Guide

sudo dnf install -y openscap-scanner scap-security-guide

3. Verify Installation

which oscap
oscap -V

4. Locate SCAP Security Guide Files

SCAP content is available in:

/usr/share/xml/scap/ssg/content/

For Rocky Linux 9, you should see files like:

  • ssg-rl9-ds.xml
  • ssg-rhel9-ds.xml

5. List Available Security Profiles

oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

6. Run a Compliance Scan

Example: Run the STIG profile and generate an HTML report:

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
--report report.html /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

7. Optional: CIS Benchmark Example

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
--report compliance-report.html /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

Troubleshooting

  • If results show many Not Applicable rules, ensure you are scanning with the Rocky Linux data stream (`ssg-rl9-ds.xml`) rather than the RHEL one (`ssg-rhel9-ds.xml`).
  • Run commands with `sudo` if permission errors occur.
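
For unattended scans, the wrapper below (an added example, not part of the original page) runs the scan from step 6 with `--results`, interprets the `oscap` exit status, and flags the mostly-Not-Applicable symptom from the troubleshooting note. The function names, the output file layout and the 50% threshold are assumptions made for this example, as is the expectation that the results file writes each outcome as an unprefixed `<result>` element.

```shell
#!/bin/sh
# Added example: wrapper around the scan command shown in step 6.
DS=/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml   # data stream path from the page

# Count rule results of one kind (pass, fail, notapplicable, ...) in the
# XCCDF file written by `oscap xccdf eval --results`.
count_result() {            # usage: count_result <kind> <results.xml>
    grep -o "<result>$1</result>" "$2" | wc -l | tr -d ' '
}

# Map the exit status of `oscap xccdf eval` to a verdict:
#   0 = every rule passed, 2 = at least one rule failed or is unknown,
#   anything else = the scan itself did not complete.
classify_rc() {             # usage: classify_rc <exit-status>
    case "$1" in
        0) echo compliant ;;
        2) echo findings ;;
        *) echo error ;;
    esac
}

# Succeeds when more than half of the pass/fail/notapplicable results are
# notapplicable (threshold is an assumption of this example).
mostly_not_applicable() {   # usage: mostly_not_applicable <results.xml>
    na=$(count_result notapplicable "$1")
    total=$(( $(count_result pass "$1") + $(count_result fail "$1") + na ))
    [ "$total" -gt 0 ] && [ $((na * 2)) -gt "$total" ]
}

# Run one profile and print a one-line summary; exit status 2 from oscap
# is treated as "scan finished with findings", not as a failure.
scan() {                    # usage: scan <profile-id> <existing-output-dir>
    rc=0
    sudo oscap xccdf eval --profile "$1" --results "$2/results.xml" \
        --report "$2/report.html" "$DS" >"$2/scan.log" 2>&1 || rc=$?
    verdict=$(classify_rc "$rc")
    if [ "$verdict" = error ]; then
        echo "scan did not complete, see $2/scan.log" >&2
        return 1
    fi
    echo "$verdict: pass=$(count_result pass "$2/results.xml")" \
         "fail=$(count_result fail "$2/results.xml")" \
         "notapplicable=$(count_result notapplicable "$2/results.xml")"
    if mostly_not_applicable "$2/results.xml"; then
        echo "warning: mostly notapplicable, check the data stream file" >&2
    fi
}
# Example call: scan xccdf_org.ssgproject.content_profile_cis /var/tmp/scap
```

Source the file and call `scan` with a profile ID from step 5; the summary line is suitable for cron mail or a CI log.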

Notes

  • Reports (`.html`) can be opened in a web browser for detailed results.
  • Profiles include STIG, CIS, ANSSI, etc.
