1 About SCAP
The Security Content Automation Protocol (SCAP) provides an automated, standardized method for evaluating a system's compliance against security standards. SCAP helps automate both monitoring a system for vulnerabilities and verifying that the system complies with security policies, such as the Federal Information Security Management Act (FISMA). The U.S. government content repository for SCAP standards is the National Vulnerability Database (NVD), which is managed by the National Institute of Standards and Technology (NIST).
All SCAP files are released in XML format so that they're straightforward to parse and change for custom requirements.
OpenSCAP (OSCAP) is an open source utility that can use a SCAP Security Guide (SSG) profile as a basis for testing security compliance. You can use the OSCAP utilities with Oracle Linux to automate compliance testing.
OSCAP scans a system against a SCAP Security Guide profile, which is typically available as an Extensible Configuration Checklist Description Format (XCCDF) file or within a SCAP data stream file. An XCCDF file contains a structured collection of security configuration rules that can be applied to meet certain security recommendations or requirements. Each XCCDF file can contain several profiles that apply to different use cases. A profile contains generic security recommendations that apply to all Oracle Linux installations and extra security recommendations that are specific to the intended usage of a particular system. Commonly used XCCDF files that are intended for use with Oracle Linux are included within the SCAP packages and are available for use immediately after install. XCCDF profiles are often used to assess whether a system's security configuration aligns with the Security Technical Implementation Guide (STIG) that's released by the Defense Information Systems Agency (DISA) and to provide remediation steps to implement a particular recommendation.
The Oracle Linux installer also provides options to install the OS to match a specific security profile or policy as defined by the XCCDF profiles available in the scap-security-guide package. By applying a policy during installation, you can ensure the system is compliant when it begins operation. See Oracle Linux 9: Installing Oracle Linux for more information.
You can use OSCAP to audit systems against Open Vulnerability and Assessment Language (OVAL) definition files to test whether a system might be vulnerable to publicly known vulnerabilities or configuration issues. Oracle releases OVAL definitions for all errata on the Unbreakable Linux Network (ULN).
SCAP artifacts such as XCCDF profiles can be bundled into a single SCAP data stream file, which by convention has the file name suffix .ds. OSCAP can process data stream files similarly to XCCDF files. We recommend using data stream files whenever possible, as they reduce overhead and can contain references to external resources that can be kept current.
In Oracle Linux 9 and later, the scap-security-guide package excludes the redundant OVAL and XCCDF files in favor of a data stream file that contains all the required artifacts to perform evaluations.
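To make the structure described above concrete (a data stream bundling an XCCDF benchmark with several profiles plus OVAL definitions), the following Python script parses a minimal SCAP 1.2 source data stream and lists, per profile, the rules that are selected after profile inheritance is applied, together with the OVAL definitions and the CVE references they carry. This is an added example written for this page; it is not code from the OpenSCAP or scap-security-guide projects. The data stream embedded in it is constructed for illustration (the rule, profile and definition ids and the CVE placeholder are made up), and the `extends` attribute it resolves is the standard XCCDF profile-inheritance attribute.

```python
"""Enumerate profiles, selected rules and OVAL definitions in a SCAP 1.2 data stream.

Added example for this page; not part of OpenSCAP or scap-security-guide.
"""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed, minimal data stream: one XCCDF checklist component (two profiles,
# three rules) and one OVAL checks component. All ids and the CVE are placeholders.
SAMPLE_DS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_com.example_collection_demo">
  <ds:data-stream id="scap_com.example_datastream_demo" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_com.example_cref_xccdf" xlink:href="#scap_com.example_comp_xccdf"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_com.example_cref_oval" xlink:href="#scap_com.example_comp_oval"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_com.example_comp_xccdf" timestamp="2024-01-01T00:00:00">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_benchmark_demo">
      <Profile id="xccdf_com.example_profile_common">
        <title>Common baseline</title>
        <select idref="xccdf_com.example_rule_sshd_root_login" selected="true"/>
        <select idref="xccdf_com.example_rule_firewalld_enabled" selected="true"/>
      </Profile>
      <Profile id="xccdf_com.example_profile_hardened" extends="xccdf_com.example_profile_common">
        <title>Hardened server</title>
        <select idref="xccdf_com.example_rule_firewalld_enabled" selected="false"/>
        <select idref="xccdf_com.example_rule_fips_mode" selected="true"/>
      </Profile>
      <Group id="xccdf_com.example_group_services">
        <Rule id="xccdf_com.example_rule_sshd_root_login" severity="high"><title>Disable root SSH login</title></Rule>
        <Rule id="xccdf_com.example_rule_firewalld_enabled" severity="medium"><title>Enable firewalld</title></Rule>
      </Group>
      <Rule id="xccdf_com.example_rule_fips_mode" severity="high"><title>Enable FIPS mode</title></Rule>
    </Benchmark>
  </ds:component>
  <ds:component id="scap_com.example_comp_oval" timestamp="2024-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <definitions>
        <definition id="oval:com.example:def:1" class="patch" version="1">
          <metadata>
            <title>Placeholder errata definition</title>
            <reference source="CVE" ref_id="CVE-0000-0000"/>
          </metadata>
        </definition>
      </definitions>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""


def data_stream_components(ds_xml):
    """Map each data-stream section (checklists, checks, ...) to the component ids it references."""
    root = ET.fromstring(ds_xml)
    out = {}
    for stream in root.findall("ds:data-stream", NS):
        for section in stream:
            name = section.tag.split("}")[1]
            out[name] = [ref.get(XLINK_HREF).lstrip("#") for ref in section.findall("ds:component-ref", NS)]
    return out


def _resolve_selections(profiles, pid, seen=()):
    """Return {rule_id: selected} for a profile: parent selections first, then its own overrides."""
    if pid in seen:
        raise ValueError(f"profile inheritance cycle at {pid}")
    if pid not in profiles:
        raise ValueError(f"unknown profile {pid}")
    prof = profiles[pid]
    selections = {}
    parent = prof.get("extends")
    if parent:
        selections.update(_resolve_selections(profiles, parent, seen + (pid,)))
    for sel in prof.findall("xccdf:select", NS):
        selections[sel.get("idref")] = sel.get("selected", "true").lower() == "true"
    return selections


def list_profiles(ds_xml):
    """Return {profile_id: sorted list of rule ids that the profile selects}."""
    root = ET.fromstring(ds_xml)
    benchmark = root.find(".//xccdf:Benchmark", NS)
    rule_ids = {r.get("id") for r in benchmark.iter(f"{{{NS['xccdf']}}}Rule")}
    profiles = {p.get("id"): p for p in benchmark.findall("xccdf:Profile", NS)}
    return {
        pid: sorted(r for r, on in _resolve_selections(profiles, pid).items() if on and r in rule_ids)
        for pid in profiles
    }


def list_oval_definitions(ds_xml):
    """Return {definition_id: {"class": ..., "cves": [...]}} for every OVAL definition."""
    root = ET.fromstring(ds_xml)
    out = {}
    for definition in root.iter(f"{{{NS['oval']}}}definition"):
        cves = [ref.get("ref_id") for ref in definition.iter(f"{{{NS['oval']}}}reference")
                if ref.get("source") == "CVE"]
        out[definition.get("id")] = {"class": definition.get("class"), "cves": cves}
    return out


if __name__ == "__main__":
    for section, comps in data_stream_components(SAMPLE_DS).items():
        print(f"{section}: {', '.join(comps)}")
    for pid, rules in list_profiles(SAMPLE_DS).items():
        print(pid)
        for rule in rules:
            print(f"  {rule}")
    for did, info in list_oval_definitions(SAMPLE_DS).items():
        print(f"{did} [{info['class']}]: {', '.join(info['cves'])}")
```

Against a real data stream, the same enumeration is what `oscap info` prints for you; the value of walking the XML yourself is seeing how a derived profile inherits its parent's selections and then overrides them, which is why the hardened profile above keeps the SSH rule, drops the firewalld rule and adds the FIPS rule.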