CIS benchmarks with OpenSCAP
Scan, remediate, and track drift.
Everything in this course — SSH, PAM, sysctl, SELinux, auditd, mounts — is enumerated, item by item, in the CIS Benchmarks: a consensus, freely-available checklist of specific, testable hardening settings for each operating system. Rather than remember hundreds of settings, you measure a host against the benchmark automatically and get a scored report of exactly what passes, what fails, and how to fix each item. OpenSCAP is the standard open-source scanner that does this.
$ sudo dnf install openscap-scanner scap-security-guide # RHEL family$ sudo oscap xccdf eval \--profile xccdf_org.ssgproject.content_profile_cis \--results scan.xml --report report.html \/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml# open report.html: every control, pass/fail, severity, and the remediation for each
Scan, remediate, and re-scan
The workflow is a loop. Scan to get a baseline score and the list of failures; remediate the failures (OpenSCAP can even generate a remediation script or an Ansible playbook to apply the fixes); then re-scan to confirm the fixes took and the score improved. Not every control applies to every host — some you will justify skipping — but recording that decision is part of the process. The benchmark turns "is this host hardened?" from an opinion into a measured, repeatable number.
# generate a remediation script from a scan’s failures, review it, then apply$ sudo oscap xccdf generate fix --profile cis --result-id "" scan.xml > remediate.sh$ less remediate.sh # ALWAYS read generated remediation before running it$ sudo bash remediate.sh && sudo oscap xccdf eval ... # re-scan to confirm
Track drift over time
A host is hardened the day you scan it and drifts afterward — a change here, a package there, an emergency "just disable it for now" that never gets re-enabled. So the real value of benchmark scanning is running it on a schedule and tracking the score over time, so drift shows up as a falling number and a specific newly-failing control. Wire OpenSCAP into your configuration management or a periodic job, and hardening becomes a maintained state rather than a one-time event you slowly lose.