CoursesLinux hardeningAudit & compliance

CIS benchmarks with OpenSCAP

Scan, remediate, and track drift.

Intermediate12 min · lesson 16 of 16

Everything in this course — SSH, PAM, sysctl, SELinux, auditd, mounts — is enumerated, item by item, in the CIS Benchmarks: a consensus, freely-available checklist of specific, testable hardening settings for each operating system. Rather than remember hundreds of settings, you measure a host against the benchmark automatically and get a scored report of exactly what passes, what fails, and how to fix each item. OpenSCAP is the standard open-source scanner that does this.

SCAN, REMEDIATE, TRACK DRIFT
1Scan
oscap eval vs CIS profile -> scored report
2Remediate
generate fix script/playbook, review, apply
3Re-scan
confirm fixes took and score improved
4Schedule & track drift
periodic run; falling score flags regressions
Run on a schedule so hardening becomes a maintained state, not a one-time event.
terminal
$ sudo dnf install openscap-scanner scap-security-guide # RHEL family
$ sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \
--results scan.xml --report report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# open report.html: every control, pass/fail, severity, and the remediation for each

Scan, remediate, and re-scan

The workflow is a loop. Scan to get a baseline score and the list of failures; remediate the failures (OpenSCAP can even generate a remediation script or an Ansible playbook to apply the fixes); then re-scan to confirm the fixes took and the score improved. Not every control applies to every host — some you will justify skipping — but recording that decision is part of the process. The benchmark turns "is this host hardened?" from an opinion into a measured, repeatable number.

terminal
# generate a remediation script from a scan’s failures, review it, then apply
$ sudo oscap xccdf generate fix --profile cis --result-id "" scan.xml > remediate.sh
$ less remediate.sh # ALWAYS read generated remediation before running it
$ sudo bash remediate.sh && sudo oscap xccdf eval ... # re-scan to confirm

Track drift over time

A host is hardened the day you scan it and drifts afterward — a change here, a package there, an emergency "just disable it for now" that never gets re-enabled. So the real value of benchmark scanning is running it on a schedule and tracking the score over time, so drift shows up as a falling number and a specific newly-failing control. Wire OpenSCAP into your configuration management or a periodic job, and hardening becomes a maintained state rather than a one-time event you slowly lose.

A benchmark is a baseline, not the whole of security
A 100% CIS score is a strong, measurable hardening baseline — and it is not the same as "secure." Benchmarks check configuration, not your application’s vulnerabilities, your network architecture, or an attacker already inside. Treat CIS as the floor every host should meet and a way to catch drift, then layer the rest: patching, least privilege, detection, and response. The benchmark answers "is this host configured to a known standard?", which is necessary but not sufficient.