Introduction
The Center for Internet Security (CIS) Benchmarks represent the gold standard for cybersecurity configuration guidelines, developed through a consensus-driven process involving cybersecurity professionals worldwide. These benchmarks provide detailed, actionable recommendations for securing various operating systems, applications, and network devices. For Linux systems, CIS Benchmarks are particularly valuable as they address both server and workstation configurations across multiple distributions.
OpenSCAP, an open-source implementation of the Security Content Automation Protocol (SCAP) standard maintained by NIST, serves as the cornerstone framework for automated security compliance assessment and remediation. It enables organizations to:
- Perform automated vulnerability assessments
- Validate security configuration compliance
- Generate detailed compliance reports
- Execute automated remediation procedures
- Integrate security checks into CI/CD pipelines
Note: This report focuses specifically on Linux distributions that provide native support for CIS compliance validation through OpenSCAP, examining implementation quality, available features, and practical deployment considerations.
Distribution Comparison Matrix
| Distribution | CIS Support Level | Available Profiles | Remediation Scripts | GUI Tools | Documentation Quality |
|---|---|---|---|---|---|
| RHEL 8/9 | Excellent | Multiple Levels | Bash, Ansible, Kickstart | scap-workbench | Comprehensive |
| Ubuntu 20.04/22.04 | Good | Level 1 & 2 (Server/Workstation) | Bash, Ansible | Limited | Good |
| SLES 15 | Good | CIS Profiles Available | Shell, Ansible | scap-workbench | Good |
| CentOS Stream | Good | Similar to RHEL | Bash, Ansible | Basic | Moderate |
| Debian 11/12 | Moderate | Basic Profiles | Limited | None | Basic |
| Fedora | Moderate | Standard Profiles | Basic | Limited | Moderate |
Red Hat Enterprise Linux (RHEL)
Red Hat Enterprise Linux stands as the industry leader in OpenSCAP implementation and CIS compliance support. With over a decade of development and refinement, RHEL’s security automation capabilities are unmatched in the enterprise Linux ecosystem.
Package Architecture and Installation
RHEL’s OpenSCAP implementation follows a modular architecture with clearly defined components:
```bash
# Essential packages for CIS compliance
sudo dnf install openscap-scanner scap-security-guide
# Optional but recommended packages
sudo dnf install scap-workbench openscap-utils
# For development and customization
sudo dnf install openscap-python3 scap-security-guide-doc
```
Advanced Implementation Features
Key Strength: RHEL provides the most comprehensive set of remediation options, including support for automated remediation during system installation via Kickstart integration.
The RHEL implementation includes several advanced features:
- Tailoring Files: Customizable XML files allowing organizations to modify default profiles
- Multi-format Remediation: Supports Ansible, Bash, Puppet, and Kickstart remediation formats
- Integration Support: Native integration with Red Hat Satellite for enterprise-scale deployment
- Containerized Scanning: Support for scanning container images and OpenShift environments
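The tailoring mechanism listed above is also how approved exceptions get recorded rather than silently ignored. The following is an added example, not code from the page, from Red Hat or from ComplianceAsCode: it writes an XCCDF 1.2 tailoring file in the layout scap-workbench produces, inheriting the SSG CIS profile and unselecting one rule while keeping the approval reason inside the file. The output path, the `xccdf_org.example_*` ids, the rule id placeholder and the "ticket SEC-123" reason are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or from ComplianceAsCode: build an XCCDF 1.2
# tailoring file (the format scap-workbench writes) that inherits the SSG CIS
# profile and unselects one rule, keeping the approval reason in the file.
set -eu

# make_tailoring OUTFILE DATASTREAM BASE_PROFILE_ID RULE_ID REASON
make_tailoring() {
  out=$1 ds=$2 base=$3 rule=$4 reason=$5
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_cis_exceptions">
  <xccdf:benchmark href="$ds"/>
  <xccdf:version time="$(date -u +%Y-%m-%dT%H:%M:%S)">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.example_profile_cis_custom" extends="$base">
    <xccdf:title>CIS profile with documented exceptions</xccdf:title>
    <!-- approved deviation: $reason -->
    <xccdf:select idref="$rule" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# tailoring_unselects FILE RULE_ID: succeeds when FILE records RULE_ID as unselected.
tailoring_unselects() {
  grep -q "idref=\"$2\" selected=\"false\"" "$1"
}

# Usage on RHEL 8 with the page's data stream and profile id; the rule id is a
# placeholder and "ticket SEC-123" is a constructed reason:
#   make_tailoring /tmp/cis-tailoring.xml \
#     /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml \
#     xccdf_org.ssgproject.content_profile_cis \
#     xccdf_org.ssgproject.content_rule_PLACEHOLDER "ticket SEC-123: conflicts with app"
#   oscap xccdf eval --tailoring-file /tmp/cis-tailoring.xml \
#     --profile xccdf_org.example_profile_cis_custom \
#     --results /tmp/scan_results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
```

Because the custom profile id lives in the tailoring file, `oscap info --tailoring-file` can confirm it is visible before the scan, and the same file is what an auditor reviews for the exception list.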
CIS Profile Implementation
RHEL 8 and 9 include comprehensive CIS profiles with granular control options:
```bash
# List available CIS profiles
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep -i cis
# Scan with detailed reporting
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/scan_results.xml \
  --report /tmp/detailed_report.html \
  --oval-results \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
# Generate a remediation playbook from the scan results (only failed rules)
oscap xccdf generate fix \
  --fix-type ansible \
  --output /tmp/rhel8_cis_remediation.yml \
  --result-id "" \
  /tmp/scan_results.xml
```
Enterprise Integration Capabilities
Enterprise Tip: RHEL’s OpenSCAP implementation can be integrated with Red Hat Satellite for centralized compliance management across thousands of systems, providing dashboard reporting and automated remediation scheduling.
Ubuntu
Ubuntu has significantly improved its OpenSCAP support in recent LTS releases, particularly Ubuntu 20.04 and 22.04. Canonical has invested considerable effort in ensuring comprehensive CIS Benchmark coverage for both server and desktop environments.
Installation and Setup
```bash
# Update package repository
sudo apt update
# Install core OpenSCAP packages
sudo apt install openscap-scanner scap-security-guide
# Note: in the Ubuntu/Debian archives the SSG data streams are packaged as
# ssg-base, ssg-debderived and ssg-nondebian; Canonical's own CIS tooling is the
# usg package (Ubuntu Security Guide) available through Ubuntu Pro.
# Optional packages for enhanced functionality
sudo apt install scap-workbench libopenscap8-dev
```
Ubuntu-Specific CIS Implementations
Ubuntu’s CIS implementation is particularly robust for the following environments:
| Profile Type | Profile ID | Target Environment | Security Impact |
|---|---|---|---|
| CIS Level 1 Server | cis_level1_server | Production Servers | Minimal Performance Impact |
| CIS Level 1 Workstation | cis_level1_workstation | Desktop/Laptop Systems | User-Friendly Security |
| CIS Level 2 Server | cis_level2_server | High-Security Environments | Enhanced Security Controls |
| CIS Level 2 Workstation | cis_level2_workstation | Secure Workstations | Maximum Security Settings |
Advanced Scanning and Remediation
```bash
# Comprehensive CIS Level 1 Server scan with detailed output
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results /tmp/ubuntu_cis_results.xml \
  --report /tmp/ubuntu_cis_report.html \
  --oval-results \
  --cpe /usr/share/openscap/cpe/openscap-cpe-dict.xml \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
# Generate Ansible remediation playbook for the whole profile
oscap xccdf generate fix \
  --fix-type ansible \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --output /tmp/ubuntu_remediation.yml \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
Important: Ubuntu’s CIS Level 2 profiles may impact system usability. Test thoroughly in non-production environments before deployment.
SUSE Linux Enterprise Server (SLES)
SUSE Linux Enterprise Server provides enterprise-grade OpenSCAP support with integration into SUSE’s management ecosystem. SLES 15 SP3 and later versions include comprehensive CIS Benchmark support.
Package Installation and Configuration
```bash
# Install OpenSCAP packages via zypper
sudo zypper install openscap openscap-utils scap-security-guide
# Optional GUI and additional tools
sudo zypper install scap-workbench ssg-apply
# Verify installation
rpm -qa | grep -E "(openscap|scap)"
```
SLES-Specific Features
SLES offers several unique advantages in enterprise environments:
- SUSE Manager Integration: Centralized compliance management across SLES infrastructure
- Extended Support: Long-term support with security updates for compliance content
- SAP Integration: Specialized profiles for SAP HANA and SAP NetWeaver environments
- Container Support: OpenSCAP scanning capabilities for SUSE Container Platform
Scanning and Remediation Examples
```bash
# List available profiles for SLES
oscap info /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
# Execute CIS compliance scan
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/sles_scan_results.xml \
  --report /tmp/sles_compliance_report.html \
  /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
# Generate shell script remediation from the scan results
oscap xccdf generate fix \
  --fix-type bash \
  --output /tmp/sles_remediation.sh \
  --result-id "" \
  /tmp/sles_scan_results.xml
```
Other Linux Distributions
Debian
Debian’s OpenSCAP support has evolved significantly, with improved CIS Benchmark coverage in Debian 11 (Bullseye) and Debian 12 (Bookworm).
```bash
# Install Debian-specific security guides
sudo apt install ssg-debian ssg-debderived ssg-applications
# Baseline scan for Debian 11. CIS-specific SSG content for Debian is limited,
# so this uses the ANSSI BP-28 "enhanced" profile shipped in ssg-debian.
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced \
  --results /tmp/debian_results.xml \
  --report /tmp/debian_report.html \
  /usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml
```
CentOS Stream and Rocky Linux
As RHEL derivatives, these distributions inherit robust OpenSCAP support with some modifications:
Migration Note: Organizations migrating from CentOS 7 to CentOS Stream or Rocky Linux can leverage similar OpenSCAP workflows with minimal modification.
Fedora
Fedora serves as the upstream for RHEL security features, often providing early access to new OpenSCAP capabilities:
```bash
# Install latest OpenSCAP packages
sudo dnf install openscap-scanner scap-security-guide scap-workbench
# Fedora-specific scanning (OSPP profile)
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_ospp \
  --results /tmp/fedora_results.xml \
  --report /tmp/fedora_report.html \
  /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
```
ComplianceAsCode/content Project
The ComplianceAsCode/content project represents the collaborative effort behind most Linux OpenSCAP implementations. This upstream project ensures consistency and quality across distributions while enabling customization for specific organizational needs.
Project Architecture
The project maintains a sophisticated build system that generates content for multiple target platforms:
- Source Management: YAML-based rule definitions for maintainability
- Multi-Target Building: Single source generating content for multiple distributions
- Quality Assurance: Automated testing and validation pipelines
- Community Contributions: Open-source model enabling rapid improvement
Building Custom Content
```bash
# Clone the repository
git clone https://github.com/ComplianceAsCode/content.git
cd content
# Install build dependencies (Ubuntu/Debian)
sudo apt install cmake make python3-yaml python3-jinja2 libopenscap8
# Build content for a specific distribution
mkdir build && cd build
cmake ..
make -j4 ssg-ubuntu2204-ds.xml
# Alternative: build all content
make -j4
```
Customization Capabilities
Advanced Feature: Organizations can create custom profiles by combining existing rules or developing new ones, enabling tailored compliance frameworks that address specific regulatory requirements.
Best Practices and Recommendations
Pre-Deployment Planning
- Environment Assessment: Evaluate current system configurations and identify potential conflicts
- Pilot Testing: Implement CIS controls in non-production environments first
- Business Impact Analysis: Assess how security controls affect application functionality
- Rollback Planning: Develop procedures for reverting changes if issues arise
Implementation Strategy
Phased Approach Recommended: Implement CIS Level 1 controls first, validate system stability, then progressively apply Level 2 controls based on risk tolerance and operational requirements.
Monitoring and Maintenance
- Regular Scanning: Schedule weekly or monthly compliance scans
- Drift Detection: Monitor configuration changes that affect compliance status
- Update Management: Keep OpenSCAP content updated with latest security profiles
- Exception Handling: Document and track approved deviations from CIS benchmarks
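Regular scanning and drift detection both come down to reading the results file that `oscap xccdf eval --results` writes in the scan commands above and comparing two runs. The following is an added example, not code from the page or the OpenSCAP project: a small POSIX shell library that extracts per-rule results from an XCCDF 1.2 results file, counts them, reports rules whose result changed between two scans, and wraps the scan so that the oscap exit code gates a pipeline step. It assumes the XCCDF result layout (`rule-result` elements with a nested `result`) and a `/tmp` scratch directory.

```shell
#!/bin/sh
# Added example, not from the page or the OpenSCAP project: summarise an XCCDF
# results file like the one the scans above write with --results, and compare
# two runs to spot drift. Assumes the XCCDF 1.2 result layout and POSIX awk.
set -eu

# rule_results RESULTS_XML: one "rule_id result" line per evaluated rule.
rule_results() {
  awk '
    { gsub(/<xccdf:/, "<"); gsub(/<\/xccdf:/, "</") }   # tolerate prefixed elements
    /<rule-result[ >]/ && match($0, /idref="[^"]*"/) {
      id = substr($0, RSTART + 7, RLENGTH - 8)
    }
    /<result>/ && match($0, /<result>[^<]*<\/result>/) {
      print id, substr($0, RSTART + 8, RLENGTH - 17)
    }' "$1"
}

# count_results RESULTS_XML STATUS: number of rules with that result (pass, fail, ...).
count_results() {
  rule_results "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# drift OLD_XML NEW_XML: rules whose result changed between two scans.
drift() {
  o=$(mktemp); n=$(mktemp)
  rule_results "$1" > "$o"; rule_results "$2" > "$n"
  awk 'NR == FNR { prev[$1] = $2; next }
       ($1 in prev) && prev[$1] != $2 { print $1, prev[$1], "->", $2 }' "$o" "$n"
  rm -f "$o" "$n"
}

# scan_summary DATASTREAM PROFILE RESULTS: run the scan, interpret the exit code
# (0 = every rule passed, 1 = error such as missing privileges, 2 = at least one
# rule failed) and print the failure count; returns the oscap exit code so a
# CI job can fail on non-compliance.
scan_summary() {
  if oscap xccdf eval --profile "$2" --results "$3" "$1"; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "compliant" ;;
    2) echo "non-compliant: $(count_results "$3" fail) failing rules" ;;
    *) echo "scan error (exit $rc): check privileges and content paths" >&2 ;;
  esac
  return "$rc"
}
```

Keeping the `--results` file from each scheduled scan lets `drift old.xml new.xml` show exactly which rules regressed, which is far easier to triage than two HTML reports side by side.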
Common Issues and Troubleshooting
Scanning Issues
Common Problem: Permission errors during scanning. Ensure the scanning user has appropriate privileges or run scans with sudo when necessary.
Remediation Challenges
- Service Dependencies: Some remediation actions may restart critical services
- Network Connectivity: Firewall changes may affect network access
- Application Compatibility: Security controls may conflict with application requirements
Performance Considerations
```bash
# Watch CPU and disk I/O while the scan runs. htop is interactive, so open it in
# a second terminal rather than backgrounding it; iostat can log to a file.
iostat -x 5 > /tmp/scan_iostat.log 2>&1 &
# Run the scan with per-rule progress output
oscap xccdf eval --progress \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results scan_results.xml \
  --report scan_report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
```
Conclusion
The landscape of Linux distributions supporting CIS OpenSCAP compliance has matured significantly, with enterprise-grade solutions now available across multiple platforms. Red Hat Enterprise Linux continues to lead in implementation quality and feature completeness, while Ubuntu has made substantial improvements in recent LTS releases. SUSE Linux Enterprise Server provides solid enterprise integration, and community distributions like Debian and Fedora offer adequate support for most organizational needs.
Key factors for successful implementation include:
- Distribution Selection: Choose based on existing infrastructure, support requirements, and compliance objectives
- Gradual Implementation: Phase deployment to minimize operational disruption
- Continuous Monitoring: Establish ongoing compliance verification processes
- Documentation: Maintain detailed records of configurations, exceptions, and remediation actions
Organizations implementing CIS compliance through OpenSCAP can expect improved security posture, simplified audit processes, and reduced manual configuration management overhead. The investment in automated compliance tooling pays dividends through consistent security configurations and reduced human error.
This content is free to use, adapt, and share.
Knowledge and information should be open—please spread them far and wide.
A few things to keep in mind:
- All of my work comes with absolutely no warranty, expressed or implied. However…
- It will almost certainly work until it breaks, though I must admit it may never work or be useful—and that would be sad.
- If/when it breaks, you can keep all the pieces.
- As for what you don’t like, it’s yours to do with as you will.
- If you find my materials helpful, both you and I will be happy (at least for a while).
- My advice is worth every penny you paid for it!
Full disclosure:
I use various AI systems to assist in developing my content.
If you’re curious about how I use them, feel free to check out:
The Revolutionary Impact of AI on Genealogy and Historical Research.