Last modified 3 months ago Last modified on 03/25/15 08:06:51

Welcome to scap-security-guide

The scap-security-guide project (SSG) delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). We currently provide content for Fedora, Java, Red Hat Enterprise Linux 5, 6, and 7 (RHEL5/6/7), OpenStack, JBoss Enterprise Application Server 5 (JBoss EAP5), and JBossFuse6.

The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provides prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

To see how this works:

Major initiatives for our SCAP content include:

Getting Involved


Join the mailing list at:

Join our community calls:

Join the project as a developer:


  1. Enable the Extra Packages for Enterprise Linux (EPEL) repository by installing the epel-release RPM package. For CentOS 7 and RHEL 7 just use 'yum'. If you are using an older release, please refer to the How can I use these extra packages? section on the EPEL wiki page.
    $ sudo yum install epel-release
  1. Install SCAP Security Guide. Depending on previously installed packages, the SCAP Security Guide package will also download dependencies (namely, openscap-utils).
    $ sudo yum install scap-security-guide
  1. See the Usage Guide for how to use the project.

Related Projects

  • The OpenSCAP project provides an execution capability for automated checking in the SCAP formats, as well as libraries for third parties to build SCAP-supporting tools. As part of the Red Hat Enterprise Linux operating system, it means that the platform natively possesses the ability to process SCAP content, which is unique and significant.
  • The Aqueduct project provides remediation resources such as kickstarts, Puppet modules, and hardening scripts for System Administrators who wish to become compliant with established baselines. It is important to note that SSG provides security recommendations and means for automated compliance checking/validation, but not comprehensive remediation.
  • The scap-workbench project provides a graphical user interface (GUI) tool to perform various tasks related with processing of data in SCAP format (such as system compliance checking/validation or XCCDF content tailoring). It is based on the OpenSCAP library and internally calls oscap executable to perform all the evaluation.
  • The OSCAP Anaconda Addon project focuses on the development of an add-on for the Anaconda installer that would allow application of SCAP content during the operating system installation process. Both approaches (specification of the targeted SCAP policy in the form of a kickstart file or its specification via graphical user interface) are supported.
  • The OpenSCAP Puppet module exposes OpenSCAP primitives to puppet DSL.