Last modified 7 months ago Last modified on 07/13/15 16:39:35

Welcome to SCAP Security Guide

The SCAP Security Guide project (SSG) delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).

We currently provide content for Chromium (web browser), Fedora, Java (JRE), Mozilla Firefox, Red Hat Enterprise Linux 5, 6, and 7 (RHEL5/6/7), OpenStack, JBoss Enterprise
Application Server 5 (JBoss EAP5), JBossFuse6, and Webmin.

The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation.
These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and
widely-accepted policies such as NIST 800-53 provides prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges
the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.

To see how this works:

Major initiatives for our SCAP content include:

Getting Involved


Join the mailing list at:

Join our community calls:

Join the project as a developer:


SCAP Security Guide is natively shipped with Red Hat Enterprise Linux 6 and 7. To install SCAP Security Guide RPM package on these systems issue the following command:

$ sudo yum install scap-security-guide

The source tarballs and Zip archives with pre-built XML benchmarks in SCAP source data stream format are available at GitHub.

See the Building from Source and Usage Guide articles for further information how to build and use the provided SCAP content.


Found a bug, or got a feature request? Report them!


Experiencing issues building the content? Uncertain what concrete result of a particular rule during system scan means? Want to share experience using SCAP Security Guide content? Use our mailing list.


Interested what's new in OpenSCAP/scap-security-guide? Check it out!

Related Projects

  • The OpenSCAP project provides an execution capability for automated checking in the SCAP formats, as well as libraries for third parties to build SCAP-supporting tools.
    As part of the Red Hat Enterprise Linux operating system, it means that the platform natively possesses the ability to process SCAP content, which is unique and significant.
  • The Aqueduct project provides remediation resources such as kickstarts, Puppet modules, and hardening scripts for System Administrators who wish to become compliant
    with established baselines. It is important to note that SSG provides security recommendations and means for automated compliance checking/validation, but not comprehensive
  • The SCAP Workbench project provides a graphical user interface (GUI) tool to perform various tasks related with processing of data in SCAP format (such as system
    compliance checking/validation or XCCDF content tailoring). It is based on the OpenSCAP library and internally calls oscap executable to perform all the evaluation.
  • The OSCAP Anaconda Addon project focuses on the development of an add-on for the Anaconda installer that would allow application of SCAP content during the operating
    system installation process. Both approaches (specification of the targeted SCAP policy in the form of a kickstart file or its specification via graphical user interface) are supported.