Posted inSecurity

Hardening Linux: Using OpenSCAP to Automate CIS Benchmark Compliance

Security tutorial - IT technology blog
Security tutorial - IT technology blog

The ‘It Works’ Trap: Why Default Configs Are a Security Liability

Spinning up a new Linux server feels like a win when the services status turns green. The web server responds, the firewall passes traffic on port 443, and everything looks perfect. But here is the catch: ‘default’ is rarely ‘secure.’ Most distributions prioritize out-of-the-box compatibility over lockdown. They ship with legacy protocols enabled and permissive settings just to ensure your hardware doesn’t complain.

I learned this the hard way when a fresh VPS of mine faced 8,500 failed SSH login attempts from 140 unique IP addresses in less than six hours. My logs were a mess. If I hadn’t already moved SSH to a non-standard port and enforced public-key-only authentication, that story would have ended with a compromised database rather than a bloated log file. Functional systems aren’t necessarily safe ones.

Manually hardening a server is a grind. You have to verify over 200 individual settings, from kernel parameters to file permissions. Overlooking one tiny detail—like a world-writable config file or an insecure sysctl variable—is all an attacker needs to escalate their privileges.

The Gap Between ‘Up and Running’ and ‘Hardened’

Complexity is the main reason we leave servers in a vulnerable state. When you install a new package, the maintainer provides a configuration designed to run on the widest possible variety of environments. They won’t disable a feature that 5% of users might need, even if that feature represents a massive surface area for an exploit.

Security also becomes dangerously subjective without a formal framework. One admin might think disabling the root login is ‘good enough.’ Another might insist on complex fstab restrictions like nosuid and nodev. Without a rigorous, industry-recognized standard, your security posture is limited by the memory and patience of whoever built the box.

Manual Hardening vs. Automated Auditing

You generally have three ways to bridge this security gap:

  • The Manual Checklist: You follow a 300-page PDF and run commands one by one. It is slow and prone to human error. You will eventually miss a step or make a typo.
  • Custom Shell Scripts: You build a hardening.sh tool. This works until the OS updates. Keeping a script compatible as you move from Ubuntu 22.04 to 24.04 becomes a maintenance burden.
  • SCAP-Compliant Tools: The Security Content Automation Protocol (SCAP) is the professional standard for vulnerability scanning. OpenSCAP lets you audit your system against the CIS Benchmarks—the gold standard for operating system security.

For production environments, OpenSCAP is the logical choice. It provides a formal, repeatable way to define security policies and generates audit-ready reports that prove your systems meet compliance requirements.

Step-by-Step: Automating Compliance with OpenSCAP

OpenSCAP acts as an automated auditor. It scans your configuration against established profiles, identifies exactly where you fail, and provides the code needed to fix the issues.

1. Installing the Engine and Security Guides

You need the scanning engine and the ‘Security Guide’ (the actual rules). On Debian or Ubuntu, install them via apt:

sudo apt update
sudo apt install -y libopenscap8 scap-security-guide

For RHEL, AlmaLinux, or Rocky Linux, the package names change slightly:

sudo dnf install -y openscap-scanner scap-security-guide

2. Picking Your Security Profile

Rules are stored in ‘DataStream’ files inside /usr/share/xml/scap/ssg/content/. These files contain different profiles like PCI-DSS, STIG, and CIS. To see what is available for an Ubuntu 22.04 system, run:

oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Look for the ID labeled xccdf_org.ssgproject.content_profile_cis. This is the profile we will use to measure our server against the Center for Internet Security standards.

3. Running the Security Audit

Now, execute the scan. This command evaluates the system and generates a detailed HTML report. This step is safe; it only observes and does not change your settings.

sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --report cis_report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Your terminal will stream a list of Pass and Fail results. Once it finishes, open cis_report.html in a browser to see a categorized breakdown of your security score.

4. Fixing the Failures

Don’t panic if a fresh server scores below 40%. You will likely see critical failures in three main areas:

  • Partitioning: Missing nodev, nosuid, or noexec flags on /tmp or /dev/shm.
  • Auditing: The auditd service isn’t tracking file deletions or admin changes.
  • Networking: IP forwarding is active, or the system is still accepting ICMP redirects.

OpenSCAP provides two fix methods. The HTML report includes a ‘Remediation’ section for every rule, showing you the exact command or config line needed for a manual fix.

Alternatively, you can use automated remediation to apply fixes instantly:

# CAUTION: This modifies system files directly
sudo oscap xccdf eval \
  --remediate \
  --profile xccdf_org.ssgproject.content_profile_cis \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Avoid running --remediate blindly on live production nodes. Some rules, like tightening permissions on system binaries, can break specific legacy apps. Use the report findings to update your Ansible playbooks instead. This ensures your infrastructure stays secure by design.

Security is a Process, Not a Task

Hardening isn’t a one-and-done project. Compliance slips every time a dev installs a new tool or tweaks a config file. To stay ahead, integrate OpenSCAP into a weekly cron job or your CI/CD pipeline. By automating these scans and reviewing the weekly reports, you prevent ‘configuration drift’ from turning your server into an easy target for the next brute-force attack.

Share:
Tags: