For the current Linux-Magazin 04/26, alongside the second article on patch management with #Uyuni (https://www.linux-magazin.de/ausgaben/2026/04/patch-me-if-you-can/), I also got to contribute information on the topic of #OpenSCAP.

👉🏻 https://www.linux-magazin.de/ausgaben/2026/04/openscap/

This article explains the fundamentals of the framework - practical examples illustrate auditing and automatic hardening.

#Linux #Security

So, one of the things that I am busy with is part of a lab that will be used at conferences and events around RHEL Image mode (bootc), on building compliance and hardening into the base image. Pretty neat stuff.

You can use OpenSCAP in the Containerfile, and harden the OS before it ever hits hardware. On the other side of it, you get an immutable OS that's configured to your compliance profile. Pretty cool.

But it's due tomorrow, which is what makes it stressful. :P

#redhat #rhel #bootc #linux #openscap #compliance

I found out that hardening #AlpineLinux with the use of industry-standard tools (to make high-level #production #security) is quite different, like #OpenSCAP doesn't work as expected, and I'm figuring it out. I know #RHEL-based #Linux would be better for this purpose, but I'm taking the challenge.

Dusting off my hardening skills. SURF is already doing a lot in this field but I think there is some room for improvement.

So playing around with #OpenSCAP to check what can be improved and jotting down ideas on possible ways to do so.

Didn't know the openscap-scanner tool has the possibility to create #Ansible playbooks to remediate failing rules of, for instance, CIS Benchmark profile checks. Nice bonus!

Anyone have some experience with #SCAP using something like #OpenSCAP and #ComplianceAsCode?

I'm looking to do some tailoring, both removing and adding rules. E.g. CIS Benchmark L2 Servers have a federal SSH warning. But my institution has its own. So I'd need to remove that rule from a custom profile but add another one.

Such lovely news, post holiday ...

I suppose with #MITRE being on life support and #OpenSCAP being a dependent of same, I guess I now have to start earnest work in finding a cross distribution Threat Intelligence solution . . apparently I've 11 months to do this in, and as usual FA budget.

Degradation is likely to be faster than first anticipated, as the funding thins out to *Nothing* rather rapidly, the funding vultures, and newly promoted, post cut Shite Hawks work their magic.

At first blush, one hopes EUVD can emit OVAL files . . an investigatory task for tomorrow, after Mail Mountain is scaled.

#Infosec #Security #TangerinePalpatine #Muskovite

How to install and use OpenSCAP to improve the security of Rocky Linux #RockyLinux #Linux #OpenSCAP

https://algoentremanos.com/como-instalar-usar-openscap-rocky-linux/

How to install and use OpenSCAP to improve the security of Rocky Linux 9

Step-by-step tutorial on how to secure Rocky Linux 9 with the OpenSCAP tool. I recommend using it with care and reviewing the security audit results one by one.

Algoentremanos

@zhenech First thought you were talking about #OpenSCAP and became a little worried.

Oh! It's been a while since I commented on #RedHat #ImageBuilder / #osbuild :D Let's correct that.

It's absolutely awesome how you can set an #OpenSCAP profile directly in the blueprint. It's also completely useless :) It always performs both an evaluation and remediation step, with no option to turn the remediation off, or to supply a tailored profile with added or excluded tests.

I can't imagine many images being built that don't have some form of post-processing, so running remediation beforehand is either just unwanted or, worse, changes things that shouldn't be changed.

Now, I do really mean that the intention is awesome. I just think there weren't too many actual users offering input :) So, this is mine - please take it as constructive criticism.