OpenSCAP is a NIST-certified open-source implementation of the SCAP specifications. It consists of a library and a set of command-line tools (oscap) that allow performing vulnerability and configuration compliance scans on Linux systems.
Integration with SUSE Manager (SUSE Multi-Linux Manager)
SUSE Manager, which in version 5.0 was renamed SUSE
Multi-Linux Manager, integrates OpenSCAP to provide a centralized security and
compliance auditing solution for the Linux systems it manages.
- Utility: Allows administrators to automate the security compliance verification of multiple systems (such as SUSE Linux Enterprise Server (SLES) clients, openSUSE, Red Hat Enterprise Linux, CentOS, and others) against predefined or customized security policies, all from a single console. This is fundamental for meeting regulatory requirements like PCI-DSS and HIPAA and for consistently applying internal policies.
- Mechanism: The SUSE Manager Server schedules and triggers OpenSCAP scans on managed clients.
  - On Salt-based clients (the standard), execution is orchestrated via Salt. On traditional clients (obsolete), it used osad/rhnsd.
  - The client executes the oscap tool locally, using the specified SCAP content.
  - The results (XML and HTML files) are then sent back to the SUSE Manager Server for storage, processing, and viewing in the web interface.
A Bit More...
PCI-DSS and HIPAA: Sector-Specific Security Standards
Two security standards frequently found in compliance
requirements and mentioned in OpenSCAP profiles are PCI-DSS and HIPAA.
- PCI-DSS (Payment Card Industry Data Security Standard): A global security standard, maintained by the PCI Security Standards Council, applicable to all organizations that process, store, or transmit cardholder data from major brands (Visa, Mastercard, etc.). Its main goal is to protect this data against fraud and leaks by establishing strict technical and operational requirements for secure networks, data protection, vulnerability management, access control, among others.
- HIPAA (Health Insurance Portability and Accountability Act): A United States federal law that sets standards to protect sensitive health information, known as Protected Health Information (PHI), from disclosure without the patient's consent or knowledge. The HIPAA Security Rule specifies administrative, physical, and technical safeguards that covered entities and their business associates must implement to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
- Equivalents in Brazil:
  - PCI-DSS: As a global payment industry standard, PCI-DSS applies directly to organizations in Brazil that handle card data. There isn't a "Brazilian PCI-DSS," but rather the need for compliance with the international standard. Additionally, the Central Bank of Brazil (BACEN) has its own regulations on cybersecurity and data security for financial and payment institutions that may complement or overlap with some requirements.
  - HIPAA: Being a U.S.-specific law, HIPAA does not apply directly in Brazil. The main Brazilian legal framework for data protection, including health data (considered "sensitive personal data"), is the General Data Protection Law (LGPD - Law No. 13.709/2018). The LGPD establishes comprehensive rules on the collection, processing, storage, and sharing of personal data, imposing requirements for security, consent, and data subject rights, serving as the main compliance benchmark for health data in the country. In addition to the LGPD, regulations from the Ministry of Health and the National Supplementary Health Agency (ANS) may also apply to health systems and information.
  - To learn more (LGPD): https://www.gov.br/anpd/pt-br (page of the National Data Protection Authority).
Tools and Components Involved
- oscap tool: The main command-line tool of OpenSCAP, executed on the client. It is responsible for analyzing the system based on SCAP content.
- SCAP Content: Files, usually in XML format (DataStream), containing security rules, checks, and metadata. They are typically provided by packages like scap-security-guide.
  - Example package (SLES): scap-security-guide
  - Example package (RHEL/CentOS): scap-security-guide
  - Common content location: /usr/share/xml/scap/ssg/content/
- Security Profiles: Predefined sets of rules within a DataStream, targeted at a specific benchmark. Common examples found in scap-security-guide:
  - xccdf_org.ssgproject.content_profile_cis: Center for Internet Security (CIS) Benchmark.
  - xccdf_org.ssgproject.content_profile_stig: Security Technical Implementation Guide (STIG) from DISA.
  - xccdf_org.ssgproject.content_profile_pci-dss: Payment Card Industry Data Security Standard.
  - xccdf_org.ssgproject.content_profile_hipaa: Health Insurance Portability and Accountability Act.
- Tailoring Files: XML files that allow modifying an existing profile (selecting/deselecting rules, adjusting parameters) without changing the original DataStream. This allows adapting a standard benchmark to the specific needs of the organization. They can be created with the OpenSCAP Workbench tool or manually.
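Added example (not code from the article or from the OpenSCAP project): a Python builder for the tailoring XML described above. It produces a Profile that extends a base profile, deselects rules and overrides values, and includes a small helper that parses the file back for checking. The rule and value ids in the main block are placeholders to be replaced with real ids from your DataStream; the tailoring and profile ids under xccdf_org.example are assumed names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)  # prefix SCAP Workbench also uses


def tag(name):
    return f"{{{XCCDF_NS}}}{name}"


def build_tailoring(datastream_href, base_profile, new_profile_id, title,
                    deselect_rules=(), set_values=None,
                    tailoring_id="xccdf_org.example_tailoring_custom"):
    """Return an XCCDF 1.2 Tailoring document (as a string) whose single Profile
    extends base_profile, switches off deselect_rules and overrides set_values
    ({value_id: new value}) without touching the original DataStream."""
    root = ET.Element(tag("Tailoring"), id=tailoring_id)
    ET.SubElement(root, tag("benchmark"), href=datastream_href)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ET.SubElement(root, tag("version"), time=stamp).text = "1"
    profile = ET.SubElement(root, tag("Profile"), id=new_profile_id, extends=base_profile)
    ET.SubElement(profile, tag("title")).text = title
    for rule_id in deselect_rules:
        ET.SubElement(profile, tag("select"), idref=rule_id, selected="false")
    for value_id, value in (set_values or {}).items():
        ET.SubElement(profile, tag("set-value"), idref=value_id).text = value
    return ET.tostring(root, encoding="unicode")


def profile_selections(tailoring_xml):
    """Parse a tailoring back: (profile id, profile it extends, {rule id: selected?})."""
    profile = ET.fromstring(tailoring_xml).find(tag("Profile"))
    selected = {s.get("idref"): s.get("selected") == "true"
                for s in profile.findall(tag("select"))}
    return profile.get("id"), profile.get("extends"), selected


if __name__ == "__main__":
    # PLACEHOLDER rule/value ids: replace with real ids from your DataStream.
    xml = build_tailoring(
        "/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml",
        "xccdf_org.ssgproject.content_profile_cis_server_l1",
        "xccdf_org.example_profile_cis_server_l1_custom",
        "CIS Server L1 adapted for example.internal",
        deselect_rules=["xccdf_org.ssgproject.content_rule_PLACEHOLDER"],
        set_values={"xccdf_org.ssgproject.content_value_PLACEHOLDER": "600"},
    )
    print(xml)  # save as custom-tailoring.xml and pass via --tailoring-file
```

The saved file is then passed to oscap with --tailoring-file custom-tailoring.xml --profile <new profile id> followed by the DataStream path, so the customized profile is evaluated while the DataStream stays unchanged.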
Functionalities and Command Examples
- Client Prerequisites: The client to be scanned needs to have the OpenSCAP packages installed.
  - Command (SLES/openSUSE): sudo zypper in openscap-scanner scap-security-guide
  - Command (RHEL/CentOS/AlmaLinux): sudo dnf install openscap-scanner scap-security-guide
  - Command (Debian/Ubuntu): sudo apt-get install libopenscap8 ssg-base ssg-debderived (package names may vary slightly).
  - Resources: Running oscap can consume significant resources (CPU and memory, especially RAM - at least 2GB free is recommended on the client during the scan).
- List Available Profiles (on Client): To see which profiles a DataStream file contains.
    oscap info /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
  (Adjust the path/filename according to the OS and version.)
- Schedule Scan (SUSE Manager Web UI):
  1. Navigate to Systems -> [Select a system or group] -> Audit tab.
  2. Select the OpenSCAP sub-tab -> Schedule.
  3. Fill in the fields:
    - Command: /usr/bin/oscap
    - Command line arguments: Here you define the profile and other options. Example: --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --report /tmp/oscap_cis_report.html
    - Path to XCCDF document: The full path to the DataStream file on the client. Example: /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
  4. Define the schedule (date/time). The scan will occur the next time the client contacts the server after the scheduled time.
- Manual Execution (on Client - for Testing): Useful for checking syntax or testing a profile before scheduling via SUSE Manager.
    sudo oscap xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
      --results /tmp/scan-results.xml \
      --report /tmp/scan-report.html \
      /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
  - Where:
    - --profile: Specifies the ID of the profile to use.
    - --results: Saves detailed results in XML format.
    - --report: Generates a readable report in HTML format.
    - The last argument is the DataStream file.
- Remediation: Some SCAP profiles include remediation snippets (Bash, Ansible, etc.) for rules that fail. oscap can generate a complete remediation script based on the results.
  - Command to generate the script (based on results):
    sudo oscap xccdf generate fix --result-id <ID_from_XML_result> /tmp/scan-results.xml > /tmp/remediation_script.sh
  - Important: Remediation scripts must be carefully reviewed and tested in non-production environments before being applied to production systems, as they can cause unexpected changes or downtime. SUSE Manager allows executing these scripts via Remote Commands or System Set Manager (SSM) for multiple systems.
Reading and Interpreting Reports
The HTML reports generated by oscap (and accessible via SUSE
Manager under Audit -> OpenSCAP -> All Scans -> click on a scan) are
the primary way to view results.
- Typical Structure:
  - Header/Summary: General information about the scan (target system, profile used, date/time, overall compliance score, count of Pass/Fail/Other rules).
  - Detailed Results by Rule: A list of all evaluated rules, usually grouped by benchmark sections.
  - Each rule shows:
    - Identifier (ID)
    - Title/Description
    - Severity (e.g., High, Medium, Low)
    - Result (Pass, Fail, Not Applicable, Error, etc.)
    - Check Details (if failed, may indicate why)
    - Remediation Suggestion (if available in SCAP content)
- Analysis: Focus on rules with a Fail result.
  - Understand the rule description and why it's important (security justification).
  - Analyze the failure details to confirm non-compliance on the system.
  - Evaluate the remediation suggestion. Check if it is applicable and safe for your environment.
  - Prioritize fixing failures with higher severity or greater impact on security/compliance.
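Added example (not code from the article or from the OpenSCAP project) covering both the remediation step and the analysis above: a Python script that reads the XML written by --results, counts rules by status, lists failing rules ordered by severity for prioritization, and extracts the TestResult id that the generate fix command needs in place of <ID_from_XML_result>. The embedded XML is a constructed sample in the shape oscap writes, with placeholder rule and profile ids.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # unknown/missing sorts last

# Constructed sample in the shape `oscap xccdf eval --results` writes (placeholder ids).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_DEMO">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.example_profile_demo"
              start-time="2024-01-01T10:00:00" end-time="2024-01-01T10:05:00">
    <profile idref="xccdf_org.example_profile_demo"/>
    <target>demo-client.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_A" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_B" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_C" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_D" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_E" severity="medium"><result>fail</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">40.000000</score>
  </TestResult>
</Benchmark>"""


def summarize(results_xml):
    """Return TestResult id, target, score, per-status counts and failures sorted by severity."""
    root = ET.fromstring(results_xml)
    tr = root.find(XCCDF + "TestResult")
    if tr is None:  # e.g. a plain DataStream was passed instead of the --results output
        raise ValueError("no TestResult element found; expected the file written by --results")
    counts, failures = Counter(), []
    for rr in tr.findall(XCCDF + "rule-result"):
        status = rr.findtext(XCCDF + "result", default="unknown")
        counts[status] += 1
        if status == "fail":
            failures.append((rr.get("severity", "unknown").lower(), rr.get("idref")))
    failures.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 99), f[1]))
    score = tr.find(XCCDF + "score")
    return {"result_id": tr.get("id"), "target": tr.findtext(XCCDF + "target"),
            "score": float(score.text) if score is not None else None,
            "counts": dict(counts), "failures": failures}


def remediation_command(summary, results_path="/tmp/scan-results.xml"):
    """Fill the <ID_from_XML_result> placeholder of the generate-fix command."""
    return (f"sudo oscap xccdf generate fix --result-id {summary['result_id']} "
            f"{results_path} > /tmp/remediation_script.sh")


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)  # on a client: summarize(open("/tmp/scan-results.xml").read())
    print(f"{s['target']}: score {s['score']}, {s['counts']}, failures {s['failures']}")
    print(remediation_command(s))
```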
The Case for Repeating Scans (Frequency)
Periodically running OpenSCAP scans is essential for
continuous maintenance of compliance and security.
- Reasons for Repetition:
  - Detection of Deviations (Configuration Drift): Manual changes or changes by other processes can cause systems to become non-compliant. Regular scans detect these drifts.
  - New Vulnerabilities and Rules: SCAP content (like scap-security-guide) is updated to include new checks and address new threats or benchmark versions.
  - Post-Remediation Validation: Confirm that corrective actions were effective and did not introduce new problems.
  - Audit Requirements: Many regulations and policies require periodic proof of compliance (e.g., quarterly, semi-annually, annually).
  - Environment Changes: Installation of new software, system updates, or infrastructure changes can impact compliance.
- Recommended Frequency: There is no single answer, as it depends on:
  - Internal Security Policy: What does your organization's policy require?
  - Regulatory Requirements: Standards like PCI-DSS may dictate minimum frequencies (e.g., quarterly).
  - Rate of Change: Very dynamic environments may require more frequent scans.
  - System Criticality: Critical systems may justify more frequent scans.
  - Performance Impact: Scans consume resources; the frequency should be balanced so as not to negatively impact client performance.
  - Common Starting Point: A monthly or quarterly frequency is a good starting point for many environments, adjusting as needed.
In conclusion, the integration of SUSE Manager with OpenSCAP
provides a robust and scalable mechanism for automating security and compliance
auditing in heterogeneous Linux infrastructures, based on open and widely
adopted standards. Its effective use involves understanding SCAP content,
configuring and scheduling scans, analyzing reports, and establishing an
appropriate cadence for periodic reassessments.
While OpenSCAP integrated with SUSE Manager addresses
host security, the container ecosystem presents distinct challenges...
Expanding the topic to the universe of containers and
Kubernetes, the approach to security and compliance changes, and the relevant
tools also adapt to this ecosystem.
Security and Compliance in Containers and Kubernetes
While OpenSCAP with SUSE Manager focuses on the security and
compliance of the host operating system (nodes), the dynamic and ephemeral
environment of containers and orchestrators like Kubernetes requires
specialized tools. In the SUSE ecosystem, this domain is covered primarily by Rancher and NeuVector.
- Specific Challenges:
  - Container Images: Images can contain vulnerabilities in base OS packages or application libraries. Scanning needs to occur during development (CI/CD) and in registries before deployment.
  - Runtime Environment: Running containers need to be monitored for threats, anomalous behavior, and security policy violations.
  - Cluster Configuration: The configuration of Kubernetes itself (API Server, etcd, RBAC, Network Policies, etc.) needs to be audited against security benchmarks, such as those defined by CIS (Center for Internet Security).
  - Network Security: East-West traffic (between containers/pods) and North-South traffic (cluster ingress/egress) needs to be controlled and inspected.
- NeuVector: Full-Lifecycle Security for Containers: Acquired by SUSE, NeuVector is a cloud-native security platform that integrates deeply with the Kubernetes ecosystem managed by Rancher. Its main functionalities include:
  - Vulnerability Scanning: Scans container images for known CVEs in registries, during the CI/CD pipeline, and in already running containers.
  - Compliance Auditing: Checks the compliance of hosts, Docker images, and Kubernetes cluster configurations against benchmarks like CIS, and allows the creation of custom checks.
  - Runtime Security: Monitors processes, file system activities, and network behavior within containers in real time. It uses a "Zero-Trust" model to detect and block suspicious or unauthorized activities, including unknown threats (zero-day).
  - Container Firewall: Automatically discovers the application topology and segments the network at Layer 7 (application), allowing the creation of granular firewall policies for traffic between pods/containers.
  - Admission Control: Integrates with Kubernetes to prevent the deployment of images or configurations that do not meet defined security and compliance criteria (e.g., images with critical vulnerabilities, insecure configurations).
- Rancher: Kubernetes Management and Security: Rancher, as a multi-cluster Kubernetes management platform, centralizes and simplifies the application of security policies:
  - NeuVector Integration: Allows installing, managing, and visualizing NeuVector security features directly through the Rancher interface.
  - CIS Scans: Rancher can directly run compliance scans based on CIS Benchmarks for Kubernetes on the managed cluster. It presents the results and guides on necessary remediations to harden the cluster configuration.
  - Policy Management: Facilitates the configuration of Kubernetes security policies, such as NetworkPolicies, Pod Security Admission (PSA, successor to PodSecurityPolicy/PSP), and Role-Based Access Control (RBAC).
  - Configuration Management: Ensures the consistent application of secure configurations across multiple clusters.
- Relationship with SUSE Manager: SUSE Manager and Rancher/NeuVector operate on complementary layers of the infrastructure:
  - SUSE Manager + OpenSCAP: Focuses on the security and compliance of the host operating system (the "nodes" of the Kubernetes cluster). Ensures the underlying OS is properly configured, updated, and free of known vulnerabilities, as verified by OpenSCAP profiles.
  - Rancher + NeuVector: Focus on the security and compliance of the orchestration layer (Kubernetes) and the workload (containers). They handle the security of images, the runtime behavior of containers, cluster configuration, and network security within the cluster.
  - Typically, there is no direct integration where SUSE Manager performs scans inside containers or audits the Kubernetes configuration in the same way as Rancher/NeuVector.
  - A comprehensive security strategy uses both solutions: SUSE Manager to protect the base (node OS) and Rancher/NeuVector to protect what runs on that base (Kubernetes and containers). The health and security of the node, managed by SUSE Manager, is a fundamental prerequisite for the security of the cluster managed by Rancher.
Conclusion
Automating security and compliance verification in Linux
infrastructures can benefit from using open standards like SCAP and
implementations like OpenSCAP. OpenSCAP's ability to evaluate systems based on
standardized content (XCCDF, OVAL) provides a consistent and repeatable method
for security audits. Integrating this technology into centralized management
platforms, as with SUSE Manager, enhances its effectiveness. Such integration
allows orchestrating the execution of OpenSCAP scans at scale, collecting results
centrally, and applying security policies based on standardized profiles (CIS,
STIG, etc.) uniformly across multiple systems. This operational model results
in efficiency gains for security and operations teams, enabling more systematic
and frequent compliance assessments of Linux hosts. The use of OpenSCAP,
enhanced by its integration into management tools, therefore represents a
fundamental component for maintaining and validating the security posture of
the base infrastructure.
References
The information presented is based on the functionalities
and documentation of the solutions. For in-depth technical details, it is
recommended to consult:
What are the biggest challenges in automating security and
compliance in your Linux and Kubernetes environments? Share your perspectives
in the comments.
#Linux #SUSEManager #SUMA #SCAP #OpenSCAP #LinuxSecurity #Compliance #Automation #SecurityAudit #SUSE #Security #Kubernetes #Rancher #NeuVector #DevSecOps #InformationSecurity #ITInfrastructure
The same article on LinkedIn:
https://www.linkedin.com/pulse/openscap-integration-suse-manager-m%25C3%25A1rio-luz-krwvf