Home Tools OpenSCAP Base
OpenSCAP Base OpenSCAP Daemon SCAP Workbench SCAPTimony OSCAP Annaconda Addon
openscap base

Looking for a certified tool which can parse and evaluate each component of the SCAP standard?

OpenSCAP represents both a library and a command line tool which can be used to parse and evaluate each component of the SCAP standard. The library approach allows for the swift creation of new SCAP tools rather than spending time learning existing file structure. The command-line tool, called oscap, offers a multi-purpose tool designed to format content into documents or scan the system based on this content. Whether you want to evaluate DISA STIGs, NIST‘s USGCB, or Red Hat’s Security Response Team’s content, all are supported by OpenSCAP.

If your main goal is to perform configuration and vulnerability scans of a local system then oscap can be the right tool for you. It can evaluate both XCCDF benchmarks and OVAL definitions and generate the appropriate results.

The tool supports SCAP 1.2 and is backward compatible with SCAP 1.1 and 1.0.

The OpenSCAP library is the core building block used in a content tailoring program called SCAP Workbench, integrated in Red Hat Satellite by SCAPTimony and used for all SCAP evaluation by OpenSCAP Daemon.

OpenSCAP is available on various Linux distributions, including Red Hat Enterprise Linux, Fedora and Ubuntu. Since version 1.3.0 OpenSCAP supports also Microsoft Windows.

Download and Install OpenSCAP

OpenSCAP for Linux

Install OpenSCAP using the following command:

  • On Fedora:

    dnf install openscap-scanner

  • On RHEL 6, RHEL7, CentOS 6 and CentOS 7:

    yum install openscap-scanner

  • On Debian and Ubuntu:

    apt-get install libopenscap8

OpenSCAP for Windows

OpenSCAP sources

Documentation for OpenSCAP Base

With the oscap tool you can perform configuration and vulnerability scans, validate your SCAP content in line with SCAP standard XML schemas, display basic information about your content, or list profiles in an XCCDF benchmark.

To display the version of oscap, supported specifications, built-in CPE names, and supported OVAL objects, type the following command:

$ oscap -V

How to Evaluate a DISA STIG

The oscap tool can help you evaluate a Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA) on your local machine with the following command:

$ oscap xccdf eval --profile selected_profile --results result_file --cpe cpe_dictionary disa_stig_content

If you are looking for a detailed step by step instruction please refer to the user manual.

Make a RHEL7 machine PCI-DSS compliant

You can use the oscap tool to evaluate a Payment Card Industry Data Security Standard (PCI-DSS) on your machine with the following command which assumes that you have the SCAP Security Guide installed already:

$ oscap xccdf eval --report report.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

If you are interested in more practical examples of basic or advanced usage, or want to find information regarding development please see the manual.


"Red Hat’s development team did a great job implementing the sizable and challenging requirements from the SCAP standard for 32 bit and 64 bit Linux systems."

Stephan Mueller, atsec, Team Lead
"SCAP is a valuable tool for maintaining a secure, consistent computing environment. We believe in open standards, and we believe in the continuous, repeatable security process SCAP makes possible. That’s why we’re proud to offer this certified, open source SCAP tool. OpenSCAP will make it much easier for agencies to add verifiable, repeatable scanning to their security process."

Gunnar Hellekson, chief strategist, U.S. Public Sector, Red Hat
OpenSCAP Base received SCAP 1.2 certification from NIST on 29th April 2014.

Do you need help with OpenSCAP Base?

I have a problem I would like to ask about

OPTION 1: Join the mailing list.

OPTION 2: You can also join the #openscap IRC channel on chat.freenode.net.