Summary
The compliance category has a single skill (policy-opa) focused on cloud/K8s policy-as-code. There is no skill for OS-level hardening verification — a foundational compliance requirement for PCI-DSS, HIPAA, FedRAMP, and SOC2. OpenSCAP is the open-source standard for SCAP-based automated compliance scanning, used by DISA, NIST, and most FedRAMP assessors.
Requested Skill: compliance/hardening-openscap
What to Cover
Core workflows:
- Baseline scan against CIS Benchmark
  ```bash
  # Scan RHEL 9 against CIS Level 2
  oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_server_l2 \
    --results scan-results.xml \
    --report scan-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
  ```
- Generate remediation script — produce a bash script that applies all failing controls
  ```bash
  # Run against the datastream this emits fixes for every rule in the profile; to
  # restrict it to the rules that failed, point it at the results file instead:
  #   oscap xccdf generate fix --fix-type bash --result-id "" --output remediation.sh scan-results.xml
  oscap xccdf generate fix \
    --fix-type bash \
    --profile xccdf_org.ssgproject.content_profile_cis_server_l2 \
    --output remediation.sh \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
  ```
- Scan a container image (offline, without running it)
  ```bash
  oscap-docker image-cve <image-id> \
    --report cve-report.html
  ```
- CI/CD integration — fail pipeline if compliance score drops below threshold
  ```bash
  # oscap exits 2 when any rule fails, so don't let set -e abort before the gate;
  # the score is the <score> element of the results file, not a line on stdout
  oscap xccdf eval ... --results scan-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml || [ $? -eq 2 ]
  SCORE=$(xmllint --xpath 'string(//*[local-name()="score"])' scan-results.xml)
  python3 -c "import sys; sys.exit(0 if float('$SCORE') >= 85.0 else 1)"
  ```
- Delta reporting — compare two scan results to track hardening progress over time
  ```bash
  # oscap renders one results file per report and has no two-file diff mode, so the
  # delta itself comes from comparing the <rule-result> entries of the two XML files
  oscap xccdf generate report --output before.html before.xml
  oscap xccdf generate report --output after.html after.xml
  ```
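The score gate and the delta workflow both come down to reading the XCCDF results file that `oscap xccdf eval --results` writes. The following is an added example, not code from this issue or from the OpenSCAP project: it parses XCCDF 1.2 results with the standard library, normalises the score to a percentage, applies the threshold gate, lists high-severity failures, and classifies rules as fixed, regressed or still failing between two scans. The two embedded result documents are constructed sample data (minimal `TestResult` shape; the rule ids are illustrative), and the assumed CLI usage is `python3 xccdf_gate.py before.xml after.xml [threshold]`.

```python
# Added example (not from the issue or from OpenSCAP): parse the XCCDF results
# that `oscap xccdf eval --results ...` writes, gate a pipeline on the score,
# and diff two scans. Rule ids and scores below are constructed sample data.
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# result values that count towards the pass ratio; notapplicable/notchecked/
# notselected/informational are ignored, as XCCDF default scoring does
SCORED = {"pass", "fail"}


def _sample(result_id, rows, score):
    """Build a constructed XCCDF 1.2 results document from (rule, severity, result) rows."""
    rr = "".join(
        f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
        for rid, sev, res in rows
    )
    return (
        '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">'
        f'<TestResult id="{result_id}">{rr}'
        f'<score system="urn:xccdf:scoring:default" maximum="100.000000">{score}</score>'
        "</TestResult></Benchmark>"
    )


R_SSH = "xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
R_AIDE = "xccdf_org.ssgproject.content_rule_package_aide_installed"
R_ASLR = "xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space"
R_NA = "xccdf_org.ssgproject.content_rule_sample_notapplicable"

# constructed "before hardening" and "after hardening" scans
BEFORE_XML = _sample("xccdf_sample_testresult_before", [
    (R_SSH, "medium", "fail"), (R_AIDE, "high", "fail"),
    (R_ASLR, "medium", "pass"), (R_NA, "low", "notapplicable"),
], "33.333333")
AFTER_XML = _sample("xccdf_sample_testresult_after", [
    (R_SSH, "medium", "pass"), (R_AIDE, "high", "fail"),
    (R_ASLR, "medium", "pass"), (R_NA, "low", "notapplicable"),
], "66.666667")


def pass_rate(rules):
    """Percent of scored rules (pass/fail only) that passed; 100 if none were scored."""
    scored = [r["result"] for r in rules.values() if r["result"] in SCORED]
    return 100.0 * scored.count("pass") / len(scored) if scored else 100.0


def parse_results(xml_text):
    """Return (score_percent, {rule_id: {"result": ..., "severity": ...}})."""
    root = ET.fromstring(xml_text)
    # the TestResult is the root in a bare results file and nested under Benchmark otherwise
    tr = root if root.tag.endswith("}TestResult") else root.find(".//x:TestResult", XCCDF_NS)
    if tr is None:
        raise ValueError("no TestResult element in document")
    rules = {}
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        rules[rr.get("idref")] = {
            "result": (res.text or "").strip() if res is not None else "unknown",
            "severity": rr.get("severity", "unknown"),
        }
    score_el = tr.find("x:score", XCCDF_NS)
    if score_el is not None and score_el.text:
        # the score carries its own maximum; normalise to percent
        score = 100.0 * float(score_el.text) / float(score_el.get("maximum", "100"))
    else:
        score = pass_rate(rules)  # fall back to the raw pass ratio
    return score, rules


def gate(score, threshold):
    """CI gate: True when the scan meets the required score."""
    return score >= threshold


def high_severity_failures(rules):
    """Rule ids that failed at severity high (the feed for incident-response triage)."""
    return sorted(r for r, v in rules.items() if v["result"] == "fail" and v["severity"] == "high")


def delta(before, after):
    """Classify rules by how their result moved between two scans."""
    def moved(frm, to):
        return sorted(r for r, v in after.items()
                      if v["result"] == to and before.get(r, {}).get("result") == frm)
    return {"fixed": moved("fail", "pass"),
            "regressed": moved("pass", "fail"),
            "still_failing": moved("fail", "fail")}


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fb, open(sys.argv[2]) as fa:
            b_xml, a_xml = fb.read(), fa.read()
        threshold = float(sys.argv[3]) if len(sys.argv) > 3 else 85.0
    else:
        b_xml, a_xml, threshold = BEFORE_XML, AFTER_XML, 85.0
    (b_score, b_rules), (a_score, a_rules) = parse_results(b_xml), parse_results(a_xml)
    print(f"score {b_score:.1f} -> {a_score:.1f} (threshold {threshold})")
    for kind, ids in delta(b_rules, a_rules).items():
        print(f"{kind}: {', '.join(ids) or '-'}")
    print("high-severity failures:", ", ".join(high_severity_failures(a_rules)) or "-")
    sys.exit(0 if gate(a_score, threshold) else 1)
```

The gate reads the `<score>` element rather than counting pass/fail itself because XCCDF scoring is weighted per rule; the raw pass ratio is only used when the results file carries no score. The `regressed` bucket is the one worth alerting on in CI, since a rule that flips from pass to fail between two scans usually means a configuration change slipped past hardening.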
Profiles Covered
| OS | Profile | Standard |
|---|---|---|
| RHEL/CentOS/Rocky | cis_server_l1, cis_server_l2 | CIS Benchmark |
| Ubuntu | cis_level1_server | CIS Benchmark |
| Any Linux | stig | DISA STIG |
| Any Linux | pci-dss | PCI-DSS |
| Container images | standard | OpenSCAP CVE checks |
Frameworks
- CIS Benchmarks (OS-level)
- DISA STIG
- PCI-DSS Req 2.2 (system configuration standards)
- HIPAA § 164.312(a)(1) (Access Control)
- NIST SP 800-53 CM-6 (Configuration Settings)
- SOC2 CC6.6 (Logical Access)
- FedRAMP CM controls
Relationship to Existing Skills
- Complements compliance/policy-opa (cloud/K8s) — OpenSCAP covers the OS layer beneath
- Findings can be imported to devsecops/vuln-defectdojo via its XCCDF parser
- High-severity findings feed incident-response workflows if active exploitation is suspected