
SLES package scap-security-guide contains only a limited set of profiles #14549

@mayrstefan

Description

Description of problem:

Some guides state that they are present in the scap-security-guide package, which is not true.

e.g. https://static.open-scap.org/ssg-guides/ssg-sle15-guide-cis_server_l1.html

This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 15. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

As far as I can tell this project does not provide RPM packages, so I guess the above quote references the package supplied by the operating system.

Details:

This content is not aligned with the content from the SUSE package.

The misalignment affects these profiles:

  • CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
  • CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
  • CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
  • CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
  • and possibly more are missing

# rpm -qi scap-security-guide
Name        : scap-security-guide
Version     : 0.1.79
Release     : 150000.1.103.1
Architecture: noarch
Install Date: Fri Jan 23 01:02:41 2026
Group       : Unspecified
Size        : 231357337
License     : BSD-3-Clause
Signature   : RSA/SHA256, Thu Dec 18 16:25:10 2025, Key ID 70af9e8139db7c82
Source RPM  : scap-security-guide-0.1.79-150000.1.103.1.src.rpm
Build Date  : Thu Dec 18 16:19:29 2025
Build Host  : h01-ch3c
Relocations : (not relocatable)
Packager    : https://www.suse.com/
Vendor      : SUSE LLC <https://www.suse.com/>
URL         : https://github.com/ComplianceAsCode/content
Summary     : XCCDF files for SUSE Linux and openSUSE
Description :
Security Content Automation Protocol (SCAP) Security Guide for SUSE Linux.

This package contains XCCDF (Extensible Configuration Checklist
Description Format), OVAL (Open Vulnerability and Assessment
Language), CPE (Common Platform Enumeration) and DS (Data Stream)
files to run a compliance test on SLE12, SLE15, SLEM5, SLEM6 and openSUSE

SUSE supported in this version of scap-security-guide:

- DISA STIG profile for SUSE Linux Enterprise Server 12 and 15
- DISA STIG profile for SUSE Linux Enterprise Micro 5
- ANSSI-BP-028 profile for SUSE Linux Enterprise Server 12 and 15
- PCI-DSS profile for SUSE Linux Enterprise Server 12 and 15
- HIPAA profile for SUSE Linux Enterprise Server 12 and 15
- Hardening for Public Cloud Image of SUSE Linux Enterprise Server for SAP Applications 15
- Public Cloud Hardening for SUSE Linux Enterprise 15

Other profiles, like the Standard System Security Profile for SUSE Linux Enterprise 12 and 15,
are community supplied and not officially supported by SUSE.
Distribution: SUSE Linux Enterprise 15

I opened a support ticket with SUSE because the CIS profiles are not present in the SLES package. They told me that the CIS profiles are not part of their package (so no bug on their side) and that they cannot control the (ComplianceAsCode) project's website.

Outcome:

I see two options:

  1. convince SUSE to include all SLES profiles
  2. remove the statement on the affected profiles that they are part of the SLES scap-security-guide package

SCAP Security Guide Version: 0.1.79

External Content's Version: scap-security-guide-0.1.79-150000.1.103.1.noarch
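A quick way to verify a report like this on a given system is to read the profile IDs straight out of the installed SCAP source datastream instead of trusting the rendered guides. The following is an added example, not code from this issue or from the ComplianceAsCode project: it parses the XCCDF `Profile` elements from a datastream and reports which of the expected CIS profiles are absent. The profile ID prefix `xccdf_org.ssgproject.content_profile_` and the four CIS suffixes are assumptions derived from the guide URL pattern in the report (only `cis_server_l1` appears on the page); the embedded datastream is a constructed sample that deliberately lacks the CIS profiles.

```python
import sys
import xml.etree.ElementTree as ET

# XML namespaces used by SCAP 1.2 source datastreams and XCCDF 1.2 content.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Assumed SSG profile ID convention (not stated on the page).
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"
# Assumed suffixes, derived from the ssg-sle15-guide-<profile>.html URL pattern.
EXPECTED_CIS = ["cis_server_l1", "cis_workstation_l1", "cis_server_l2", "cis_workstation_l2"]

# Constructed sample standing in for the package's ssg-sle15-ds.xml; it carries
# only two profiles, mirroring the report's finding that CIS profiles are absent.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-sle15-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_SLE-15">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig">
        <xccdf:title>DISA STIG for SUSE Linux Enterprise 15</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS v4 Control Baseline</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(ds_xml: str) -> dict:
    """Return {profile_id: title} for every XCCDF Profile in the datastream."""
    root = ET.fromstring(ds_xml)
    tag = "{%s}Profile" % NS["xccdf"]
    return {p.get("id"): (p.findtext("xccdf:title", default="", namespaces=NS) or "").strip()
            for p in root.iter(tag)}


def missing_profiles(ds_xml: str, expected_suffixes) -> list:
    """Expected profile suffixes whose full ID is not present in the datastream."""
    present = list_profiles(ds_xml)
    return sorted(s for s in expected_suffixes if PROFILE_PREFIX + s not in present)


if __name__ == "__main__":
    # Pass a real datastream path (e.g. /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml),
    # otherwise the constructed sample is checked.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DS
    for pid, title in list_profiles(xml_text).items():
        print("present:", pid, "-", title)
    for suffix in missing_profiles(xml_text, EXPECTED_CIS):
        print("MISSING:", PROFILE_PREFIX + suffix)
```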
