Python XSLT Shell CMake HTML Puppet
Clone or download
Latest commit 5fe43cd Jul 20, 2018
Failed to load latest commit information.
.github Add Pull Request Template Sep 28, 2017
Dockerfiles Add centos6 Dockerfile and to Travis CI Jul 11, 2018
build-scripts Merge pull request #3135 from cipherboy/hilbert-space Jul 19, 2018
build Added build/.gitkeep and added build/ to .gitignores Feb 20, 2017
chromium Removed formatting leftovers. Jul 20, 2018
cmake Merge pull request #3141 from yuumasato/html_table_tests_and_fixes Jul 20, 2018
debian8 Removed formatting leftovers. Jul 20, 2018
docs Convert custom string-replacement to jinja macros Jul 19, 2018
eap6 Removed formatting leftovers. Jul 20, 2018
fedora Moved bootloader_nousb_argument to grub2_nousb_argument.rule Jun 28, 2018
firefox Removed formatting leftovers. Jul 20, 2018
fuse6 Removed formatting leftovers. Jul 20, 2018
jre Removed formatting leftovers. Jul 20, 2018
linux_os/guide Merge pull request #3145 from matejak/guide-formatting Jul 20, 2018
ocp3 Introduced "type" into product yaml - either platform or product Jun 25, 2018
ol7 Remove commented out ol7 pci-dss rules Jul 11, 2018
opensuse Introduced "type" into product yaml - either platform or product Jun 25, 2018
rhel-osp7 Unshadowed some stray osp7 ovals. Jul 4, 2018
rhel6 Merge pull request #3107 from yuumasato/unshadow_rhel6_audit_rules_fi… Jul 20, 2018
rhel7 Do not build reference tables for ANSSI profiles Jul 19, 2018
shared Merge pull request #3107 from yuumasato/unshadow_rhel6_audit_rules_fi… Jul 20, 2018
sle11 Introduced "type" into product yaml - either platform or product Jun 25, 2018
sle12 Introduced "type" into product yaml - either platform or product Jun 25, 2018
ssg Merge pull request #3143 from redhatrises/remove_cce_fips Jul 19, 2018
tests Merge pull request #3135 from cipherboy/hilbert-space Jul 19, 2018
ubuntu1404 Introduced "type" into product yaml - either platform or product Jun 25, 2018
ubuntu1604 Introduced "type" into product yaml - either platform or product Jun 25, 2018
utils Fix utilities for compraison, testoval Jul 13, 2018
wrlinux Removed formatting leftovers. Jul 20, 2018
.cico.yaml Fixes small issues and code style, added unit tests. Jun 8, 2018
.dockerignore Ignore .git Dec 2, 2016
.gitignore Ignore the ropeproject folders Jun 13, 2018
.pep8speaks.yml Allow over 80 chars-long lines in Python scripts. Apr 6, 2018 Refactor shared/modules/ to create new /ssg module Jun 15, 2018
.travis.yml Add centos6 Dockerfile and to Travis CI Jul 11, 2018 Mention testing in Jun 4, 2018
CMakeLists.txt Clean-up, removed because it's not needed any more Jun 25, 2018 Update Contributors list for release v0.1.39 May 2, 2018
Contributors.xml Update Contributors list for release v0.1.39 May 2, 2018
DISCLAIMER Rename auxiliary directory to overlays Sep 28, 2017
LICENSE Update license to BSD-3 Oct 10, 2017 Enable Travis CI Jul 2, 2018 Enabled jinja2 caching by default, default to build/jinja2_cache Jun 8, 2018


Release Nightly ZIP Status Nightly 5.10 ZIP Status Link-checker Status CentOS CI Status Travis CI Build Status Scrutinizer Code Quality

Evaluation report sample

The purpose of this project is to create security policy content for various platforms -- Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, and others. Our aim is to make it as easy as possible to write new and maintain existing security content in all the commonly used formats.

We build security content in various formats

NIST logo     Ansible logo     Bash logo

"SCAP content" refers to documents in the XCCDF, OVAL and Source DataStream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. For general use we recommend Source DataStreams because they contain all the data you need to evaluate and put machines into compliance. The datastreams are part of our release ZIP archives.

"Ansible content" refers to Ansible playbooks generated from security profiles. These can be used both in check-mode to evaluate compliance, as well as run-mode to put machines into compliance. We publish these on Ansible Galaxy as well as in release ZIP archives.

"Bash fix files" refers to Bash scripts generate from security profiles. These are meant to be run on machines to put them into compliance. We recommend using other formats but understand that for some deployment scenarios bash is the only option.


This project is an attempt to allow multiple organizations to efficiently develop security content by avoiding redundancy, which is possible by taking advantage of the powerful build system of this project. The build system combines the easy-to-edit YAML rule files with OVAL checks, Ansible task snippets, Bash fixes and other files. Templating is provided at every step to avoid boilerplate. Security identifiers (CCE, NIST ID, STIG, ...) appear in all of our output formats but are all sourced from the YAML rule files.

We understand that depending on your organization's needs you may need to use a specific security content format. We let you choose.

Build system schema

We use an OpenControl-inspired YAML rule format for input. Write once and generate security content in XCCDF, Ansible and others.

prodtype: rhel7

title: 'Configure The Number of Allowed Simultaneous Requests'

description: |-
    The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to
    <sub idref="var_max_keepalive_requests" /> or greater by setting the following
    in <tt>/etc/httpd/conf/httpd.conf</tt>:
    <pre>MaxKeepAliveRequests <sub idref="var_max_keepalive_requests" /></pre>

rationale: |-
    Resource exhaustion can occur when an unlimited number of concurrent requests
    are allowed on a web site, facilitating a denial of service attack. Mitigating
    this kind of attack will include limiting the number of concurrent HTTP/HTTPS
    requests per IP address and may include, where feasible, limiting parameter
    values associated with keepalive, (i.e., a parameter used to limit the amount of
    time a connection may be inactive).

severity: medium

    cce: "80551-5"

Scan targets

Our security content can be used to scan bare-metal machines, virtual machines, virtual machine images (qcow2 and others), containers (including Docker) and container images.

We use platform checks to detect whether we should or should not evaluate some of the rules. For example: separate partition checks make perfect sense on bare-metal machines but go against recommended practices on containers.


From packages

The preferred method of installation is via the package manager of your distribution. On Red Hat Enterprise Linux and Fedora you can use:

yum install scap-security-guide

On Debian (sid), you can use:

apt install ssg-debian  # for Debian guides
apt install ssg-debderived  # for Debian-based distributions (e.g. Ubuntu) guides
apt install ssg-nondebian  # for other distributions guides (RHEL, Fedora, etc.)
apt install ssg-applications  # for application-oriented guides (Firefox, JBoss, etc.)

From release ZIP files

Download pre-built SSG zip archive from the release page. Each zip file is an archive with ready-made SCAP source datastreams.


We maintain a COPR repository that provides unofficial builds of latest versions of openscap, scap-security-guide, scap-workbench and openscap-daemon. The packages are suitable for use on Red Hat Enterprise Linux 6 and 7 and CentOS 6 and 7.

See for detailed instructions.

From source

If SCAP Security Guide is not packaged in your distribution or if the version that is packaged is too old, you need to build the content yourself and install it via make install. Please see the document for more info. We also recommend opening an issue on that distributions bug tracker to voice interest.


We assume you have installed SCAP Security Guide system-wide into a standard location as instructed in the previous section.

There are several ways to consume SCAP Security Guide content, we will only go through a few of them here.

oscap tool

The oscap tool is a low-level command line interface that comes from the OpenSCAP project. It can be used to scan the local machine.

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

After evaluation, the arf.xml file will contain all results in a reusable Result DataStream format, report.html will contain a human readable report that can be opened in a browser.

Replace the profile with other profile of your choice, you can display all possible choices using:

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Please see the OpenSCAP User Manual for more info.

SCAP Workbench

The SCAP Workbench is a graphical user interface for SCAP evaluation and customization. It is suitable for scanning a single machine, either local or remote (via SSH). New versions of SCAP Workbench have SSG integration and will automatically offer it when the application is started.

Please see the SCAP Workbench User Manual for more info.

oscap-ssh tool

oscap-ssh comes bundled with OpenSCAP 1.2.3 and later. It allows scanning a remote machine via SSH with an interface resembling the oscap tool.

The following command evaluates machine with IP with content stored on local machine. Keep in mind that oscap has to be installed on the remote machine but the SSG content doesn't need to be.

oscap-ssh root@ 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_usgcb-rhel6-server --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml


To see a list of available playbooks, run:

# ls /usr/share/scap-security-guide/ansible/

These roles are generated from SCAP profiles available for the products.

To apply the playbook on your local machine run: (THIS WILL CHANGE CONFIGURATION OF THE MACHINE!)

ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/ssg-rhel7-role-rht-ccp.yml

Each of the Ansible playbooks contain instructions on how to deploy them. Here is a snippet of the instructions:

# This file was generated by OpenSCAP 1.2.16 using:
#   $ oscap xccdf generate fix --profile rht-ccp --template urn:xccdf:fix:script:ansible sds.xml
# This script is generated from an OpenSCAP profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
# How to apply this remediation role:
# $ ansible-playbook -i "," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml


The SSG mailing list can be found at

If you encounter issues with OpenSCAP or SCAP Workbench, use

You can also join the #openscap IRC channel on

Further reading

The SSG homepage is