Compliance audits used to mean a person with a clipboard. OpenSCAP automates the entire process.
What I built:
→ OpenSCAP on Rocky Linux (SSG from dnf), Ubuntu 24.04 (SSG from upstream GitHub), and Fedora Kinoite (baked into OSTree image)
→ CIS profile auto-discovery handling Rocky vs Oracle Linux profile ID differences
→ SCAPinoculars exposing ARF XML results as Prometheus metrics on port 2112
→ Compliance metrics alongside CPU, memory, and logs in Grafana
→ Custom RPM packaging for SCAPinoculars and OSTree Kinoite integration
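As an added example (not code from the original post, the linked article, or SCAPinoculars), here is a POSIX shell sketch of the CIS profile auto-discovery step: it parses the `id:title` lines from `oscap info --profiles` and picks the CIS profile ID by pattern instead of hardcoding it, so the Rocky vs Oracle Linux naming difference is handled in one place. The datastream paths, the ARF/report output paths, and the preference order among CIS variants are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original post or SCAPinoculars: find the CIS
# profile ID in the SSG datastream at run time instead of hardcoding it.

# Map /etc/os-release ID to an SSG datastream. Paths are assumptions based on
# SSG naming (ssg-<product>-ds.xml); Ubuntu's comes from the upstream ZIP.
datastream_for_os() {
    case "$1" in
        rocky)  echo /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml ;;
        ol)     echo /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml ;;
        ubuntu) echo /usr/local/share/scap/ssg-ubuntu2404-ds.xml ;;
        *)      return 1 ;;
    esac
}

# Take the "id:title" lines printed by "oscap info --profiles <ds>" and return
# the first profile ID matching a CIS pattern, checked in preference order
# (assumed here: Level 1 server, then the plain "cis" profile, then any CIS
# variant). Returns 1 when the datastream has no CIS profile at all.
pick_cis_profile() {
    profiles=$1
    for pat in '_profile_cis_server_l1$' '_profile_cis$' '_profile_cis_'; do
        id=$(printf '%s\n' "$profiles" | cut -d: -f1 | grep -E "$pat" | head -n 1)
        if [ -n "$id" ]; then
            echo "$id"
            return 0
        fi
    done
    return 1
}

# Evaluate the discovered profile. The ARF file is what SCAPinoculars turns
# into Prometheus metrics; the HTML report is for humans. Output paths assumed.
# oscap exits 2 when rules fail; that is a finding, not a scan error.
run_scan() {
    . /etc/os-release
    ds=$(datastream_for_os "$ID") || { echo "unsupported distro: $ID" >&2; return 1; }
    profile=$(pick_cis_profile "$(oscap info --profiles "$ds")") \
        || { echo "no CIS profile in $ds" >&2; return 1; }
    echo "scanning with $profile"
    oscap xccdf eval --profile "$profile" \
        --results-arf /var/lib/openscap/arf.xml \
        --report /var/lib/openscap/report.html "$ds" || [ $? -eq 2 ]
}

# Only scan when asked, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "--scan" ]; then
    run_scan
fi
```

Run it as `sh discover-cis.sh --scan` on a host with the SSG content installed; a cron or systemd timer running it keeps the ARF file fresh for SCAPinoculars to scrape.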
What it solves:
✓ Cross-distribution compliance scanning with one consistent workflow
✓ Compliance results visible continuously — not just at audit time
✓ Configuration drift detected immediately via Grafana alerts
✓ Prometheus + Loki + OpenSCAP unified in one Grafana dashboard
Quirks documented:
- SCAPinoculars v0.0.3 ignores --report-dir and --port flags
- Ubuntu ssg-base package has no datastream XML — use upstream ZIP
- Rocky + Fedora repos enabled: use --disablerepo="fedora*" at install
#linux #openscap #compliance #cis #prometheus #grafana #kinoite #ansible #sysadmin
[Read the full article] → https://richard-sebos.github.io/sebostechnology/posts/OpenSCAP/