Security compliance is a state where computer systems are in line with a specific security policy

— OpenSCAP project



This project contains integration code that assists with managing OpenSCAP scans across a fleet of instances. The example deployment template automates the creation of a demonstration environment meant to show a working example of the automation process.

The kay takeaways from this demonstration are as follows:

  • Automating compliance auditing is the only way to meet established goals at scale

  • Customized organizational policies are supported through the user of a tailoring file

  • The publishing of metrics and failure events supports customized organizational processes and responses

The folks at OpenSCAP/RedHat have a number of additional tools to manage servers at scale which can schedule and ingest scan result content. This project is meant to demonstrate lightweight alternative approaches with an emphasis on integration with AWS services.


Figure 1. Example Architecture


The project includes a Makefile that automates the creation of the RPM using a Docker container. Docker must be installed already on your machine.

make rpm


The RPM requires that the AWS CLI be installed but does not require that you do it using the official RPMs. If you don’t have a preference then ensuring you have the EPEL repo configured and installing using commands like the following is the easiest method to install onto your servers.

yum -y install epel-release
yum -y install awscli openscap-aws


There is a CloudFormation template in the examples directory that can be used to demonstrate the capability. The default settings will create 3 EC2 micro sized instances which each cost about a cent per hour.


Before deploying the CloudFormation template complete the following steps

  • Ensure you have both make and docker installed on your workstation

  • Create an S3 bucket to hold your custom tailoring file and the RPM

    • Accept all the defaults and keep the bucket permissions set to private

  • Run make rpm and upload the rpm file found in the src/rpm/RPMS/noarch directory to your S3 bucket

    • If you regularly manage your systems via RPM you might have a custom RPM repo already created into which you’d add this RPM instead of uploading to your configuration S3 bucket

  • Review, update and upload the tailoring file located in the /src/rpm/SOURCES directory into the S3 bucket