Vulnarex | Elite Cybersecurity Learning Platform

#Scan Before the Attacker Does—Continuous Compliance with OpenSCAP & Lynis#link

A one-time hardening check is a snapshot that goes stale immediately. OpenSCAP evaluates systems against SCAP content (STIGs, CIS), Lynis provides deep security auditing, and osquery enables real-time SQL-based interrogation of OS state. This lesson teaches you to integrate all three into a continuous compliance pipeline—so you detect drift before it becomes a breach.

OpenSCAP: SCAP Standards and Profile Evaluation

OpenSCAP reads SCAP data streams (XCCDF + OVAL) and checks a system against them. Use 'oscap xccdf eval' to assess compliance and generate HTML reports. You can also apply remediation scripts with 'oscap xccdf generate fix'. Integrate OpenSCAP into a cron job or CI pipeline to regularly check servers. The SCAP Security Guide (ssg) provides profiles for STIG, CIS, and PCI-DSS.

Run OpenSCAP against a RHEL8 system with CIS profile

root@vulnarex:~#sudo oscap xccdf eval --profile cis --report cis-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

The HTML report lists pass/fail for each rule, making it easy to share with auditors.

Lynis: Deep Security Auditing and Hardening Suggestions

Lynis performs a comprehensive security audit: it checks kernel parameters, installed packages, file permissions, authentication settings, and even suggests hardening measures. Run 'lynis audit system' to generate a report. Lynis is not based on SCAP but provides a broader health assessment. It's excellent for initial baselining and continuous monitoring. Use the '--cronjob' flag for automated daily scans.

bash

# Run Lynis audit and save report
sudo lynis audit system --cronjob > /var/log/lynis/report_$(date +%F).log
# Check suggestions in the report
grep -E "suggestion|warning" /var/log/lynis/report_*.log

info

💡 Lynis can be integrated with tools like 'lynis-parser' to convert output to JSON and feed into a central dashboard or SIEM.

osquery: SQL-Powered System Introspection

osquery exposes the OS as a relational database. You can write SQL queries to check compliance: 'SELECT * FROM listening_ports WHERE port = 23;' returns if telnet is active. With osquery packs (e.g., CIS benchmarks packs), you get pre-written compliance queries. osqueryd runs as a daemon and logs state changes, enabling real-time drift detection. Feed osquery logs into a SIEM for alerting.

Tool	Standards Basis	Primary Use Case
OpenSCAP	SCAP (XCCDF/OVAL)	Compliance scanning against STIG/CIS
Lynis	Proprietary audit rules	General security audit and hardening suggestions
osquery	SQL tables + packs	Real-time system state query, drift detection

▪Schedule OpenSCAP scans weekly; feed reports to a central compliance dashboard.
▪Run Lynis as a baseline and then regularly to catch configuration drift.
▪Deploy osqueryd with CIS packs; stream differential logs to your SIEM.
▪Combine all three into a layered compliance strategy: SCAP for formal, Lynis for deep, osquery for real-time.

STRICT SECURE AUDIT RULE

⚠️ osquery can query sensitive data (e.g., process memory). Ensure only trusted administrators can run osqueryi interactively; restrict access via sudo or least privilege.

quiz BLOCK (★ 50 XP)

You need to prove to auditors that your RHEL servers meet DISA STIG requirements. Which tool would provide the most authoritative evidence?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

Compliance Scanning Pipeline