OpenSCAP Security Compliance on Oracle Linux 10: Complete Implementation Guide for Enterprise Security Hardening

OpenSCAP Security Compliance on Oracle Linux 10


June 29, 2026
Tags: Oracle Linux 10 · OpenSCAP 1.3.10 · 20 min read
Article Overview:
A complete hands-on guide to installing, configuring, and running OpenSCAP security scans on Oracle Linux 10 — with real commands, remediation scripts, and automated reporting for CIS, STIG, and PCI-DSS profiles.

Security compliance scanning is no longer optional. Whether you're running Oracle Linux 10 for database workloads, web services, or cloud infrastructure, regulatory frameworks like PCI-DSS, HIPAA, and DISA STIG require demonstrable, auditable compliance evidence. OpenSCAP is the industry-standard open-source framework that makes this possible — and on Oracle Linux 10, it ships with official SCAP Security Guide (SSG) content maintained by the Oracle team.

This guide walks you through everything: installing the toolchain, understanding SCAP content structure, running profile-specific scans, interpreting results, applying automated remediation, and scheduling continuous compliance reporting.

Prerequisites

Oracle Linux 10 (GA or later), root or sudo access, internet access or configured local mirror for DNF, and basic familiarity with Linux administration. All commands are tested on OL10 x86_64 and aarch64.

01 Understanding OpenSCAP and SCAP

SCAP (Security Content Automation Protocol) is a NIST standard (SP 800-126) for expressing security configuration requirements in machine-readable form. OpenSCAP is the reference open-source implementation. It provides both the scanning engine (oscap) and the tooling to process XCCDF, OVAL, and DataStream content.


Key SCAP terminology

| Term       | What it is                                                                                 | File extension |
|------------|--------------------------------------------------------------------------------------------|----------------|
| XCCDF      | Extensible Configuration Checklist Description Format — defines rules, groups, and profiles | .xml           |
| OVAL       | Open Vulnerability and Assessment Language — machine-readable check definitions            | .xml           |
| DataStream | Single bundled file containing XCCDF + OVAL + CPE dictionary + remediation scripts         | -ds.xml        |
| Profile    | A named subset of rules from an XCCDF benchmark (e.g. CIS Level 2)                         |                |
| SSG        | SCAP Security Guide — the upstream project producing all official content                  | package        |
| ARF        | Asset Reporting Format — structured XML results container for auditors                     | -arf.xml       |

02 Installing the OpenSCAP Toolchain

Oracle Linux 10 ships OpenSCAP and the SCAP Security Guide in the standard AppStream and BaseOS repositories. No additional repos are needed.

Install all required packages

# Install OpenSCAP scanner, SSG content, and reporting tools
# Update system first
dnf update -y
# Install the core OpenSCAP scanner
dnf install -y openscap-scanner
# Install SCAP Security Guide — contains all OL10 benchmark content
dnf install -y scap-security-guide
# Install the graphical workbench (optional — useful on desktops)
dnf install -y scap-workbench
# Verify installed versions
oscap --version

OpenSCAP command line tool (oscap) 1.3.10
Copyright 2009--2024 Red Hat Inc., Durham, North Carolina.
...and others
Compiled with: OpenSSL-3.2.1, libxml2-2.12.5, libxslt-1.1.39, libcurl-8.6.0, pcre2-10.43, GConf
Platform : x86_64
CPE : cpe:/o:oracle:oracle_linux:10

# Confirm SSG content location
ls /usr/share/xml/scap/ssg/content/ | grep ol10

ssg-ol10-ds.xml
ssg-ol10-xccdf.xml
ssg-ol10-oval.xml
ssg-ol10-cpe-oval.xml
ssg-ol10-cpe-dictionary.xml
ssg-ol10-ocil.xml
Always use the DataStream (-ds.xml)

Use ssg-ol10-ds.xml for all scanning operations. It is a single self-contained SCAP 1.3 DataStream file that bundles XCCDF rules, OVAL checks, CPE dictionaries, and Bash/Ansible remediation scripts together. The individual component files exist for legacy tooling only.

03 Listing Available Profiles

Before running a scan, discover which security profiles are bundled in the OL10 content. Each profile maps to a specific regulatory framework or hardening standard.

# List all available profiles in the OL10 DataStream
oscap info \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml \
  | grep "Id\|Title" | head -40

Profiles:
  Id:    xccdf_org.ssgproject.content_profile_cis
  Title: CIS Oracle Linux 10 Benchmark Level 1 - Server
  Id:    xccdf_org.ssgproject.content_profile_cis_server_l2
  Title: CIS Oracle Linux 10 Benchmark Level 2 - Server
  Id:    xccdf_org.ssgproject.content_profile_cis_workstation_l1
  Title: CIS Oracle Linux 10 Benchmark Level 1 - Workstation
  Id:    xccdf_org.ssgproject.content_profile_stig
  Title: DISA STIG for Oracle Linux 10
  Id:    xccdf_org.ssgproject.content_profile_pci-dss
  Title: PCI-DSS v3.2.1 Oracle Linux 10
  Id:    xccdf_org.ssgproject.content_profile_hipaa
  Title: Health Insurance Portability and Accountability Act (HIPAA)
  Id:    xccdf_org.ssgproject.content_profile_standard
  Title: Standard System Security Profile

Profile quick reference

cis / cis_server_l2: CIS Oracle Linux 10 Benchmark (Level 1 / Level 2)
  Most widely adopted hardening standard. L1 is low-disruption; L2 adds stricter controls. Ideal starting point for any production server.

stig: DISA Security Technical Implementation Guide (High Assurance)
  US Department of Defense standard. Strictest commonly used profile — required for US federal and DoD environments. Can be disruptive without testing.

pci-dss: PCI Data Security Standard v3.2.1 (Mandatory for retail/finance)
  Required for systems that store, process, or transmit cardholder data. Focuses on network, access control, and audit logging requirements.

hipaa: Health Insurance Portability & Accountability Act (Healthcare)
  Required for systems handling protected health information (PHI). Emphasizes access control, audit controls, and data integrity.

04 Running Your First Scan

The oscap xccdf eval command is the workhorse of OpenSCAP. Here are the complete examples for each major use case.

CIS Level 1 Server scan

# CIS Level 1 scan — recommended starting profile
# Create output directory
mkdir -p /var/log/scap/$(date +%Y-%m)
# Run CIS Level 1 scan with HTML report and XML results
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /var/log/scap/$(date +%Y-%m)/cis-l1-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/cis-l1-report.html \
  --fetch-remote-resources \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml

CIS Level 2 Server scan (stricter)

# CIS Level 2 — includes all L1 rules plus additional controls
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_server_l2 \
  --results /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/cis-l2-report.html \
  --oval-results \
  --verbose WARNING \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml

DISA STIG scan

# DISA STIG scan with ARF output (required for DoD auditors)
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --results-arf /var/log/scap/$(date +%Y-%m)/stig-arf.xml \
  --results /var/log/scap/$(date +%Y-%m)/stig-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/stig-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml
# Verify ARF output exists and is well-formed
xmllint --noout /var/log/scap/$(date +%Y-%m)/stig-arf.xml && echo "Valid XML"

PCI-DSS scan

# PCI-DSS scan — suitable for cardholder data environment (CDE) systems
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_pci-dss \
  --results /var/log/scap/$(date +%Y-%m)/pci-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/pci-report.html \
  --oval-results \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml

Scan Duration

A full STIG scan evaluates 300+ rules and can take 3–8 minutes depending on system resources. Run scans during maintenance windows on production systems, or use --rule to target specific rule IDs for quick spot checks.

05 Interpreting Scan Results

OpenSCAP produces both a human-readable HTML report and a machine-readable XML results file. Understanding what each section means is essential for building a remediation plan.

Generating a score summary from XML results

# Extract score and result counts from results XML
# Quick score summary
oscap xccdf generate report \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml \
  | grep -E "score|pass|fail|error" | head -10
# Count results by type using xmllint
# (the results file is in the XCCDF 1.2 namespace, so an unprefixed //result
#  matches nothing; match elements by local-name() instead)
echo "=== Result Summary ==="
xmllint --xpath \
  "count(//*[local-name()='result'][.='pass'])" \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml
echo " rules passed"
xmllint --xpath \
  "count(//*[local-name()='result'][.='fail'])" \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml
echo " rules failed"

List only the failed rules

# Extract failed rule IDs and titles for remediation planning
oscap xccdf generate report \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml \
  | grep "fail" | grep "rule"
# Alternative: use xsltproc with the built-in XSLT stylesheet
xsltproc \
  /usr/share/openscap/xsl/xccdf-report.xsl \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml \
  > /var/log/scap/$(date +%Y-%m)/cis-l2-custom-report.html
# Parse failed rules with awk for quick terminal review
# (the idref is on the <rule-result> tag that precedes <result>fail</result>,
#  so grep must look backwards with -B, not forwards with -A)
grep -B2 'result>fail<' \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml \
  | grep "idref" | awk -F'"' '{print $2}'

Sample result output

| Metric         | Value | Note                |
|----------------|-------|---------------------|
| Passed         | 218   | rules satisfied     |
| Failed         | 24    | require action      |
| Not Applicable | 8     | skipped             |
| Total Rules    | 250   | CIS L2 profile      |
| Score          | 87.35 | out of 100          |

Understanding the results XML structure

ssg-ol10-results.xml — XCCDF Result excerpt

<!-- Root benchmark result element -->
<TestResult id="xccdf_org.open-scap_testresult_cis_server_l2"
            start-time="2026-06-15T02:14:07" end-time="2026-06-15T02:17:43">
  <target>ol10-prod-db01.example.com</target>
  <!-- Individual rule result -->
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
               severity="high" weight="1.0">
    <result>fail</result>
    <message severity="info">
      PermitRootLogin is set to 'yes' in /etc/ssh/sshd_config
    </message>
  </rule-result>
  <!-- Aggregate score -->
  <score system="urn:xccdf:scoring:default" maximum="100">
    87.350006
  </score>
</TestResult>
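The xmllint one-liners above are brittle because the results file is namespaced. As an added example (not code from the article), the following Python script reads an XCCDF 1.2 results file namespace-aware, reports the score and outcome counts, and lists failed rules highest severity first; the embedded document is a constructed sample modelled on the excerpt, not real scan output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 results are namespaced; unprefixed XPath like //result[.='fail'] matches nothing.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample results document (not real scan output); 2 pass / 2 fail gives score 50.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_OL-10">
  <TestResult id="xccdf_org.open-scap_testresult_cis_server_l2"
              start-time="2026-06-15T02:14:07" end-time="2026-06-15T02:17:43">
    <target>ol10-prod-db01.example.com</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
      <message severity="info">PermitRootLogin is set to 'yes' in /etc/ssh/sshd_config</message>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" severity="medium">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.000000</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_results(xml_text):
    """Return (metadata, rules); rules maps rule idref -> (result, severity, message)."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element in results document")
    rules = {}
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        message = rr.findtext("x:message", default="", namespaces=XCCDF_NS).strip()
        rules[rr.get("idref")] = (result, rr.get("severity", "unknown"), message)
    score_el = test_result.find("x:score", XCCDF_NS)
    metadata = {
        "target": test_result.findtext("x:target", namespaces=XCCDF_NS),
        "end_time": test_result.get("end-time"),
        "score": float(score_el.text) if score_el is not None else None,
    }
    return metadata, rules


def summarize(rules):
    """Count rule results by outcome (pass, fail, notapplicable, ...)."""
    return Counter(result for result, _, _ in rules.values())


def failed_rules(rules):
    """Failed rules ordered highest severity first, for remediation planning."""
    fails = [(rid, sev, msg) for rid, (res, sev, msg) in rules.items() if res == "fail"]
    return sorted(fails, key=lambda item: (SEVERITY_RANK.get(item[1], 9), item[0]))


def main(path=None):
    text = open(path, encoding="utf-8").read() if path else SAMPLE_RESULTS
    meta, rules = parse_results(text)
    counts = summarize(rules)
    print(f"{meta['target']} {meta['end_time']} score={meta['score']:.2f} pass={counts['pass']} fail={counts['fail']}")
    for rid, sev, msg in failed_rules(rules):
        print(f"  [{sev:6}] {rid.split('_rule_')[-1]}  {msg}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a real results path (for example the cis-l2-results.xml produced above) to get the same summary for a live scan.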

06 Automated Remediation

OpenSCAP can generate and apply remediation scripts directly from scan results. The SSG bundles both Bash scripts and Ansible playbooks for every remediatable rule. This is the most powerful feature for operations teams — you can go from scan to fix in a single pipeline.

Always test remediation in a non-production environment first

Automated remediation can alter SSH configuration, PAM settings, filesystem mount options, and kernel parameters. Some changes require a reboot. Test in a staging environment and review the generated script before running it on production systems.

Generate a Bash remediation script from results

# Generate Bash remediation from existing scan results
# Generate a Bash fix script from the results XML
oscap xccdf generate fix \
  --fix-type bash \
  --result-id xccdf_org.open-scap_testresult_cis_server_l2 \
  --output /tmp/ol10-cis-l2-remediate.sh \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml
# Review the generated script before running
wc -l /tmp/ol10-cis-l2-remediate.sh
847 /tmp/ol10-cis-l2-remediate.sh
head -30 /tmp/ol10-cis-l2-remediate.sh

#!/bin/bash
###############################################################################
# Bash Remediation Script for xccdf_org.ssgproject.content_profile_cis_server_l2
# Profile Title: CIS Oracle Linux 10 Benchmark Level 2 - Server
# Generated: 2026-06-15T02:17:43
###############################################################################
set -e
# Ensure /tmp is a separate partition
if grep -qP '^\S+\s+/tmp\s' /etc/fstab; then
    mount -o remount,nodev,nosuid,noexec /tmp
fi
# Disable SSH root login (RULE: sshd_disable_root_login)
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then
    sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi

Generate an Ansible playbook for remediation

# Generate Ansible remediation playbook from results
# Generate Ansible playbook from failed rules
oscap xccdf generate fix \
  --fix-type ansible \
  --result-id xccdf_org.open-scap_testresult_cis_server_l2 \
  --output /tmp/ol10-cis-l2-remediate.yml \
  /var/log/scap/$(date +%Y-%m)/cis-l2-results.xml
# Run the playbook against localhost in dry-run mode first (--check).
# Keep the comment on its own line: a trailing "# ..." after --check would
# swallow the backslash continuation and split the command in two.
ansible-playbook \
  --check \
  --connection local \
  -i "localhost," \
  /tmp/ol10-cis-l2-remediate.yml
# Apply for real (remove --check)
ansible-playbook \
  --connection local \
  -i "localhost," \
  /tmp/ol10-cis-l2-remediate.yml

Scan with inline Bash remediation (single command)

# Scan and auto-remediate in one pass (use with caution)
# --remediate applies Bash fixes immediately after evaluating each rule
# Use only after testing in staging!
oscap xccdf eval \
  --remediate \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /var/log/scap/$(date +%Y-%m)/cis-remediated-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/cis-remediated-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml
# Re-scan after remediation to confirm improvement
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /var/log/scap/$(date +%Y-%m)/cis-post-remediation.xml \
  --report /var/log/scap/$(date +%Y-%m)/cis-post-remediation.html \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml

07 Running OVAL Vulnerability Scans

Beyond configuration compliance, OpenSCAP can also scan for known CVEs using OVAL definitions published by Oracle. This requires downloading the latest OVAL feed from Oracle's security advisory page.

# Download Oracle Linux 10 OVAL definitions and scan for CVEs
# Download latest Oracle Linux 10 OVAL definitions
mkdir -p /var/lib/scap/oval
curl -s -o /var/lib/scap/oval/ol10-oval.xml.bz2 \
  "https://linux.oracle.com/security/oval/com.oracle.elsa-ol10.xml.bz2"
# Decompress (-f overwrites a previous day's copy)
bzip2 -dkf /var/lib/scap/oval/ol10-oval.xml.bz2
# Run OVAL vulnerability scan
oscap oval eval \
  --results /var/log/scap/$(date +%Y-%m)/oval-results.xml \
  --report /var/log/scap/$(date +%Y-%m)/oval-report.html \
  /var/lib/scap/oval/ol10-oval.xml
# List only the definitions that evaluated true (vulnerable).
# oscap prints one "Definition <id>: true|false" line per definition, so the
# id is the second field, not the first.
oscap oval eval \
  --results /var/log/scap/$(date +%Y-%m)/oval-results.xml \
  /var/lib/scap/oval/ol10-oval.xml \
  | grep ': true$' | awk '{print $2}'

OVAL Results Summary:
Definition oval:com.oracle.elsa:def:20245260  true
  CVE       CVE-2024-5260 — openssl: memory confusion in PKCS#12
  Severity  HIGH
  Affected  openssl-3.2.1-2.el10.x86_64
  Fixed in  openssl-3.2.2-1.el10.x86_64
Definition oval:com.oracle.elsa:def:20245178  true
  CVE       CVE-2024-5178 — kernel: use-after-free in io_uring
  Severity  MEDIUM
  Affected  kernel-6.8.8-100.0.1.el10.x86_64
  Fixed in  kernel-6.8.12-100.0.2.el10.x86_64
Total vulnerable definitions: 2
Recommended action: dnf update openssl kernel
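The grep pipeline above loses the mapping from a "true" definition to its CVE ids and severity. As an added example (not code from the article), this Python script reads the OVAL results XML that oscap oval eval writes with --results and joins each vulnerable definition with its metadata; the embedded document is a constructed minimal oval_results file that reuses the two definition ids and CVEs shown in the summary, plus one obviously labelled placeholder entry.

```python
import xml.etree.ElementTree as ET

# OVAL results files carry the definition catalogue (definitions namespace) and the
# per-system verdicts (results namespace); both must be matched with their namespace.
NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed minimal oval_results document (not real scanner output). The ids and CVEs
# are the two from the summary above; def:00000000 / CVE-PLACEHOLDER-0001 are placeholders.
SAMPLE_OVAL_RESULTS = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.oracle.elsa:def:20245260" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>ELSA-2024-5260: openssl security update (HIGH)</oval-def:title>
          <oval-def:reference source="elsa" ref_id="ELSA-2024-5260"/>
          <oval-def:reference source="CVE" ref_id="CVE-2024-5260"/>
          <oval-def:advisory><oval-def:severity>HIGH</oval-def:severity></oval-def:advisory>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:20245178" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>ELSA-2024-5178: kernel security update (MEDIUM)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-2024-5178"/>
          <oval-def:advisory><oval-def:severity>MEDIUM</oval-def:severity></oval-def:advisory>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.oracle.elsa:def:20245178" version="1" result="true"/>
        <definition definition_id="oval:com.oracle.elsa:def:20245260" version="1" result="true"/>
        <definition definition_id="oval:com.oracle.elsa:def:00000000" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def vulnerable_definitions(xml_text):
    """Definitions that evaluated true, joined with title, severity and CVE ids, worst first."""
    root = ET.fromstring(xml_text)
    catalogue = {}
    for d in root.iterfind(".//def:definition", NS):
        meta = d.find("def:metadata", NS)
        catalogue[d.get("id")] = {
            "title": meta.findtext("def:title", default="", namespaces=NS),
            "severity": meta.findtext("def:advisory/def:severity", default="UNKNOWN", namespaces=NS),
            "cves": [r.get("ref_id") for r in meta.iterfind("def:reference", NS)
                     if r.get("source") == "CVE"],
        }
    findings = []
    for d in root.iterfind(".//res:definition", NS):
        if d.get("result") == "true":  # "true" means the vulnerable condition holds on this host
            entry = {"id": d.get("definition_id"), "severity": "UNKNOWN", "cves": [], "title": ""}
            entry.update(catalogue.get(entry["id"], {}))
            findings.append(entry)
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["id"]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OVAL_RESULTS
    for f in vulnerable_definitions(text):
        print(f"{f['severity']:7} {f['id']}  {', '.join(f['cves'])}  {f['title']}")
```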

08 Automating Scans with systemd Timers

Production environments need continuous compliance monitoring. Rather than cron, Oracle Linux 10 uses systemd timers as the standard scheduler. Here is a complete setup for daily automated scanning with log rotation.

Create the scan script

# /usr/local/bin/run-scap-scan.sh
cat > /usr/local/bin/run-scap-scan.sh << 'EOF'
#!/bin/bash
# Automated OpenSCAP compliance scan for Oracle Linux 10
# Runs daily via systemd timer; results stored in /var/log/scap/
set -euo pipefail

PROFILE="xccdf_org.ssgproject.content_profile_cis_server_l2"
CONTENT="/usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml"
DATESTAMP=$(date +%Y-%m-%d)
OUTDIR="/var/log/scap/${DATESTAMP}"
HOSTNAME=$(hostname -s)
LOGFILE="/var/log/scap/scan-runner.log"

mkdir -p "${OUTDIR}"
echo "[$(date -Is)] Starting CIS L2 scan on ${HOSTNAME}" >> "${LOGFILE}"

oscap xccdf eval \
  --profile "${PROFILE}" \
  --results "${OUTDIR}/${HOSTNAME}-cis-l2-results.xml" \
  --report "${OUTDIR}/${HOSTNAME}-cis-l2-report.html" \
  --oval-results \
  "${CONTENT}" || true   # non-zero exit on failures is expected

# The results file is namespaced, so match <score> by local-name()
SCORE=$(xmllint --xpath "string(//*[local-name()='score'])" \
  "${OUTDIR}/${HOSTNAME}-cis-l2-results.xml" 2>/dev/null || echo "N/A")
echo "[$(date -Is)] Scan complete. Score: ${SCORE}" >> "${LOGFILE}"

# Optional: email report if score drops below threshold
if [[ "${SCORE%%.*}" -lt "80" ]] 2>/dev/null; then
  echo "ALERT: SCAP score ${SCORE} below threshold on ${HOSTNAME}" \
    | mail -s "[SCAP ALERT] ${HOSTNAME} CIS Score: ${SCORE}" security@example.com
fi
EOF
chmod +x /usr/local/bin/run-scap-scan.sh

Create the systemd service and timer units

# Create systemd service unit for the scan
cat > /etc/systemd/system/scap-scan.service << 'EOF'
[Unit]
Description=OpenSCAP CIS Level 2 Compliance Scan
Documentation=man:oscap(8)
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/run-scap-scan.sh
StandardOutput=journal
StandardError=journal
SyslogIdentifier=scap-scan
# Harden the scan service itself
NoNewPrivileges=yes
PrivateTmp=yes
EOF

# Create systemd timer — runs daily at 02:00 with 30min jitter.
# systemd does not accept trailing comments on a value line, so each comment
# sits on its own line.
cat > /etc/systemd/system/scap-scan.timer << 'EOF'
[Unit]
Description=Daily OpenSCAP CIS Compliance Scan Timer
Requires=scap-scan.service

[Timer]
OnCalendar=*-*-* 02:00:00
# up to 30 min random delay
RandomizedDelaySec=1800
# catch up if system was off
Persistent=true
Unit=scap-scan.service

[Install]
WantedBy=timers.target
EOF
# Enable and start the timer
systemctl daemon-reload
systemctl enable --now scap-scan.timer
systemctl list-timers scap-scan.timer

NEXT                         LEFT      LAST                         PASSED  UNIT             ACTIVATES
Mon 2026-06-16 02:17:44 UTC  23h left  Sun 2026-06-15 02:14:07 UTC  3h ago  scap-scan.timer  scap-scan.service

1 timers listed.

Log rotation for scan results

# Configure logrotate to manage scan output
cat > /etc/logrotate.d/scap-scan << 'EOF'
/var/log/scap/scan-runner.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
}
EOF
# Clean reports older than 90 days (run via cron or add to scan script).
# -mindepth 1 keeps /var/log/scap itself from matching.
find /var/log/scap/ -mindepth 1 -type d -mtime +90 -exec rm -rf {} + 2>/dev/null

09 Scanning Remote Hosts via SSH

OpenSCAP's oscap-ssh utility lets you scan remote Oracle Linux 10 hosts from a central management node without installing the full OpenSCAP suite on each target.

# Remote scan with oscap-ssh — requires OpenSCAP on target too
# Install oscap-ssh on the management node
dnf install -y openscap-utils
# oscap-ssh syntax: oscap-ssh USER@HOST PORT [oscap args...]
oscap-ssh root@ol10-target-01 22 xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --report /tmp/ol10-target-01-cis-report.html \
  --results /tmp/ol10-target-01-cis-results.xml \
  /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml
# For multiple hosts: loop with ssh key auth
mkdir -p /var/log/scap/$(date +%Y-%m)
for HOST in ol10-db01 ol10-db02 ol10-web01; do
  echo "=== Scanning ${HOST} ==="
  oscap-ssh root@${HOST} 22 xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis \
    --results /var/log/scap/$(date +%Y-%m)/${HOST}-cis-results.xml \
    --report /var/log/scap/$(date +%Y-%m)/${HOST}-cis-report.html \
    /usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml &
done
wait   # parallel scanning
echo "All scans complete"

10 Common Findings and Manual Fixes

The following rules fail most frequently on a default Oracle Linux 10 installation. Here are the specific fixes for the most impactful ones.

Fix 1: Disable SSH root login

# Rule: xccdf_org.ssgproject.content_rule_sshd_disable_root_login
# Check current value
grep -i PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes        # ← this must be 'no'
# Apply the fix
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' \
  /etc/ssh/sshd_config
# Reload sshd (not restart — avoids dropping active sessions)
systemctl reload sshd
# Verify the file ...
grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
# ... and the effective setting, since drop-ins under /etc/ssh/sshd_config.d/
# are included first and would override this line
sshd -T | grep -i permitrootlogin

Fix 2: Set password hashing to SHA-512

# Rule: accounts_password_pam_unix_sha512
# Check current hashing algorithm
authselect current
grep "sha512\|md5" /etc/pam.d/password-auth
# Ensure SHA-512 is configured via authselect
authselect select sssd with-faillock --force
# Verify the PAM password module uses sha512
grep password /etc/pam.d/system-auth | grep unix
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# Update /etc/login.defs for new accounts
sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/' \
  /etc/login.defs

Fix 3: Set secure umask system-wide

# Rule: accounts_umask_etc_profile — ensure default umask is 027
# Check current umask
grep umask /etc/profile /etc/bashrc
# Set umask to 027 (owner: rwx, group: r-x, others: ---)
cat > /etc/profile.d/cis-umask.sh << 'EOF'
# CIS Benchmark: Set default umask for all users
umask 027
EOF
chmod 644 /etc/profile.d/cis-umask.sh

Fix 4: Enable and configure auditd

# Rule: service_auditd_enabled + auditd configuration
# Enable auditd
systemctl enable --now auditd
# Add CIS-required audit rules
cat > /etc/audit/rules.d/cis-ol10.rules << 'EOF'
## CIS Oracle Linux 10 - Required Audit Rules
# Record date/time modification
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
# Record user/group changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Record sudo / privileged commands
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# Record network configuration changes
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
# Record access to audit logs
-w /var/log/audit/ -p wa -k audit-access
# Make config immutable (requires reboot to change)
-e 2
EOF
# Load new rules
augenrules --load
auditctl -l | head -20

Fix 5: Configure kernel parameters

# sysctl hardening — CIS network and kernel parameters
cat > /etc/sysctl.d/99-cis-ol10.conf << 'EOF'
## CIS Oracle Linux 10 sysctl hardening
# Disable IP forwarding (unless this is a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Protect against SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Enable ExecShield / ASLR
kernel.randomize_va_space = 2
# Restrict ptrace (limits process inspection)
kernel.yama.ptrace_scope = 1
# Disable core dumps with setuid
fs.suid_dumpable = 0
EOF
# Apply immediately
sysctl --system
sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

11 Viewing and Comparing Reports Over Time

Compliance is not a one-time event — it's a continuous process. OpenSCAP lets you compare results across time to measure improvement.

# Compare two scan results to track remediation progress
# The trending loop below only needs xmllint (from the libxml2 package)
dnf install -y libxml2
# Extract scores from multiple result files for trending.
# The results file is namespaced, so match elements by local-name().
for RESULT in /var/log/scap/2026-*/*cis-l2-results.xml; do
  DATE=$(xmllint --xpath "string(//*[local-name()='TestResult']/@end-time)" "${RESULT}" 2>/dev/null)
  SCORE=$(xmllint --xpath "string((//*[local-name()='score'])[1])" "${RESULT}" 2>/dev/null)
  printf "%s\t%.2f\n" "${DATE}" "${SCORE}"
done

Date                 Score
────────────────────────────
2026-06-01T02:14:07  73.20
2026-06-08T02:11:33  79.45
2026-06-15T02:17:43  87.35
↑ +14.15 points improvement over 14 days

# Serve the HTML report on a temporary web port for review
# Serve reports locally for browser access (development/review only)
cd /var/log/scap/$(date +%Y-%m) && \
  python3 -m http.server 8080 &
# Access from jump host or with SSH port forward:
#   ssh -L 8080:ol10-host:8080 your-jump-host
# Then open http://localhost:8080 in your browser
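A score trend hides which rules changed; a rule that passed last week and fails today is drift worth an incident ticket even if the overall score rose. As an added example (not code from the article), this Python script compares two XCCDF results files rule by rule and classifies each as fixed, regressed, still failing, or new; the two embedded runs are constructed samples with SSG-style short rule ids, not real scan output.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}


def rule_results(xml_text):
    """Map rule idref -> result for the first TestResult in an XCCDF results file."""
    test_result = ET.fromstring(xml_text).find(".//x:TestResult", XCCDF_NS)
    return {rr.get("idref"): rr.findtext("x:result", namespaces=XCCDF_NS)
            for rr in test_result.findall("x:rule-result", XCCDF_NS)}


def compare_runs(old_xml, new_xml):
    """Classify every rule of the newer run relative to the older run."""
    old, new = rule_results(old_xml), rule_results(new_xml)
    report = {"fixed": [], "regressed": [], "still_failing": [], "new_rules": []}
    for rid, result in sorted(new.items()):
        previous = old.get(rid)
        if previous is None:
            report["new_rules"].append(rid)          # a content update added this rule
        elif previous == "fail" and result == "pass":
            report["fixed"].append(rid)
        elif previous == "pass" and result == "fail":
            report["regressed"].append(rid)          # drift: investigate before the next audit
        elif result == "fail":
            report["still_failing"].append(rid)
    return report


def _constructed_results(rows, end_time):
    """Build a constructed minimal results document from (idref, result) pairs."""
    body = "".join(f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
                   for rid, res in rows)
    return (f'<Benchmark xmlns="{XCCDF_NS["x"]}"><TestResult id="t" end-time="{end_time}">'
            f'{body}</TestResult></Benchmark>')


# Constructed sample runs (not real scan output), dated like the trend table above.
RUN_JUNE_01 = _constructed_results([
    ("rule_sshd_disable_root_login", "fail"),
    ("rule_accounts_umask_etc_profile", "fail"),
    ("rule_service_auditd_enabled", "pass"),
    ("rule_sysctl_net_ipv4_ip_forward", "pass"),
], "2026-06-01T02:14:07")
RUN_JUNE_15 = _constructed_results([
    ("rule_sshd_disable_root_login", "pass"),
    ("rule_accounts_umask_etc_profile", "fail"),
    ("rule_service_auditd_enabled", "pass"),
    ("rule_sysctl_net_ipv4_ip_forward", "fail"),
    ("rule_sysctl_kernel_yama_ptrace_scope", "fail"),
], "2026-06-15T02:17:43")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: compare_runs.py OLD-results.xml NEW-results.xml
        old_xml, new_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        old_xml, new_xml = RUN_JUNE_01, RUN_JUNE_15
    for category, rules in compare_runs(old_xml, new_xml).items():
        print(f"{category:14} {len(rules):3}  {' '.join(rules)}")
```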

12 Quick Reference

| Command                  | Purpose                                            | Key flags                      |
|--------------------------|----------------------------------------------------|--------------------------------|
| oscap info <ds.xml>      | Inspect content: list profiles, benchmarks, CPE    |                                |
| oscap xccdf eval         | Run a compliance scan against an XCCDF profile     | --profile, --results, --report |
| oscap xccdf generate fix | Generate Bash or Ansible remediation from results  | --fix-type {bash,ansible}      |
| oscap oval eval          | Scan for CVEs using Oracle OVAL definitions        | --results, --report            |
| oscap-ssh                | Scan a remote host over SSH                        | USER@HOST PORT [oscap args]    |
| oscap xccdf validate     | Validate an XCCDF document for correctness         |                                |
| oscap ds split           | Split a DataStream into component files            | --output-dir                   |
Production recommendation

Start with CIS Level 1. Establish a baseline score, fix the high-severity failures, re-scan, then gradually move toward Level 2 or STIG. A score increase from 65% to 90% in 30 days is achievable with the automated remediation pipeline described in this guide. Document every change — your auditors will ask for it.

SZ
Syed Zaheer
Service Delivery Director · Techvisions · Cloud, AI & Managed Infrastructure
Syed Zaheer is Service Delivery Director at Techvisions, author, speaker, and technology enthusiast with deep expertise across the Oracle landscape, covering databases, middleware, applications, AI and cloud infrastructure. He actively contributes to the Oracle community through technical articles, conference presentations, and knowledge-sharing initiatives, helping organizations modernize and optimize their enterprise technology platforms.

