
OpenSCAP: Compliance Scanning for the Linux Corporate Desktop
Compliance audits used to mean a person with a clipboard. OpenSCAP automates the entire process.

What I built:
→ OpenSCAP on Rocky Linux (SSG from dnf), Ubuntu 24.04 (SSG from upstream GitHub), and Fedora Kinoite (baked into the OSTree image)
→ CIS profile auto-discovery handling Rocky vs Oracle Linux profile ID differences
→ SCAPinoculars exposing ARF XML results as Prometheus metrics on port 2112
→ Compliance metrics alongside CPU, memory, and logs in Grafana
→ Custom RPM packaging for SCAPinoculars and OSTree Kinoite integration

What it solves:
✓ Cross-distribution compliance scanning with one consistent workflow
✓ Compliance results visible continuously, not just at audit time
✓ Configuration drift detected immediately via Grafana alerts
✓ Prometheus + Loki + OpenSCAP unified in one Grafana dashboard

Quirks documented:
SCAPinoculars v0.0.3 ignores the --report-dir and --port flags
The Ubuntu ssg-base package has no datastream XML; use the upstream ZIP
Rocky + Fedora repos enabled: use --disabler
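To show what "ARF XML results as Prometheus metrics" and "drift detected" involve in practice, here is an added example of the core logic, written for this page and not taken from SCAPinoculars or the OpenSCAP project. It parses the XCCDF TestResult inside an ARF document, renders per-rule and per-result-type gauges in Prometheus exposition format, and diffs two scans of the same host to flag rules whose result changed. The ARF sample, the host name, the rule IDs and the metric names (openscap_rule_result, openscap_results_total) are constructed for illustration; a real oscap run produces a much larger document, but the namespaces and element names used here are the standard ARF 1.1 and XCCDF 1.2 ones.

```python
"""Parse an OpenSCAP ARF result file into Prometheus-style metrics and detect drift.

Added example, not SCAPinoculars' or OpenSCAP's own code. The sample document,
host name, rule IDs and metric names below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Standard namespaces: ARF 1.1 wraps an XCCDF 1.2 TestResult in arf:report/arf:content.
NS = {
    "arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed, minimal ARF document: only the parts this parser reads are present.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <xccdf:TestResult id="xccdf_org.open-scap_testresult_cis">
          <xccdf:profile idref="xccdf_org.ssgproject.content_profile_cis"/>
          <xccdf:target>host01.example.internal</xccdf:target>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
            <xccdf:result>pass</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
            <xccdf:result>pass</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium">
            <xccdf:result>fail</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium">
            <xccdf:result>notapplicable</xccdf:result>
          </xccdf:rule-result>
        </xccdf:TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""

# A second constructed scan of the same host where the first rule regressed (pass -> fail).
DRIFTED_ARF = SAMPLE_ARF.replace(
    "<xccdf:result>pass</xccdf:result>", "<xccdf:result>fail</xccdf:result>", 1
)


def parse_arf(xml_text):
    """Return profile, target and per-rule results from the first TestResult in an ARF document."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//xccdf:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult found in ARF document")
    profile = test_result.find("xccdf:profile", NS)
    target = test_result.find("xccdf:target", NS)
    rules = {}
    for rr in test_result.findall("xccdf:rule-result", NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        rules[rr.get("idref")] = {"result": result, "severity": rr.get("severity", "unknown")}
    return {
        "profile": profile.get("idref") if profile is not None else "unknown",
        "target": target.text if target is not None else "unknown",
        "rules": rules,
    }


def summarize(parsed):
    """Count rule results by outcome (pass, fail, notapplicable, ...)."""
    return Counter(info["result"] for info in parsed["rules"].values())


def render_prometheus(parsed):
    """Render Prometheus exposition-format text; metric names are constructed for this example."""
    target, profile = parsed["target"], parsed["profile"]
    lines = [
        "# HELP openscap_rule_result One series per evaluated rule, labelled with its result.",
        "# TYPE openscap_rule_result gauge",
    ]
    for rule_id, info in sorted(parsed["rules"].items()):
        lines.append(
            f'openscap_rule_result{{target="{target}",profile="{profile}",rule="{rule_id}",'
            f'severity="{info["severity"]}",result="{info["result"]}"}} 1'
        )
    lines.append("# HELP openscap_results_total Number of rules per result type in the last scan.")
    lines.append("# TYPE openscap_results_total gauge")
    for result, count in sorted(summarize(parsed).items()):
        lines.append(f'openscap_results_total{{target="{target}",result="{result}"}} {count}')
    return "\n".join(lines) + "\n"


def detect_drift(previous, current):
    """Map rule id -> (old result, new result) for rules whose outcome changed between scans."""
    changes = {}
    for rule_id, info in current["rules"].items():
        before = previous["rules"].get(rule_id, {}).get("result")
        if before != info["result"]:
            changes[rule_id] = (before, info["result"])
    return changes


if __name__ == "__main__":
    baseline = parse_arf(SAMPLE_ARF)
    print(render_prometheus(baseline))
    print("drift:", detect_drift(baseline, parse_arf(DRIFTED_ARF)))
```

The gauge-per-rule layout is what makes a Grafana alert on "any rule that was passing now fails" a one-line PromQL query rather than a report-diff job, and the drift function shows the same check done at scan time for hosts that are not yet scraped.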
Continue reading on Dev.to

