scap scanners and scap content

Can anyone recommend and free SCAP scanners? And recommendations for wher to download the actual scap content/checklsits? Does all scap "content" work in all scap scanners? I am specifically after scap content for newer releases of oracle RDBMS, SQL Server, and Exchange 2010. So any pointers in that direction most welcome.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Oscap is an candidate checkout the link as ut support xccdf and oval and likewise uses the dist stig and nist nvd  and see its real life example in link...

SSA is another to check out

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
I am doubtful the scap checklist is ready for the newer rdbms though...
pma111Author Commented:
Albeit those are the tools to do the scanning, where do you get the actual scap checklists from, i.e. those to import into the scanner to do the scans? Who produces the checklists in SCAP format?
btanExec ConsultantCommented:
Actually the checklist can be created by anyone but normally we take it from the govt standard body which readily make it available or even some vendor (commercial) came up with is as part of their scap scanning

e.g. usgcb-rhel5desktop-ds.xml is from United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies

More widely used is the National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.


This FAQ shares further

Is NIST working exclusively with Microsoft on Security Content Automation Protocol (SCAP)?
No. NIST is currently working with a number of IT vendors on standardizing security settings and their expression in SCAP for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70 Revision 2- Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers. For more information about the National Checklist Program, visit If IT vendors would like to standardize additional security settings with NIST, please contact

Please note that SCAP content can be provided either in a single file (as an OVAL file or SCAP Data Stream), or as multiple separate XML files.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.