open source SCAP scanners

Can anyone recommend any open source SCAP scanners for checking security configurations of OS (Windows 2008 R2), SQL Server, IIS etc.? Also, where do you download the actual SCAP checklists from, to import into the software, for checking compliance? Do you run the tools remotely from a workstation, or do you have to install the scanners on the servers being audited?

btan (Exec Consultant) commented:
Thought you'd be interested in using OpenSCAP
Related Projects
• scap-workbench - a tool with a nice graphical user interface that provides scanning (both local and remote machine), content customization and machine remediation functionality.
• SCAP addon for Anaconda installer, which is used in Fedora and Red Hat Enterprise Linux, for applying SCAP content in the installation process.
• SCE Community Content - set of various security configuration settings (security controls) expressed in standardized format. Each security control can be evaluated by a small shell script which is executed via SCE.
• secstate - a tool that attempts to streamline the Certification and Accreditation (C&A) process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security relevant configuration items.
• ruby-openscap - an extension of Ruby language adding OpenSCAP scanning capabilities

It is largely using the standard XCCDF content to perform the checks; the relevant content package can be referenced from the US Government Configuration Baseline (USGCB), as an example.

...I believe Nessus supports this too, but it is commercial and most SCAP scanners are not free.

David Johnson, CD, MVP (Owner) commented:
btan (Exec Consultant) commented:
The content page from the National Checklist Program Repository has Microsoft content and is a good one-stop place to select the product type and grab the XCCDF if available. You can choose the category as Operating System and the Tier as "Should work with SCAP tools". You will get a listing of the XCCDF content downloads to be loaded into a SCAP tool e.g.

There is public DISA STIG content available in SCAP format from the DISA IASE website in the domains of Operating Systems (including Windows Server) and Application Security (including MSSQL Database, IIS Web Server), as well as their SCAP tool (called SCAP Compliance Checker (SCC)) and benchmarks as content to check against, under this repository
...and SCC tool also available in
The Security Content Automation Protocol (SCAP) Compliance Checker (SCC) is a SCAP 1.0 Validated Scanner, with support for SCAP versions 1.1 and 1.2, and an Open Vulnerability Assessment Language (OVAL) adopter, capable of performing compliance verification using SCAP content, and authenticated vulnerability scanning using OVAL content.

If you need to edit, adjust or even create SCAP content files, in particular OVAL & XCCDF files, the eSCAPe (Enhanced SCAP Editor) is useful.
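
As an added example (not part of the original thread and not code from any of the tools named above): before loading a downloaded XCCDF checklist into a scanner, it helps to see which rules each profile will actually evaluate. The Python below does that for a constructed XCCDF 1.2 sample; the ids and titles are made up, and Group-level selection and profile `extends` are deliberately ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal XCCDF 1.2 benchmark (all ids and titles are made up).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_org.example_rule_password_length" selected="true"/>
    <select idref="xccdf_org.example_rule_guest_disabled" selected="false"/>
  </Profile>
  <Group id="xccdf_org.example_group_accounts">
    <Rule id="xccdf_org.example_rule_password_length" selected="false" severity="medium">
      <title>Minimum password length</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_guest_disabled" selected="true" severity="high">
      <title>Guest account disabled</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_audit_logon" selected="true" severity="low">
      <title>Audit logon events</title>
    </Rule>
  </Group>
</Benchmark>"""

def local(tag):
    # Strip the namespace so XCCDF 1.1 and 1.2 files are handled alike.
    return tag.rsplit("}", 1)[-1]

def profile_rules(xccdf_text):
    """Map each profile id to the rules it enables, as (rule id, severity, title)."""
    # Assumption: the checklist comes from a trusted source; the stdlib parser
    # is not hardened against hostile XML.
    root = ET.fromstring(xccdf_text)
    rules = {}
    for el in root.iter():
        if local(el.tag) == "Rule":
            title = next((c.text for c in el if local(c.tag) == "title"), "")
            default = el.get("selected", "true") == "true"  # XCCDF default is selected
            rules[el.get("id")] = (default, el.get("severity", "unknown"), title)
    result = {}
    for prof in (e for e in root.iter() if local(e.tag) == "Profile"):
        # Start from each rule's own default, then apply the profile's <select> overrides.
        state = {rid: info[0] for rid, info in rules.items()}
        for sel in (c for c in prof if local(c.tag) == "select"):
            if sel.get("idref") in state:
                state[sel.get("idref")] = sel.get("selected") == "true"
        result[prof.get("id")] = [(r, rules[r][1], rules[r][2]) for r, on in state.items() if on]
    return result

if __name__ == "__main__":
    for profile, enabled in profile_rules(SAMPLE).items():
        print(profile, enabled)
```
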
pma111 (Author) commented:
Has anyone any experience of running scap-workbench from a Windows 7 machine?
btan (Exec Consultant) commented:
You need Cygwin then, please see below
What works
• Opening XCCDF files and source datastreams
• Changing profiles
• Opening tailoring, saving tailoring
• Customizing profiles
• Saving all into a directory
• Opening user manual

What doesn’t work
• Local scanning
• Remote scanning
• Saving as RPM

I understand the Part 2 write-up stated that remote scanning has made some progress, though it is still having some hiccups. But do see the caveats:
Please keep in mind that this is a preliminary release that is in no way official. It just shows what is possible right now and allows me to outline future plans. You should NOT use this in production!