Automation of security audits for operating systems using OpenSCAP
Article Sidebar
Main Article Content
Abstract
The security configuration audit of operating systems, managed by the General Directorate of Computing and Information and Communication Technologies, posed a challenge due to the considerable time required for manual reviews and the need to ensure high levels of compliance with internationally recognized security practices and recommendations. In this context, the use of the OpenSCAP tool was evaluated to automate both the review and correction of security configurations. The evaluation was conducted in a test environment with commonly used operating systems at the University. The tool enabled automated audits based on best practices, autonomously applied corrections, and objectively measured compliance levels before and after corrective actions. The results showed that the use of OpenSCAP significantly reduced the execution time of audits. Additionally, the automated corrections applied improved compliance with security recommendations, reaching levels above 90%. However, certain configurations were identified that required manual intervention, particularly those related to boot password management, partition administration, and access control to critical services. These results demonstrated that automation helped reduce operational workload and made verification processes more uniform, without completely replacing the need for human supervision in specific cases. It was concluded that integrating automation mechanisms into institutional procedures contribute to a more efficient model for information security management at the University.
Downloads
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Este trabajo tiene la licencia CC BY-NC-ND 4.0
References
Bakhtiyarov, B., & Mammadov, V. (2024). OpenSCAP technology application to enterprise. PAHTEI-Proceedings of Azerbaijan High Technical Educational Institutions, 42(05), 221-228. https://doi.org/10.36962/pahtei42072024-24 DOI: https://doi.org/10.36962/PAHTEI42072024-24
Bandara, E., Shetty, S., Rahman, A., Mukkamala, R., Foytik, P., & Liang, X. (2024). RMF-GPT — OpenAI GPT-3.5 LLM, Blockchain, NFT, Model Cards and OpenSCAP Enabled Intelligent RMF Automation System. 2024 International Conference on Computing, Networking and Communications (ICNC), 653-658. https://doi.org/10.1109/ICNC59896.2024.10555963 DOI: https://doi.org/10.1109/ICNC59896.2024.10555963
Center for Internet Security. (2025). CIS Benchmarks: Security configuration guides. https://www.cisecurity.org/cis-benchmarks/
Dirección General de Cómputo y de Tecnologías de Información y Comunicación. (2023). Política General de Seguridad de la Información en la DGTIC. Universidad Nacional Autónoma de México. https://www.tic.unam.mx/politica-general-seguridad-informacion/
Dirección General de Cómputo y de Tecnologías de Información y Comunicación. (2024). Seguridad informática para sistemas operativos y aplicaciones. Universidad Nacional Autónoma de México. https://sistemas.tic.unam.mx/index.php/seguridad-informatica-sistemas-operativos-aplicaciones/
Liu, Y., & Hu, B. (2023). Security baseline verification technology for domestic computer terminal based on SCAP. 2023 IEEE 5th International Conference on Power, Intelligent Computing and Systems (ICPICS), 171-174. https://doi.org/10.1109/ICPICS58376.2023.10235334 DOI: https://doi.org/10.1109/ICPICS58376.2023.10235334
National Institute of Standards and Technology. (30 de septiembre de 2025). Security Content Automation Protocol (SCAP). https://csrc.nist.gov/projects/security-content-automation-protocol
OpenSCAP. (2025). OpenSCAP project. https://www.open-scap.org/
Urtamo, I., & Costin, A. (2023). On tools for practical and effective security policy management and vulnerability scanning. En B. Shishkov (Ed.), Business Modeling and Software Design. BMSD 2023. Lecture Notes in Business Information Processing (Vol. 483, pp. 375-382). Springer. https://doi.org/10.1007/978-3-031-36757-1_28 DOI: https://doi.org/10.1007/978-3-031-36757-1_28
Webb, J. A., Henderson, M. W., & Webb, M. L. (2019). An open source approach to automating surveillance and compliance of automatic test systems. 2019 IEEE AUTOTESTCON, 1-8. https://doi.org/10.1109/AUTOTESTCON43700.2019.8961077 DOI: https://doi.org/10.1109/AUTOTESTCON43700.2019.8961077