As stated earlier, writing own SCAP content from scratch is rather hard. One needs to understand at least XCCDF, and often also OVAL layer. On the other hand, customization (tailoring) of existing content is easy. One needs only to review the existing and decide which checks he (or she) wants to include in his (her) security profile, and customize a few variables. There is even opensource graphical tool for tailoring, it is called scap-workbench.

There are groups publishing their XCCDF content under opensource licences. So anyone may start hacking on top of them.

  • USGCB for RHEL5 Desktop: The United States Government Configuration Baseline, It’s the official SCAP content for desktops within federal agencies. It has been developed at NIST which collaborated with DoD and Red Hat, Inc. Unfortunatelly, it turned out, that the content tends to become out of date and some parts of OVAL may not fit nicely to the latest Fedoras.
  • SCAP Security Guide for RHEL6: It reassumes and extends USGCB, containing profiles for desktop, server, and ftp server. This content is under active community development.
  • SCE Community Content: This content does not use OVAL, instead it contains arbitrary scripts as checking engine. Arbitrary scripts might be no-go for some deployments, on the other hand they allow rapid development which might came handy elsewhere. The content combines rules from STIG, Aqueduct, and Sectool.
  • Content Based on Sectool: and obsoleting it. It’s also included in the previous.
  • OpenSCAP Content for Fedora 14:” Exemplary SCAP content created for Fedora 14 and maintained by OpenSCAP community.
  • OpenSCAP Content for RHEL6

Please let me know, in case you are aware about another group publishing their XCCDF content. I would like to have them added.