

This Puppet module exposes OpenSCAP primitives to the Puppet DSL.



Version information

  • 0.3.1 (latest)
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Jul 25th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'isimluk-openscap', '0.3.1'

Add this module to your Bolt project:

bolt module add isimluk-openscap

Manually install this module globally with Puppet module tool:

puppet module install isimluk-openscap --version 0.3.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



isimluk/openscap — version 0.3.1 Jul 25th 2014

# OpenSCAP Puppet Module

OpenSCAP Puppet Module exposes OpenSCAP primitives to the Puppet DSL.

Class: openscap::xccdf::eval

This class ensures that the client system is evaluated against the given XCCDF guidance. The class supports recurring scans. The results are stored on the client system.


  • $xccdf_path: Path to XCCDF or DataStream file
  • $xccdf_profile: XCCDF Profile to evaluate
  • $period: How often the evaluation shall happen
  • $weekday: Preferable weekday for evaluation to happen
  • $content_package: Package which includes $xccdf_path
  • $scan_name: The identifier of the recurring scan on the disk

With the default arguments, the class evaluates the SCAP-Security-Guide policy weekly.

Sample Usage

The following example ensures that an SCAP audit is executed every week and that the results are stored under the /var/lib/openscap directory. The openscap::xccdf::eval class ensures that the most recent audit result is present, i.e. if puppet is not run on Friday, the audit will be executed during the next puppet run. The example will automatically attempt to install ruby-openscap and scap-security-guide on the system.

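class { 'openscap::xccdf::eval':
  scan_name => 'my-weekly-ssg-audit',  # identifier of the recurring scan on disk
  weekday   => 'Friday',               # preferred day for the evaluation
  period    => 'weekly',               # how often the evaluation runs
}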

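The catch-up rule described under Sample Usage, as an added Ruby example (not code from this module): it assumes a weekly scan is due on the most recent occurrence of the chosen weekday, and that a stored result older than that date is stale. The function names and sample dates are constructed for illustration.

```ruby
require 'date'

# Added illustration, not the module's code. Assumption: a weekly scan is
# "due" on the most recent occurrence of the chosen weekday (today included).
WEEKDAYS = %w[Sunday Monday Tuesday Wednesday Thursday Friday Saturday].freeze

# Most recent date (on or before `today`) that falls on `weekday`.
def last_due_date(today, weekday)
  target = WEEKDAYS.index(weekday) or raise ArgumentError, "unknown weekday: #{weekday}"
  today - ((today.wday - target) % 7)
end

# True when no stored result covers the latest due date, i.e. the next
# puppet run should trigger the evaluation.
def scan_needed?(today, weekday, last_result_date)
  return true if last_result_date.nil? # never scanned on this host

  last_result_date < last_due_date(today, weekday)
end

# Constructed sample: Friday schedule, agent not run over the weekend.
if __FILE__ == $PROGRAM_NAME
  friday = Date.new(2014, 7, 25)
  monday = Date.new(2014, 7, 28)
  puts scan_needed?(monday, 'Friday', Date.new(2014, 7, 18)) # Friday was missed
  puts scan_needed?(monday, 'Friday', friday)                # Friday scan exists
end
```

A host whose newest result predates the last due date has a gap in its audit record, which is the condition the class closes on the next puppet run.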
Class: openscap::xccdf::foreman_audit

This class is the same as openscap::xccdf::eval. The only difference is that it attempts to upload audit results to Foreman's smart-proxy.


foreman_audit takes the same parameters as openscap::xccdf::eval, plus:

  • foreman_proxy: The URI of Foreman's Smart Proxy to receive the audit result

By default (without the foreman_proxy argument) foreman_audit assumes that the proxy is hosted on the same system as the puppetmaster.