OpenSCAP, the reference open source compliance scanner, paired with current SCAP Security Guide content so it can audit the operating system it runs on from the first boot.
OpenSCAP is the reference open source implementation of the SCAP standard, the format governments and auditors use to express machine readable security policy. It evaluates a system against a published benchmark and produces a report showing exactly which rules pass, which fail, and why.
It is worth being precise about what this is: OpenSCAP is a compliance scanner, not a compliance programme. There is no web console, no fleet inventory and no historical trending. It measures and reports; it does not make a machine compliant. What it does extremely well is answer one question reliably and repeatably: how does this system measure against a recognised benchmark, right now. That suits four patterns. Auditing the server it runs on against CIS or DISA STIG profiles and producing an HTML report plus machine readable results. Detecting configuration drift on a schedule, so a system that was hardened in January is proven still hardened in June. Scanning other hosts over SSH, so one appliance can audit a small estate. And generating remediation, as shell scripts or Ansible playbooks scoped to the rules that actually failed, for an engineer to review and apply deliberately.
The value here is in the content pairing, and it addresses a real gap. The compliance content published in the operating system's own archive predates this release, so it contains no benchmark for the very system it ships on. A scanner installed the obvious way therefore cannot audit its own host: it installs cleanly, reports its version happily, and is useless. cloudimg pairs the scanner with the current upstream SCAP Security Guide release, which does carry the right benchmarks, verified against its published checksum and installed at the standard content path. Five profiles are available immediately, spanning CIS Level 1 and Level 2 for servers and workstations plus DISA STIG. On first boot the image runs a baseline scan of that instance and leaves a report waiting, so the appliance arrives having already proved it works rather than asking you to prove it. A scheduled scan then tracks drift, and the scanner refuses to produce a report at all if its policy content fails an integrity check, because a compliance tool that reports confidently from corrupt content is worse than one that reports nothing. Nothing on the image ever remediates automatically. It comes with a paired deployment guide and 24/7 cloudimg support.