OpenSCAP [0] has made a lot of progress in the last two or three years. The SCAP Security Guide [1] includes security policies for USGCB, DISA STIG, PCI-DSS, CJIS, etc. and it's really easy to get started, scan your host, and generate a nice HTML report of the results for quick consumption. They've also started including "remediation" scripts to fix any problems that are found (n.b.: that can be dangerous).
To scan remote hosts, they simply need a single package installed (I think they actually only need the oscap binary) and an SSH server running.
In recent versions of Anaconda, you can specify a security policy in your kickstart file and have the host configured in accordance with the security policy as part of the installation process. The host is in compliance before you even get that first initial "login" prompt. (For those of us who have to deal with this, this is f'ing awesome.)
Another thing you can do with it is compare a host against, say, Red Hat's security errata and get a report of which security updates a host is missing. This can be automated, run by cron, and the results e-mailed to you once a week or whatever.
All that said, OpenSCAP isn't a panacea. It's still pretty "rough around the edges", so to speak, but it's much, much better than the tools we had to deal with this stuff just two or three years ago.
Windows isn't a supported platform (yet). There's still a lot of work to do on the Linux side of things to improve the software, so I'm not sure when (if?) they'll start working on Windows.
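The local scan with HTML report, the remote scan over SSH, and the cron-driven errata check described in the comment above, as an added shell example that is not from the thread or the OpenSCAP project; the datastream path, profile id, Red Hat OVAL feed URL and mail recipient are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly wrapper around the
# oscap invocations described above. Paths, profile id, OVAL feed URL and
# the mail recipient are assumptions; adjust them for your environment.
set -eu

SSG_DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml      # shipped by scap-security-guide (assumed path)
PROFILE=xccdf_org.ssgproject.content_profile_pci-dss         # one of the bundled policy profiles
OVAL_URL=https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml   # Red Hat errata feed (assumed URL)
MAIL_TO=secops@example.com                                   # placeholder recipient
OUT=${OUT:-/var/tmp/oscap-$(date +%F)}

# Local policy scan: machine-readable results plus the HTML report.
# Deliberately no --remediate: generate the profile's fix script and review
# it instead of letting oscap change the host unattended.
policy_scan() {
    mkdir -p "$OUT"
    oscap xccdf eval --profile "$PROFILE" \
        --results "$OUT/xccdf-results.xml" --report "$OUT/xccdf-report.html" \
        "$SSG_DS" || true   # exit status 2 only means some rules failed
    oscap xccdf generate fix --profile "$PROFILE" \
        --output "$OUT/remediation.sh" "$SSG_DS"
}

# Same scan against a remote host that only has the oscap binary and sshd;
# oscap-ssh copies the datastream over and fetches the report back.
remote_policy_scan() {   # usage: remote_policy_scan user@host
    oscap-ssh "$1" 22 xccdf eval --profile "$PROFILE" \
        --report "$OUT/$1-report.html" "$SSG_DS"
}

# Count missing errata in the stdout of "oscap oval eval": each line reads
# "Definition oval:com.redhat.rhsa:def:NNNN: true|false", and "true" means
# the definition matched, i.e. the affected package version is installed.
count_missing_errata() {
    grep -c '^Definition oval:com\.redhat\.rhsa:def:[0-9]*: true$' || true
}

# Weekly errata check: fetch the feed, evaluate it, mail the report only
# when something is missing.
errata_check() {
    mkdir -p "$OUT"
    curl -fsSL -o "$OUT/rhsa.xml" "$OVAL_URL"
    missing=$(oscap oval eval --results "$OUT/oval-results.xml" \
        --report "$OUT/oval-report.html" "$OUT/rhsa.xml" | count_missing_errata)
    [ "$missing" -eq 0 ] || mail -s "$(hostname): $missing missing errata" \
        "$MAIL_TO" < "$OUT/oval-report.html"
}
```

Call `policy_scan`, `remote_policy_scan user@host` or `errata_check` from the cron entry; the functions only run oscap when invoked, so sourcing the file is side-effect free.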
I tried it a few months ago and, as far as I could see, it's not just Windows that is unsupported; it only really supports Red Hat. It was packaged for Debian, but the policy files were absent and you could only find old unmaintained ones.
(This is not a criticism; I understand that Red Hat prefers to spend money on their own distro.)
[0]: https://www.open-scap.org/
[1]: https://www.open-scap.org/security-policies/scap-security-gu...