Using Script Check Engine (SCE) in OpenSCAP for large filesystems

The Script Check Engine (SCE) provides a workaround for OpenSCAP memory-consumption problems when scanning systems with large file systems containing millions of files. With SCE content, OpenSCAP can efficiently scan such systems.

Prerequisites

  • scap-security-guide package version 0.1.78 or newer
  • openscap package version 1.3.11 or newer

Procedure

  1. On the system targeted for assessment, install the openscap-engine-sce package (as root):
# dnf install openscap-engine-sce
  2. To prioritize the SCE engine over the default OVAL engine for your current terminal session only:
$ export OSCAP_PREFERRED_ENGINE=SCE
  3. To make SCE the default preferred engine for all OpenSCAP scans, add the OSCAP_PREFERRED_ENGINE=SCE variable to the /etc/environment file (this requires root, since the file is not writable by ordinary users):
# echo "OSCAP_PREFERRED_ENGINE=SCE" >> /etc/environment
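Added example, not from the original article: a small POSIX shell helper around steps 2 and 3. A bare echo >> appends a fresh OSCAP_PREFERRED_ENGINE=SCE line every time it is rerun, so the helper first reads back whatever the file already sets, refuses to silently override a different engine, and only then appends. It also includes a dotted-version comparison for checking the prerequisite package versions. Everything here is an assumption of the example: the file path argument (defaults to /etc/environment), the version strings you pass in, and the rpm query mentioned in a comment as the usual way to obtain them on a RHEL-family host.

```shell
#!/bin/sh
# Example helper (not part of the original article or of OpenSCAP itself).
# Assumes only a POSIX shell with grep and sed.

# Print the value of the last OSCAP_PREFERRED_ENGINE assignment in FILE
# (optional "export " prefix and quotes are tolerated). Prints nothing
# if the file is missing or contains no assignment.
sce_engine_in_file() {
    file="${1:-/etc/environment}"
    [ -r "$file" ] || return 0
    grep -E '^[[:space:]]*(export[[:space:]]+)?OSCAP_PREFERRED_ENGINE=' "$file" \
        | tail -n 1 \
        | sed 's/^.*OSCAP_PREFERRED_ENGINE=//; s/["'"'"']//g'
}

# Make SCE the preferred engine in FILE without creating duplicate lines.
# Exit status: 0 if SCE is (now) configured, 2 if another engine is already
# configured (left untouched so the operator can decide), non-zero otherwise.
set_sce_preferred() {
    file="${1:-/etc/environment}"
    current="$(sce_engine_in_file "$file")"
    if [ "$current" = "SCE" ]; then
        return 0            # already configured, nothing to do
    fi
    if [ -n "$current" ]; then
        echo "warning: $file already sets OSCAP_PREFERRED_ENGINE=$current; not overriding" >&2
        return 2
    fi
    printf 'OSCAP_PREFERRED_ENGINE=SCE\n' >> "$file"
}

# Return 0 if dotted numeric version $1 is >= version $2, else 1.
# Pass bare versions only; strip a release suffix first, e.g. "${v%%-*}".
# On a RHEL-family host the installed version can be read with
#   rpm -q --queryformat '%{VERSION}' scap-security-guide
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) ai="${a%%.*}"; a="${a#*.}";; *) ai="$a"; a="";; esac
        case "$b" in *.*) bi="${b%%.*}"; b="${b#*.}";; *) bi="$b"; b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Check both prerequisites from the article given the installed versions.
# Usage: prerequisites_met <scap-security-guide version> <openscap version>
prerequisites_met() {
    version_ge "$1" 0.1.78 && version_ge "$2" 1.3.11
}
```

Typical use on the target host is `prerequisites_met "$(rpm -q --queryformat '%{VERSION}' scap-security-guide)" "$(rpm -q --queryformat '%{VERSION}' openscap)" && set_sce_preferred`; run it a second time and the file is left unchanged.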

Conclusion

Once the package is installed and OSCAP_PREFERRED_ENGINE=SCE is set, OpenSCAP scans automatically use SCE content for every rule that provides it. SCE content is available for all rules mentioned in the OpenSCAP memory-consumption problems article.
