Installing other OpenSCAP policies

The SSG security policies will most likely form the core of your auditing framework with OpenSCAP—however, given the open source nature of OpenSCAP and the open standards it implements, anyone, including you, can write a policy file.

The policies you are most likely to want alongside your SSG ones are those that check the patch level of your servers. Given how frequently patches are released for Linux operating systems, bundling such policies with SSG would create a maintenance headache, so they are generally kept separate.

For example, on your CentOS 7 server, you can download the following security policy (note that it is available in OVAL format only):

$ wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
$ bunzip2 com.redhat.rhsa-RHEL7.xml.bz2

This contains checks for all CentOS 7 (and RHEL 7) package vulnerabilities that have been found to date and checks the installed versions to ensure that they are newer than the versions where known vulnerabilities existed. Hence, this can very easily generate a report that can show you whether you need to patch your CentOS 7 or RHEL 7 systems urgently.

A similar list is available from Canonical for Ubuntu Server 18.04, which can be downloaded as follows:

$ wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2
$ bunzip2 com.ubuntu.bionic.cve.oval.xml.bz2

Once again, this contains a list of all package vulnerabilities that have been found on Ubuntu Server 18.04 and checks that the package versions installed on your system are newer than the vulnerable versions. For both of these security policies, all checks are run every time as they are in OVAL format—however, a test only reports a failure if the package is installed and is older than the version containing the fix for the given vulnerability. Hence, you should not receive any false positives from running these scans.

Unlike the SSG policies, these policies are updated regularly—at the time of writing, the Ubuntu package vulnerability scanning profile we downloaded using the preceding commands was only one hour old! As a result, part of your auditing process must involve downloading the latest package vulnerability OVAL policies and scanning against these—possibly a good job for Ansible (though this is left as an exercise for you).
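The book leaves automating the download-and-scan cycle as an exercise. As an added example that is not from the book, here is a Python script for the step that follows the scan: reading the results file that `oscap oval eval --results results.xml com.redhat.rhsa-RHEL7.xml` writes and listing the definitions that evaluated to `true`, which for these patch-level feeds means the affected package version is installed and the fix is missing. The XML embedded in the script is a constructed sample with placeholder definition ids and CVE numbers that mirrors the layout of the OVAL results schema; the script assumes the results file embeds the definitions block (which oscap normally does) and accepts the original definitions file as a fallback.

```python
"""Summarise an OVAL results file (e.g. from `oscap oval eval --results`).

For the RHSA and Ubuntu CVE feeds, a definition result of "true" means the
vulnerable package version IS installed, i.e. the fix is missing.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample (not real advisory data): three definitions, one with
# the fix missing ("true"), one patched ("false"), one not evaluated.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:example.rhsa:def:1" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>EXAMPLE-RHSA-0001: sample-pkg security update (Important)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example.rhsa:def:2" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>EXAMPLE-RHSA-0002: other-pkg security update (Moderate)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0002"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example.rhsa:def:1" version="1" result="true"/>
        <definition definition_id="oval:example.rhsa:def:2" version="1" result="false"/>
        <definition definition_id="oval:example.rhsa:def:3" version="1" result="not evaluated"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def _load_metadata(root):
    """Map definition id -> (title, [CVE ids]) from an OVAL definitions tree."""
    meta = {}
    for d in root.iter("{%s}definition" % NS["def"]):
        title_el = d.find("def:metadata/def:title", NS)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        cves = [r.get("ref_id") for r in d.findall("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (title, cves)
    return meta


def summarize_results(results_xml, definitions_xml=None):
    """Count results per outcome and list the definitions with result "true".

    definitions_xml is only needed when the results file does not embed the
    definitions; titles and CVE ids are taken from whichever tree has them.
    """
    root = ET.fromstring(results_xml)
    meta_root = ET.fromstring(definitions_xml) if definitions_xml else root
    meta = _load_metadata(meta_root)
    counts = {}
    missing = []
    # Only <definition> elements in the results namespace carry outcomes.
    for d in root.iter("{%s}definition" % NS["res"]):
        did = d.get("definition_id")
        result = d.get("result", "unknown")
        counts[result] = counts.get(result, 0) + 1
        if result == "true":
            title, cves = meta.get(did, ("", []))
            missing.append({"id": did, "title": title, "cves": cves})
    missing.sort(key=lambda m: m["id"])
    return {"counts": counts, "missing_fixes": missing}


def main(argv):
    # Usage: summarize_oval.py results.xml [definitions.xml]
    # With no arguments the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            results = fh.read()
        defs = None
        if len(argv) > 2:
            with open(argv[2], "rb") as fh:
                defs = fh.read()
        summary = summarize_results(results, defs)
    else:
        summary = summarize_results(SAMPLE_RESULTS)
    print("Results by outcome:", summary["counts"])
    for m in summary["missing_fixes"]:
        print("FIX MISSING %s  %s  [%s]" % (m["id"], m["title"], ", ".join(m["cves"])))
    # Non-zero exit when anything needs patching, so cron or Ansible can act on it.
    return 1 if summary["missing_fixes"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is what makes this useful in the automated cycle the book describes: a job that downloads the current OVAL feed, runs `oscap oval eval --results results.xml`, and then runs this script can fail loudly only when a host actually has an unpatched advisory.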

By now, you should have a good understanding of the types of policies you can download, the formats you may come across them in, and what their intended purposes are. Hence, in the next section, we will proceed to demonstrate how they can be used to scan your Linux hosts and audit your compliance against your chosen security policies.
