Configuration

OpenSCM uses a platform-native approach to configuration. On Linux, FreeBSD, and macOS, configuration is handled via TOML files. On Windows, settings are stored in the System Registry to facilitate enterprise deployment via Group Policy (GPO).


Server Configuration

The scmserver manages the central database and agent authorizations.

Default Path (Linux): /etc/openscm/scmserver.config

[server]
port = "8000"       # Port for the web server
loglevel = "info"   # debug | info | warn | error

Path (Windows Registry): HKEY_LOCAL_MACHINE\SOFTWARE\OpenSCM\Server

| Value Name | Type | Description |
|---|---|---|
| Port | REG_SZ | Port for the server (e.g., 8000) |
| LogLevel | REG_SZ | Logging level (info, debug, etc.) |

Fixed Paths

The database and key paths are fixed and cannot be changed:

| Resource | Linux | Windows |
|---|---|---|
| Database | /var/lib/openscm/scm.db | C:\ProgramData\OpenSCM\Server\scm.db |
| Keys | /etc/openscm/keys/ | C:\ProgramData\OpenSCM\Server\keys\ |
| Logs | /var/log/openscm/ | C:\ProgramData\OpenSCM\Server\logs\ |

Client Configuration

The scmclient agent handles heartbeats and local compliance scanning.

Default Path (Linux): /etc/openscm/scmclient.config

[server]
url = "http://localhost:8000"   # URL of your OpenSCM Server
tenant_id = "default"          # Tenant identifier

[client]
heartbeat = "300"              # Check-in interval in seconds
loglevel = "info"              # debug | info | warn | error
cmd_enabled = false            # Allow CMD tests to run (opt-in)

Default Path (FreeBSD / macOS): /usr/local/etc/openscm/scmclient.config

[server]
url = "http://localhost:8000"   # URL of your OpenSCM Server
tenant_id = "default"          # Tenant identifier

[client]
heartbeat = "300"              # Check-in interval in seconds
loglevel = "info"              # debug | info | warn | error
cmd_enabled = false            # Allow CMD tests to run (opt-in)

Path (Windows Registry): HKEY_LOCAL_MACHINE\SOFTWARE\OpenSCM\Client

| Value Name | Type | Description |
|---|---|---|
| ServerURL | REG_SZ | URL of the OpenSCM Server |
| TenantId | REG_SZ | Tenant identifier |
| Heartbeat | REG_SZ | Check-in interval in seconds |
| LogLevel | REG_SZ | Logging level |
| CmdEnabled | REG_SZ | Allow CMD tests to run (true / false) |

Fixed Paths

The key paths are fixed and cannot be changed:

| Resource | Linux | FreeBSD / macOS | Windows |
|---|---|---|---|
| Keys | /etc/openscm/keys/ | /usr/local/etc/openscm/keys/ | C:\ProgramData\OpenSCM\Client\keys\ |
| Logs | /var/log/openscm/ | /var/log/openscm/ | C:\ProgramData\OpenSCM\Client\logs\ |

Parameter Reference

Server Parameters

| Parameter | Default | Description |
|---|---|---|
| server.port | 8000 | Port the server listens on |
| server.loglevel | info | Log verbosity: error, warn, info, debug |

Client Parameters

| Parameter | Default | Description |
|---|---|---|
| server.url | http://localhost:8000 | OpenSCM server URL |
| server.tenant_id | default | Tenant identifier |
| client.heartbeat | 300 | Check-in interval in seconds |
| client.loglevel | info | Log verbosity: error, warn, info, debug |
| client.cmd_enabled | false | Allow CMD tests to run. When false, all CMD tests return NA. |

CMD element security

Enabling cmd_enabled permits the agent to run shell commands as defined in your compliance tests. Only enable this if you trust the tests assigned to the agent and understand the security implications.


Heartbeat Interval Guidelines

The heartbeat setting controls how frequently the agent checks in with the server.

| Environment | Recommended | Reason |
|---|---|---|
| High-security | 60–120s | Faster detection of policy changes |
| Standard | 300s | Good balance of responsiveness and load |
| Large fleets (1000+) | 600s+ | Reduces server load |

Tip

A random jitter of 0–9 seconds is automatically added to each heartbeat interval to prevent thundering herd problems in large deployments.


Key Management

Identity Loss

If the files in the keys directory are deleted, the agent loses its identity. It will automatically trigger a new ID 0 registration and require an administrator to re-approve the system in the dashboard.

Key Backup

Back up your server key files regularly. If the server keys are lost, all registered agents will fail signature verification and need to re-register.

Keys are generated automatically on first run — no manual setup required.


Applying Changes

Configuration changes take effect on service restart.

Linux:

# Server
sudo systemctl restart scmserver

# Agent
sudo systemctl restart scmclient

FreeBSD:

# Agent
service scmclient restart

macOS:

# Agent
sudo launchctl bootout system/io.openscm.scmclient
sudo launchctl bootstrap system /Library/LaunchDaemons/io.openscm.scmclient.plist

Windows (PowerShell):

# Server
Restart-Service OpenSCMServer

# Agent
Restart-Service OpenSCMClient

The server URL can be overridden at runtime without editing the config file:

scmclient --url https://openscm.yourcompany.com

This saves the new URL to the config and persists across restarts.