With security being the focus these days, tools are more readily available to assist in remediation. One such tool is the OpenSCAP command-line tool. oscap is a Security Content Automation Protocol (SCAP) toolkit based on the OpenSCAP library. It provides various functions for different SCAP specifications (modules). This article is intended to identify the options that are available along with a few examples. More detailed examples will be found in future articles.
Prerequisites
Install oscap.
yum install openscap scap-security-guide -y
Once installed, the SCAP files are located at /usr/share/xml/scap/ssg/content/
Each is specific to its use case, as identified by the name.
[root@oscap]ls -1 /usr/share/xml/scap/ssg/content
ssg-centos6-ds.xml
ssg-centos6-xccdf.xml
ssg-centos7-ds.xml
ssg-centos7-xccdf.xml
ssg-firefox-cpe-dictionary.xml
ssg-firefox-cpe-oval.xml
ssg-firefox-ds.xml
ssg-firefox-ocil.xml
ssg-firefox-oval.xml
ssg-firefox-xccdf.xml
ssg-jre-cpe-dictionary.xml
ssg-jre-cpe-oval.xml
ssg-jre-ds.xml
ssg-jre-ocil.xml
ssg-jre-oval.xml
ssg-jre-xccdf.xml
ssg-rhel6-cpe-dictionary.xml
ssg-rhel6-cpe-oval.xml
ssg-rhel6-ds.xml
ssg-rhel6-ocil.xml
ssg-rhel6-oval.xml
ssg-rhel6-xccdf.xml
ssg-rhel7-cpe-dictionary.xml
ssg-rhel7-cpe-oval.xml
ssg-rhel7-ds.xml
ssg-rhel7-ocil.xml
ssg-rhel7-oval.xml
ssg-rhel7-xccdf.xml
oscap
Simply typing oscap -h
reveals the options to get started.
oscap

OpenSCAP command-line tool

Usage: oscap [options] module operation [operation-options-and-arguments]

oscap options:
   -h --help - show this help
   -q --quiet - quiet mode
   -V --version - print info about supported SCAP versions

Commands:
    ds - DataStream utilities
    oval - Open Vulnerability and Assessment Language
    xccdf - eXtensible Configuration Checklist Description Format
    cvss - Common Vulnerability Scoring System
    cpe - Common Platform Enumeration
    cve - Common Vulnerabilities and Exposures
    cvrf - Common Vulnerability Reporting Framework
    info - info module
As you narrow down your search, the help command will get you further.
oscap xccdf -h
oscap xccdf eval -h
oscap xccdf validate -h
oscap xccdf generate fix -h
oscap oval -h
oscap oval collect -h
oscap ds -h
Profiles
Information about the ssg-centos7-ds.xml file.
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
From this file, we can pick and choose which profile to use, or use the complete SCAP. Here is an example of selecting only the DISA STIG. The profile is the Id: xccdf_org.ssgproject.content_profile_pci-dss.
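The profile selection described above can be scripted so that a mistyped Id is caught before the scan starts. This is an added example, not code from the original article: the function names, the output file names, the sample `oscap info` text and the `content_profile_example` Id are constructed for illustration, and only the pci-dss Id and the data stream path come from the article.

```bash
#!/usr/bin/env bash
# Added example: pick a profile from a data stream and evaluate the host against it.

DS=/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

# Constructed sample of `oscap info` output (the exact layout varies by
# OpenSCAP version). The second profile Id is a placeholder.
SAMPLE_INFO='Document type: Source Data Stream
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-centos7-xccdf-1.2.xml
		Profiles:
			Title: PCI-DSS (constructed title)
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Example profile (constructed)
				Id: xccdf_org.ssgproject.content_profile_example
		Referenced check files:
			ssg-centos7-oval.xml'

# Print every profile Id found in `oscap info` output read from stdin.
list_profiles() {
    grep -oE 'xccdf_[A-Za-z0-9._-]+_profile_[A-Za-z0-9._-]+' | sort -u
}

# Succeed only if profile $1 exactly matches an Id in the info text $2.
profile_exists() {
    printf '%s\n' "$2" | list_profiles | grep -qxF -- "$1"
}

# Evaluate this host against profile $1 and write results into directory $2.
# Refuses profile Ids that the data stream does not define.
scan_profile() {
    scan_info=$(oscap info "$DS") || return 3
    if ! profile_exists "$1" "$scan_info"; then
        echo "profile not in $DS: $1" >&2
        return 4
    fi
    # oscap exits 2 when at least one rule fails or is unknown:
    # that is a compliance finding, not a tool error (which is exit 1).
    oscap xccdf eval --profile "$1" \
        --results "${2:-.}/results.xml" --report "${2:-.}/report.html" "$DS"
}

# Usage: scan_profile xccdf_org.ssgproject.content_profile_pci-dss /root/scan
```

Source the file and call `scan_profile` as root on the host being assessed; `results.xml` is the machine-readable record and `report.html` the human-readable one.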
Source(s)
- man oscap
- oscap -h
- https://conklin.io/assessing-centos-7-with-openscap/