OpenSCAP command-line tool

With security being the focus these days, tools are more readily available for use to assist in remediation. One such tool is the OpenSCAP command-line tool. oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP specifications (modules). This article is intended to identify the options that are available along with a few examples.  More detailed examples will be in found in future articles.

Prerequisites

Install oscap.

yum install openscap scap-security-guide -y

Once installed, the SCAP files are located at /usr/share/xml/scap/ssg/content/ Each is specific for it's use case as identified by the name.

[root@oscap]ls -1 /usr/share/xml/scap/ssg/content
ssg-centos6-ds.xml
ssg-centos6-xccdf.xml
ssg-centos7-ds.xml
ssg-centos7-xccdf.xml
ssg-firefox-cpe-dictionary.xml
ssg-firefox-cpe-oval.xml
ssg-firefox-ds.xml
ssg-firefox-ocil.xml
ssg-firefox-oval.xml
ssg-firefox-xccdf.xml
ssg-jre-cpe-dictionary.xml
ssg-jre-cpe-oval.xml
ssg-jre-ds.xml
ssg-jre-ocil.xml
ssg-jre-oval.xml
ssg-jre-xccdf.xml
ssg-rhel6-cpe-dictionary.xml
ssg-rhel6-cpe-oval.xml
ssg-rhel6-ds.xml
ssg-rhel6-ocil.xml
ssg-rhel6-oval.xml
ssg-rhel6-xccdf.xml
ssg-rhel7-cpe-dictionary.xml
ssg-rhel7-cpe-oval.xml
ssg-rhel7-ds.xml
ssg-rhel7-ocil.xml
ssg-rhel7-oval.xml
ssg-rhel7-xccdf.xml

oscap

Simply typing oscap -h reveals the options to get started.

oscap

OpenSCAP command-line tool

Usage: oscap [options] module operation [operation-options-and-arguments]

oscap options:
-h --help - show this help
-q --quiet - quiet mode
-V --version - print info about supported SCAP versions

Commands:
ds - DataStream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format
cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures
cvrf - Common Vulnerability Reporting Framework
info - info module

As you narrow down your search, the help command will get you further.

oscap xccdf -h
oscap xccdf eval -h
oscap xccdf validate -h
oscap xccdf generate fix -h
oscap oval -h
oscap oval collect -h
oscap ds -h

Profiles

Information about ssg-centos7-ds.xm file.

oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xm

From this file, we can pick and choose what profile to use or use the complete scap.  here is an example of selecting only the DISA STIG. The profile is the Id: xccdf_org.ssgproject.content_profile_pci-dss.

Source(s)

  • man oscap
  • oscap -h
  • https://conklin.io/assessing-centos-7-with-openscap/