8.4.3. Scanning the System

The most important functionality of oscap is to perform configuration and vulnerability scans of a local system. The following is a general syntax of the respective command:
oscap [options] module eval [module_operation_options_and_arguments]
The oscap utility can scan systems against the SCAP content represented by both, an XCCDF (The eXtensible Configuration Checklist Description Format) benchmark and OVAL (Open Vulnerability and Assessment Language) definitions. The security policy can have a form of a single OVAL or XCCDF file or multiple separate XML files where each file represents a different component (XCCDF, OVAL, CPE, CVE, and others). The result of a scan can be printed to both, standard output and an XML file. The result file can be then further processed by oscap in order to generate a report in a human-readable format. The following examples illustrate the most common usage of the command.

Example 8.6. Scanning the System Using the SSG OVAL definitions

To scan your system against the SSG OVAL definition file while evaluating all definitions, run the following command:
~]$ oscap oval eval --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the scan-oval-results.xml file in the current directory.

Example 8.7. Scanning the System Using the SSG OVAL definitions

To evaluate a particular OVAL definition from the security policy represented by the SSG data stream file, run the following command:
~]$ oscap oval eval --id oval:ssg:def:100 --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the scan-oval-results.xml file in the current directory.

Example 8.8. Scanning the System Using the SSG XCCDF benchmark

To perform the SSG XCCDF benchmark for the xccdf_org.ssgproject.content_profile_rht-ccp profile on your system, run the following command:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the scan-xccdf-results.xml file in the current directory.

Note

The --profile command-line argument selects the security profile from the given XCCDF or data stream file. The list of available profiles can be obtained by running the oscap info command. If the --profile command-line argument is omitted the default XCCDF profile is used as required by SCAP standard. Note that the default XCCDF profile may or may not be an appropriate security policy.