8.4. Using oscap

The oscap command-line utility allows users to scan their local systems, validate security compliance content, and generate reports and guides based on these scans and evaluations. This utility serves as a front end to the OpenSCAP library and groups its functionality into modules (sub-commands) by the type of SCAP content each module processes.
The following sections explain how to install oscap and perform the most common operations, with examples for each task. To learn more about a specific sub-command, use the --help option with an oscap command:
oscap [options] module module_operation [module_operation_options_and_arguments] --help
where module represents a type of SCAP content that is being processed, and module_operation is a sub-command for the specific operation on the SCAP content.

Example 8.4. Getting Help on the Specific oscap Operation

~]$ oscap ds sds-split --help
oscap -> ds -> sds-split

Split given SourceDataStream into separate files

Usage: oscap [options] ds sds-split [options] SDS TARGET_DIRECTORY

SDS - Source data stream that will be split into multiple files.
TARGET_DIRECTORY - Directory of the resulting files.

Options:
   --datastream-id <id>          - ID of the datastream in the collection to use.
   --xccdf-id <id>               - ID of XCCDF in the datastream that should be evaluated.
To learn about all oscap features and the complete list of its options, see the oscap(8) manual page.

8.4.1. Installing oscap

To install oscap to your system, run the following command as root:
~]# yum install openscap-scanner
This command installs the oscap utility together with all packages it requires to function properly, including the openscap library package.
If you want to write your own security content, you should also install the openscap-engine-sce package that provides the Script Check Engine (SCE). SCE is an extension to the SCAP protocol that allows content authors to write their checks in a scripting language, such as Bash, Python or Ruby. Because an SCE check is an ordinary script that the scanner executes with its own privileges (usually root when scanning a system), only evaluate SCE-based content that comes from a source you trust. The openscap-engine-sce package can be installed in the same way as the openscap-scanner package; however, you need access to the repository or channel with optional packages for your Red Hat Enterprise Linux variant. If your system is registered with Red Hat Subscription Management, enable the rhel-6-variant-optional-rpms repository as described in the Yum chapter of the Red Hat Enterprise Linux 6 Deployment Guide, where variant is your Red Hat Enterprise Linux variant, such as server or workstation. If your system is registered with RHN Classic, subscribe the system to the rhel-architecture-variant-6-optional channel as documented here: https://access.redhat.com/site/solutions/9907.
Optionally, after installing oscap, you can check the capabilities of your version of oscap: which specifications and specification versions it supports, where its schema, CPE and probe files are stored, which kinds of OVAL objects it can evaluate, and other useful information. To display this information, type the following command:
~]$ oscap -V
OpenSCAP command line tool (oscap) 1.0.8
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info           
family                       probe_family                
filehash                     probe_filehash              
environmentvariable          probe_environmentvariable   
textfilecontent54            probe_textfilecontent54     
textfilecontent              probe_textfilecontent       
variable                     probe_variable              
xmlfilecontent               probe_xmlfilecontent        
environmentvariable58        probe_environmentvariable58 
filehash58                   probe_filehash58            
inetlisteningservers         probe_inetlisteningservers  
rpminfo                      probe_rpminfo               
partition                    probe_partition             
iflisteners                  probe_iflisteners           
rpmverify                    probe_rpmverify             
rpmverifyfile                probe_rpmverifyfile         
rpmverifypackage             probe_rpmverifypackage      
selinuxboolean               probe_selinuxboolean        
selinuxsecuritycontext       probe_selinuxsecuritycontext
file                         probe_file                  
interface                    probe_interface             
password                     probe_password              
process                      probe_process               
runlevel                     probe_runlevel              
shadow                       probe_shadow                
uname                        probe_uname                 
xinetd                       probe_xinetd                
sysctl                       probe_sysctl                
process58                    probe_process58             
fileextendedattribute        probe_fileextendedattribute 
routingtable                 probe_routingtable
Before you can start using the oscap utility effectively, you also have to install or import some security content on your system. You can download SCAP content from the web site of its publisher, or, if the content is distributed as an RPM package, install it from a file or from a known repository using the Yum package manager.
For example, to install the SCAP Security Guide (SSG) package that contains the latest set of security policies for Linux systems, run the following command:
~]# yum install scap-security-guide
After you install the scap-security-guide package on your system, unless specified otherwise, the SSG security content is available under the /usr/share/xml/scap/ssg/content/ directory, and you can proceed with other security compliance operations.
To find out other possible sources of existing SCAP content that might suit your needs, see Section 8.8, “Additional Resources”.
After installing the SCAP content on your system, oscap can process the content by specifying the file path to the content. The oscap utility supports SCAP version 1.2 and is backward compatible with SCAP versions 1.1 and 1.0 so it can process earlier versions of the SCAP content without any special requirements.
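The capability report printed by oscap -V above is the natural place to check, before running a scan, that the installed scanner supports the specification versions and OVAL object types a piece of content uses; a scanner older than the content (for example, XCCDF 1.2 content on a scanner that only knows 1.1) or one lacking a probe for an OVAL object cannot evaluate the affected checks. The following script is an added example and not part of this guide or of the OpenSCAP project; it parses the oscap -V output format shown above. SAMPLE_CAPS is a constructed excerpt of that report so the functions can be exercised without oscap installed, and the list of probes checked at the end is an assumed set that package-based content typically needs.

```shell
#!/bin/sh
# Pre-flight check of an oscap installation against the needs of SCAP content.
# Added example (not from the Red Hat guide or the OpenSCAP project). It reads
# the `oscap -V` capability report in the format the guide shows.
# SAMPLE_CAPS is a constructed excerpt of that report for offline use.

SAMPLE_CAPS='OpenSCAP command line tool (oscap) 1.0.8

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info
rpminfo                      probe_rpminfo
rpmverifyfile                probe_rpmverifyfile
textfilecontent54            probe_textfilecontent54
file                         probe_file
'

# spec_version CAPS NAME: print the supported version of specification NAME
# (e.g. "XCCDF" -> "1.2"); print nothing if NAME is not listed.
spec_version() {
  printf '%s\n' "$1" | sed -n "s/^$2 Version: //p" | head -n 1
}

# has_probe CAPS OBJECT: succeed if OVAL object OBJECT has a probe listed in
# the "Supported OVAL objects" table (first column object, second column probe).
has_probe() {
  printf '%s\n' "$1" | awk -v obj="$2" \
    '$1 == obj && $2 ~ /^probe_/ { found = 1 } END { exit !found }'
}

# missing_probes CAPS OBJECT...: print every OBJECT with no probe, one per
# line; succeed only if none are missing.
missing_probes() {
  caps=$1; shift
  rc=0
  for obj in "$@"; do
    if ! has_probe "$caps" "$obj"; then
      printf '%s\n' "$obj"
      rc=1
    fi
  done
  return $rc
}

# xccdf_supported CAPS NEEDED: succeed if the scanner's XCCDF version is at
# least NEEDED (major.minor), i.e. the content is the scanner's version or an
# earlier one that oscap handles through its backward compatibility.
xccdf_supported() {
  have=$(spec_version "$1" XCCDF)
  [ -n "$have" ] || return 1
  awk -v have="$have" -v need="$2" 'BEGIN {
    split(have, h, "."); split(need, n, ".")
    ok = (h[1] + 0 > n[1] + 0) || (h[1] + 0 == n[1] + 0 && h[2] + 0 >= n[2] + 0)
    exit !ok
  }'
}

# On a host with oscap installed, check the real scanner. The probe list is an
# assumed set of objects commonly used by package- and file-based checks.
if command -v oscap >/dev/null 2>&1; then
  live=$(oscap -V)
  echo "XCCDF: $(spec_version "$live" XCCDF), OVAL: $(spec_version "$live" OVAL)"
  xccdf_supported "$live" 1.2 || echo "warning: scanner does not support XCCDF 1.2 content"
  missing_probes "$live" rpminfo rpmverifyfile textfilecontent54 file \
    || echo "warning: the objects above have no probe; checks using them cannot be evaluated"
fi
```

Run the script as any user; it only reads the capability report and never touches SCAP content or the system state. The same functions can be pointed at the output of a remote host's oscap -V to confirm that content validated on one machine will be evaluated identically on another.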