Show Table of Contents
8.4.3. Scanning the System
The most important functionality of oscap is to perform configuration and vulnerability scans of a local system. The following is a general syntax of the respective command:
oscap [options] module eval [module_operation_options_and_arguments]
The oscap utility can scan systems against the SCAP content represented by both, an
XCCDF (The eXtensible Configuration Checklist Description Format) benchmark and OVAL (Open Vulnerability and Assessment Language) definitions. The security policy can have a form of a single OVAL or XCCDF file or multiple separate XML files where each file represents a different component (XCCDF, OVAL, CPE, CVE, and others). The result of a scan can be printed to both, standard output and an XML file. The result file can be then further processed by oscap in order to generate a report in a human-readable format. The following examples illustrate the most common usage of the command.
Example 8.6. Scanning the System Using the SSG OVAL definitions
To scan your system against the SSG OVAL definition file while evaluating all definitions, run the following command:
~]$ oscap oval eval --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-oval-results.xml file in the current directory.
Example 8.7. Scanning the System Using the SSG OVAL definitions
To evaluate a particular OVAL definition from the security policy represented by the SSG data stream file, run the following command:
~]$ oscap oval eval --id oval:ssg:def:100 --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-oval-results.xml file in the current directory.
Example 8.8. Scanning the System Using the SSG XCCDF benchmark
To perform the SSG XCCDF benchmark for the
xccdf_org.ssgproject.content_profile_rht-ccp profile on your system, run the following command:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-xccdf-results.xml file in the current directory.
Note
The
--profile command-line argument selects the security profile from the given XCCDF or data stream file. The list of available profiles can be obtained by running the oscap info command. If the --profile command-line argument is omitted the default XCCDF profile is used as required by SCAP standard. Note that the default XCCDF profile may or may not be an appropriate security policy.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.