Install Now
oscap-ssh - Tool for running oscap over SSH and collecting results.
Contents
Description
oscap-ssh runs oscap tool on a remote system through SSH connection. The input files are transferred to
the target system and after the scan finishes result files are transferred back. No temporary data
remains on the remote machine.
The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF evaluation of remote machines. The
remote machine also has to have oscap installed and in $PATH. This can be accomplished by installing
openscap-scanner.
Usage of the tool mimics usage and options of oscap(8) tool.
Example Usage
SimpleXCCDFevaluation
The following command evaluates a remote Fedora machine as root. HTML report is written out as
report.html on the local machine. Can be executed from any machine that has ssh, scp and bash. The local
machine does not need to have openscap installed. It also uses the SSH_ADDITIONAL_OPTIONS variable to
configure ssh in such way that contents of the known_hosts file are ignored.
$ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" $ oscap-ssh
root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report
report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
XCCDFEvaluationwithtailoringfile
The following command uses a tailoring file and also copies back ARF and XCCDF results. The tailoring
file is automatically copied from local machine to remote.
$ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile
xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf
arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Runningremotelyasroot
Note that the openscap scanner is best run by the 'root' user as in the first example above. To do this,
the "PermitRootLogin" directive must be enabled in /etc/ssh/sshd_config, which is itself a security
violation. A safer approach is to enable a non-privileged user ('oscap-user' in the second example above)
to run only the oscap binary as root (with the '--sudo' flag) by updating the remote machine's 'sudoers'
file or adding a file like /etc/sudoers.d/99-oscap-user:
# allow oscap-user to run openscap scanner
Defaults!/usr/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap
Name
oscap-ssh - Tool for running oscap over SSH and collecting results.
Reporting Bugs
Please report bugs using https://github.com/OpenSCAP/openscap/issues
Usage
EvaluationofXCCDFcontent
$ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT
Only source data streams are supported as INPUT_CONTENT!
Supported options are:
--profile
--tailoring-file
--tailoring-id
--cpe
--results
--results-arf
--report
--skip-validation
--fetch-remote-resources
--local-files
--progress
--datastream-id
--xccdf-id
--benchmark-id
--remediate
EvaluationofOVALcontent
$ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT
Supported options are:
--id
--variables
--directives
--results
--report
--skip-validation
--datastream-id
--oval-id
CollectionofOVALSystemCharacteristic
$ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT
Supported options are:
--id
--syschar
--variables
--skip-validation
Specific option for oscap-ssh (must be first argument):
--sudo
Environmentvariables
oscap-ssh checks out the SSH_ADDITIONAL_OPTIONS environment variable, and pastes its contents into the
command-line of ssh to the location where options are expected. Supply the variable in form of a string
that corresponds to a section of the ssh command-line and that consists of options you want to pass.
Using--local-filesoption
The oscap-ssh command supports the --local-files option, but it isn't possible to pass './' and '../' as
an argument. Use a full directory path instead.
PNG Icons
