Ce contenu n'est pas disponible dans la langue sélectionnée.
8.4. Using oscap
The oscap command-line utility allows users to scan their local systems, validate security compliance content, and generate reports and guides based on these scans and evaluations. This utility serves as a front end to the OpenSCAP library and groups its functionalities to modules (sub-commands) based on a type of the SCAP content it processes.
The following sections explain how to install oscap, perform the most common operations, and display the relevant examples for these tasks. To learn more about specific sub-commands, use the
--help
option with an oscap command:
oscap [options] module module_operation [module_operation_options_and_arguments] --help
where module represents a type of SCAP content that is being processed, and module_operation is a sub-command for the specific operation on the SCAP content.
Example 8.4. Getting Help on the Specific oscap Operation
~]$ oscap ds sds-split --help
oscap -> ds -> sds-split
Split given SourceDataStream into separate files
Usage: oscap [options] ds sds-split [options] SDS TARGET_DIRECTORY
SDS - Source data stream that will be split into multiple files.
TARGET_DIRECTORY - Directory of the resulting files.
Options:
--datastream-id <id> - ID of the datastream in the collection to use.
--xccdf-id <id> - ID of XCCDF in the datastream that should be evaluated.
To learn about all oscap features and the complete list of its options, see the
oscap(8)
manual page.
8.4.1. Installing oscap
To install oscap to your system, run the following command as
root
:
~]# yum install openscap-scanner
This command allows you to install all packages required by oscap to function properly, including the openscap package.
If you want to write your own security content, you should also install the openscap-engine-sce package that provides the Script Check Engine (SCE). SCE is an extension to SCAP protocol that allows content authors to write their security content using a scripting language, such as Bash, Python or Ruby. The openscap-engine-sce package can be installed in the same way as the openscap-scanner package, however, you need to have access to the repository or channel with optional packages for your Red Hat Enterprise Linux variant. If your system is registered with Red Hat Subscription Management, enable the
rhel-6-variant-optional-rpms
repository as described in the Yum chapter of Red Hat Enterprise Linux 6 Deployment Guide, where variant is your Red Hat Enterprise Linux variant, such as server, or workstation. If your system is registered with RHN Classic, subscribe the system to the rhel-architecture-variant-6-optional
channel as documented here: https://access.redhat.com/site/solutions/9907.
Optionally, after installing oscap, you can check capabilities of your version of oscap, what specifications it supports, where the certain oscap files are stored, what kinds of SCAP objects you can use, and other useful information. To display this information, type the following command:
~]$ oscap -V
OpenSCAP command line tool (oscap) 1.0.8
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)
==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
==== Supported OVAL objects and associated OpenSCAP probes ====
system_info probe_system_info
family probe_family
filehash probe_filehash
environmentvariable probe_environmentvariable
textfilecontent54 probe_textfilecontent54
textfilecontent probe_textfilecontent
variable probe_variable
xmlfilecontent probe_xmlfilecontent
environmentvariable58 probe_environmentvariable58
filehash58 probe_filehash58
inetlisteningservers probe_inetlisteningservers
rpminfo probe_rpminfo
partition probe_partition
iflisteners probe_iflisteners
rpmverify probe_rpmverify
rpmverifyfile probe_rpmverifyfile
rpmverifypackage probe_rpmverifypackage
selinuxboolean probe_selinuxboolean
selinuxsecuritycontext probe_selinuxsecuritycontext
file probe_file
interface probe_interface
password probe_password
process probe_process
runlevel probe_runlevel
shadow probe_shadow
uname probe_uname
xinetd probe_xinetd
sysctl probe_sysctl
process58 probe_process58
fileextendedattribute probe_fileextendedattribute
routingtable probe_routingtable
Before you can start using the oscap utility effectively, you also have to install or import some security content on your system. You can download the SCAP content from the respective web site, or if specified as an RPM file or package, you can install it from the specified location, or known repository, using the Yum package manager.
For example, to install the SCAP Security Guide (SSG) package that contains the latest set of security polices for Linux systems, run the following command:
~]# yum install scap-security-guide
After you install the scap-security-guide package on your system, unless specified otherwise, the SSG security content is available under the
/usr/share/xml/scap/ssg/content/
directory, and you can proceed with other security compliance operations.
To find out other possible sources of existing SCAP content that might suit your needs, see Section 8.8, “Additional Resources”.
After installing the SCAP content on your system, oscap can process the content by specifying the file path to the content. The oscap utility supports SCAP version 1.2 and is backward compatible with SCAP versions 1.1 and 1.0 so it can process earlier versions of the SCAP content without any special requirements.