此内容没有您所选择的语言版本。
8.4.3. Scanning the System
The most important functionality of oscap is to perform configuration and vulnerability scans of a local system. The following is a general syntax of the respective command:
oscap [options] module eval [module_operation_options_and_arguments]
The oscap utility can scan systems against the SCAP content represented by both, an
XCCDF
(The eXtensible Configuration Checklist Description Format) benchmark and OVAL
(Open Vulnerability and Assessment Language) definitions. The security policy can have a form of a single OVAL or XCCDF file or multiple separate XML files where each file represents a different component (XCCDF, OVAL, CPE, CVE, and others). The result of a scan can be printed to both, standard output and an XML file. The result file can be then further processed by oscap in order to generate a report in a human-readable format. The following examples illustrate the most common usage of the command.
Example 8.6. Scanning the System Using the SSG OVAL definitions
To scan your system against the SSG OVAL definition file while evaluating all definitions, run the following command:
~]$ oscap oval eval --results
scan-oval-results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-oval-results.xml
file in the current directory.
Example 8.7. Scanning the System Using the SSG OVAL definitions
To evaluate a particular OVAL definition from the security policy represented by the SSG data stream file, run the following command:
~]$ oscap oval eval --id
oval:ssg:def:100 --results
scan-oval-results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-oval-results.xml
file in the current directory.
Example 8.8. Scanning the System Using the SSG XCCDF benchmark
To perform the SSG XCCDF benchmark for the
xccdf_org.ssgproject.content_profile_rht-ccp
profile on your system, run the following command:
~]$ oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_rht-ccp --results
scan-xccdf-results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The results of the scan will be stored as the
scan-xccdf-results.xml
file in the current directory.
Note
The
--profile
command-line argument selects the security profile from the given XCCDF or data stream file. The list of available profiles can be obtained by running the oscap info
command. If the --profile
command-line argument is omitted the default XCCDF profile is used as required by SCAP standard. Note that the default XCCDF profile may or may not be an appropriate security policy.