oscap-ssh(8) System Administration Utilities oscap-ssh(8)

oscap-ssh - Tool for running oscap over SSH and collecting results.

oscap-ssh runs the oscap tool on a remote system through an SSH connection.
The input files are transferred to the target system and, after the scan
finishes, the result files are transferred back. No temporary data remains on
the remote machine.

The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF
evaluation of remote machines. The remote machine also has to have
oscap installed and in $PATH. This can be accomplished by installing
openscap-scanner.

Usage of the tool mimics the usage and options of the oscap(8) tool.


Evaluation of XCCDF content
$ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

Only source datastreams are supported as INPUT_CONTENT!

Supported options are:
--profile
--tailoring-file
--tailoring-id
--cpe
--results
--results-arf
--report
--skip-valid
--fetch-remote-resources
--progress
--datastream-id
--xccdf-id
--benchmark-id
--remediate


Evaluation of OVAL content
$ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

Supported options are:
--id
--variables
--directives
--results
--report
--skip-valid
--datastream-id
--oval-id
--probe-root (has to be a remote path)


Collection of OVAL System Characteristics
$ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

Supported options are:
--id
--syschar
--variables
--skip-valid

Specific option for oscap-ssh (must be the first argument):
--sudo


Simple XCCDF evaluation
The following command evaluates a remote Fedora machine as root. The HTML
report is written out as report.html on the local machine. It can be
executed from any machine that has ssh, scp and bash. The local machine
does not need to have openscap installed.

$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


XCCDF evaluation with tailoring file
The following command uses a tailoring file and also copies back the ARF
and XCCDF results. The tailoring file is automatically copied from the
local machine to the remote one.

$ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


Running remotely as root
Note that the openscap scanner is best run by the 'root' user, as in the
first example above. To do this, the "PermitRootLogin" directive must
be enabled in /etc/ssh/sshd_config, which is itself a security violation.
A safer approach is to allow a non-privileged user ('oscap-user' in the
second example above) to run only the oscap binary as root (with the
'--sudo' flag) by updating the remote machine's 'sudoers' file or adding
a file like /etc/sudoers.d/99-oscap-user:
# allow oscap-user to run openscap scanner
Defaults!/usr/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap
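The cycle described at the top of this page (ship the inputs, run oscap in a temporary directory, fetch the results, leave nothing behind) together with the --sudo arrangement above, as an added shell example that is not the oscap-ssh script shipped with OpenSCAP. The function name remote_xccdf_eval and the SSH_CMD/SCP_CMD hooks are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the oscap-ssh script shipped with OpenSCAP: a minimal
# re-implementation of the cycle the manual describes (ship the datastream,
# run oscap in a fresh mktemp directory, fetch the results, remove the
# directory). SSH_CMD and SCP_CMD are assumed hooks for swapping the transport.
: "${SSH_CMD:=ssh}"
: "${SCP_CMD:=scp}"

# _remote_rm PORT USER@HOST DIR: delete the scratch directory on the remote side
_remote_rm() { "$SSH_CMD" -p "$1" "$2" "rm -rf '$3'"; }

# remote_xccdf_eval USER@HOST PORT PROFILE DATASTREAM OUTDIR [--sudo]
# Returns oscap's own exit status: 0 when every rule passed, 2 when some rule
# failed (results are still fetched), 1 on error.
remote_xccdf_eval() {
  local target="$1" port="$2" profile="$3" ds="$4" outdir="$5" sudo_flag="${6:-}"
  local oscap=oscap rdir cmd status f
  # --sudo: the unprivileged login user runs only the oscap binary as root
  if [ "$sudo_flag" = "--sudo" ]; then oscap="sudo oscap"; fi

  # one fresh directory per scan, so concurrent scans never share files
  rdir=$("$SSH_CMD" -p "$port" "$target" 'mktemp -d /tmp/oscap-ssh.XXXXXX') || return 1

  # only the source datastream goes over; oscap writes its results next to it
  if ! "$SCP_CMD" -q -P "$port" "$ds" "$target:$rdir/input.xml"; then
    _remote_rm "$port" "$target" "$rdir"; return 1
  fi

  cmd="cd '$rdir' && $oscap xccdf eval --profile '$profile'"
  cmd="$cmd --report report.html --results results.xml --results-arf arf.xml input.xml"
  if "$SSH_CMD" -p "$port" "$target" "$cmd"; then status=0; else status=$?; fi

  # 0 and 2 both mean the scan completed, so the three result files exist
  if [ "$status" -eq 0 ] || [ "$status" -eq 2 ]; then
    mkdir -p "$outdir"
    for f in report.html results.xml arf.xml; do
      "$SCP_CMD" -q -P "$port" "$target:$rdir/$f" "$outdir/$f" || status=1
    done
  fi

  # whatever happened, nothing is left behind on the remote machine
  _remote_rm "$port" "$target" "$rdir"
  return "$status"
}
```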


Please report bugs using https://github.com/OpenSCAP/openscap/issues


Martin Preisler <mpreisle@redhat.com>
Šimon Lukašík <slukasik@redhat.com>



Red Hat, Inc. January 2016 oscap-ssh(8)