oscap-ssh(8) System Administration Utilities oscap-ssh(8)

NAME
       oscap-ssh - Tool for running oscap over SSH and collecting results.

DESCRIPTION
       oscap-ssh runs the oscap tool on a remote system through an SSH
       connection. The input files are transferred to the target system and,
       after the scan finishes, the result files are transferred back. No
       temporary data remains on the remote machine.

       The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF
       evaluation of remote machines. The remote machine also has to have
       oscap installed and in $PATH. This can be accomplished by installing
       openscap-scanner.

       Usage of the tool mimics the usage and options of the oscap(8) tool.


USAGE
   Evaluation of XCCDF content
       $ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

       Only source data streams are supported as INPUT_CONTENT!

       Supported options are:
              --profile
              --tailoring-file
              --tailoring-id
              --cpe
              --results
              --results-arf
              --report
              --skip-valid
              --skip-validation
              --fetch-remote-resources
              --progress
              --datastream-id
              --xccdf-id
              --benchmark-id
              --remediate


   Evaluation of OVAL content
       $ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

       Supported options are:
              --id
              --variables
              --directives
              --results
              --report
              --skip-valid
              --skip-validation
              --datastream-id
              --oval-id


   Collection of OVAL System Characteristics
       $ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

       Supported options are:
              --id
              --syschar
              --variables
              --skip-valid
              --skip-validation

       Specific option for oscap-ssh (must be the first argument):
              --sudo


   Environment variables
       oscap-ssh reads the SSH_ADDITIONAL_OPTIONS environment variable and
       pastes its contents into the ssh command line at the position where
       options are expected. Supply the variable as a string that corresponds
       to a section of the ssh command line and consists of the options you
       want to pass.


EXAMPLES
   Simple XCCDF evaluation
       The following command evaluates a remote Fedora machine as root. The
       HTML report is written out as report.html on the local machine. It can
       be executed from any machine that has ssh, scp and bash; the local
       machine does not need to have openscap installed. It also uses the
       SSH_ADDITIONAL_OPTIONS variable to configure ssh so that the contents
       of the known_hosts file are ignored.

       $ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
       $ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


   XCCDF evaluation with tailoring file
       The following command uses a tailoring file and also copies back the
       ARF and XCCDF results. The tailoring file is automatically copied from
       the local machine to the remote one.

       $ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


   Running remotely as root
       Note that the openscap scanner is best run by the 'root' user as in
       the first example above. To do this, the "PermitRootLogin" directive
       must be enabled in /etc/ssh/sshd_config, which is itself a security
       violation. A safer approach is to enable a non-privileged user
       ('oscap-user' in the second example above) to run only the oscap
       binary as root (with the '--sudo' flag) by updating the remote
       machine's 'sudoers' file or adding a file like
       /etc/sudoers.d/99-oscap-user:

              # allow oscap-user to run openscap scanner
              Defaults!/usr/bin/oscap !requiretty
              oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap

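       The first example above turns host key checking off, and the sudoers
       snippet limits oscap-user to /usr/bin/oscap; the wrapper below is an
       added example, not part of the oscap-ssh man page or the OpenSCAP
       project, that combines the two safely: it points SSH_ADDITIONAL_OPTIONS
       at a dedicated known_hosts file with the target's pinned key, refuses
       to scan a host that has no pinned entry, and runs the scan with --sudo
       as the unprivileged user. The function names ssh_opts_for, host_pinned
       and scan_host, the OSCAP_SSH variable used to locate the binary, and
       the sample known_hosts lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the oscap-ssh man page: scan through oscap-ssh
# with a pinned host key instead of StrictHostKeyChecking=no.

# Build the string oscap-ssh splices into the ssh command line via
# SSH_ADDITIONAL_OPTIONS. $1 = dedicated known_hosts file holding the
# scanned hosts' keys (populate it out of band, e.g. from the console).
ssh_opts_for() {
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1 -o BatchMode=yes"
}

# Succeed only if known_hosts file $2 has a plain-text entry for host $1.
# Handles "host", "host,ip" and "[host]:port" forms; hashed (|1|...) and
# @cert-authority lines are skipped, so they do not count as pinned here.
host_pinned() {
    host=$1 file=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[#@|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)
                if (name == h) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }' "$file"
}

# Run an XCCDF scan as an unprivileged user that may sudo only /usr/bin/oscap.
# $1 = user@host  $2 = port  $3 = known_hosts file  $4 = profile  $5 = datastream
# OSCAP_SSH (hypothetical variable) overrides the path to the oscap-ssh binary.
scan_host() {
    target=$1 port=$2 kh=$3 profile=$4 ds=$5
    host=${target#*@}
    if ! host_pinned "$host" "$kh"; then
        echo "refusing to scan $host: no pinned key in $kh" >&2
        return 2
    fi
    SSH_ADDITIONAL_OPTIONS=$(ssh_opts_for "$kh") \
        "${OSCAP_SSH:-oscap-ssh}" --sudo "$target" "$port" xccdf eval \
            --profile "$profile" --results "results-$host.xml" \
            --results-arf "arf-$host.xml" --report "report-$host.html" "$ds"
}
```

       host_pinned only matches the host name, not the port, so a key pinned
       as "[host]:2222" is accepted for any port of that host.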

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues

AUTHORS
       Martin Preisler <mpreisle@redhat.com>
       Šimon Lukašík <slukasik@redhat.com>

Red Hat, Inc. January 2016 oscap-ssh(8)