oscap-ssh(8)            System Administration Utilities           oscap-ssh(8)




NAME

       oscap-ssh - Tool for running oscap over SSH and collecting results.


DESCRIPTION

       oscap-ssh runs the oscap tool on a remote system through an SSH
       connection. The input files are transferred to the target system and,
       after the scan finishes, the result files are transferred back. No
       temporary data remains on the remote machine.

       The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF
       evaluation of remote machines. The remote machine also has to have
       oscap installed and in $PATH. This can be accomplished by installing
       openscap-scanner.

       The tool's usage and options mimic those of oscap(8).



USAGE

   Evaluation of XCCDF content
       $ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

       Only source data streams are supported as INPUT_CONTENT!

       Supported options are:
         --profile
         --tailoring-file
         --tailoring-id
         --cpe
         --results
         --results-arf
         --report
         --skip-valid
         --skip-validation
         --fetch-remote-resources
         --local-files
         --progress
         --datastream-id
         --xccdf-id
         --benchmark-id
         --remediate


   Evaluation of OVAL content
       $ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

       Supported options are:
         --id
         --variables
         --directives
         --results
         --report
         --skip-valid
         --skip-validation
         --datastream-id
         --oval-id


   Collection of OVAL System Characteristic
       $ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

       Supported options are:
         --id
         --syschar
         --variables
         --skip-valid
         --skip-validation

       Specific option for oscap-ssh (must be the first argument):
         --sudo


   Environment variables
       oscap-ssh reads the SSH_ADDITIONAL_OPTIONS environment variable and
       inserts its contents into the ssh command line at the position where
       ssh options are expected. Supply the variable as a string that
       corresponds to a section of the ssh command line and consists of the
       options you want to pass.


   Using --local-files option
       The oscap-ssh command supports the --local-files option, but it isn't
       possible to pass './' or '../' as its argument. Use a full directory
       path instead.



EXAMPLE USAGE

   Simple XCCDF evaluation
       The following command evaluates a remote Fedora machine as root. The
       HTML report is written out as report.html on the local machine. It can
       be executed from any machine that has ssh, scp and bash; the local
       machine does not need to have openscap installed. It also uses the
       SSH_ADDITIONAL_OPTIONS variable to configure ssh in such a way that
       the contents of the known_hosts file are ignored.

       $ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
       $ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


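       The following shell script is an added example; it is not part of the
       oscap-ssh man page or of the OpenSCAP project. It builds the same kind
       of invocation as above, but with SSH_ADDITIONAL_OPTIONS set to pin the
       remote host key in a dedicated known_hosts file rather than ignoring
       known_hosts entirely, and with the --local-files directory checked for
       the relative forms the tool does not accept. The host address, the
       known_hosts path and /srv/scap/local are constructed placeholders, and
       the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the oscap-ssh man page or the OpenSCAP project.
# Assembles an oscap-ssh command line with a pinned host key; all paths and
# the host address below are constructed placeholders.

# Returns 0 if DIR is usable as a --local-files argument: an absolute path.
# The man page states that './' and '../' are not accepted, so relative
# forms are rejected here before the command is ever run.
check_local_files_dir() {
    dir=$1
    case "$dir" in
        ./*|../*|.|..) return 1 ;;   # relative shortcuts the tool cannot take
        /*)            return 0 ;;   # full directory path, as required
        *)             return 1 ;;   # any other relative path is rejected too
    esac
}

# Builds the SSH_ADDITIONAL_OPTIONS string. Instead of disabling host key
# checking, it points ssh at a dedicated known_hosts file (a constructed
# path) that has been populated with the scan target's verified key, so a
# changed key aborts the scan rather than being accepted silently.
pinned_ssh_options() {
    known_hosts=$1
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known_hosts"
}

# Returns the complete oscap-ssh command as one string; it does not run it.
# Arguments: user@host, port, XCCDF profile id, report path, data stream path.
build_oscap_ssh_cmd() {
    target=$1
    port=$2
    profile=$3
    report=$4
    datastream=$5
    printf 'oscap-ssh %s %s xccdf eval --profile %s --report %s %s' \
        "$target" "$port" "$profile" "$report" "$datastream"
}

# Usage (all values are constructed placeholders):
SSH_ADDITIONAL_OPTIONS=$(pinned_ssh_options "$HOME/.ssh/known_hosts_scan")
export SSH_ADDITIONAL_OPTIONS
if check_local_files_dir /srv/scap/local; then
    cmd=$(build_oscap_ssh_cmd oscap-user@192.168.1.13 22 \
        xccdf_org.ssgproject.content_profile_common report.html \
        /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml)
    printf 'Would run: %s\n' "$cmd"
else
    echo "refusing relative --local-files directory" >&2
fi
```

       Populate the pinned known_hosts file once, for example with ssh-keyscan
       after confirming the fingerprint with the machine's administrator; with
       StrictHostKeyChecking=yes, ssh then refuses to connect if the host key
       changes instead of accepting a new one, which is the property the
       /dev/null setting above gives up.
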
   XCCDF Evaluation with tailoring file
       The following command uses a tailoring file and also copies back the
       ARF and XCCDF results. The tailoring file is automatically copied from
       the local machine to the remote one.

       $ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


   Running remotely as root
       Note that the openscap scanner is best run by the 'root' user as in the
       first example above. To do this, the "PermitRootLogin" directive must
       be enabled in /etc/ssh/sshd_config, which is itself a security
       violation. A safer approach is to enable a non-privileged user
       ('oscap-user' in the second example above) to run only the oscap
       binary as root (with the '--sudo' flag) by updating the remote
       machine's 'sudoers' file or adding a file like
       /etc/sudoers.d/99-oscap-user:
         # allow oscap-user to run openscap scanner
         Defaults!/usr/bin/oscap !requiretty
         oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap



REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues



AUTHORS

       Martin Preisler <mpreisle@redhat.com>
       Šimon Lukašík <slukasik@redhat.com>



Red Hat, Inc.                    January 2016                     oscap-ssh(8)