6.8 Running a Scan Against a Profile

To scan a system against an XCCDF profile, use the oscap xccdf eval command, for example:

# oscap xccdf eval --profile server \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /var/www/html/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
        /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-26435-8
Result  fail

Title   Ensure /var Located On Separate Partition
Rule    partition_for_var
Ident   CCE-26639-5
Result  fail

Title   Ensure /var/log Located On Separate Partition
Rule    partition_for_var_log
Ident   CCE-26215-4
Result  fail

...

Title   Mount Remote Filesystems with nosuid
Rule    use_nosuid_option_on_nfs_mounts
Ident   CCE-26972-0
Result  pass

Title   Require Client SMB Packet Signing, if using smbclient
Rule    require_smb_client_signing
Ident   CCE-26328-5
Result  fail

Title   Require Client SMB Packet Signing, if using mount.cifs
Rule    require_smb_client_signing_mount.cifs
Ident   CCE-26792-2
Result  pass

This example scans the system against the server profile of the ssg-rhel6-xccdf.xml checklist using the ssg-rhel6-cpe-dictionary.xml CPE dictionary, and writes the XML results file to /tmp and the HTML report to /var/www/html. Any rule in the profile that results in a fail potentially requires the system to be reconfigured.
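As an added example that is not part of this guide, the following POSIX shell script wraps the scan shown above and then lists, from the results XML, the rules whose result is fail, which are the ones to review for reconfiguration. The scan_profile, failed_rules and count_failed functions and the sample results XML are constructed for illustration and assume oscap writes each rule-result start tag and each result element on its own line.

```sh
#!/bin/sh
# Added example, not from the Oracle Linux guide: wrap the scan shown in this
# section and list the rules whose result is "fail", i.e. the ones that may
# need the system reconfigured. Assumes the results XML places each
# <rule-result> start tag and each <result> element on its own line.

# Run the scan as in the section and echo the results path. Needs oscap and
# the SSG content; oscap exits 2 when at least one rule fails, so that
# status is not treated as an error here.
scan_profile() {
    results=/tmp/$(hostname)-ssg-results.xml
    oscap xccdf eval --profile "$1" \
        --results "$results" \
        --report "/var/www/html/$(hostname)-ssg-results.html" \
        --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
              /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml || [ $? -eq 2 ]
    echo "$results"
}

# Print the idref of every <rule-result> whose <result> is "fail".
failed_rules() {
    awk '
        /<rule-result / { id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id) }
        /<result>/      { r = $0; sub(/.*<result>/, "", r); sub(/<\/result>.*/, "", r)
                          if (id != "" && r == "fail") print id; id = "" }
    ' "$1"
}

# Number of failing rules, e.g. for a cron job that alerts when it is non-zero.
count_failed() {
    failed_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape of an oscap results file, not real output.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_server">
  <rule-result idref="partition_for_tmp" severity="low" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="partition_for_var" severity="low" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="use_nosuid_option_on_nfs_mounts" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF
echo "$(count_failed "$SAMPLE") failing rule(s):"; failed_rules "$SAMPLE"
```

On a real host, replace the constructed sample with the file returned by scan_profile server.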

You can view the HTML report in a browser as shown in Figure 6.1.

Figure 6.1 Sample Scan Report