man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022
 
 

oscap-ssh (8)

System Administration Utilities                                   oscap-ssh(8)



NAME
       oscap-ssh - Tool for running oscap over SSH and collecting results.

DESCRIPTION
       oscap-ssh runs the oscap tool on a remote system over an SSH connection.
       The input files are transferred to the target system, and after the scan
       finishes the result files are transferred back. No temporary data remains
       on the remote machine.

       The tool requires bash, ssh, scp and mktemp to perform OVAL  and  XCCDF
       evaluation  of  remote  machines.  The  remote machine also has to have
       oscap installed and in $PATH. This can be  accomplished  by  installing
       openscap-scanner.

       Usage of the tool mimics the usage and options of the oscap(8) tool.


USAGE
   Evaluation of XCCDF content
       $ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

       Only source datastreams are supported as INPUT_CONTENT!

       Supported options are:
         --profile
         --tailoring-file
         --tailoring-id
         --cpe
         --results
         --results-arf
         --report
         --skip-valid
         --fetch-remote-resources
         --progress
         --datastream-id
         --xccdf-id
         --benchmark-id
         --remediate


   Evaluation of OVAL content
       $ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

       Supported options are:
         --id
         --variables
         --directives
         --results
         --report
         --skip-valid
         --datastream-id
         --oval-id


   Collection of OVAL System Characteristic
       $ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

       Supported options are:
         --id
         --syschar
         --variables
         --skip-valid

       Option specific to oscap-ssh (must be the first argument, before
       user@host):
         --sudo    run the remote oscap binary via sudo (see "Running remotely
                   as root" below)


   Environment variables
       oscap-ssh reads the SSH_ADDITIONAL_OPTIONS environment variable and
       inserts its contents into the ssh command line at the position where
       ssh options are expected. Supply the variable as a string that is a
       valid fragment of the ssh command line and consists only of the options
       you want to pass. Because the string is spliced into the command line
       as separate words, option values that contain whitespace cannot be
       passed this way.


EXAMPLE USAGE
   Simple XCCDF evaluation
       The following command evaluates a remote Fedora machine as root. The
       HTML report is written out as report.html on the local machine. It can
       be executed from any machine that has ssh, scp and bash; the local
       machine does not need to have openscap installed. It also uses the
       SSH_ADDITIONAL_OPTIONS variable to configure ssh so that the contents
       of the known_hosts file are ignored. Note that this disables host-key
       verification entirely, so the scanner cannot detect a substituted or
       intercepted target and will hand its root credentials to whatever
       answers at that address; outside of throwaway test environments, pin
       the expected host key in a known_hosts file instead.

       $ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
       $ oscap-ssh root@192.168.1.13 22 xccdf eval \
             --profile xccdf_org.ssgproject.content_profile_common \
             --report report.html \
             /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


   XCCDF Evaluation with tailoring file
       The following command uses a tailoring file and also copies back ARF
       and XCCDF results. The tailoring file is automatically copied from the
       local machine to the remote one.

       $ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval \
             --profile xccdf_org.ssgproject.content_profile_common \
             --report report.html \
             --results results.xml \
             --results-arf arf.xml \
             --tailoring-file ssg-fedora-ds-tailoring.xml \
             /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml


   Running remotely as root
       Note that the openscap scanner is best run as the 'root' user, as in
       the first example above. Doing that over SSH requires enabling the
       "PermitRootLogin" directive in /etc/ssh/sshd_config, which most
       hardening baselines forbid. A safer approach is to let a non-privileged
       user ('oscap-user' in the second example above) run only the oscap
       binary as root (with the '--sudo' flag) by updating the remote
       machine's 'sudoers' file or adding a file like
       /etc/sudoers.d/99-oscap-user:
         # allow oscap-user to run openscap scanner
         Defaults!/usr/bin/oscap !requiretty
         oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap

       Validate the drop-in with 'visudo -cf /etc/sudoers.d/99-oscap-user'
       before relying on it; a parse error in any sudoers file makes sudo
       refuse to run at all. The rule above places no restriction on the
       arguments passed to oscap, so oscap-user can still apply --remediate or
       write result files to arbitrary paths as root. Treat the account as
       privileged: restrict which scanner hosts may log in as it (for example
       with a 'from=' restriction on its authorized key) and keep the
       datastreams it is fed under your control.
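
       The following wrapper is an added example; it is not part of this man
       page or of the OpenSCAP project. It ties together the SSH_ADDITIONAL_
       OPTIONS mechanism, the unprivileged '--sudo' invocation from the second
       example, and the exit status of the scan for a small fleet. Assumed
       rather than taken from the page: the variable names, the "host[ port]"
       hosts-file format, the output layout, the pinned-known_hosts path, and
       that oscap-ssh exits with the remote oscap status (0 = every rule
       passed, 2 = at least one rule failed, anything else = error).

```shell
#!/bin/sh
# Added example wrapper around oscap-ssh (not from the man page or OpenSCAP).
# Pins SSH host keys instead of disabling checks, scans as an unprivileged
# account with --sudo on the remote side, and maps exit status to a verdict.

OSCAP_SSH_CMD="${OSCAP_SSH_CMD:-oscap-ssh}"    # overridable so the wrapper can be tested offline
REMOTE_USER="${REMOTE_USER:-oscap-user}"       # account with the sudoers rule for /usr/bin/oscap
DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_common}"
OUT_DIR="${OUT_DIR:-./scan-results}"
# Assumed path: a known_hosts file populated out of band (e.g. verified ssh-keyscan output).
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/scanner_known_hosts}"

# Map an "xccdf eval" exit status (assumed to be propagated by oscap-ssh) to a verdict.
classify_exit() {
    case "$1" in
        0) echo compliant ;;
        2) echo non-compliant ;;
        *) echo error ;;
    esac
}

# Scan one host. Prints "<host> <verdict>"; the tool's own output goes to a per-host log.
scan_host() {
    host="$1"
    port="${2:-22}"
    mkdir -p "$OUT_DIR"
    # Unknown or changed host keys make ssh fail instead of prompting. The value is
    # spliced into the ssh command line as separate words, so no spaces in KNOWN_HOSTS.
    SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS -o BatchMode=yes"
    export SSH_ADDITIONAL_OPTIONS
    rc=0
    "$OSCAP_SSH_CMD" --sudo "$REMOTE_USER@$host" "$port" xccdf eval \
        --profile "$PROFILE" \
        --report "$OUT_DIR/$host-report.html" \
        --results-arf "$OUT_DIR/$host-arf.xml" \
        "$DATASTREAM" >"$OUT_DIR/$host.log" 2>&1 || rc=$?
    echo "$host $(classify_exit "$rc")"
}

# Scan every "host[ port]" line of a hosts file (blank lines and '#' comments skipped)
# and finish with a one-line summary.
scan_fleet() {
    hosts_file="$1"
    n_ok=0; n_fail=0; n_err=0
    while read -r host port; do
        case "$host" in ''|'#'*) continue ;; esac
        verdict=$(scan_host "$host" "$port")
        echo "$verdict"
        case "$verdict" in
            *" non-compliant") n_fail=$((n_fail + 1)) ;;
            *" compliant")     n_ok=$((n_ok + 1)) ;;
            *)                 n_err=$((n_err + 1)) ;;
        esac
    done <"$hosts_file"
    echo "summary: $n_ok compliant, $n_fail non-compliant, $n_err error"
}

# Usage: scan_fleet hosts.txt
```

       Run it as 'scan_fleet hosts.txt' after sourcing the file. A host whose
       key is missing from the pinned known_hosts file is reported as "error"
       rather than scanned, which is the intended failure mode; fix the
       known_hosts entry rather than weakening the ssh options.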


REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues


AUTHORS
       Martin Preisler <mpreisle@redhat.com>
       Šimon Lukašík <slukasik@redhat.com>



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------------------+
       |ATTRIBUTE TYPE |       ATTRIBUTE VALUE        |
       +---------------+------------------------------+
       |Availability   | security/compliance/openscap |
       +---------------+------------------------------+
       |Stability      | Uncommitted                  |
       +---------------+------------------------------+

NOTES
       Source code for open source software components in Oracle Solaris can
       be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       https://github.com/OpenSCAP/openscap/releases/download/1.3.4/openscap-1.3.4.tar.gz.

       Further information about this software can be found on the open source
       community website at http://www.open-scap.org.



Red Hat, Inc.                    January 2016                     oscap-ssh(8)