oscap-ssh - Tool for running oscap over SSH and collecting results.
System Administration Utilities oscap-ssh(8)
NAME
oscap-ssh - Tool for running oscap over SSH and collecting results.
DESCRIPTION
oscap-ssh runs the oscap tool on a remote system through an SSH connection.
The input files are transferred to the target system and, after the scan
finishes, the result files are transferred back. No temporary data remains on
the remote machine.
The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF
evaluation of remote machines. The remote machine also has to have
oscap installed and in $PATH. This can be accomplished by installing
openscap-scanner.
Usage of the tool mimics the usage and options of the oscap(8) tool.
USAGE
Evaluation of XCCDF content
$ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT
Only source datastreams are supported as INPUT_CONTENT!
Supported options are:
--profile
--tailoring-file
--tailoring-id
--cpe
--results
--results-arf
--report
--skip-valid
--fetch-remote-resources
--progress
--datastream-id
--xccdf-id
--benchmark-id
--remediate
Evaluation of OVAL content
$ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT
Supported options are:
--id
--variables
--directives
--results
--report
--skip-valid
--datastream-id
--oval-id
Collection of OVAL System Characteristic
$ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT
Supported options are:
--id
--syschar
--variables
--skip-valid
Specific option for oscap-ssh (must be first argument):
--sudo
Environment variables
oscap-ssh reads the SSH_ADDITIONAL_OPTIONS environment variable and
pastes its contents into the ssh command line at the position where
options are expected. Supply the variable as a string that corresponds
to a section of the ssh command line and consists of the options you
want to pass.
EXAMPLE USAGE
Simple XCCDF evaluation
The following command evaluates a remote Fedora machine as root. The HTML
report is written out as report.html on the local machine. It can be
executed from any machine that has ssh, scp and bash; the local machine
does not need to have openscap installed. It also uses the
SSH_ADDITIONAL_OPTIONS variable to configure ssh in such a way that the
contents of the known_hosts file are ignored.
$ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
XCCDF Evaluation with tailoring file
The following command uses a tailoring file and also copies back the ARF
and XCCDF results. The tailoring file is automatically copied from the
local machine to the remote one.
$ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
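As an added example (not code from the oscap-ssh project or from OpenSCAP), the following wrapper uses the SSH_ADDITIONAL_OPTIONS mechanism described above to pin host keys to a dedicated known_hosts file instead of discarding them as the first example does, runs the scan through the unprivileged account of the second example with --sudo, and then summarizes the results.xml that oscap-ssh copies back. The account name, key path, known_hosts path, results directory and the sample results file are assumptions constructed for this example; the oscap-ssh arguments are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not part of oscap-ssh or OpenSCAP: pin host keys, scan through
# an unprivileged account with --sudo, and summarize the returned XCCDF results.
# SCAN_USER, SCAN_KEY, SCAN_KNOWN_HOSTS and the results/ directory are
# assumptions made for this example.

SCAN_USER=${SCAN_USER:-oscap-user}
SCAN_KEY=${SCAN_KEY:-$HOME/.ssh/oscap_scan_key}                      # assumed path
SCAN_KNOWN_HOSTS=${SCAN_KNOWN_HOSTS:-$HOME/.ssh/oscap_known_hosts}   # assumed path
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_common}
DATASTREAM=${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}

# Scan HOST (optional PORT, default 22). Host keys must already be present in
# SCAN_KNOWN_HOSTS: with StrictHostKeyChecking=yes an unknown or changed key
# makes ssh fail instead of connecting, and BatchMode=yes stops it from
# prompting. Results are written to results/HOST/.
scan_host() {
    host=$1
    port=${2:-22}
    outdir=results/$host
    mkdir -p "$outdir" || return 1
    SSH_ADDITIONAL_OPTIONS="-i $SCAN_KEY -o IdentitiesOnly=yes -o BatchMode=yes \
-o UserKnownHostsFile=$SCAN_KNOWN_HOSTS -o StrictHostKeyChecking=yes"
    export SSH_ADDITIONAL_OPTIONS
    oscap-ssh --sudo "$SCAN_USER@$host" "$port" xccdf eval \
        --profile "$PROFILE" \
        --results "$outdir/results.xml" \
        --results-arf "$outdir/arf.xml" \
        --report "$outdir/report.html" \
        "$DATASTREAM"
}

# Number of rule results of one kind (pass, fail, notapplicable, ...) in an
# XCCDF results file. Each <rule-result> carries exactly one <result> element
# and oscap writes one per line, so a line count is the rule count.
count_results() {
    n=$(grep -c "<result>$2</result>" "$1") || true   # grep -c exits 1 when the count is 0
    echo "${n:-0}"
}

# One-line summary of a results file, e.g. "pass=1 fail=2 notapplicable=1".
summarize() {
    printf 'pass=%s fail=%s notapplicable=%s\n' \
        "$(count_results "$1" pass)" \
        "$(count_results "$1" fail)" \
        "$(count_results "$1" notapplicable)"
}

# Constructed sample in the shape of an XCCDF results file, so the summary
# functions can be exercised without a remote machine.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_constructed">
  <rule-result idref="xccdf_example_rule_1"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_2"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_3"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_4"><result>notapplicable</result></rule-result>
</TestResult>
EOF
}

# Usage: sh scan.sh HOST [PORT]; with no arguments only the functions are defined.
if [ $# -gt 0 ]; then
    scan_host "$1" "$2"
    summarize "results/$1/results.xml"
fi
```

Populate the pinned known_hosts file once, out of band (for instance by copying the host's public key from the host itself), so that every later scan verifies the remote machine's identity before the datastream and the --sudo session leave the scanning host.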
Running remotely as root
Note that the openscap scanner is best run by the 'root' user as in the
first example above. To do this, the "PermitRootLogin" directive must
be enabled in /etc/ssh/sshd_config, which is itself a security violation.
A safer approach is to enable a non-privileged user ('oscap-user'
in the second example above) to run only the oscap binary as root (with
the '--sudo' flag) by updating the remote machine's 'sudoers' file or
adding a file like /etc/sudoers.d/99-oscap-user:
# allow oscap-user to run openscap scanner
Defaults!/usr/bin/oscap !requiretty
oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap
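An added example (not from the oscap-ssh project) of installing that drop-in the way sudo expects it: a file name that sudo will not ignore, mode 0440, and a visudo -c syntax check before the file goes live. The rule text and the oscap-user name are taken from above; the helper names and the root-only validation step are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of oscap-ssh or OpenSCAP: write the sudoers drop-in
# from the man page to a temporary file, check it, then move it into place.

SCAN_USER=${SCAN_USER:-oscap-user}

# Exactly the policy shown in the man page: SCAN_USER may run only
# /usr/bin/oscap, as root, without a password and without a tty.
sudoers_policy() {
    printf '%s\n' \
        "# allow $SCAN_USER to run openscap scanner" \
        "Defaults!/usr/bin/oscap !requiretty" \
        "$SCAN_USER ALL=(root) NOPASSWD: /usr/bin/oscap"
}

# Install the policy at TARGET (default /etc/sudoers.d/99-SCAN_USER).
# Returns non-zero, leaving no file behind, if anything is wrong.
install_sudoers() {
    target=${1:-/etc/sudoers.d/99-$SCAN_USER}
    # sudoers(5): drop-ins whose names contain '.' or end in '~' are skipped,
    # so such a file would silently grant nothing. Refuse those names.
    case ${target##*/} in
        *.*|*~) echo "refusing a name sudo would ignore: $target" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sudoers_policy > "$tmp"
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -c -f validates the candidate without touching /etc/sudoers.
    # Depending on the sudo version it may also check owner and mode, so it
    # is run only as root (installing into /etc/sudoers.d needs root anyway);
    # as an ordinary user the syntax check is skipped.
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target"
}

# Usage: sh install-oscap-sudoers.sh [TARGET]; with no argument the default
# path under /etc/sudoers.d is used and root is required.
if [ "${INSTALL_NOW:-0}" = 1 ]; then
    install_sudoers "$1"
fi
```

Because a syntax error in a drop-in can make sudo reject its whole configuration, validating the candidate file first and only then moving it into /etc/sudoers.d keeps a typo from locking administrators out of sudo on the scanned machine.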
REPORTING BUGS
Please report bugs using https://github.com/OpenSCAP/openscap/issues
AUTHORS
Martin Preisler <mpreisle@redhat.com>
Šimon Lukašík <slukasik@redhat.com>
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+------------------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+------------------------------+
|Availability | security/compliance/openscap |
+---------------+------------------------------+
|Stability | Uncommitted |
+---------------+------------------------------+
NOTES
Source code for open source software components in Oracle Solaris can
be found at https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.
This software was built from source available at
https://github.com/oracle/solaris-userland. The original community
source was downloaded from
https://github.com/OpenSCAP/openscap/releases/download/1.3.4/openscap-1.3.4.tar.gz.
Further information about this software can be found on the open source
community website at http://www.open-scap.org.
Red Hat, Inc. January 2016 oscap-ssh(8)