Chapter 11 Using OpenSCAP to Audit of Client Systems

This chapter describes how to audit systems for security compliance within an Oracle Linux Manager setup by using the SCAP Security Guide or any OpenSCAP compliant SCDDF or OVAL files. Oracle provides OVAL files at https://linux.oracle.com/security.

For more information about OpenSCAP and its implementation on Oracle Linux, refer to the security guides corresponding to the Oracle Linux release on your systems at Oracle® Linux Documentation

See also the oscap(8) manual page for more information about the oscap command that is typically used with Oracle Linux Manager for system audits.

11.1 Requirements for Using OpenSCAP in Oracle Linux Manager

To run audit operations using OpenSCAP in Oracle Linux Manager, complete the following requirements:

To be able to run scan operations on a client, the client must have at least the following packages installed:

  • openscap-utils

  • openscap-scanner

  • spacewalk-oscap

Optionally, you can also install scap-security-guide that provides all the content in /usr/share/xml/scap/ssg/content/.

11.2 Performing Audit Scans

This section describes how to schedule system scans on the web interface. You can schedule scans and audits for different systems or system groups.

11.2.1 Using the Oracle Linux Manager Web Interface

Figure 11.1 Schedule New XCCDF Scan Page

  1. On the browser, log in to Oracle Linux Manager server (https://server-fqdn)

  2. Go to Systems.

  3. Select the target for scanning depending on the target.

    • To scan a system:

      1. Click the system name.

      2. Select the Audit tab.

      3. Select the Schedule tab.

    • To scan a system group:

      1. Select System Groups.

      2. Click the system group name.

      3. On the Details page, click Work With Group.

        Oracle Linux Manager loads the group into the System Set Manager.

      4. Select the Audit tab.

  4. On the Schedule New XCCDF Scan page, enter the scan settings in the following fields:

    • Command-line arguments, for example, --profile server

    • Path to XCCDF document, for example, /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml or com.oracle.elsa-2018.xml.

      Note

      If necessary, download the XCCDF file from https:linux.network.com/security.

  5. Change the schedule if required.

  6. Click Schedule.

    When the scan is complete, a summary of the results of the scan are displayed under the List Scans tab. Oracle recommends that you schedule regular scans to check for security regressions.

11.2.2 Using the scap_schedulexccdfscan Command

The spacecmd command only supports XCCDF scans. For OVAL scans, use Oracle Linux Manager's remote command execution facility to run oscap oval eval on Oracle Linux Manager clients.

The following are examples of various spacecmd commands for auditing client systems.

  • Scheduling an XCCDF scan:

    spacecmd {SSM:0}> scap_schedulexccdfscan '/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml' 'profile server' svr1.mydom.com
  • Listing scheduled auditing scans:

    spacecmd {SSM:0}> schedule_list

    See Section 10.2, “Working With Scheduled Events”.

  • Listing summary results of completed scans:

    spacecmd {SSM:0}> scap_listxccdfscans svr1.mydom.com
  • Listing details and results of an XCCDF scan:

    spacecmd {SSM:0}> scap_getxccdfscandetails scan_ID
    spacecmd {SSM:0}> scap_getxccdfscanruleresults scan_ID