The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
To scan a system against an XCCDF profile, use the oscap xccdf eval command, for example:
# oscap xccdf eval --profile server \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /var/www/html/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-26435-8
Result  fail

Title   Ensure /var Located On Separate Partition
Rule    partition_for_var
Ident   CCE-26639-5
Result  fail

Title   Ensure /var/log Located On Separate Partition
Rule    partition_for_var_log
Ident   CCE-26215-4
Result  fail

...

Title   Mount Remote Filesystems with nosuid
Rule    use_nosuid_option_on_nfs_mounts
Ident   CCE-26972-0
Result  pass

Title   Require Client SMB Packet Signing, if using smbclient
Rule    require_smb_client_signing
Ident   CCE-26328-5
Result  fail

Title   Require Client SMB Packet Signing, if using mount.cifs
Rule    require_smb_client_signing_mount.cifs
Ident   CCE-26792-2
Result  pass
This example performs a scan against the server profile of the ssg-rhel6-xccdf.xml checklist using the ssg-rhel6-cpe-dictionary.xml CPE dictionary, and outputs the XML results and HTML report files to /tmp and /var/www/html respectively. Any rule in a profile that results in a fail potentially requires the system to be reconfigured.
You can view the HTML report in a browser as shown in Figure 6.1.
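The XML file written by --results can also be processed by a script to list the rules that returned fail. The following is an added example, not part of the original Oracle documentation: it reads the rule-result elements of an XCCDF results file, and the embedded sample document and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an XCCDF results file (not real scan output);
# rule ids and CCE idents are taken from the scan output shown above.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <TestResult id="sample-result">
    <rule-result idref="partition_for_tmp">
      <result>fail</result><ident system="http://cce.mitre.org">CCE-26435-8</ident>
    </rule-result>
    <rule-result idref="use_nosuid_option_on_nfs_mounts">
      <result>pass</result><ident system="http://cce.mitre.org">CCE-26972-0</ident>
    </rule-result>
    <rule-result idref="require_smb_client_signing">
      <result>fail</result><ident system="http://cce.mitre.org">CCE-26328-5</ident>
    </rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 results parse the same way."""
    return tag.rsplit("}", 1)[-1]

def rule_results(xml_text):
    """Return (rule_id, result, [idents]) for each rule-result in the last TestResult."""
    root = ET.fromstring(xml_text)
    tests = [e for e in root.iter() if local(e.tag) == "TestResult"]
    if not tests:
        raise ValueError("no TestResult element; not an XCCDF results file")
    rows = []
    for rr in (e for e in tests[-1] if local(e.tag) == "rule-result"):
        kids = {}
        for child in rr:
            kids.setdefault(local(child.tag), []).append((child.text or "").strip())
        rows.append((rr.get("idref"), kids.get("result", ["unknown"])[0], kids.get("ident", [])))
    return rows

def failed_rules(rows):
    """Rules whose result is 'fail', the ones that may need reconfiguration."""
    return [(rule, idents) for rule, result, idents in rows if result == "fail"]

if __name__ == "__main__":
    # Pass the path given to --results; with no argument the sample is used.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    rows = rule_results(text)
    print(dict(Counter(result for _, result, _ in rows)))
    for rule, idents in failed_rules(rows):
        print("FAIL", rule, ",".join(idents))
    sys.exit(1 if failed_rules(rows) else 0)
```

The script exits with status 1 when any rule failed, so it can gate a scheduled job or a build step on the scan outcome.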