8 Scanning Remote Systems

Use oscap-ssh to scan remote systems over an SSH connection. By using remote scanning, you can audit systems that you do not have physical access to and that may not have a current version of the SCAP Security Guide or current OVAL definitions available. Most typically, this command is used to scan multiple remote systems against a single locally stored and maintained OVAL definition file. The oscap-ssh command is provided in the openscap-utils package.

The remote system must have the openscap-scanner package installed, which provides the oscap command. The remote system should also be configured with a user account that you connect as and that has sudo privileges, so that the scan can run correctly.

The oscap-ssh utility accepts the same sub-commands and options as the oscap utility, but requires that you specify the hostname or IP address of the remote system to scan and the port number that SSH is listening on. Use the --sudo option to escalate user privileges before running the scan. Note that you are only able to use a data stream file when using oscap-ssh to perform an XCCDF scan on a remote system.

To scan a system remotely, run the oscap-ssh command as in the following example:

oscap-ssh --sudo oscap-user@ 22 \
  oval eval --results elsa-results-oval- \
  --report elsa-report-oval- \

You can configure SSH options, such as the location of SSH keys, in your local user SSH configuration file or by setting the environment variable SSH_ADDITIONAL_OPTIONS. For more information about configuring your SSH connections, see Oracle Linux: Connecting to Remote Systems With OpenSSH.

Although it may be possible to connect as the root user on a remote system directly over SSH, Oracle recommends against this practice. Always use oscap-ssh with the --sudo option and configure an appropriate user on the remote system for this task. See Oracle Linux 8: Setting Up System Users and Authentication for more information.
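
The typical use described above, scanning several remote systems against one locally maintained OVAL definition file, shown as an added example that is not part of the original documentation. The hosts-file format (one `user@host port` entry per line), the output file names, the `BatchMode` default for SSH_ADDITIONAL_OPTIONS and the `OSCAP_SSH` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scan a list of remote hosts against one local OVAL file.
# Assumptions: hosts file has one "user@host port" per line; OSCAP_SSH is a
# hypothetical override used to substitute a stub for oscap-ssh when testing.

# Unattended runs should fail rather than prompt (assumed ssh option choice).
: "${SSH_ADDITIONAL_OPTIONS:=-o BatchMode=yes}"
export SSH_ADDITIONAL_OPTIONS

# Accept only plain user@host targets and ports 1-65535, so a malformed or
# option-like entry (for example one starting with "-") never reaches ssh.
valid_target() {
  case $1 in
    -*|*[!A-Za-z0-9._@-]*|*@*@*|@*|*@) return 1 ;;
    *@*) ;;
    *) return 1 ;;
  esac
  case $2 in
    ''|*[!0-9]*|??????*) return 1 ;;
  esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# scan_all HOSTS_FILE OVAL_FILE OUT_DIR
# Returns 1 if any host was skipped or failed, 2 on a local setup error.
scan_all() {
  hosts=$1 oval=$2 out=$3 rc=0
  [ -r "$oval" ] || { echo "cannot read $oval" >&2; return 2; }
  mkdir -p "$out" || return 2
  # Read the list on fd 3: ssh consumes stdin and would swallow the rest of it.
  while read -r target port <&3 || [ -n "$target" ]; do
    case $target in ''|'#'*) continue ;; esac
    if ! valid_target "$target" "$port"; then
      echo "skipping invalid entry: $target $port" >&2; rc=1; continue
    fi
    host=${target#*@}
    # Same form as the command above: --sudo, target, port, then oval eval.
    "${OSCAP_SSH:-oscap-ssh}" --sudo "$target" "$port" \
      oval eval --results "$out/results-$host.xml" \
      --report "$out/report-$host.html" "$oval" ||
      { echo "scan failed on $host" >&2; rc=1; }
  done 3<"$hosts"
  return "$rc"
}

if [ "$#" -eq 3 ]; then scan_all "$@"; fi
```

Each host gets its own results and report file in the output directory, so one failed or unreachable system does not overwrite or block the others.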