8 Scanning Remote Systems
Use oscap-ssh to scan remote systems over an SSH connection. By using remote
scanning you can audit systems that you do not have physical access to and that may not have a
current version of the SCAP Security Guide or current OVAL definitions available. Most
typically, this command can be used to scan multiple remote systems against a single locally
stored and maintained OVAL definition file. The oscap-ssh command is provided
in the openscap-utils package.
The remote system must have the openscap-scanner package installed, which
provides the oscap command. This system should also be configured with a user
account that you connect with and that has sudo privileges to be able to run the scan
correctly.
The oscap-ssh utility accepts the same sub-commands and options as the
oscap utility, but requires that you specify the hostname or IP address of
the remote system to scan and the port number that SSH is listening on. Use the
--sudo option to escalate user privileges before running the scan. Note
that you are only able to use a data stream file when using oscap-ssh to
perform an XCCDF scan on a remote system.
To scan a system remotely, run the oscap-ssh command as in the following
example:
oscap-ssh --sudo oscap-user@198.51.100.157 22 \
oval eval --results elsa-results-oval-198.51.100.157.xml \
--report elsa-report-oval-198.51.100.157.html \
com.oracle.elsa-ol8.xmlYou can configure SSH options, such as the location of SSH keys, in your local user SSH configuration file or by setting the environment variable SSH_ADDITIONAL_OPTIONS. For more information about configuring your SSH connections, see Oracle Linux: Connecting to Remote Systems With OpenSSH.
Although, it may be possible to connect as the root user on a remote system directly over
SSH, Oracle recommends against this practice. Always use oscap-ssh with the
--sudo option and configure an appropriate user on the remote system for
this task. See Oracle Linux 8: Setting Up System Users and Authentication for more information.