9 Scanning Remote Systems
Use oscap-ssh to scan remote systems over an SSH connection. By using remote scanning you can audit systems that you don't have physical access to and that might not have a current version of the SCAP Security Guide or current OVAL definitions available. The oscap-ssh utility is often used to scan several remote systems against a single locally stored and maintained OVAL definition file. The oscap-ssh command is provided in the openscap-utils package.
The remote system must have the openscap-scanner package installed, which provides the oscap command. The remote system must also be configured with a user account that you can connect as and that has sudo privileges, so that the scan can run correctly.
The oscap-ssh utility accepts the same subcommands and options as the oscap utility, but requires that you specify the hostname or IP address of the remote system to scan and the port number that SSH is listening on. Use the --sudo option to escalate user privileges before running the scan. Note that when you use oscap-ssh to perform an XCCDF scan on a remote system, you can only use a data stream file.
To scan a system remotely, run the oscap-ssh command as in the following example:
oscap-ssh --sudo oscap-user@198.51.100.157 22 \
oval eval --results elsa-results-oval-198.51.100.157.xml \
--report elsa-report-oval-198.51.100.157.html \
com.oracle.elsa-ol9.xml
You can configure SSH options, such as the location of SSH keys, in the local user SSH configuration file or by setting the SSH_ADDITIONAL_OPTIONS environment variable. For more information about configuring SSH connections, see Oracle Linux: Connecting to Remote Systems With OpenSSH.
Although it might be possible to connect as the root user on a remote system directly over SSH, we recommend not doing this. Always use oscap-ssh with the --sudo option and configure an appropriate user on the remote system for this task. See Oracle Linux 9: Setting Up System Users and Authentication for more information.
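The following script is an added example, not part of the original documentation. It extends the single-host command above to the multi-host case described earlier: every host in an inventory is scanned against the same local OVAL file as a non-root user with --sudo. The OUT_DIR and DRY_RUN variables, the function names and the inventory entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scan several hosts against one locally kept OVAL file.
# OUT_DIR, DRY_RUN and the function names are assumptions of this sketch.
SCAN_USER=${SCAN_USER:-oscap-user}               # non-root account with sudo
OVAL_FILE=${OVAL_FILE:-com.oracle.elsa-ol9.xml}  # file from the page's example
OUT_DIR=${OUT_DIR:-.}
# Dry run by default: print each command instead of running it.
if [ "${DRY_RUN:-1}" = 0 ]; then RUN=; else RUN=echo; fi

# Accept "host" or "host:port" only. Rejecting a leading "-" and any
# character outside [A-Za-z0-9.-] keeps an inventory line from being read
# as an option by ssh. IPv6 literals are not handled here.
parse_target() {
    case $1 in
        *:*:*) return 1 ;;
        *:*)   host=${1%%:*}; port=${1##*:} ;;
        *)     host=$1; port=22 ;;
    esac
    case $host in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Scan one host as the sudo-capable user, never as root, writing per-host
# result and report files named as in the page's example.
scan_host() {
    parse_target "$1" || { echo "skip: invalid entry '$1'" >&2; return 1; }
    $RUN oscap-ssh --sudo "$SCAN_USER@$host" "$port" \
        oval eval --results "$OUT_DIR/elsa-results-oval-$host.xml" \
        --report "$OUT_DIR/elsa-report-oval-$host.html" "$OVAL_FILE"
}

# Read the inventory from fd 3 so stdin stays attached to the terminal for
# any ssh or sudo prompt. Returns non-zero if any entry failed.
scan_all() {
    failed=0
    while IFS= read -r entry <&3; do
        case $entry in ''|'#'*) continue ;; esac
        scan_host "$entry" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Constructed inventory: documentation addresses plus one malformed line.
scan_all 3<<'EOF' || echo "$failed inventory entries failed" >&2
198.51.100.157
198.51.100.158:2222
-not-a-host
EOF
```

To scan a real inventory, set DRY_RUN=0 and replace the here-document with a redirection from a file, for example 3<inventory.txt.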