8 Scanning Remote Systems
Use oscap-ssh to scan remote systems over an SSH connection. By using remote
scanning you can audit systems that you do not have physical access to and that may not have a
current version of the SCAP Security Guide or current OVAL definitions available. Most
typically, this command is used to scan multiple remote systems against a single locally
stored and maintained OVAL definition file. The oscap-ssh command is provided in the
openscap-utils package.
The remote system must have the openscap-scanner package installed, which provides the
oscap command. The remote system must also have a user account that you can connect as
and that has sudo privileges, so that the scan can run correctly.
The oscap-ssh utility accepts the same sub-commands and options as the oscap utility,
but requires that you specify the hostname or IP address of the remote system to scan and
the port number that SSH is listening on. Use the --sudo option to escalate user privileges
before running the scan. Note that when you use oscap-ssh to perform an XCCDF scan on a
remote system, you can only use a data stream file.
To scan a system remotely, run the oscap-ssh command as in the following example:
oscap-ssh --sudo oscap-user@198.51.100.157 22 \
oval eval --results elsa-results-oval-198.51.100.157.xml \
--report elsa-report-oval-198.51.100.157.html \
com.oracle.elsa-ol9.xml
You can configure SSH options, such as the location of SSH keys, in your local user SSH configuration file or by setting the environment variable SSH_ADDITIONAL_OPTIONS. For more information about configuring your SSH connections, see Oracle Linux: Connecting to Remote Systems With OpenSSH.
Although it may be possible to connect as the root user on a remote system directly over
SSH, Oracle recommends against this practice. Always use oscap-ssh with the --sudo option
and configure an appropriate user on the remote system for this task. See Oracle Linux 9:
Setting Up System Users and Authentication for more information.
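The multi-system use described above, as an added example that is not part of the original documentation: a POSIX shell wrapper that runs the same oscap-ssh oval eval command against every host in a list, using one local OVAL file and a non-root account with --sudo. The hosts file format, the valid_host check, the default SSH_ADDITIONAL_OPTIONS value, and the OSCAP_SSH, SCAN_USER, SSH_PORT and OVAL_FILE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: scan every host in a list against one local OVAL file.
# Assumed names: hosts file format, SCAN_USER, SSH_PORT, OVAL_FILE, OSCAP_SSH.
OVAL_FILE="${OVAL_FILE:-com.oracle.elsa-ol9.xml}"   # local definitions file
SCAN_USER="${SCAN_USER:-oscap-user}"                # non-root account with sudo
SSH_PORT="${SSH_PORT:-22}"
OSCAP_SSH="${OSCAP_SSH:-oscap-ssh}"                 # overridable for dry runs
# Assumed hardening choice: key-based auth only, never accept unknown host keys.
: "${SSH_ADDITIONAL_OPTIONS:=-o BatchMode=yes -o StrictHostKeyChecking=yes}"
export SSH_ADDITIONAL_OPTIONS

# Accept only hostname/IPv4 characters so a list entry cannot be parsed
# as an option (leading '-') or carry shell metacharacters.
valid_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Run one remote OVAL evaluation; results and report are named per host.
scan_host() {
  "$OSCAP_SSH" --sudo "${SCAN_USER}@$1" "$SSH_PORT" \
    oval eval --results "elsa-results-oval-$1.xml" \
    --report "elsa-report-oval-$1.html" "$OVAL_FILE"
}

# Scan every host in file $1 (one per line, '#' comments allowed).
# Returns the number of hosts that were rejected or whose scan exited non-zero.
scan_all() {
  failed=0
  # Read the list on fd 3 so ssh keeps the terminal's stdin.
  while IFS= read -r host <&3 || [ -n "$host" ]; do
    case "$host" in ''|'#'*) continue ;; esac
    if ! valid_host "$host"; then
      echo "skip: invalid host entry '$host'" >&2
      failed=$((failed + 1))
    elif ! scan_host "$host"; then
      echo "fail: scan of $host exited non-zero" >&2
      failed=$((failed + 1))
    fi
  done 3< "$1"
  return "$failed"
}

# Stand-alone use: sh scan-fleet.sh hosts.txt
if [ "$#" -gt 0 ]; then scan_all "$1"; fi
```

The script's exit status is the number of hosts that were skipped or failed, so a scheduler can alert on any non-zero result.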