Chapter 11 Performing OpenSCAP Auditing of Client Systems

The scap-security-guide package, which is available for Oracle Linux 6 and Oracle Linux 7, provides SCAP Security Guides in eXtensible Configuration Checklist Description Format (XCCDF) that have been updated to include Common Platform Enumeration (CPE) definitions for Oracle Linux.

You can use the SCAP Security Guide or any OpenSCAP-compliant XCCDF or Open Vulnerability and Assessment Language (OVAL) files. Oracle provides OVAL files at


The client system must permit the Spacewalk Server to run remote commands. See Section 7.1, “Enabling Remote Configuration in a Kickstart Profile by Using the Spacewalk Web Interface” and Section 7.3, “Enabling Remote Configuration Manually”.

To be able to run OpenSCAP scans on a client system, install the spacewalk-oscap package on that system.

For more information about using OpenSCAP compliance checking with Oracle Linux, see Running OpenSCAP Compliance Checks on Oracle Linux.

11.1 Performing OpenSCAP Auditing of Client Systems by Using the Spacewalk Web Interface

Typically, you would use the oscap command with Spacewalk to perform scans. See Oracle® Linux 6: Security Guide and Oracle® Linux 7: Security Guide for more information about using this command.

Figure 11.1 Schedule New XCCDF Scan Page

To schedule a scan for a system or system group:

  1. For a system:

    • Go to Systems, click the system name, select the Audit tab, and then select the Schedule tab.

    For a system group:

    1. Go to Systems and select System Groups.

    2. Click the system group name.

    3. On the Details page, click Work With Group.

      Spacewalk loads the group into the System Set Manager.

    4. Select the Audit tab.

  2. On the Schedule New XCCDF Scan page, enter the scan settings in the following fields:

    Command-line arguments

    Enter any command-line arguments to the command that you are using to perform the scan. For example: --profile server.

    Path to XCCDF document

    Enter the path of the XCCDF checklist file, for example /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml, or downloaded OVAL definition file, for example

  3. Change the schedule if required, and click Schedule.

    When the scan is complete, a summary of the results of the scan is displayed under the List Scans tab. Oracle recommends that you schedule regular scans to check for security regressions.

11.2 Performing OpenSCAP Auditing of Client Systems by Using the spacecmd Command


The spacecmd command supports XCCDF scans but not OVAL scans. Instead, you can use Spacewalk's remote command execution facility to run oscap oval eval on Spacewalk clients.

See Oracle® Linux 6: Security Guide and Oracle® Linux 7: Security Guide for more information about using the oscap command.

To schedule an XCCDF scan for systems, use the scap_schedulexccdfscan command as follows:

spacecmd {SSM:0}> scap_schedulexccdfscan '/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml' \
'profile server'

To list scheduled auditing scans, use the schedule_list command:

spacecmd {SSM:0}> schedule_list
ID      Date                 C    F    P     Action
--      ----                ---  ---  ---    ------
522     20150625T12:56:01     0    0    1    OpenSCAP xccdf scanning

See Section 10.3, “Working With Scheduled Events”.

To list the summary results of completed XCCDF scans, use the scap_listxccdfscans command:

spacecmd {SSM:0}> scap_listxccdfscans

To list the details and results of an XCCDF scan, specified by its scan ID, use the scap_getxccdfscandetails and scap_getxccdfscanruleresults commands, as shown in the following example:

spacecmd {SSM:0}> scap_getxccdfscandetails scan_ID
spacecmd {SSM:0}> scap_getxccdfscanruleresults scan_ID
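
The comparison behind the recommendation to schedule regular scans to check for security regressions, as an added example that is not part of the Oracle documentation: it diffs the rule results of two XCCDF scans of the same system. It assumes the results are fetched with the Spacewalk XML-RPC call system.scap.getXccdfScanRuleResults as records with idref and result fields; the API URL, credentials, scan IDs, and rule names are placeholders constructed for illustration.

```python
import xmlrpc.client

# XCCDF result values treated as compliant ("fixed" = remediated during scan).
GOOD = {"pass", "fixed"}

# Constructed sample records (rule names are made up for this example).
BASELINE = [
    {"idref": "example_rule_sshd_no_root", "result": "pass", "idents": ""},
    {"idref": "example_rule_audit_enabled", "result": "pass", "idents": ""},
    {"idref": "example_rule_grub_password", "result": "fail", "idents": ""},
    {"idref": "example_rule_selinux_enforcing", "result": "pass", "idents": ""},
]
CURRENT = [
    {"idref": "example_rule_sshd_no_root", "result": "fail", "idents": ""},
    {"idref": "example_rule_grub_password", "result": "fail", "idents": ""},
    {"idref": "example_rule_selinux_enforcing", "result": "pass", "idents": ""},
]


def fetch_rule_results(api_url, user, password, scan_id):
    """Fetch one scan's rule results, e.g. api_url='https://HOST/rpc/api'."""
    client = xmlrpc.client.ServerProxy(api_url)
    key = client.auth.login(user, password)
    try:
        return client.system.scap.getXccdfScanRuleResults(key, int(scan_id))
    finally:
        client.auth.logout(key)  # always release the session key


def by_rule(results):
    """Map each rule idref to its normalized result string."""
    return {r["idref"]: r["result"].strip().lower() for r in results}


def find_regressions(baseline, current):
    """Return sorted (idref, old, new) for rules that were compliant in the
    baseline scan and are no longer reported compliant in the current scan.
    A rule missing from the current scan is reported as 'absent'."""
    old, new = by_rule(baseline), by_rule(current)
    return sorted(
        (idref, result, new.get(idref, "absent"))
        for idref, result in old.items()
        if result in GOOD and new.get(idref, "absent") not in GOOD
    )


if __name__ == "__main__":
    for idref, before, after in find_regressions(BASELINE, CURRENT):
        print(f"REGRESSION {idref}: {before} -> {after}")
```

Rules that fail in both scans are existing findings and are not reported; a rule that disappears from the later scan is reported because a changed profile or checklist can silently drop a check.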