OpenSCAP Cheat Sheet
CLI
Get XCCDF ruleset infos
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
...
Use the printed profile names as input for --profile for xccdf eval runs
Output control
--report <file> # For HTML table output
--results <file> # For XML result output
XCCDF evaluation example
# Fedora
oscap xccdf eval \
--report report.html \
--profile xccdf_org.ssgproject.content_profile_pci-dss \
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
# Redhat
oscap xccdf eval \
--report report.html \
--profile xccdf_org.ssgproject.content_profile_pci-dss \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Evaluate and remediate
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
Generate remediation shell script for review
oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_rht-ccp --output my-remediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
OVAL evaluation example
For Ubuntu download USN feed
type="usn" # or "cve" for more details
input="com.ubuntu.$(lsb_release -cs).${type}.oval.xml"
wget "https://security-metadata.canonical.com/oval/${input}.bz2"
bunzip "${input}.bz2"
and check it with
oscap oval eval "${input}"
Install
apt-get install libopenscap8 # Ubuntu + Debian
apt-get install ssg-debian # Debian SSG profiles (for Ubuntu see next section)
yum install scap-security-guide # Fedora/Redhat
Ubuntu Audit
For full Ubuntu server profiles “Ubuntu Advantage” subscription is required
ua status # See status
ua enable cis # Enable CIS auditing
ua audit <level> # Perform scan, level is e.g. "server_level1"