'\" te
.TH oscap-ssh "8" "June 2015" "Red Hat, Inc." "System Administration Utilities"
.SH NAME
oscap-ssh \- Tool for running oscap over SSH and collecting results.
.SH DESCRIPTION
oscap-ssh runs the oscap tool on a remote system through an SSH connection. The input files are
transferred to the target system and, after the scan finishes, the result files are transferred
back. No temporary data remains on the remote machine.

The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF evaluation of remote
machines. The remote machine also has to have oscap installed and in $PATH. This can be
accomplished by installing openscap-scanner.

Usage of the tool mimics the usage and options of the oscap(8) tool.

.SH USAGE
.SS Evaluation of XCCDF content
$ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

Only source datastreams are supported as INPUT_CONTENT!

Supported options are:
  --profile
  --tailoring-file
  --tailoring-id
  --cpe
  --results
  --results-arf
  --report
  --skip-valid
  --fetch-remote-resources
  --progress
  --datastream-id
  --xccdf-id
  --benchmark-id
  --remediate

.SS Evaluation of OVAL content
$ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

Supported options are:
  --id
  --variables
  --directives
  --results
  --report
  --skip-valid
  --datastream-id
  --oval-id
  --probe-root (has to be remote path)

.SS Collection of OVAL System Characteristics
$ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

Supported options are:
  --id
  --syschar
  --variables
  --skip-valid

Specific option for oscap-ssh (must be first argument):
  --sudo

.SH EXEMPLARY USAGE
.SS Simple XCCDF evaluation
The following command evaluates a remote Fedora machine as root. The HTML report is written to report.html on the local machine. The command can be executed from any machine that has ssh, scp and bash; the local machine does not need to have openscap installed.

$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

.SS XCCDF Evaluation with tailoring file
The following command uses a tailoring file and also copies back ARF and XCCDF results. The tailoring file is automatically copied from the local machine to the remote machine.

$ oscap-ssh --sudo oscap-user@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

.SS Running remotely as root
Note that the openscap scanner is best run by the 'root' user, as in the first example above. To do this, the "PermitRootLogin" directive must be enabled in /etc/ssh/sshd_config, which is itself a security violation. A safer approach is to allow a non-privileged user ('oscap-user' in the second example above) to run only the oscap binary as root (with the '--sudo' flag), either by updating the remote machine's 'sudoers' file or by adding a file like /etc/sudoers.d/99-oscap-user:
  # allow oscap-user to run openscap scanner
  Defaults!/bin/oscap !requiretty
  oscap-user ALL=(root) NOPASSWD: /bin/oscap
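
The following script is an added example, not part of oscap-ssh or of the original manual page. It stages the drop-in shown above, rejects it unless the rule grants exactly one absolute command path with no wildcards or arguments, checks the syntax with visudo, and only then installs it with mode 0440. The function names are hypothetical; the user, binary path and file name are the ones used on this page.

```sh
#!/bin/sh
# Added example, not oscap-ssh code. Function names are hypothetical; the
# defaults below are the user, binary and drop-in path used in this page.
OSCAP_USER=${OSCAP_USER:-oscap-user}
OSCAP_BIN=${OSCAP_BIN:-/bin/oscap}
DROPIN=${DROPIN:-/etc/sudoers.d/99-oscap-user}

# Print the drop-in for user $1 and scanner path $2.
render_dropin() {
    echo "# allow $1 to run openscap scanner"
    echo "Defaults!$2 !requiretty"
    echo "$1 ALL=(root) NOPASSWD: $2"
}

# Return 0 only if file $1 holds a single rule whose command is one absolute
# path: no ALL keyword, no wildcards, no command list, no arguments.
check_dropin() {
    rules=$(grep -v -e '^#' -e '^Defaults' -e '^[[:space:]]*$' "$1" || true)
    [ "$(echo "$rules" | grep -c .)" -eq 1 ] || return 1
    cmd=${rules##*NOPASSWD: }
    case $cmd in
        ALL | *'*'* | *'?'* | *,* | *' '*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stage, check and install the drop-in; run as root on the scan target.
install_dropin() {
    tmp=$(mktemp) || return 1
    render_dropin "$OSCAP_USER" "$OSCAP_BIN" > "$tmp"
    if check_dropin "$tmp" && visudo -cf "$tmp" > /dev/null; then
        # sudo expects drop-ins owned by root and not writable by others
        install -o root -g root -m 0440 "$tmp" "$DROPIN"
        rc=$?
    else
        echo "refusing to install: drop-in failed validation" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Install only when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--install" ]; then
    install_dropin
fi
```

Run it as root on the scan target with --install; a drop-in that fails either check is never copied into /etc/sudoers.d.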

.SH REPORTING BUGS
.nf
Please report bugs using https://fedorahosted.org/openscap/

.SH AUTHORS
.nf
Martin Preisler <mpreisle@redhat.com>
Šimon Lukašík <slukasik@redhat.com>
.fi


.\" Oracle has added the ARC stability level to this manual page
.SH ATTRIBUTES
See
.BR attributes (5)
for descriptions of the following attributes:
.sp
.TS
box;
cbp-1 | cbp-1
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE 
=
Availability	security/compliance/openscap
=
Stability	Uncommitted
.TE 
.PP

.SH NOTES

.\" Oracle has added source availability information to this manual page
This software was built from source available at https://java.net/projects/solaris-userland. The original community source was downloaded from https://fedorahosted.org/releases/o/p/openscap/openscap-1.2.6.tar.gz

Further information about this software can be found on the open source community website at http://www.open-scap.org.