OpenSCAP ‐ Configuring scans - mluchettii/github-wiki-mluchetti GitHub Wiki
Use the following command to list all of the available security policies:
ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
The output should look something like this:
Each of these policies has multiple profiles, including DISA STIGs and CIS Benchmarks. For my evaluations, I chose the ssg-firefox-ds.xml and ssg-fedora-ds.xml policies. Be sure to copy the full paths to these files and paste them into a notepad for later.
To view the available profiles within a security policy, use this command:
oscap info /usr/share/xml/scap/ssg/content/<your-policy>.xml
ssg-fedora-ds.xml policy profiles:
For my evaluation, I copied the ID of the 'DRAFT - CIS Fedora Benchmark for Level 2 - Server' profile and pasted it into my notepad:
xccdf_org.ssgproject.content_profile_cis
ssg-firefox-ds.xml policy profiles:
I did the same for the 'Mozilla Firefox STIG' listed here:
xccdf_org.ssgproject.content_profile_stig
Using the information we have in our notepad, we can now create the command-line invocations for our scans. Use the following template:
sudo oscap xccdf eval \
--profile <profile-id> \
--results-arf arf.xml \
--report report.html \
<full-path-to-policy-xml-file>
To clarify:
--results-arf tells OSCAP that we want the results stored as an ARF in a file called arf.xml.
--report requests that OSCAP also generate an HTML report, report.html, alongside the ARF.
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \
--results-arf arf.xml \
--report report.html \
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results-arf arf.xml \
--report report.html \
/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
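Both invocations above write to arf.xml and report.html, so running them in the same directory leaves only the second scan's results. The wrapper below is an added example, not part of the original wiki: it gives each scan its own output files, checks that the profile ID exists in the policy first, and interprets oscap's exit status. The function names, the OSCAP variable and the --run switch are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: run each policy/profile pair with its own output files.
# Run as root (or via sudo), as the page's commands are.
OSCAP="${OSCAP:-oscap}"   # hypothetical override hook, not an oscap feature
CONTENT_DIR=/usr/share/xml/scap/ssg/content

# ssg-fedora-ds.xml + ..._profile_cis -> "fedora-cis"
output_prefix() {
    local policy profile
    policy=$(basename "$1" -ds.xml)
    profile=${2##*_profile_}
    printf '%s-%s\n' "${policy#ssg-}" "$profile"
}

# oscap exit status: 0 = every rule passed, 2 = scan completed but at
# least one rule failed or was unknown, anything else = the scan broke.
scan_verdict() {
    case "$1" in
        0) echo compliant ;;
        2) echo findings ;;
        *) echo error ;;
    esac
}

run_scan() {
    local policy profile prefix rc
    policy=$1; profile=$2; rc=0
    [ -r "$policy" ] || { echo "cannot read $policy" >&2; return 1; }
    # "oscap info" lists each profile as "Id: <profile-id>"; require an
    # exact match so a mistyped ID is caught before the scan starts.
    "$OSCAP" info "$policy" |
        awk -v id="$profile" '$1 == "Id:" && $2 == id { ok = 1 } END { exit !ok }' ||
        { echo "profile $profile not in $policy" >&2; return 1; }
    prefix=$(output_prefix "$policy" "$profile")
    "$OSCAP" xccdf eval --profile "$profile" \
        --results-arf "$prefix-arf.xml" --report "$prefix-report.html" \
        "$policy" || rc=$?
    echo "$prefix: $(scan_verdict "$rc")"
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]   # findings are a result, not a failure
}

# Pass --run to scan with the two policy/profile pairs chosen on this page.
if [ "${1:-}" = "--run" ]; then
    run_scan "$CONTENT_DIR/ssg-fedora-ds.xml" xccdf_org.ssgproject.content_profile_cis
    run_scan "$CONTENT_DIR/ssg-firefox-ds.xml" xccdf_org.ssgproject.content_profile_stig
fi
```

With these names the Fedora scan writes fedora-cis-arf.xml and fedora-cis-report.html, and the Firefox scan writes firefox-stig-arf.xml and firefox-stig-report.html.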
Scan results are on the next page.