oracular (8) oscap-ssh.8.gz

Provided by: openscap-utils_1.3.10+dfsg-3_amd64 bug

NAME

       oscap-ssh - Tool for running oscap over SSH and collecting results.

DESCRIPTION

       oscap-ssh  runs  oscap tool on a remote system through SSH connection. The input files are
       transferred to the target system and after the scan finishes result files are  transferred
       back. No temporary data remains on the remote machine.

       The tool requires bash, ssh, scp and mktemp to perform OVAL and XCCDF evaluation of remote
       machines. The remote machine also has to have oscap installed and in $PATH.  This  can  be
       accomplished by installing openscap-scanner.

       Usage of the tool mimics usage and options of oscap(8) tool.

USAGE

   Evaluation of XCCDF content
       $ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

       Only source data streams are supported as INPUT_CONTENT!

       Supported options are:
         --profile
         --tailoring-file
         --tailoring-id
         --cpe
         --results
         --results-arf
         --report
         --skip-valid
         --skip-validation
         --fetch-remote-resources
         --local-files
         --progress
         --datastream-id
         --xccdf-id
         --benchmark-id
         --remediate

   Evaluation of OVAL content
       $ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

       Supported options are:
         --id
         --variables
         --directives
         --results
         --report
         --skip-valid
         --skip-validation
         --datastream-id
         --oval-id

   Collection of OVAL System Characteristic
       $ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

       Supported options are:
         --id
         --syschar
         --variables
         --skip-valid
         --skip-validation

       Specific option for oscap-ssh (must be first argument):
         --sudo

   Environment variables
       oscap-ssh  checks  out  the  SSH_ADDITIONAL_OPTIONS  environment  variable, and pastes its
       contents into the command-line of ssh to the location where options are expected.   Supply
       the variable in form of a string that corresponds to a section of the ssh command-line and
       that consists of options you want to pass.

   Using --local-files option
       The oscap-ssh command supports the --local-files option, but it  isn't  possible  to  pass
       './' and '../' as an argument. Use a full directory path instead.

EXAMPLE USAGE

   Simple XCCDF evaluation
       The  following  command  evaluates a remote Fedora machine as root. HTML report is written
       out as report.html on the local machine. Can be executed from any machine  that  has  ssh,
       scp  and  bash.  The local machine does not need to have openscap installed.  It also uses
       the SSH_ADDITIONAL_OPTIONS variable to configure ssh in such  way  that  contents  of  the
       known_hosts file are ignored.

       $        export        SSH_ADDITIONAL_OPTIONS="-o        StrictHostKeyChecking=no       -o
       UserKnownHostsFile=/dev/null"  $  oscap-ssh  root@192.168.1.13  22  xccdf  eval  --profile
       xccdf_org.ssgproject.content_profile_common              --report              report.html
       /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

   XCCDF Evaluation with tailoring file
       The following command uses a tailoring file and also copies back ARF  and  XCCDF  results.
       The tailoring file is automatically copied from local machine to remote.

       $     oscap-ssh     --sudo     oscap-user@192.168.1.13    22    xccdf    eval    --profile
       xccdf_org.ssgproject.content_profile_common  --report  report.html  --results  results.xml
       --results-arf         arf.xml         --tailoring-file         ssg-fedora-ds-tailoring.xml
       /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

   Running remotely as root
       Note that the openscap scanner is best run by the 'root' user  as  in  the  first  example
       above.    To   do   this,   the   "PermitRootLogin"   directive   must   be   enabled   in
       /etc/ssh/sshd_config, which is itself a security violation. A safer approach is to  enable
       a  non-privileged  user  ('oscap-user'  in the second example above) to run only the oscap
       binary as root (with the '--sudo' flag) by updating the remote machine's 'sudoers' file or
       adding a file like /etc/sudoers.d/99-oscap-user:
         # allow oscap-user to run openscap scanner
         Defaults!/usr/bin/oscap !requiretty
         oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap

REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues

AUTHORS

       Martin Preisler <mpreisle@redhat.com>
       Šimon Lukašík <slukasik@redhat.com>