OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7



In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP Workbench. In part 2, we explored the concepts and components that define security and vulnerability scans. In this third post we are going to dive into command-line operation.

Let’s get started with oscap.

Installing oscap

In RHEL 7 oscap, along with the SCAP Security Guide content it evaluates, can be installed with the following command:

# yum -y install scap-security-guide openscap-scanner

Content is installed under /usr/share/xml/scap/ssg/content/ (the directory used in the commands further down). Note that ssg is short for SCAP Security Guide.

Let's change directories to the one listed above and view the installed files.

[Screenshot: directory listing of the installed SSG content files]

Using oscap we can view more info on each file shown above. In this example we are going to inspect ssg-rhel7-ds.xml, the source data stream (the "ds" suffix) that bundles the XCCDF benchmark, OVAL definitions and CPE dictionary for RHEL 7 into a single file.

# oscap info ssg-rhel7-ds.xml

[Screenshot: oscap info output for ssg-rhel7-ds.xml]

Let’s look at the profiles that are available.

Running oscap Scan

The format for running a scan is shown below

In the example below we kick off a scan using the oval module, which evaluates the OVAL (Open Vulnerability and Assessment Language) definitions contained in the data stream. Output below.

# oscap oval eval --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Neat. Now consider a scenario where we only want to evaluate one OVAL definition.

For example let’s only check to see if named is disabled.

# oscap oval eval --id oval:ssg-service_named_disabled:def:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Cool. Now let's choose a profile and use that to perform a scan. We will need to first determine the appropriate profile name and ID. This can be accomplished with a simple command.

# oscap info ssg-rhel7-ds.xml | grep Title -A1

Output shown below.

[Screenshot: profile titles and IDs from oscap info]

Note that the profile ID we are looking for is xccdf_org.ssgproject.content_profile_stig-rhel7-disa, the DISA STIG profile for RHEL 7.

So let's run the command. This time we use the xccdf module, which evaluates the rules selected by the chosen profile and writes the per-rule results to the file named by --results.

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --results rhel7-stig-out ssg-rhel7-ds.xml

Excerpt from console output shown below.

[Screenshot: excerpt of the console output from the STIG profile scan]

We can also take a look at our output file. Again, just an excerpt from the XML.

[Screenshot: excerpt of the XCCDF results file]

The example command shown below runs the same scan as the previous step, but additionally writes a human-readable HTML report with --report (the XML results file is still produced and remains the machine-readable record).

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --results rhel7-stig-out --report report.html ssg-rhel7-ds.xml

Remediation via the CLI

Via the CLI there are three ways to remediate rules that failed a scan: online, offline, and by generating a script. All three change system configuration, so run them as root on a test system first and review what each fix does before touching production.

Online Remediation

Online remediation executes fixes at the time of scanning: each failed rule is remediated immediately, and the console output for that rule then shows fixed or error instead of fail. Example command below.

# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Offline Remediation

Offline remediation uses the results file of an earlier scan as input. For example, here we first run a scan and generate a results file:

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Then we feed that results file to oscap xccdf remediate, which applies fixes for every rule recorded as failed. Note that the command below uses the same file name for input and output, so the pre-remediation results are overwritten; give --results a different path if you want to keep both for comparison.

# oscap xccdf remediate --results scan-xccdf-results.xml scan-xccdf-results.xml

Script Generation

In the example below we generate an Ansible remediation playbook for every rule in the STIG profile. Other fix types are available as well (for example bash and puppet). Generating a script rather than remediating in place lets you review, version and test the fixes before applying them.

# oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
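To make the scan and remediation steps above usable in automation, the following added example (my own script, not code from the original post) post-processes an XCCDF results file of the kind written by --results: it lists the rules that failed, counts results by status, maps oscap's exit status to a verdict, and builds the oscap xccdf generate fix --result-id command that produces a fix script limited to the rules that actually failed in that run, rather than every rule in the profile. The rule-result fragment embedded in the script is constructed sample data with illustrative rule IDs; only standard POSIX tools are used, so it runs without oscap installed.

```shell
#!/bin/sh
# Added example, not from the original post: summarize an XCCDF results file
# and turn its failures into the next oscap command. Needs only sh, awk, sed.
set -eu

# Constructed sample of the <rule-result> elements oscap writes under
# <TestResult> in a --results file (real files carry more attributes and
# child elements; only idref and <result> are used here).
SAMPLE_RESULTS="$(mktemp)"
trap 'rm -f "$SAMPLE_RESULTS"' EXIT
cat >"$SAMPLE_RESULTS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_named_disabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF

# Emit "idref result" pairs, one per <rule-result>. A small awk state
# machine: remember the idref when the opening tag passes, print it when
# the nested <result> element arrives.
rule_results() {
  awk '
    /<rule-result / { if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
    /<result>/      { if (match($0, /<result>[^<]*<\/result>/)) print id, substr($0, RSTART + 8, RLENGTH - 17) }
  ' "$1"
}

# Number of rules with the given status (pass, fail, error, unknown,
# notapplicable, notchecked, notselected, informational, fixed).
count_results() {
  rule_results "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# IDs of the rules that failed, one per line.
failed_rules() {
  rule_results "$1" | awk '$2 == "fail" { print $1 }'
}

# oscap xccdf eval exit status: 0 = every evaluated rule passed,
# 2 = the scan ran but at least one rule failed or was unknown,
# anything else (normally 1) = oscap itself failed (bad input, unknown profile).
scan_verdict() {
  case "$1" in
    0) echo compliant ;;
    2) echo noncompliant ;;
    *) echo error ;;
  esac
}

# Build the follow-up command: `generate fix --result-id <TestResult id>`
# produces a fix script containing only the rules that failed in that result.
fix_command() {
  rid="$(sed -n 's/.*<TestResult[^>]* id="\([^"]*\)".*/\1/p' "$1" | head -n 1)"
  printf 'oscap xccdf generate fix --fix-type bash --result-id %s --output remediate.sh %s\n' "$rid" "$1"
}

# Stand-alone run against the constructed sample.
printf 'pass=%s fail=%s notapplicable=%s\n' \
  "$(count_results "$SAMPLE_RESULTS" pass)" \
  "$(count_results "$SAMPLE_RESULTS" fail)" \
  "$(count_results "$SAMPLE_RESULTS" notapplicable)"
printf 'verdict for exit status 2: %s\n' "$(scan_verdict 2)"
failed_rules "$SAMPLE_RESULTS"
fix_command "$SAMPLE_RESULTS"
```

In a pipeline you would run oscap xccdf eval, capture its exit status for scan_verdict, and point failed_rules and fix_command at the real --results file instead of the sample; the generated remediate.sh is then something you can review and check in before it ever runs against a host.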

Using oscap-docker to Scan Containers

You can also use oscap-docker, a wrapper around oscap, to scan container images or running containers from the host without installing anything inside the container. Below I have a running RHEL 7 container named rhel7-test-tainer.

# oscap-docker container rhel7-test-tainer oval eval \
> --results oval-results.xml --report report.html \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

Below is an example of a scan run against a container image. The image subcommand takes the image name or ID as its first argument (shown here as a placeholder), followed by the same oscap arguments as above.

# oscap-docker image <image-name-or-id> oval eval --results oval-results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

Additional Resources

Honestly if you have come this far, it would be in your best interest to do a bit more research. Links provided below.

Next Steps

Read Part 4
