scap-security-guide for Debian ------------------------------ The OpenSCAP team has separated the SCAP implementation (OpenSCAP project) and the Guides and benchmarks (SCAP-security-guide project), used by the oscap binary to validate the local system. This package suite deploy all guides and benchmarks that are not a part of the openSCAP project directly (deployed through libopenscap8). Using the XCCDF benchmarks locally ---------------------------------- benchmarks and Oval files are deployed in /usr/share// You can start a local bench using the following command. See the associated guides to be informed of the profiles name. # oscap xccdf eval --profile anssi_np_nt28_high \ --cpe /usr/share/ssg/ssg-debian8-cpe-dictionary.xml \ --results scan_results.xml \ --report scan_report.html \ /usr/share/ssg/ssg-debian8-xccdf.xml results and report are generated during oscap execution. In the case of using benchmark and Oval files over a complete infrastructure, libopenscap8 is not a real requirement on the host hosting the XCCDF profiles if they are executed on remote targets only (for e.g. using Ansible, Foreman, etc.). In that case, the tool deploying them has to copy the file to the remote target and run the oscap tool locally. The remote target don't need these files to be installed through apt. Using the XCCDF benchmarks remotely ----------------------------------- this is the case of a security server used to scan a local infrastructure. In this case, only scap-security-guide packages and its required dependencies are needed locally. It is possible to launch scan to heterogeneous distributions (RHEL, Ubuntu, etc.). Reports are saved locally. $ oscap-ssh user@ubuntu-xenial 22 xccdf eval --profile anssi_np_nt28_restrictive \ /usr/share/ssg/ssg-ubuntu1604-ds.xml -- Philippe Thierry Mon, 10 Apr 2017 13:04:21 +0200