OpenSCAP represents both a library and a command line tool which can be used to parse and evaluate each component of the SCAP standard. The library approach allows for the swift creation of new SCAP tools rather than spending time learning existing file structure. The command-line tool, called oscap, offers a multi-purpose tool designed to format content into documents or scan the system based on this content. Whether you want to evaluate DISA STIGs, NIST‘s USGCB, or Red Hat’s Security Response Team’s content, all are supported by OpenSCAP.
If your main goal is to perform configuration and vulnerability scans of a local system then oscap can be the right tool for you. It can evaluate both XCCDF benchmarks and OVAL definitions and generate the appropriate results.
The OpenSCAP library is the core building block used in a content tailoring program called SCAP Workbench, integrated in Red Hat Satellite by SCAPTimony and used for all SCAP evaluation by OpenSCAP Daemon.
OpenSCAP is available on various Linux distributions, including Red Hat Enterprise Linux, Fedora and Ubuntu. Since version 1.3.0 OpenSCAP supports also Microsoft Windows.
With the oscap tool you can perform configuration and vulnerability scans, validate your SCAP content in line with SCAP standard XML schemas, display basic information about your content, or list profiles in an XCCDF benchmark.
$ oscap -V
The oscap tool can help you evaluate a Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA) on your local machine with the following command:
$ oscap xccdf eval --profile selected_profile --results result_file --cpe cpe_dictionary disa_stig_content
If you are looking for a detailed step by step instruction please refer to the user manual.
You can use the oscap tool to evaluate a Payment Card Industry Data Security Standard (PCI-DSS) on your machine with the following command which assumes that you have the SCAP Security Guide installed already:
$ oscap xccdf eval --report report.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
OPTION 1: Join the mailing list.
OPTION 2: You can also join the #openscap IRC channel on chat.freenode.net.