Introduction
oscap-ssh has recently been merged into OpenSCAP 1.2.x and is available in the OpenSCAP 1.2.3 release; see https://github.com/OpenSCAP/openscap/pull/69. This new tool enables painless, transparent scanning of remote machines with the familiar oscap argument syntax. The functionality was inspired by the SCAP Workbench remote scan.
Prerequisites
The script is designed to be as lean as possible. It is usable even outside the openscap context. It requires just bash, ssh, scp and mktemp to perform OVAL and XCCDF evaluation of remote machines. These tools are readily available on all Linux distributions, BSDs, MacOS X and even Windows via Cygwin.
The remote machine has to have oscap installed and in $PATH. This can be accomplished by installing openscap-scanner (or openscap-utils if openscap-scanner is not available) on the remote machine. On the local machine in most cases you just need to download the script and chmod +x it.
What follows is a walk-through of typical usage of the script. The output has been shortened for brevity. OVAL evaluation is very similar; the documentation included in the script should be enough to get it working.
Usage
oscap-ssh user@host SSH_PORT --v
oscap-ssh user@host SSH_PORT info INPUT_CONTENT
oscap-ssh user@host SSH_PORT xccdf eval INPUT_CONTENT
oscap-ssh user@host SSH_PORT oval eval INPUT_CONTENT
Example 1
The following command evaluates a remote Fedora machine as root. The HTML report is written out as report.html on the local machine. The command can be executed from any machine that has ssh, scp and bash; the local machine does not need to have openscap installed.
$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
The output:
Connecting to 'root@192.168.1.13' on port '22'...
root@192.168.1.13's password:
Connected!
Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to remote working directory '/tmp/tmp.yEsdWV54ry'...
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

[snip]

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
Removing remote temporary directory...
Disconnecting ssh and removing master ssh socket directory...
report.html is now on the local machine and can be opened there. The connection to the remote machine is closed and no temporary data remains on the remote machine.
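For unattended scans, the Title/Rule/Result triplets and the "oscap exit code" line in the Example 1 output can be turned into a list of failed rules and a verdict. The following is an added example, not part of oscap-ssh or the original post; the function names are hypothetical and the sample text is constructed from the shortened output shown in Example 1.

```bash
# Constructed sample, abridged from the Example 1 output above.
sample_output() {
cat <<'EOF'
Connecting to 'root@192.168.1.13' on port '22'...
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

oscap exit code: 2
Copying back requested files...
EOF
}

# rules_with_result RESULT: read output on stdin, print matching rule IDs.
rules_with_result() {
    awk -v want="$1" '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" { if ($2 == want && rule != "") print rule; rule = "" }
    '
}

# remote_exit_code: print N from the "oscap exit code: N" line, if present.
remote_exit_code() {
    awk '/^oscap exit code: [0-9]+$/ { print $4 }'
}

# verdict CODE: oscap returns 0 on success, 2 when the evaluation succeeded but
# the system is not compliant, 1 on error. A missing code counts as an error.
verdict() {
    case "$1" in
        0) echo compliant ;;
        2) echo non-compliant ;;
        *) echo scan-error ;;
    esac
}

sample_output | rules_with_result fail
verdict "$(sample_output | remote_exit_code)"
```

To use it on a real run, pipe the captured oscap-ssh output into the functions in place of sample_output.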
Example 2
A fuller example that uses a tailoring file and also copies back ARF and XCCDF results. The tailoring file is automatically copied from the local machine to the remote one.
$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
The output:
Connecting to 'root@192.168.1.13' on port '22'...
root@192.168.1.13's password:
Connected!
Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to remote working directory '/tmp/tmp.yVy6snyC88'...
Copying tailoring file 'ssg-fedora-ds-tailoring.xml' to remote working directory '/tmp/tmp.yVy6snyC88'...
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

[snip]

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
Removing remote temporary directory...
Disconnecting ssh and removing master ssh socket directory...
Future plans
Most if not all SCAP content requires root access to evaluate, so it is expected that the user will log in as root to a remote machine. At the same time, the guidance recommends disallowing root ssh access. This creates ironic situations where remotely scanning and remediating the machine cuts off the access.
We hope to solve this in the future by logging in as a normal user and running sudo before scanning.
Conclusion
Scanning remote machines is now almost as easy as scanning local ones. For use cases where the user has public-key authentication set up, the scanning is truly painless.
I believe this script might be very valuable for content authors and auditors. In the future I expect SCAP Workbench to use this script instead of its own code for remote scanning. The migration will have to wait until OpenSCAP 1.2.3+ is available on platforms where Workbench ships.
bookmarked, great blog!
Hi,
Any chance you are looking into adding or would be interested in looking at adding providers to ansible, chef and puppet for oscap and oscap-ssh for use in those workflows?
The argument could be made that a straight exec command could be used but as always those approaches are brittle.
The ability to easily execute and report on oscap scan results via an ansible or chef job would be very useful.
Hi, definitely interested in that. After all, oscap-ssh is supposed to be a small cog in a bigger machine. Right now I don’t have any specific plans to implement the providers myself though.
Do you have experience with writing providers for those tools?
There is already a puppet-openscap provider. https://github.com/OpenSCAP/puppet-openscap
Does it match your use case?
Does this work with public-key authentication over SSH? Or does password authentication need to be enabled?
Yeah, works with any SSH authentication method.