installation

openscap/xml/article_openscap.xml

@@ -78,6 +78,68 @@
       tools.
     </para>
   </sect1>
+  <sect1 xml:id="openscap-installation">
+    <title>Installation</title>
+
+    <para>
+      To use the &openscap; tools and the <literal>&ssg;</literal> for scanning
+      and remediating vulnerabilities, install the following packages:
+    </para>
+
+    <itemizedlist>
+      <listitem>
+        <para>
+          <package>openscap</package>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <package>openscap-utils</package>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <package>scap-security-guide</package>
+        </para>
+      </listitem>
+    </itemizedlist>
+
+<screen>&prompt.sudo;<command>zypper install openscap openscap-utils scap-security-guide</command>
+</screen>
+
+    <para>
+      Optionally, install the following pacakges:
+    </para>
+
+    <itemizedlist>
+      <listitem>
+        <para>
+          <package>scap-workbench</package>: This package provides the SCAP
+          Workbench graphical utility to perform common
+          <systemitem>oscap</systemitem> tasks.
+        </para>
+<screen>&prompt.sudo;<command>zypper install scap-workbench scap-workbench-doc</command></screen>
+        <tip>
+          <para>
+            As a security best practice, avoid installing an application
+            software such as SCAP Workbench on the system that you are planning
+            to harden. Instead, install SCAP Workbench on a client machine and
+            apply the hardening on the target system, while maintaining an air
+            gap before the target system before the target system is connected
+            to a potentially insecure network.
+          </para>
+        </tip>
+      </listitem>
+      <listitem>
+        <para>
+          <package>ssg-apply</package>: When used along with SCAP Workbench,
+          this package helps you conveniently apply a tailoring file for
+          customized hardening.
+        </para>
+<screen>&prompt.sudo;<command>zypper install ssg-apply</command></screen>
+      </listitem>
+    </itemizedlist>
+  </sect1>
   <sect1 xml:id="openscap-components">
     <title>Important SCAP components</title>
 
@@ -140,28 +202,40 @@
         </listitem>
       </varlistentry>
     </variablelist>
-  </sect1>
-  <sect1 xml:id="openscap-installation">
-    <title>Installation</title>
 
     <para>
-      To use the &openscap; tools, together with the <literal>&ssg;</literal>,
-      install the following packages: <package>openscap</package>,
-      <package>openscap-utils</package>, and <package>scap-workbench</package>
-      packages.
+      To test whether these components are available to you, use the following
+      command:
     </para>
-    <simplelist>
-     <member><package>openscap</package></member>
-     <member><package>openscap-utils</package></member>
-     <member><package>scap-security-guide</package></member>
-     <member><package>scap-workbench</package></member>
-    </simplelist>
 
-<screen>&prompt.sudo;<command>zypper install \
- openscap \
- openscap-utils \
- scap-security-guide \
- scap-workbench</command>
+<screen>
+ &prompt.user;<command>oscap -h</command>
+ oscap
+
+ OpenSCAP command-line tool
+
+ Usage: oscap [options] module operation [operation-options-and-arguments]
+
+ Common options:
+    --verbose &lt;verbosity_level&gt;   - Turn on verbose mode at specified verbosity level.
+                                    Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
+    --verbose-log-file &lt;file&gt;     - Write verbose information into file.
+
+ oscap options:
+    -h --help                     - show this help
+    -q --quiet                    - quiet mode
+    -V --version                  - print info about supported SCAP versions
+
+ Commands:
+     ds - Data stream utilities
+     oval - Open Vulnerability and Assessment Language
+     xccdf - eXtensible Configuration Checklist Description Format
+     cvss - Common Vulnerability Scoring System
+     cpe - Common Platform Enumeration
+     cve - Common Vulnerabilities and Exposures
+     cvrf - Common Vulnerability Reporting Framework
+     info - Print information about a SCAP file.
+
 </screen>
   </sect1>
   <sect1 xml:id="openscap-ssg">
@@ -543,7 +617,7 @@
       <itemizedlist>
         <listitem>
           <para>
-            bare-metal machines
+            bare metal machines
           </para>
         </listitem>
         <listitem>
@@ -570,7 +644,7 @@
       <para>
         Automated checks help to identify the target and to select only the
         rules that make sense for this specific target. For example, checks for
-        separate partitions make sense for bare-metal machines but not for
+        separate partitions make sense for bare metal machines but not for
         containers.
       </para>
     </sect2>