
Commit

sounix000 committed Jan 24, 2024
1 parent 070c8ed commit 2ac8afa
Showing 2 changed files with 179 additions and 61 deletions.
Binary file added openscap/images/src/png/scap-workbench.png
240 changes: 179 additions & 61 deletions openscap/xml/article_openscap.xml
Expand Up @@ -82,8 +82,9 @@
<title>Installation</title>

<para>
To use the &openscap; tools and the <literal>&ssg;</literal> for scanning
and remediating vulnerabilities, install the following packages:
To use the &openscap; tools and the <literal>&ssg;</literal> for
hardening your target system by scanning and remediating vulnerabilities,
install the following core packages:
</para>

<itemizedlist>
Expand All @@ -107,8 +108,15 @@
<screen>&prompt.sudo;<command>zypper install openscap openscap-utils scap-security-guide</command>
</screen>

<note>
<para>
These packages are dependencies for other optional packages discussed
below.
</para>
</note>

<para>
Optionally, install the following pacakges:
Optionally, install the following packages:
</para>

<itemizedlist>
Expand All @@ -118,27 +126,28 @@
Workbench graphical utility to perform common
<systemitem>oscap</systemitem> tasks.
</para>
<screen>&prompt.sudo;<command>zypper install scap-workbench scap-workbench-doc</command></screen>
<tip>
<para>
As a security best practice, avoid installing an application
software such as SCAP Workbench on the system that you are planning
to harden. Instead, install SCAP Workbench on a client machine and
apply the hardening on the target system, while maintaining an air
gap before the target system before the target system is connected
to a potentially insecure network.
</para>
</tip>
</listitem>
<listitem>
<para>
<package>ssg-apply</package>: When used along with SCAP Workbench,
this package helps you conveniently apply a tailoring file for
customized hardening.
</para>
<screen>&prompt.sudo;<command>zypper install ssg-apply</command></screen>
</listitem>
</itemizedlist>

<screen>&prompt.sudo;<command>zypper install scap-workbench scap-workbench-doc ssg-apply</command></screen>

<tip>
<title>Security best practice for SCAP Workbench</title>
<para>
As a security best practice, avoid installing an application software
such as SCAP Workbench on the target system that you are planning to
harden. Instead, install SCAP Workbench on a client machine and apply
the hardening on the target system, while maintaining an air gap before
the target system is connected to a potentially insecure network.
</para>
</tip>
</sect1>
<sect1 xml:id="openscap-components">
<title>Important SCAP components</title>
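Review bot: the relocated tip still tells the reader to apply hardening from a client machine "while maintaining an air gap before the target system is connected to a potentially insecure network", but the same article describes remote use of SCAP Workbench as going over SSH, so the target cannot be air-gapped while it is being hardened from the client. Suggest wording along the lines of "keep the target system on an isolated, trusted network until hardening is complete". In the same paragraph, "an application software such as" should read "application software such as". Merging the two install commands into one line after the list is fine, but it now sits outside both list items, so a short lead-in sentence before the screen would help.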
Expand Down Expand Up @@ -202,41 +211,6 @@
</listitem>
</varlistentry>
</variablelist>

<para>
To test whether these components are available to you, use the following
command:
</para>

<screen>
&prompt.user;<command>oscap -h</command>
oscap

OpenSCAP command-line tool

Usage: oscap [options] module operation [operation-options-and-arguments]

Common options:
--verbose &lt;verbosity_level&gt; - Turn on verbose mode at specified verbosity level.
Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
--verbose-log-file &lt;file&gt; - Write verbose information into file.

oscap options:
-h --help - show this help
-q --quiet - quiet mode
-V --version - print info about supported SCAP versions

Commands:
ds - Data stream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format
cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures
cvrf - Common Vulnerability Reporting Framework
info - Print information about a SCAP file.

</screen>
</sect1>
<sect1 xml:id="openscap-ssg">
<title>&ssg; content and directories</title>
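Review bot: removing this block from the components section drops the only post-installation check ("To test whether these components are available to you"); where the help output reappears later in the commit it is introduced as basic usage, not as a verification step. Consider keeping a one-line check in the Installation section, for example oscap -V, which the help text lists as "print info about supported SCAP versions".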
Expand Down Expand Up @@ -651,6 +625,14 @@

<sect2 xml:id="openscap-scan-tools">
<title>Tools for scanning</title>
<note>
<para>
Before using the tools described in this section, ensure that you
have installed them as described in
<xref linkend="openscap-installation"></xref>, as they are
inter-dependent.
</para>
</note>
<para>
Depending on your setup and the target to scan (remote or local), you
can use either of the following tools:
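Review bot: the new note says the tools are "inter-dependent", which does not match the Installation note added earlier in this commit, where the core packages are dependencies of the optional ones (a one-way relationship). Suggest "as some of them depend on the core packages". Also write the cross-reference as a self-closing element, xref linkend="openscap-installation" followed by "/>", and confirm that the Installation sect1 actually carries that xml:id, since it is not visible in this diff.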
Expand All @@ -665,18 +647,42 @@
<package>scap-security-guide</package> package need to be
installed on the local machine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SCAP Workbench</term>
<listitem>
<para>
A graphical user interface that can be used for scanning a single
machine, either local or remote (via SSH). Both the
<package>scap-workbench</package> and
<package>scap-security-guide</package> packages need to be
installed on the local machine. On the remote machine, the
<package>openscap-utils</package> package needs to be installed.
To understand the basic usage of <command>oscap</command>, run it
with the <command>-h</command> option:
</para>
<screen>&prompt.user;<command>oscap -h</command>

oscap

OpenSCAP command-line tool

Usage: oscap [options] module operation [operation-options-and-arguments]

Common options:
--verbose &lt;verbosity_level&gt; - Turn on verbose mode at specified verbosity level.
Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
--verbose-log-file &lt;file&gt; - Write verbose information into file.

oscap options:
-h --help - show this help
-q --quiet - quiet mode
-V --version - print info about supported SCAP versions

Commands:
ds - Data stream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format
cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures
cvrf - Common Vulnerability Reporting Framework
info - Print information about a SCAP file.

</screen>
<para>
To understand <literal>oscap</literal> in greater detail, read
its manual pages by running the <command>man oscap</command>.
</para>
</listitem>
</varlistentry>
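Review bot: in the new oscap paragraph, -h is tagged as <command>-h</command>; it is an option, so <option>-h</option> is the right element. "by running the <command>man oscap</command>" has a stray "the", and oscap is tagged <literal> in that sentence but <command> two paragraphs earlier; pick one. The pasted help output also keeps an empty line right after the command and before the closing screen tag, which renders as extra vertical space.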
Expand All @@ -691,6 +697,118 @@
remote machine, the <package>openscap-utils</package> package
needs to be installed.
</para>
<para>
To understand the basic usage of <command>oscap-ssh</command>,
run it with the <command>-h</command> option:
</para>
<screen>&prompt.user;<command>oscap -h</command>

oscap-ssh -- Tool for running oscap over SSH and collecting results.

Usage:

$ oscap-ssh user@host 22 info INPUT_CONTENT
$ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

Only source data streams are supported as INPUT_CONTENT!

supported oscap xccdf eval options are:
--profile
--tailoring-file
--tailoring-id
--cpe (external OVAL dependencies are not supported yet!)
--oval-results
--results
--results-arf
--report
--skip-valid
--skip-validation
--fetch-remote-resources
--local-files
--progress
--datastream-id
--xccdf-id
--benchmark-id
--remediate

$ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

supported oscap oval eval options are:
--id
--variables
--directives
--results
--report
--skip-valid
--skip-validation
--datastream-id
--oval-id

$ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

supported oscap oval collect options are:
--id
--syschar
--variables
--skip-valid
--skip-validation

specific option for oscap-ssh (must be first argument):
--sudo

To supply additional options to ssh/scp, define the SSH_ADDITIONAL_OPTIONS variable
For instance, to ignore known hosts records, define SSH_ADDITIONAL_OPTIONS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

specific option for oscap-ssh (must be first argument):

See `man oscap` to learn more about semantics of these options.

</screen>
<para>
To understand <literal>oscap-ssh</literal> in greater detail,
read its manual pages by running <command>man
oscap-ssh</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SCAP Workbench</term>
<listitem>
<para>
SCAP Workbench is a graphical user interface for &openscap;. You
can use it for convenience instead of using
<literal>oscap</literal>. For example, you can use SCAP Workbench
for scanning a single machine, either local or remote (via SSH).
</para>
<para>
To use SCAP Workbench, both the <package>scap-workbench</package>
and <package>scap-security-guide</package> packages need to be
installed on the local machine. On the remote machine, the
<package>openscap-utils</package> package needs to be installed.
</para>
<para>
To start SCAP Workbench, run the following command:
</para>
<screen>&prompt.user;<command>scap-workbench</command></screen>
<figure>
<title>SCAP Workbench</title>
<mediaobject>
<imageobject>
<imagedata fileref="scap-workbench.png" width="95%"/>
</imageobject>
<textobject role="description"><phrase>Start screen of SCAP Workbench</phrase>
</textobject>
</mediaobject>
</figure>
<tip>
<title>CLI usage of SCAP Workbench</title>
<para>
Although not recommended, you can invoke and perform certain
basic operations by using SCAP Workbench as a command-line
tool. To know more, read its manual page by running
<command>man scap-workbench</command>.
</para>
</tip>
</listitem>
</varlistentry>
</variablelist>
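Review bot: the screen introduced as the oscap-ssh help runs <command>oscap -h</command>, while the output beneath it is from oscap-ssh; change the command to oscap-ssh -h. The pasted output also carries the example SSH_ADDITIONAL_OPTIONS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null', which turns off SSH host key verification; in a hardening guide that deserves a sentence after the screen telling readers to leave host key checking enabled for real targets. The line "specific option for oscap-ssh (must be first argument):" appears twice, the second time with nothing under it, so trim it unless it is verbatim tool output. In the SCAP Workbench tip, "Although not recommended" gives no reason; either state why or drop the qualifier.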