Getting Started with OpenSCAP
The Security Content Automation Protocol, commonly known as SCAP, is a set of standards that enables automated vulnerability management, measurement and policy compliance evaluation of systems.
OpenSCAP is a free implementation of SCAP. The SCAP Security Guide, along with the SCAP components, can be used to automate continuous security management within an organization.
OpenSCAP is comprised of:
- SCAP Workbench, a tool that provides a graphical user interface for OpenSCAP.
- SCAP Scanner, an application that reads a SCAP security policy and checks whether the system is compliant or not.
- SCAP Content, the term for security policies in the SCAP realm; it is the centerpiece of any compliance strategy.
- Script Check Engine, which lets administrators write security content using a scripting language.
The following is a step-by-step guide to producing a report on an Ubuntu 18.04.2 LTS operating system:
1. Download and install OpenSCAP for Ubuntu
$ sudo apt-get install -y libopenscap8
2. Make sure the oscap tool has been correctly installed
$ oscap -V
3. Download the appropriate OVAL (Open Vulnerability and Assessment Language) definition file for the Operating System
$ wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml -O /tmp/com.ubuntu.bionic.cve.oval.xml
4. Check the integrity of the downloaded file
$ oscap info /tmp/com.ubuntu.bionic.cve.oval.xml
5. Run the analysis and output the reports in XML and HTML formats
$ oscap oval eval --results /tmp/results-bionic.xml --report /tmp/report-bionic.html /tmp/com.ubuntu.bionic.cve.oval.xml
The most important section of the HTML report is the one that gives the number of Non-Compliant/Vulnerable/Unpatched items (for instance, 656 in this report). The OVAL Definition Results section lists the Common Vulnerabilities and Exposures (CVE) entries found, each with a link to the description of the vulnerability.
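The same figures can be pulled from the XML results file written in step 5, which is useful for tracking the count between scans. The script below is an added example, not part of the original guide; it assumes the standard OVAL 5 results layout, and the embedded sample document, its definition ids, CVE numbers and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed, heavily trimmed stand-in for /tmp/results-bionic.xml.
# Ids, titles, CVE numbers and URLs are placeholders, not real entries.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition id="oval:example:def:1" class="vulnerability" version="1"><metadata>
   <title>CVE-0000-0001 on Ubuntu 18.04 LTS (bionic)</title>
   <reference source="CVE" ref_id="CVE-0000-0001" ref_url="https://example.invalid/CVE-0000-0001"/>
  </metadata></definition>
  <definition id="oval:example:def:2" class="vulnerability" version="1"><metadata>
   <title>CVE-0000-0002 on Ubuntu 18.04 LTS (bionic)</title>
   <reference source="CVE" ref_id="CVE-0000-0002" ref_url="https://example.invalid/CVE-0000-0002"/>
  </metadata></definition>
 </definitions></oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" version="1" result="true"/>
  <definition definition_id="oval:example:def:2" version="1" result="false"/>
 </definitions></system></results>
</oval_results>"""

def summarize(root):
    """Return (Counter of result values, sorted [(cve, title, url)] for result="true")."""
    meta = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        ref = d.find("def:metadata/def:reference", NS)
        meta[d.get("id")] = (
            ref.get("ref_id") if ref is not None else d.get("id"),
            d.findtext("def:metadata/def:title", default="", namespaces=NS),
            ref.get("ref_url", "") if ref is not None else "",
        )
    counts, findings = Counter(), []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        counts[r.get("result")] += 1
        if r.get("result") == "true":  # true on a class="vulnerability" definition = unpatched
            findings.append(meta.get(r.get("definition_id"), (r.get("definition_id"), "", "")))
    return counts, sorted(findings)

if __name__ == "__main__":
    import sys
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    counts, findings = summarize(root)
    print(dict(counts))
    for cve, title, url in findings:
        print(cve, title, url)
```

Run it with the path to the results file from step 5 as its only argument to summarize a real scan; with no argument it processes the embedded sample.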