Getting Started with OpenSCAP

The Security Content Automation Protocol, commonly known as SCAP, is a method of using specific standards to enable automated vulnerability management, measurement and policy compliance evaluation of systems.

OpenSCAP is a free implementation of SCAP. The SCAP Security Guide, together with the SCAP components, can be used to automate continuous security management within an organization.

OpenSCAP consists of:

  • SCAP Workbench, a tool that provides a graphical user interface for OpenSCAP.
  • SCAP Scanner, an application that reads a SCAP security policy and checks whether the system is compliant with it.
  • SCAP Content, the term for security policies in the SCAP realm. It is the centerpiece of any compliance strategy.
  • Script Check Engine, which lets administrators write security content in a scripting language.

The following is a step-by-step guide to producing a report on an Ubuntu 18.04.2 LTS system:

1. Download and install OpenSCAP for Ubuntu

$ sudo apt-get install -y libopenscap8

2. Make sure the oscap tool has been correctly installed

$ oscap -V

3. Download the appropriate OVAL (Open Vulnerability and Assessment Language) definition file for the Operating System

$ wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml -O /tmp/com.ubuntu.bionic.cve.oval.xml

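4. Check the integrity of the downloaded file. oscap info parses the file and prints its document type and metadata, which confirms that it is readable as an OVAL document; it does not verify where the file came from.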

$ oscap info /tmp/com.ubuntu.bionic.cve.oval.xml

5. Run the analysis and output the reports in XML and HTML formats

$ oscap oval eval --results /tmp/results-bionic.xml --report /tmp/report-bionic.html /tmp/com.ubuntu.bionic.cve.oval.xml

OVAL Results General Information

The most important part of the HTML report is the count of Non-Compliant/Vulnerable/Unpatched items (for instance, 656 in this report). The OVAL Definition Results section lists the Common Vulnerabilities and Exposures (CVE) entries found, each with a link to the description of the vulnerability.
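
The XML results file written in step 5 holds the same data as the HTML report, so the count and the CVE list can be extracted by a script for scheduled scans. The following is an added example, not part of the original guide: the function name summarize and the embedded sample document are constructed for illustration, and the element and attribute names are those of the OVAL 5 results and definitions schemas.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample, trimmed to the elements this script reads.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:example:def:1" class="vulnerability" version="1">
        <metadata><title>CVE-0000-0001 (constructed)</title>
          <reference source="CVE" ref_id="CVE-0000-0001"/></metadata>
      </definition>
      <definition id="oval:example:def:2" class="vulnerability" version="1">
        <metadata><title>CVE-0000-0002 (constructed)</title>
          <reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" result="true" version="1"/>
    <definition definition_id="oval:example:def:2" result="false" version="1"/>
  </definitions></system></results>
</oval_results>"""


def summarize(root):
    """Return (count per result value, sorted CVE ids of vulnerability definitions that are true)."""
    meta = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.get("class"), cves)
    counts, hits = {}, set()
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        result = r.get("result")
        counts[result] = counts.get(result, 0) + 1  # also surfaces "error" and "unknown"
        cls, cves = meta.get(r.get("definition_id"), (None, []))
        if result == "true" and cls == "vulnerability":
            hits.update(cves or [r.get("definition_id")])  # fall back to the OVAL id
    return counts, sorted(hits)


if __name__ == "__main__":
    # Pass /tmp/results-bionic.xml as the argument; with no argument the sample is used.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    counts, cves = summarize(root)
    print(counts, *cves, sep="\n")
    sys.exit(2 if cves else 0)  # non-zero exit lets a cron job or CI step alert
```

A definition of class vulnerability that evaluates to true means the system matches the vulnerable state; results of error or unknown appear in the counts and deserve a look, since they mean a check could not be decided.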