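OpenSCAP is an open-source SCAP implementation written in C/C++. It is essentially a way to use open standards for automated vulnerability management, measurement, and policy compliance evaluation.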


yum install openscap-scanner scap-security-guide



yum install gcc swig pkg-config xml2 libxml2-dev xsltproc libxslt-dev libgcrypt11-dev libpcre3-dev python-dev
cd openscap-1.2.10
./configure && make
make install



1. OpenSCAP Base

OpenSCAP Base provides a command line tool which enables various SCAP capabilities such as displaying the information about specific security content, vulnerability and configuration scanning, or converting between different SCAP formats.

Install: yum install openscap-scanner

2. OpenSCAP Daemon

The Daemon is a service that makes sure your machines and containers are evaluated according to the schedule.

Install: yum install openscap-daemon

3. SCAP Workbench

This user friendly graphical utility offers an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.

Install: yum install scap-workbench

4. SCAPtimony

SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony about the compliance of your infrastructure.

5. OSCAP Anaconda Add-on

An add-on for the installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to enforce a system’s compliance with the targeted security profile before the first boot.

6. SCAP Security Guide

OpenSCAP content primarily for Red Hat Enterprise Linux. The Security Guide provides practical hardening advice and links it to compliance requirements in order to ease deployment activities such as certification and accreditation.

The purpose of this project is to create open SCAP content for open source projects. "SCAP content" refers to documents in the XCCDF and OVAL formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs.

Install: yum install scap-security-guide


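# Generate an HTML security guide from scap-xccdf.xml
$ oscap xccdf generate guide scap-xccdf.xml > guide.html
# Convert the content of the Desktop profile in scap-xccdf.xml to HTML
$ oscap xccdf generate guide --profile Desktop scap-xccdf.xml > guide.html
# Generate an HTML report from the scan results in xccdf-results.xml
$ oscap xccdf generate report xccdf-results.xml > report.html
# Validate scap-xccdf.xml against the XCCDF schema
$ oscap xccdf validate-xml scap-xccdf.xml
# Scan the current system with the Desktop profile in scap-xccdf.xml and write the results to xccdf-results.xml
$ oscap xccdf eval --profile Desktop --results xccdf-results.xml scap-xccdf.xml
# Evaluate all OVAL definitions in scap-oval.xml and write the results to oval-results.xml
$ oscap oval eval --results oval-results.xml scap-oval.xml
# Evaluate only the definition oval:rhel:def:1000
$ oscap oval eval --id oval:rhel:def:1000 --results ovalresults.xml scap-oval.xml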

Scanning with SCAP Security Guide:

You can use the content with the oscap tool, the command line interface of the OpenSCAP scanner. Its purpose is to scan the local machine. A concrete security policy is selected by choosing a profile. You can display all available profiles by running the info command on the datastream, as in this example:

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

Then run the scan using:

oscap xccdf eval --profile selected_profile --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
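
To triage what such a scan found without opening the HTML report, the following added example (not part of the original page or of the OpenSCAP project) reads the rule-result entries of an XCCDF results file such as the one written by --results, and lists the rules that failed, errored or are unknown, most severe first. The sample document, its rule ids, and the names summarize, local, NEEDS_ATTENTION and SEVERITY_ORDER are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like the file written by `oscap xccdf eval --results`.
# The benchmark and rule ids are made up for illustration.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_grub_password" severity="low"><result>error</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_disable_usb" severity="low"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

NEEDS_ATTENTION = {"fail", "error", "unknown"}  # result values worth triaging
SEVERITY_ORDER = ["high", "medium", "low", "info", "unknown"]

def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 documents both match."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (Counter of result values, findings sorted by severity then rule id)."""
    counts, findings = Counter(), []
    for rr in ET.fromstring(xml_data).iter():
        if local(rr.tag) != "rule-result":
            continue
        texts = [c.text.strip() for c in rr if local(c.tag) == "result" and c.text]
        result = texts[0] if texts else "unknown"  # a missing <result> is treated as unknown
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            sev = rr.get("severity", "unknown")
            sev = sev if sev in SEVERITY_ORDER else "unknown"
            findings.append((sev, rr.get("idref", "?"), result))
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f[0]), f[1]))
    return counts, findings

if __name__ == "__main__":
    # Pass a results file path, or run with no argument to use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, findings = summarize(data)
    print(dict(counts))
    for sev, rule, result in findings:
        print(f"{sev:7} {result:7} {rule}")
    sys.exit(2 if findings else 0)  # non-zero exit lets a scheduled job flag findings
```

Because elements are matched by local name, the same function also picks up the XCCDF TestResult embedded in the file written by --results-arf.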