Introduction to OpenSCAP and Installation Instructions

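Vulnerability, Penetration, Injection 08/05
Summary:

OpenSCAP is an open-source SCAP implementation written in C/C++. OpenSCAP is essentially a way to implement automated vulnerability management, measurement, and policy compliance evaluation using open standards.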

Installing OpenSCAP:

yum install openscap-scanner scap-security-guide

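If installation with yum is not available, OpenSCAP has to be compiled and installed from source.

Latest source code from the official OpenSCAP website:

Download -> https://fedorahosted.org/releases/o/p/openscap/

Compiling and installing from source: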

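# Build dependencies (these are Debian/Ubuntu package names, for systems without yum)
apt-get install gcc swig pkg-config xml2 libxml2-dev xsltproc libxslt-dev libgcrypt11-dev libpcre3-dev python-dev
# Run from the unpacked source tree downloaded above
cd openscap-1.2.10
./configure && make
make install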



OpenSCAP components:


Source code -> https://github.com/OpenSCAP/

1. OpenSCAP Base

OpenSCAP Base provides a command line tool which enables various SCAP capabilities such as displaying the information about specific security content, vulnerability and configuration scanning, or converting between different SCAP formats.

Install: yum install openscap-scanner

2. OpenSCAP Daemon

The Daemon is a service that makes sure your machines and containers are evaluated according to the schedule.

Install: yum install openscap-daemon

3. SCAP Workbench

This user friendly graphical utility offers an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.

Install: yum install scap-workbench

4. SCAPtimony

SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony about compliance of your infrastructure.

5. OSCAP Anaconda Add-on

An add-on for the installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to enforce a system’s compliance with the targeted security profile before the first boot.

6. SCAP Security Guide

OpenSCAP content primarily for Red Hat Enterprise Linux. The Security Guide provides practical hardening advice and links it to compliance requirements in order to ease deployment activities such as certification and accreditation.

The purpose of this project is to create open SCAP content for open source projects. "SCAP content" refers to documents in the XCCDF and OVAL formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs.

Install: yum install scap-security-guide

Brief notes on commonly used commands:

# Convert scap-xccdf.xml into a readable guide.html
$ oscap xccdf generate guide scap-xccdf.xml > guide.html
# Convert the contents of the Desktop profile in scap-xccdf.xml to HTML
$ oscap xccdf generate guide --profile Desktop scap-xccdf.xml > guide.html
# Convert the xccdf-results.xml result file produced by a completed scan into a readable report.html
$ oscap xccdf generate report xccdf-results.xml > report.html
# Validate the syntax of the scap-xccdf.xml document
$ oscap xccdf validate-xml scap-xccdf.xml
# Scan the current system with the Desktop profile in scap-xccdf.xml and write the results to xccdf-results.xml
$ oscap xccdf eval --profile Desktop --results xccdf-results.xml scap-xccdf.xml
# Scan all checks in scap-oval.xml and write the results to oval-results.xml
$ oscap oval eval --results oval-results.xml scap-oval.xml
# Scan a single check in scap-oval.xml
$ oscap oval eval --id oval:rhel:def:1000 --results ovalresults.xml scap-oval.xml
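
The file written by `--results` can be triaged without opening the HTML report. The following is an added example, not code from the original article or from the OpenSCAP project; the sample XML and its rule ids are constructed, and elements are matched by local name so that both the XCCDF 1.1 and 1.2 namespaces are accepted.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like the TestResult section of an XCCDF results
# file; the ids are hypothetical and not taken from any real SCAP content.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="scap-xccdf">
  <TestResult id="constructed-result">
    <rule-result idref="rule-example-password-length" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="rule-example-no-telnet" severity="high"><result>pass</result></rule-result>
    <rule-result idref="rule-example-audit-enabled" severity="high"><result>error</result></rule-result>
    <rule-result idref="rule-example-gui-only" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Results meaning the rule did not demonstrably pass and needs a human look.
NEEDS_ATTENTION = {"fail", "error", "unknown"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Return (Counter of every result value, findings sorted by severity)."""
    root = ET.fromstring(xml_text)
    counts, findings = Counter(), []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        # A rule-result without a <result> child is treated as "unknown".
        result = next(((c.text or "").strip() for c in elem
                       if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            findings.append((elem.get("severity", "unknown"), elem.get("idref"), result))
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_RESULTS)
    print(dict(counts))
    for severity, rule_id, result in findings:
        print(f"{severity:8} {result:8} {rule_id}")
```

To use it on a real scan, pass the contents of xccdf-results.xml to summarize() in place of the constructed sample.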


Scanning with SCAP Security Guide:

You can use the content with the oscap tool, the command line interface of the OpenSCAP scanner. Its purpose is to scan the local machine. A concrete security policy is selected by choosing a profile. You can display all available profiles by running the info command on the datastream, as in this example:

oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

If you need help choosing a profile, see: https://www.open-scap.org/security-policies/choosing-policy/
Then run the scan using:

oscap xccdf eval --profile selected_profile --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml


OpenSCAP API and user manuals:

Address: http://static.open-scap.org/

User manual 1.0: http://static.open-scap.org/openscap-1.0/oscap_user_manual.html

User manual 1.2: http://static.open-scap.org/openscap-1.2/oscap_user_manual.html

