SCAP, the Security Content Automation Protocol, was proposed by NIST (National Institute of Standards and Technology). NIST also established a SCAP compatibility certification program for information security products.
SCAP comprises a Protocol and Content. The Protocol means that SCAP is built from a set of existing public standards, called SCAP Elements, and specifies how these Elements work together. Content refers to the data that is written with those Elements, following the Protocol's conventions, and used in actual checking work.
OpenSCAP consists of a toolset (oscap) and a baseline library (SSG); the toolset comprises the components listed below.
The default directory for the SSG XML content is /usr/share/xml/scap/ssg/content/. Content can also be obtained from the following repositories:
https://nvd.nist.gov/ncp/repository
https://oval.cisecurity.org/repository/download
Supported scan security types
Install OpenSCAP:
yum install openscap-scanner scap-security-guide
If yum installation is not available, OpenSCAP must be built and installed from source.
Latest source code from the official OpenSCAP website:
Download -> https://fedorahosted.org/releases/o/p/openscap/
Build and install from source:
yum install gcc swig pkg-config xml2 libxml2-dev xsltproc libxslt-dev libgcrypt11-dev libpcre3-dev python-dev
cd openscap-1.2.10
./configure && make
make install
Source repository -> https://github.com/OpenSCAP/
1. OpenSCAP Base
OpenSCAP Base provides a command line tool which enables various SCAP capabilities such as displaying the information about specific security content, vulnerability and configuration scanning, or converting between different SCAP formats.
Install: yum install openscap-scanner
2. OpenSCAP Daemon
The Daemon is a service that makes sure your machines and containers are evaluated according to the schedule.
Install: yum install openscap-daemon
3. SCAP Workbench
This user friendly graphical utility offers an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.
Install: yum install scap-workbench
4. SCAPtimony
SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony about the compliance of your infrastructure.
5. OSCAP Anaconda Add-on
An add-on for the installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to enforce a system's compliance with the targeted security profile before the first boot.
6. SCAP Security Guide
OpenSCAP content primarily for Red Hat Enterprise Linux. The Security Guide provides practical hardening advice and links it to compliance requirements in order to ease deployment activities such as certification and accreditation.
The purpose of this project is to create open SCAP content for open source projects. "SCAP content" refers to documents in the XCCDF and OVAL formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs.
Install: yum install scap-security-guide
Brief description of commonly used commands:
# Convert scap-xccdf.xml into a human-readable guide.html
$ oscap xccdf generate guide scap-xccdf.xml > guide.html
# Convert only the content of the Desktop profile in scap-xccdf.xml to HTML
$ oscap xccdf generate guide --profile Desktop scap-xccdf.xml > guide.html
# Convert the xccdf-results.xml result file produced by a scan into a human-readable report.html
$ oscap xccdf generate report xccdf-results.xml > report.html
# Validate the syntax of the scap-xccdf.xml document
$ oscap xccdf validate-xml scap-xccdf.xml
# Scan the current system with the Desktop profile of scap-xccdf.xml and write the results to xccdf-results.xml
$ oscap xccdf eval --profile Desktop --results xccdf-results.xml scap-xccdf.xml
# Scan all definitions in scap-oval.xml and write the results to oval-results.xml
$ oscap oval eval --results oval-results.xml scap-oval.xml
# Scan a single definition from scap-oval.xml
$ oscap oval eval --id oval:rhel:def:1000 --results oval-results.xml scap-oval.xml
Scanning with the SCAP Security Guide:
You can use the content with the oscap tool, the command line interface of the OpenSCAP scanner. Its purpose is to scan the local machine. A concrete security policy is selected by choosing a profile. You can display all available profiles by running the info command on the datastream, as in this example:
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
If you need help choosing a profile, see: https://www.open-scap.org/security-policies/choosing-policy/
Then run the scan using:
oscap xccdf eval --profile selected_profile --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
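A few lines of Python for reading the result files that the commands above produce, added here as an example that is not part of the original post or of the OpenSCAP project: it parses the xccdf-results.xml written by --results and, because it searches the whole tree for the TestResult element rather than assuming it is the root, the arf.xml written by --results-arf as well. It counts rule states, lists failing rules most severe first, and mirrors the exit-code convention of oscap itself (0 when nothing failed, 2 when at least one rule failed, with 1 reserved for errors) so that the summary can gate a CI job. The sample document, and every benchmark, profile and rule id in it, is constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of an "oscap xccdf eval --results" file
# (XCCDF 1.2 namespace). Benchmark, profile and rule ids are made up for
# this example; real SSG ids look like xccdf_org.ssgproject.content_rule_*.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo"
              start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <profile idref="xccdf_example_profile_Desktop"/>
    <target>host.example.invalid</target>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_file_permissions_etc_passwd" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events" severity="low">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def parse_test_result(xml_text):
    """Return profile, target, score and per-rule results of the first
    TestResult in the document. The {*} wildcard ignores the namespace, so
    XCCDF 1.1 and 1.2 results both work, and so does an ARF file, where the
    TestResult sits nested inside the asset-report wrapper."""
    root = ET.fromstring(xml_text)
    if root.tag.endswith("}TestResult") or root.tag == "TestResult":
        test_result = root
    else:
        test_result = root.find(".//{*}TestResult")
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")

    profile = test_result.find("{*}profile")
    score_el = test_result.find("{*}score")
    rules = []
    for rr in test_result.findall("{*}rule-result"):
        rules.append({
            "id": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("{*}result", default="unknown").strip(),
        })
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": (test_result.findtext("{*}target") or "").strip(),
        "score": float(score_el.text) if score_el is not None else None,
        "rules": rules,
    }


def summarize(parsed):
    """Count results per state and list failing rules, most severe first."""
    counts = Counter(r["result"] for r in parsed["rules"])
    failing = sorted(
        (r for r in parsed["rules"] if r["result"] == "fail"),
        key=lambda r: SEVERITY_ORDER.get(r["severity"], len(SEVERITY_ORDER)),
    )
    return counts, failing


def exit_status(parsed):
    """Mirror the oscap convention: 0 when no rule failed, 2 when at least
    one rule is fail or unknown (oscap itself returns 1 on an error)."""
    bad = any(r["result"] in ("fail", "unknown") for r in parsed["rules"])
    return 2 if bad else 0


def render(parsed):
    """Plain-text summary suitable for a CI log."""
    counts, failing = summarize(parsed)
    lines = [f"profile: {parsed['profile']}  target: {parsed['target']}  "
             f"score: {parsed['score']}"]
    lines.append("  ".join(f"{state}={n}" for state, n in sorted(counts.items())))
    lines.extend(f"FAIL [{r['severity']}] {r['id']}" for r in failing)
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass a real xccdf-results.xml or arf.xml as the first argument;
    # with no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESULTS
    parsed = parse_test_result(text)
    print(render(parsed))
    sys.exit(exit_status(parsed))
```

Run it as `python3 summarize_xccdf.py arf.xml` after the eval command above; the process exit code then carries the pass/fail outcome the same way oscap's does, which is convenient when the report.html is kept as an artifact but the job itself must fail on a failing rule.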
OpenSCAP API and user manuals:
Address: http://static.open-scap.org/
User manual 1.0: http://static.open-scap.org/openscap-1.0/oscap_user_manual.html
User manual 1.2: http://static.open-scap.org/openscap-1.2/oscap_user_manual.html