Manual installation of openSCAP and SCAP Security Guide

Step 1. Log into your server running CentOS 6.x. If a command does not work, run with sudo

Step 2. Add epel RPM repository CentOS 6

su -c 'rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm'

Alternatively:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Step 3. Install openSCAP

yum install -y openscap openscap-utils openscap-content

Step 4. Install SCAP Security Guide

yum install -y scap-security-guide

Running openSCAP system scan

Here’s an example of running openSCAP against the

cd ~/
oscap xccdf eval --profile usgcb-rhel6-server \
    --results ~/usgcb-rhel6-server.xml \
    --report ~/usgcb-rhel6-server.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml ; true

Command-line Arguments:

Optional arguments to the oscap command, either:

–profile PROFILE: Specifies a particular profile from the XCCDF document.

Profiles are determined by the Profile tag in the XCCDF XML file. Use the oscap command to see a list of profiles within a given XCCDF file, for example:

$ oscap info /usr/local/share/scap/dist_sles11_scap-sles11-oval.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Status: draft
Generated: 2011-10-12
Imported: 2012-11-15T22:10:41
Resolved: false
Profiles: SLES11-Default

If not specified, the default profile is used. Some early versions of OpenSCAP in require that you use the –profile option or the scan will fail.

–skip-valid: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.

Path to XCCDF Document:

This is a required field. The path parameter points to the XCCDF content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml