Professional Documents
Culture Documents
Oracle SCAP PDF
Oracle SCAP PDF
Oracle SCAP PDF
F28156-01
February 2020
Oracle Legal Notices
This software and related documentation are provided under a license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement
or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute,
exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or
decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find
any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of
the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any
programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial
computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental
regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any
operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be
subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
Government.
This software or hardware is developed for general use in a variety of information management applications. It is not
developed or intended for use in any inherently dangerous applications, including applications that may create a risk
of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to
take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation
and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous
applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used
under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD
logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a
registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and
services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an
applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any
loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as
set forth in an applicable agreement between you and Oracle.
Abstract
Oracle® Linux 8: Using OpenSCAP for Security Compliance describes tasks for using OpenSCAP to scan your
Oracle Linux system for security vulnerabilities to make them comply to security standards.
iii
iv
Preface
Oracle® Linux 8: Using OpenSCAP for Security Compliance describes how to use OpenSCAP tools
to inspect your Oracle Linux systems for security compliance by checking vulnerabilities to prevent the
system from risk of security breaches.
Audience
This document is intended for administrators who need to configure and administer Oracle Linux systems.
It is assumed that readers are familiar with web technologies and have a general understanding of using
the Linux operating system, including knowledge of how to use a text editor such as emacs or vim,
essential commands such as cd, chmod, chown, ls, mkdir, mv, ps, pwd, and rm, and using the man
command to view manual pages.
Related Documents
The documentation for this product is available at:
Conventions
The following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associated with an
action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for which
you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, code in
examples, text that appears on the screen, or text that you enter.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website
at
https://www.oracle.com/corporate/accessibility/.
v
vi
Chapter 1 Using OpenSCAP to Scan for Vulnerabilities
Table of Contents
1.1 About SCAP ................................................................................................................................. 1
1.2 Installing the SCAP Packages ....................................................................................................... 1
1.3 About the oscap Command .......................................................................................................... 2
1.4 Displaying Available SCAP Information .......................................................................................... 2
1.5 Displaying Information About a SCAP File ..................................................................................... 3
1.6 Displaying Available Profiles ......................................................................................................... 4
1.7 Validating OVAL and XCCDF Files ............................................................................................... 4
1.8 Running a Scan Against a Profile ................................................................................................. 4
1.9 Generating a Full Security Guide .................................................................................................. 6
1.10 Running an OVAL Auditing Scan ................................................................................................ 7
This chapter describes the OpenSCAP tool and how to use it to ensure that your systems comply to
security standards.
Oracle Linux provides the following SCAP packages for Oracle Linux 8:
For information about SCAP package features and other changes in Oracle Linux 8, see the release notes
for the various Oracle Linux 8 releases at https://docs.oracle.com/en/operating-systems/oracle-linux/8/.
1
About the oscap Command
Note
info Determines a file's type and prints information about the file.
The info, oval, and xccdf modules are the most generally useful for scanning Oracle Linux systems.
The operations that oscap can perform depend on the module type. For Oracle Linux systems, the
following operations are the most useful to run and using the oval and xccdf modules:
eval For an OVAL file, oscap probes the system, evaluates each definition
in the file, and then prints the results to the standard output.
For a specified profile in an XCCDF file, oscap tests the system against
each rule in the file and prints the results to the standard output.
generate For an OVAL XML results file, generate report converts the
specified file to an HTML report.
For an XCCDF file, generate guide outputs a full security guide for a
specified profile.
validate Validates an OVAL or XCCDF file against an XML schema to check for
errors.
2
Displaying Information About a SCAP File
The previous output shows that the file com.oracle.elsa-2019.xml is an OVAL definitions file.
Note
3
Displaying Available Profiles
In the previous output, one of the supported files is the Health Insurance Portability and Accountability Act
(HIPAA) profile.
Note
The profiles that are listed might not necessarily be appropriate to your system;
however, you can use them to create new profiles that test compliance with your
site's security policies.
The following example shows a scan operation that is run against the hipaa profile of the ssg-ol8-
xccdf.xml checklist by using the ssg-ol8-cpe-dictionary.xml CPE dictionary. The results are
4
Running a Scan Against a Profile
displayed in a terminal window, as well as saved in XML and HTML formats in the /tmp and /var/www/
html directories, respectively. Any rule in a profile that results in a fail potentially requires the system to
be reconfigured.
...
You can view the HTML report in a browser, as shown in the following figure.
5
Generating a Full Security Guide
You can view the security guide in a browser, as shown in the following figure.
6
Running an OVAL Auditing Scan
1. Download the file from https://linux.oracle.com/security by using either of the following methods:
7
Running an OVAL Auditing Scan
$ wget https://linux.oracle.com/security/oval/com.oracle.elsa-2019.xml.bz2
$ bzip2 -d com.oracle.elsa-2019.xml.bz2
Caution
The flags for the patches have meanings that are different from what you might
expect. For example, the true flag means that the patch has not been applied
to a system, while the false flag means that the patch has been applied.
Note
If you omitted the --report option in the command to audit the system, you can
still create the report later from the results file, for example:
8
Running an OVAL Auditing Scan
9
10