The Security Content Automation Protocol (SCAP) enables automated vulnerability scanning, measurement, and policy compliance evaluation of systems, using a set of specific standards managed by NIST.
It was created to provide a standardized approach to maintain the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
OpenSCAP is a free implementation of SCAP. The SCAP Security Guide along with SCAP components can be utilized in order to automate continuous security management within an organization.
Almost every OS vendor, including Red Hat, Ubuntu, and Oracle, supports SCAP, so you can use OpenSCAP to get an overview of which security vulnerabilities are on your system. Every OS vendor provides an OVAL (Open Vulnerability and Assessment Language) XML file, which can be used in combination with OpenSCAP to get a quick overview of a system.
The following is a step-by-step guide to producing a report on an Ubuntu system based on the Ubuntu OVAL data.
Download and install OpenSCAP for Ubuntu:
$ sudo apt install libopenscap8
Verify the oscap tool:
$ oscap -V
Download Ubuntu OVAL:
$ wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
Uncompress the data:
$ bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
Check the integrity of the OVAL XML:
$ oscap info com.ubuntu.$(lsb_release -cs).usn.oval.xml
Use OpenSCAP to evaluate OVAL against localhost and generate an HTML report:
$ oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
Lastly, open report.html with any browser.
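For hosts without a browser, the same evaluation can be read by a script. The following is an added example, not part of the original guide: it assumes the evaluation was also run with oscap's --results option (for instance --results results.xml) and lists every definition whose result is true, error or unknown, so that failed checks are not mistaken for a clean host. The sample document, its ids and its titles are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# OVAL result values that are not a clean pass and should be reviewed.
REVIEW = ("true", "error", "unknown")

# Constructed sample in the OVAL results layout; ids and titles are placeholders.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
   <definition id="oval:example:def:1" version="1" class="patch">
    <metadata><title>USN-EXAMPLE-1 -- pkg-a vulnerabilities</title></metadata>
   </definition>
   <definition id="oval:example:def:2" version="1" class="patch">
    <metadata><title>USN-EXAMPLE-2 -- pkg-b vulnerability</title></metadata>
   </definition>
   <definition id="oval:example:def:3" version="1" class="patch">
    <metadata><title>USN-EXAMPLE-3 -- pkg-c vulnerability</title></metadata>
   </definition>
  </definitions>
 </oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" version="1" result="true"/>
  <definition definition_id="oval:example:def:2" version="1" result="false"/>
  <definition definition_id="oval:example:def:3" version="1" result="error"/>
 </definitions></system></results>
</oval_results>"""

def findings(root):
    """Return (result, definition_id, title) for every definition needing review."""
    titles = {d.get("id"): d.findtext("def:metadata/def:title", "", NS).strip()
              for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS)}
    out = []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") in REVIEW:
            did = r.get("definition_id")
            out.append((r.get("result"), did, titles.get(did, "(no title)")))
    return sorted(out, key=lambda f: (REVIEW.index(f[0]), f[1]))

if __name__ == "__main__":
    # With no argument the constructed SAMPLE is used; otherwise pass results.xml.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    rows = findings(root)
    for result, did, title in rows:
        print(f"{result:8} {did}  {title}")
    sys.exit(1 if rows else 0)  # non-zero exit lets cron or CI flag the host
```

A result of true means the definition's criteria matched on the scanned host; error and unknown mean the check could not be completed and should be re-run or investigated.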