----- Original Message -----
> From: "Sachin Vyas" <sachin_vya...@yahoo.com>
> To: "Open-scap-list" <open-scap-list@redhat.com>, "Marek Haicman" 
> <mhaic...@redhat.com>
> Sent: Friday, August 24, 2018 1:07:31 PM
> Subject: Re: [Open-scap] How to list available SCAP profiles using oscap
> 
> Hi Marek,
> 
> Thank you for the quick response.
> 
> I want to use one particular profile, not all of them, and not "any" of them
> but I want to list all the available profiles available on machine and then
> select one of them, so was looking for an option.
> Using $ oscap info or $ oscap info --profiles gives error stating
>  some-file.xml is required. As per oscap man page, info requires
> any-scap-file.xml but I was looking for option to list all the profiles
> without specifying the any-scap-file.xml file.

Hello!

So OpenSCAP (oscap) is a scanner which supports the SCAP format. While
OpenSCAP (the scanner) and SCAP Security Guide are coupled in several
regards, we don't mandate use of SSG with the oscap scanner, and
don't restrict SSG usage to only being run under oscap. Indeed, oscap
lets you scan with _any_ content, and there are third party vendors who
provide SCAP formatted content.

That in mind... oscap has no specific knowledge of where SSG content is
installed, as it might depend on how it is installed (through the
repositories, which distribution it is currently running on, etc.). The
other factor to consider here is what SSG calls "products". RHEL6,
RHEL7, Fedora, and Debian 8 are all examples of products in SSG. While,
e.g., scanning a RHEL7 machine against RHEL6 content wouldn't be a good
idea, it would make sense to run `oscap info --profiles rhel6` on a
RHEL7 machine, especially if building SSG or testing commands.

Also, profiles differ between RHEL7, Fedora, RHEL6, etc... And they
are product specific.

So I think you'll have to pass the xml path. :/


I'm not completely familiar with the argument parsing logic in oscap,
but if you want to dive in and try and make the XML default to a sane,
platform-specific value, we're happy to try it out... but we might need
to keep an eye out for Debian-like and other RPM based distributions to
see where content is installed. It's probably fairly tricky. Also,
we're trying to make sure upstream supports Windows and macOS so that adds
another layer of complexity..... 


Yeah, TL;DR: it is usually easier as the sys-admin to pass in the correct 
XML path than it is for oscap to maintain default parsing logic.


What's your use case though for querying profiles without passing the XML?
You'll need the XML for doing anything else with oscap usually too...


-- Alex


> 
> Sachin
> 
> 
>    On Friday, August 24, 2018, 9:58:57 PM GMT+5:30, Marek Haicman
>    <mhaic...@redhat.com> wrote:
>  
>  On 08/24/2018 06:06 PM, Sachin Vyas wrote:
>  > Hi,
>  >
>  > Greetings.
>  >
>  > I need to perform OpenSCAP scan in an automated manner using command
>  > line tool 'oscap' on a RHEL 6.5 machine but not able to find a way to
>  > list all the available profiles ( installed by scap-security-guide rpm
>  > package ). Is it possible to list all the available profiles on a RHEL
>  > 6.5 machine using oscap or by constructing a os command so that I can
>  > choose one of the available profiles and feed it into oscap and perform
>  > the scan.
>  >
>  > Thanks
> 
> Hello Sachin,
> I am slightly confused. I have just checked, and there is no
> scap-security-guide rpm for RHEL 6.5. Package was first shipped in
> RHEL6.6, and in RHEL6.5 there has been openscap-content rpm that had one
> profile only.
> 
> For the list of profiles, you can use `oscap info` (in newest versions
> of openscap it's even more convenient: `oscap info --profiles`). But
> anyway I would strongly suggest to not automate profile selection. What
> you want to use is one particular profile, not all of them, and not
> "any" of them. But maybe there is a use case - can you clarify why
> you need to automate profile picking?
> 
> Marek
>   
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
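
An added example, not part of the thread and not OpenSCAP or SSG code: since oscap does not know where content is installed, a small script can enumerate the XCCDF `Profile` elements in every SCAP XML file under a content directory, keeping the per-file (per-product) grouping the reply describes. It reads the XML directly instead of calling oscap; the default directory is an assumption about where scap-security-guide packages usually install content, and the function names and sample document are constructed for illustration.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Assumption: usual scap-security-guide location on RHEL/Fedora; other
# distributions and platforms may install content elsewhere.
DEFAULT_CONTENT_DIR = "/usr/share/xml/scap/ssg/content"

# Constructed sample (not real SSG content): a datastream wrapping one benchmark.
SAMPLE = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
 <ds:component><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_baseline"><title>Example  baseline</title></Profile>
  <Profile id="xccdf_example_profile_strict"><title>Example strict</title></Profile>
 </Benchmark></ds:component>
</ds:data-stream-collection>"""

def _local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 both match."""
    return tag.rsplit("}", 1)[-1]

def profiles_in_root(root):
    """Return [(profile_id, title)] for every XCCDF Profile below root."""
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "Profile":
            continue
        title = next((c.text or "" for c in elem if _local(c.tag) == "title"), "")
        found.append((elem.get("id"), " ".join(title.split())))
    return found

def list_profiles(content_dir=DEFAULT_CONTENT_DIR):
    """Map each SCAP XML file in content_dir to the profiles it defines."""
    result = {}
    for path in sorted(glob.glob(os.path.join(content_dir, "*.xml"))):
        try:
            profiles = profiles_in_root(ET.parse(path).getroot())
        except ET.ParseError:
            continue  # not well-formed XML: skip it, keep listing the rest
        if profiles:  # OVAL/CPE-only files define no profiles
            result[path] = profiles
    return result

if __name__ == "__main__":
    # Fall back to the constructed sample when no content is installed.
    listing = list_profiles() or {"(constructed sample)": profiles_in_root(ET.fromstring(SAMPLE))}
    for path, profiles in listing.items():
        print(path, *("  %s  (%s)" % p for p in profiles), sep="\n")
```

The profile id chosen from this listing still has to be passed to oscap together with the path of the file it came from, because the same id can exist in several products' content.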