Feature Highlights
-
XCCDF 1.1 and 1.2 support
-
Source DataStream 1.2 support
-
XCCDF 1.2 Tailoring file support
-
Evaluation of local machine
-
Evaluation of remote machine (using SSH)
-
Limited tailoring support - selection and unselection
-
Saving results as XCCDF 1.1 or 1.2 (depending on input) or ARF 1.1
-
Loading content bundle from RPM
-
Exporting content bundle as RPM or into a folder
Requirements
Build Dependencies
-
cmake >= 2.6
-
Qt4 (Core, GUI, XmlPatterns)
-
openscap >= 1.0.9
-
cmake-gui [optional]
Runtime Dependencies (workbench machine)
-
setsid
-
nice
-
ssh and scp (if you want remote scanning)
Runtime Dependencies (evaluated machine)
-
oscap >= 0.8.0
Installation
- From package repository (YUM)
-
# yum install scap-workbench
- From package repository (APT)
-
# apt-get install scap-workbench
- From source
-
-
$ mkdir build ; cd build
-
$ cmake ../
-
$ make
-
# make install
-
- From source (custom options)
-
-
$ mkdir build ; cd build
-
$ cmake-gui ../
-
(select appropriate options in cmake-gui)
-
$ make
-
# make install
-
Typical Use Case
Let us go over a common use case. Any section marked (optional) can be skipped if you do not need the feature explained in it.
Obtain SCAP content
Even before we start the workbench we need to find content to open. Probably the best choice right now is scap-security-guide [3].
- From the package repository (YUM)
-
# yum install scap-security-guide
- From the package repository (APT)
-
# apt-get install scap-security-guide
- From upstream source (for advanced users or content developers)
-
-
$ git clone https://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide
-
$ make
-
Alternative SCAP content (optional)
-
USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
-
SCE Community Content - Uses SCE, only suitable for Fedora.
Start scap-workbench
After installation a new application entry for scap-workbench should appear in your desktop environments application menu.
In case you cannot find any scap-workbench application icon / entry to click, press Alt+F2 to bring up the run command dialog (works in Gnome 3 and KDE 4), type 'scap-workbench' and confirm.
scap-workbench should start and if you installed scap-security-guide from your package repository, workbench will immediately open it without any interaction being necessary.
Open Different Content (optional)
Choosing the Open content action from the File menu (top of the main window) will enable you to change opened content. Keep in mind that workbench only supports opening XCCDF, Source DataStream or SCAP RPM files. Everything else will result in an error dialog being shown.
If your content provider ships both XCCDF and Source DataStream files you are better off using Source DataStream. Especially if you want to perform remote scans where workbench only supports datastreams so far.
SCAP RPM will usually contain a tailoring file, as well as input file in the form of XCCDF or Source DataStream.
To prevent workbench from opening default content when it starts you can either uninstall the content or pass a different path via command line.
scap-workbench PATH_TO_SCAP_CONTENT
See alternative contents for more content choices.
Load a Ready-Made Tailoring File (optional)
In case you have prepared or were given a tailoring file for your specific evaluation use-case, you can load by clicking on the Tailoring file combobox and selecting the (open tailoring file…) option. This will bring up a file open dialog where you can select your tailoring file.
Choose a Profile
All SCAP content has at least one profile - the (default) profile which is an empty profile that does not change selection of any rules and does not affect values passed to any of the checks. Only rules with the selection attribute equal to "true" and all their ancestor xccdf:Group selection attribute also being "true" are evaluated in a (default) profile.
It depends on the content, but the (default) profile is unlikely to be the choice you want. scap-workbench will only choose it implicitly if there are no other profiles. The first profile that is not the (default) profile will be chosen.
Use the Profile combobox to change which profile will be used for subsequent evaluation. When scap-workbench is not evaluating, it previews selected rules of the current profile. This list will refresh every time you customize a profile or select a different one.
Customize the Selected Profile (optional)
After you have selected the profile suitable for your desired evaluation, you still may want to make slight alterations to it. Most commonly, it would be unselecting that one undesirable rule that makes no sense on this particular machine.
Make sure your desired profile is selected and click Customize.
In case the tailoring action will create a new profile you will be presented with a dialog that lets you choose an ID for that new profile. Choose the ID wisely, you may need it later.
A new modal window will be shown, you cannot interact with the rest of the application until you either confirm or discard your tailoring changes.
In the example case, we do not care about minimum and maximum age for passwords and do not want the rules failing for our configuration. Let us expand the tree until we find the offending rules and unselect them both.