Feature Highlights
- XCCDF 1.1 and 1.2 support
- Source DataStream 1.2 support
- XCCDF 1.2 Tailoring file support
- Evaluation of local machine
- Evaluation of remote machine (using ssh)
- Limited tailoring support - selection and unselection
- Saving results as XCCDF 1.1 or 1.2 (depending on input) or ARF 1.1
Requirements
Build Dependencies
- cmake >= 2.6
- Qt4 (Core, GUI, XmlPatterns)
- openscap >= 0.9.12
- cmake-gui [optional]
- Qt4 (WebKit) [optional]
Runtime Dependencies (workbench machine)
- setsid
- nice
- ssh and scp (if you want remote scanning)
Runtime Dependencies (evaluated machine)
- oscap >= 0.8.0
Installation
- From package repository (YUM)
    # yum install scap-workbench
- From package repository (APT)
    # apt-get install scap-workbench
- From source
    $ mkdir build ; cd build
    $ cmake ../
    $ make
    # make install
- From source (custom options)
    $ mkdir build ; cd build
    $ cmake-gui ../
    $ make
    # make install
Typical Use Case
Let us go over a common use case. If any section is marked (optional) it can be skipped if you do not need the feature explained in it.
Obtain SCAP content
Even before we start the workbench we need to find content to open. Probably the best choice right now is scap-security-guide [3].
- From the package repository (YUM)
    # yum install scap-security-guide
- From the package repository (APT)
    # apt-get install scap-security-guide
- From upstream source (not recommended!)
    $ git clone https://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide
    $ make
Alternative SCAP content (optional)
- USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
- SCE Community Content - Uses SCE, only suitable for Fedora.
Start scap-workbench
After installation, a new application entry for scap-workbench should appear in your desktop environment's application menu.
In case you cannot find any scap-workbench application icon or entry to click, press Alt+F2 to bring up the run command dialog (works in Gnome 3 and KDE 4), type scap-workbench and confirm.
scap-workbench should start, and if you installed scap-security-guide from your package repository, workbench will immediately open it without any interaction being necessary.
Open Different Content (optional)
Clicking Browse lets you change the opened content. Keep in mind that workbench only supports opening XCCDF and Source DataStream files. Everything else will result in an error dialog being shown.
To prevent workbench from opening the default content when it starts, you can either uninstall that content or pass a different path on the command line:
    scap-workbench PATH_TO_SCAP_CONTENT
See alternative contents for more content choices.
Load a Ready-made Tailoring File (optional)
In case you were given a tailoring file for your specific evaluation use case, you can load it by clicking on the Tailoring file combobox and selecting the (open tailoring file…) option. This will bring up a file open dialog where you can select your tailoring file.
Choose a Profile
Every SCAP content will have at least one profile: the (default) profile, which is an empty profile that does not change the selection of any rules and does not affect values passed to any of the checks. In the (default) profile, a rule is evaluated only if its selection attribute is "true" and the selection attribute of every ancestor Group is also "true".
The (default) profile is very unlikely to be the choice you want, though, so scap-workbench will only choose it implicitly if there are no other profiles. By default, the first profile that is not the default profile will be chosen.
Use the Profile combobox to change which profile will be used for subsequent evaluation. When scap-workbench is not evaluating, it previews the selected rules of the current profile in the list labeled Selected Rules. This list will refresh every time you customize a profile or select a different one.
Customize the Selected Profile (optional)
After you have selected the profile suitable for your desired evaluation, you may still want to make slight alterations to it. Most commonly this means deselecting the one undesirable rule that makes no sense on this particular machine.
Make sure your desired profile is selected and click Customize.
A new modal dialog will be spawned. You cannot interact with the rest of the application until you finish your tailoring changes.
In our example case we do not care about minimum and maximum age for passwords and do not want the rules failing for our configuration. Let us expand the tree until we find the offending rules and unselect both of them.
After desired tailoring changes are done, click Finish tailoring to get back to the previous GUI.
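The selection rule from Choose a Profile and the effect of unselecting rules in a tailoring file, worked through in Python as an added example (not scap-workbench or openscap code). The benchmark and tailoring fragments and all ids in them are constructed; in XCCDF the attribute is named `selected` and defaults to true.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Constructed XCCDF 1.2 fragments (hypothetical ids, not scap-security-guide content).
BENCHMARK = ET.fromstring("""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="server">
    <select idref="pw_max_age" selected="true"/>
    <select idref="pw_min_age" selected="true"/>
    <select idref="legacy" selected="false"/>
  </Profile>
  <Group id="accounts">
    <Rule id="pw_max_age" selected="false"/>
    <Rule id="pw_min_age" selected="false"/>
    <Rule id="no_empty_pw"/>
  </Group>
  <Group id="legacy"><Rule id="telnet_off" selected="true"/></Group>
</Benchmark>""")
# Constructed tailoring: extends "server" and unselects the two password-age rules.
TAILORING = ET.fromstring("""<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="server_tailored" extends="server">
    <select idref="pw_max_age" selected="false"/>
    <select idref="pw_min_age" selected="false"/>
  </Profile>
</Tailoring>""")

def is_true(value):
    return value in ("true", "1")  # xsd:boolean lexical forms

def overrides_for(profile_id, *docs):
    """Merge <select> elements along the `extends` chain, base profile first."""
    profiles = {p.get("id"): p for d in docs for p in d.iter(NS + "Profile")}
    chain = []
    while profile_id:
        chain.append(profiles[profile_id])
        profile_id = chain[-1].get("extends")
    return {s.get("idref"): is_true(s.get("selected"))
            for p in reversed(chain) for s in p.findall(NS + "select")}

def evaluated_rules(benchmark, overrides=None):
    """Rules that are selected and whose ancestor Groups are all selected."""
    overrides, result = overrides or {}, []
    def walk(node, ancestors_selected):
        for item in node:
            selected = overrides.get(item.get("id"), is_true(item.get("selected", "true")))
            if item.tag == NS + "Group":
                walk(item, ancestors_selected and selected)
            elif item.tag == NS + "Rule" and ancestors_selected and selected:
                result.append(item.get("id"))
    walk(benchmark, True)
    return result
```

With no overrides the function models the (default) profile; note that telnet_off drops out under the "server" profile only because its parent Group is unselected.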
Save tailored content (optional)
The content that you carefully tailored can be saved for later deployment.
Save just the tailoring file
Click Save Tailoring and choose the destination file. Workbench will save just the tailoring file, which you can use with the content you opened.
Save all content into a directory
Click Save content and choose Save into a directory. After selecting the destination directory scap-workbench will export both input content and a tailoring file into the directory.
Save as RPM
Click Save content and choose Save as RPM. After selecting the destination directory scap-workbench will create an RPM in that directory. This RPM will contain both input content and a tailoring file.
Choose the Target Machine
scap-workbench will scan the local machine by default. However, you can also scan remote machines using ssh.
To scan a remote machine, select remote machine (over ssh) in the Target combobox. A pair of input boxes will appear. Input the desired username and hostname and select the proper port. Make sure the machine is reachable and that the selected user can log in over ssh and has enough privileges to evaluate the machine.
Enable Online Remediation (optional)
The Online Remediation checkbox will do remediation as part of the evaluation itself. After evaluation is done, oscap will go over failed rules and attempt to remedy each of them.
The rules that were remedied will show up as fixed in the rule result list.
Evaluate
Everything is set up now, so we can start the evaluation. Click the Scan button to start evaluation. If you selected a remote machine target, ssh may ask you for a password at this point.
If you selected to scan the local machine, workbench will show a dialog that allows you to authenticate and scan the machine with superuser rights. You can click cancel if you wish to scan using your current permissions.
The application now starts the oscap tool and waits for it to finish, reporting partial results along the way in the rule result list. Keep in mind that the tool cannot guess how long processing of any particular rule will take. Only the number of rules that have been processed and the number remaining are used to estimate progress. Please be patient and wait for oscap to finish evaluation.
After you press the Scan button all the previous options will be disabled and greyed-out. You cannot change them until you press the Clear button which will drop all results.
View and Analyze Results
After evaluation finishes you should see two new buttons - Clear and Results.
Pressing Results will bring up a new window. In case scap-workbench was compiled with WebKit support you should see the HTML report right in the application. Otherwise, press Open HTML report to open the report using your internet browser.
Your evaluation results can be saved in several formats:
- HTML report
    Human readable and convenient, not suitable for machine processing. Can be examined by any web browser.
- XCCDF result
    Machine readable file with just the results, not suitable for manual processing. Requires a special tool that can parse the format.
- ARF
    Also called result datastream. Packs input content, asset information and results into a single machine readable file, not suitable for manual processing. Requires a special tool that can parse the format.
If you are unsure which format to choose for result archiving you can choose Save XCCDF Result. It is commonly supported and you can easily generate an HTML report from it using the oscap tool.
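A minimal reader for the two machine-readable formats above, as an added Python example (not part of scap-workbench or openscap). It finds TestResult elements in either XCCDF namespace, whether the file is a plain XCCDF result or an ARF wrapper; the sample document and ids are constructed, and treating fail, error and unknown as "needs review" is this example's assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# XCCDF 1.1 and 1.2 namespaces; results are saved in whichever the input used.
XCCDF_NAMESPACES = ("http://checklists.nist.gov/xccdf/1.1",
                    "http://checklists.nist.gov/xccdf/1.2")
# Assumption of this example: these outcomes need a human to look at them.
NEEDS_REVIEW = {"fail", "error", "unknown"}

# Constructed ARF 1.1 fragment wrapping an XCCDF 1.2 TestResult (hypothetical ids).
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="demo_result">
      <rule-result idref="pw_max_age"><result>fail</result></rule-result>
      <rule-result idref="no_empty_pw"><result>pass</result></rule-result>
      <rule-result idref="sshd_root_login"><result>fixed</result></rule-result>
      <rule-result idref="telnet_off"><result>notselected</result></rule-result>
      <rule-result idref="audit_rules"><result>error</result></rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""

def rule_results(xml_text):
    """Map result value -> rule ids, from a bare XCCDF result or an ARF file."""
    root = ET.fromstring(xml_text)
    by_result = defaultdict(list)
    for ns in XCCDF_NAMESPACES:
        for test_result in root.iter("{%s}TestResult" % ns):
            for rr in test_result.iter("{%s}rule-result" % ns):
                # A rule-result without a <result> child is counted as unknown.
                outcome = rr.findtext("{%s}result" % ns, default="unknown").strip()
                by_result[outcome].append(rr.get("idref"))
    return dict(by_result)

def needs_review(by_result):
    """Rule ids whose outcome is fail, error or unknown, in sorted order."""
    return sorted(r for k in NEEDS_REVIEW for r in by_result.get(k, []))
```

Rules remedied by Online Remediation appear under the "fixed" key, separate from "pass".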
Notable shortcuts
Main Window
- Browse: Alt + B
- Scan: Alt + S
- Clear after scanning: Alt + C
- Show report: Alt + R
Evaluation Report
- Open in Browser: Alt + O
Where to Get Help?
You can ask for help with the application using:
- #openscap channel on irc.freenode.net
It is recommended to join the openscap mailing list as well for SCAP specific discussions.
In case you have found a bug, do not hesitate to submit it (requires a Fedora FAS account). Make sure you provide as many details as possible, including your distribution, architecture, openscap, scap-workbench and Qt versions and any output scap-workbench writes to stderr.