logo

SCAP Workbench is a tool that can open XCCDF [1] or SDS [2] files and allows the user to evaluate either local or remote machine using the content in the opened file.

Feature Highlights

intro screenshot

  • XCCDF 1.1 and 1.2 support

  • Source DataStream 1.2 support

  • XCCDF 1.2 Tailoring file support

  • Evaluation of local machine

  • Evaluation of remote machine (using SSH)

  • Limited tailoring support - selection, unselection and set value

  • Saving results as XCCDF 1.1 or 1.2 (depending on input) or ARF 1.1

  • Loading content bundle from RPM

  • Exporting content bundle as RPM or into a folder

Requirements

Build Dependencies

  • cmake >= 2.6

  • Qt4 (Core, GUI, XmlPatterns)

  • openscap >= 1.2.11

  • cmake-gui [optional]

Runtime Dependencies (workbench machine)

  • setsid

  • nice

  • ssh and scp (if you want remote scanning)

Runtime Dependencies (evaluated machine)

  • oscap >= 0.8.0

Installation

From package repository (YUM)

# yum install scap-workbench

From package repository (APT)

# apt-get install scap-workbench

From source

  1. $ mkdir build ; cd build

  2. $ cmake ../

  3. $ make

  4. # make install

From source (custom options)

  1. $ mkdir build ; cd build

  2. $ cmake-gui ../

  3. (select appropriate options in cmake-gui)

  4. $ make

  5. # make install

Typical Use Case

Let us go over a common use case. Any section marked (optional) can be skipped if you do not need the feature explained in it.

Obtain SCAP content

Even before we start the workbench we need to find content to open. Probably the best choice right now is scap-security-guide [3].

It is possible that scap-security-guide has already been installed on your system as a dependency of scap-workbench. If it isn’t, install it:

From the package repository (YUM)

# yum install scap-security-guide

From the package repository (APT)

# apt-get install scap-security-guide

From upstream source (for advanced users or content developers)

  1. $ git clone https://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide

  2. $ make

Alternative SCAP content (optional)

Start SCAP Workbench

After installation a new application entry for SCAP Workbench should appear in your desktop environments application menu.

starting scap workbench
Figure 1. SCAP Workbench application entry in GNOME 3

In case you cannot find any SCAP Workbench application icon / entry to click, press Alt+F2 to bring up the run command dialog (works in Gnome 3 and KDE 4), type 'scap-workbench' and confirm.

SCAP Workbench should start and if you installed scap-security-guide from your package repository, workbench will immediately open a dialog letting you choose which SSG variant you want to open.

ssg integration
Figure 2. SSG integration dialog

For the remainder of this guide let us assume that you chose Fedora. All the instructions are similar on other variants.

default content opened
Figure 3. Fedora SSG content opened in workbench

Open Different Content (optional)

Clicking Open Other content in the SSG integration dialog or choosing the Open Other content action from the File menu (top of the main window) will enable you to change opened content. Keep in mind that workbench only supports opening XCCDF, Source DataStream, SCAP RPM files or their bzip2 variants. Everything else will result in an error dialog being shown.

If your content provider ships both XCCDF and Source DataStream files you are better off using Source DataStream. Especially if you want to perform remote scans where workbench only supports datastreams so far.

SCAP RPM will usually contain a tailoring file, as well as input file in the form of XCCDF or Source DataStream.

Only one content file can be opened by a single SCAP Workbench instance. Opening a different content file will DESTROY all your customization changes and you will also LOSE profile selection.

The one content file however can contain multiple checklists if it is a datastream. Changing the checklist will CHANGE profile selection and MAY make your customization unusable / not applicable to the newly selected checklist.

As a general rule, make sure you have the right file and right checklist selected before proceeding to customization and/or profile selection.

To prevent workbench from opening default content when it starts you can either uninstall the content or pass a different path via command line.

scap-workbench PATH_TO_SCAP_CONTENT

See alternative contents for more content choices.

If you pass a path that is invalid or points to a file that is not valid XCCDF or SDS, workbench will show an error dialog and open default content automatically.

Load a Ready-Made Customization (XCCDF tailoring file) (optional)

In case you have prepared or were given a tailoring file for your specific evaluation use-case, you can load by clicking on the Customization combobox and selecting the (open customization file…​) option. This will bring up a file open dialog where you can select your customization file (XCCDF tailoring file).

Loading a customization file will DESTROY all your customization changes that you have done either by customizing profiles or loaded from another customization file.

Only XCCDF 1.2 supports tailoring officially. The OpenSCAP project has an extension that allows tailoring files to be used with XCCDF 1.1 so SCAP Workbench supports that as well. The details are out of scope of this document but keep in mind that tailoring of an XCCDF 1.1 file might not work with scanners other than openscap.