I would like to test a CentOS system with OpenSCAP run from my Windows PC. The problem is that I can ssh to the CentOS with keyfile only, as per company policy. I did not find whether SCAP workbench supports this. Can it be done or I need ssh password?
At least on scap-workbench 1.2.1 you can run the scan with
Dry run
toggled and this will give you the command line to be executed for the scan. With this command line you can override ssh options using the variable as seen in the oscap-ssh help:To supply additional options to ssh/scp, define the SSH_ADDITIONAL_OPTIONS variable For instance, to ignore known hosts records, define SSH_ADDITIONAL_OPTIONS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
And from ssh options you can use the option
-i identity_file
to provide the filepath of the private key you want to use for authentication.In the end you will have something like:
$ export SSH_ADDITIONAL_OPTIONS='-i /path/to/private/key'
$ oscap-ssh [email protected] 22 xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml --xccdf-id scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_ospp --oval-results --results /tmp/xccdf-results.xml --results-arf /tmp/arf.xml --report /tmp/report.html /tmp/scap-workbench-XDOICh/ssg-fedora-ds.xml