Running OpenSCAP Base

The OpenSCAP Base tool provides the fundamentals required to scan a single Linux machine and report on its compliance against a given policy. It consists of two components, and it is a prerequisite for some of the other tools we will look at in the following subsections.

The first component of this tool is a command-line utility called oscap. This tool can be run on the local machine using an appropriate security policy and profile to produce a report of compliance. The report is generated in HTML and so although the process of report creation is very much manual, the final report is very easy to read and so is well suited for sending to a security or compliance team for audit or evaluation.

The second component of OpenSCAP Base includes a library that is used as a building block for other OpenSCAP services such as SCAP Workbench and the OpenSCAP Daemon—we will cover these in greater detail later in this section.

In this book, we will only make use of the library when we use other OpenSCAP tools. We will see these tools in action later in this chapter in the section entitled Scanning the enterprise with OpenSCAP. For now, though, we will concern ourselves with the installation of OpenSCAP Base.

Installing OpenSCAP Base by hand on a single machine is incredibly easy, as it comes pre-packaged for the two key Linux distributions we have explored in this book: Ubuntu Server and CentOS (and hence, by extension, Red Hat Enterprise Linux). To install it on CentOS 7 or RHEL 7, you would simply run the following command:

$ sudo yum -y install openscap-scanner

Similarly, on Ubuntu Server 18.04 LTS, you would run this:

$ sudo apt -y install libopenscap8

It is important to remember that these packages include both the oscap command-line tool and the library as stated earlier in this section. Hence, even if you never intend to run OpenSCAP using the oscap CLI tool, the libraries that these packages contain could still be required for your given use case (for example, performing remote scans using SCAP Workbench).

As a result, it is important to consider deploying these packages using Ansible, and it may even be desirable to include them in your standard build image so that you know that you can remotely scan any given Linux server for compliance without needing to perform any prerequisite steps. We will look at how to run scans with the oscap tool in a subsequent section, entitled Scanning the enterprise with OpenSCAP—however, for now, it is sufficient to understand what this package is and why it might be required.
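One way to deploy these packages with Ansible is sketched in the following playbook. It is an added example rather than code from this book; the `all` host pattern and the `openscap_packages` variable name are assumptions, while the package names are the ones used in the manual commands above.

```yaml
---
# Added example: install OpenSCAP Base on the two distribution families
# covered in this section. "hosts: all" is an assumption; narrow it to
# match your own inventory.
- name: Install OpenSCAP Base
  hosts: all
  become: true

  vars:
    # Hypothetical variable name. Keys are Ansible os_family values;
    # values are the packages from the manual install commands.
    openscap_packages:
      RedHat: openscap-scanner
      Debian: libopenscap8

  tasks:
    - name: Stop early on distributions this section does not cover
      assert:
        that: ansible_facts['os_family'] in openscap_packages
        fail_msg: "No OpenSCAP package mapped for {{ ansible_facts['os_family'] }}"

    - name: Install the OpenSCAP Base package
      package:
        name: "{{ openscap_packages[ansible_facts['os_family']] }}"
        state: present

    # Proves that the oscap CLI (and so the library it links against)
    # is usable on the host, not just that the package manager exited 0.
    - name: Confirm the oscap CLI is present and runnable
      command: oscap --version
      register: oscap_version
      changed_when: false

    - name: Report the installed OpenSCAP version
      debug:
        msg: "{{ oscap_version.stdout_lines | first }}"
```

Running the same tasks when building your standard image gives every new server the scanner and library from first boot.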

In the next section, we will look at installing the OpenSCAP Daemon, another part of the OpenSCAP toolset.
