Installing the OpenSCAP Daemon

Security auditing is not a one-time task—given administrator-level (that is, root) access in a Linux environment, someone could make a Linux server non-compliant at any given time, either deliberately or through a well-meaning change. Hence, the results of a security scan really only guarantee that the server being scanned was compliant (or not) at the time of the scan itself.

Hence, regular scanning of the environment is extremely important. There is a myriad of ways to achieve this, and you could even run the oscap command-line tool using a scheduler such as cron or via a scheduled Ansible playbook in AWX or Ansible Tower. However, the OpenSCAP Daemon is a native tool provided as part of the suite of OpenSCAP tools. Its purpose is to run in the background and perform scheduled scans against a given target or set of targets. This might be the local machine running the daemon, or it might be a set of remote machines, all accessed over SSH.

The process of installation is again extremely simple—if you were to do this manually, you would, on an EL7 system (for example, RHEL7 or CentOS 7), run the following:

$ sudo yum -y install openscap-daemon

On Ubuntu systems, the package name is identical, so you would run the following to install it:

$ sudo apt -y install openscap-daemon

Although you could set up every machine in your Linux environment with this daemon and configure a job for each to scan itself regularly, this is prone to abuse as it would be easy for someone with root access to disable or otherwise tamper with the scan. As a result, we recommend that you consider setting up a centralized scanning architecture, with one central secure server performing remote scans across your network.

It is upon such a server that you would install the OpenSCAP Daemon and, once completed, you can use the oscapd-cli utility to configure your regular scans. We will take a more detailed look at this later in this chapter, in the section entitled Scanning the enterprise with OpenSCAP.
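The centralized model described above can also be driven by a plain cron job on the central server, which is the alternative the text mentions, rather than by the daemon itself. The script below is an added example, not code from the book or from the OpenSCAP project: it loops over a list of targets, runs a remote evaluation of each over SSH with the oscap-ssh helper from openscap-utils (using its --sudo option so root SSH logins stay disabled on the targets), archives the ARF results and HTML report per host and date, and maps oscap's exit status (0 all rules passed, 2 at least one rule failed, 1 scan error) to a summary line. The datastream path, profile ID, results directory, scan account and target-list location are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the book or the OpenSCAP project: a wrapper that a central
# scanning server could run from cron to evaluate remote hosts over SSH with the
# oscap-ssh helper (shipped in openscap-utils). File locations, the scan account
# and the target list below are assumptions for illustration.
set -u

# Assumed paths and settings; override via the environment.
DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"   # SCAP Security Guide datastream
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_standard}"
RESULTS_DIR="${RESULTS_DIR:-/var/lib/scap-results}"            # archive of per-host results
SSH_USER="${SSH_USER:-scanner}"                                  # unprivileged account with sudo on targets
TARGETS="${TARGETS:-/etc/scap-scan/targets}"                    # one "host [port]" per line

# parse_targets FILE: print "host port" per line, dropping comments and blank
# lines; a missing port defaults to 22.
parse_targets() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r host port _; do
        printf '%s %s\n' "$host" "${port:-22}"
    done
}

# result_prefix HOST DATE: where this host's results for DATE are written.
result_prefix() {
    printf '%s/%s/%s' "$RESULTS_DIR" "$1" "$2"
}

# build_scan_cmd HOST PORT PREFIX: print the exact oscap-ssh command line that
# will be run, for logging and dry runs. --sudo makes oscap run as root on the
# target, which most SSG checks need, without enabling root SSH logins.
build_scan_cmd() {
    printf 'oscap-ssh --sudo %s@%s %s xccdf eval --profile %s --results-arf %s.arf.xml --report %s.html %s' \
        "$SSH_USER" "$1" "$2" "$PROFILE" "$3" "$3" "$DS"
}

# classify_exit CODE: map oscap's exit status to a word. oscap returns 0 when
# every rule passed, 2 when at least one rule failed, and 1 on an error (the
# scan itself did not complete, so the host cannot be called compliant).
classify_exit() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo error ;;
    esac
}

# scan_one HOST PORT PREFIX: run the scan and print "HOST <status>".
scan_one() {
    mkdir -p "$(dirname "$3")"
    echo "$(date -u +%FT%TZ) $(build_scan_cmd "$1" "$2" "$3")" >> "$RESULTS_DIR/scan.log"
    oscap-ssh --sudo "$SSH_USER@$1" "$2" xccdf eval --profile "$PROFILE" \
        --results-arf "$3.arf.xml" --report "$3.html" "$DS" >/dev/null 2>&1
    status=$?
    printf '%s %s\n' "$1" "$(classify_exit "$status")"
}

# run_scans: scan every target; return non-zero if any scan errored or found a
# failing rule, so cron mail (or a wrapper) flags the run for follow-up.
run_scans() {
    today=$(date -u +%F); rc=0
    parse_targets "$TARGETS" | while read -r host port; do
        scan_one "$host" "$port" "$(result_prefix "$host" "$today")"
    done | tee -a "$RESULTS_DIR/summary.log" | grep -qv ' compliant$' && rc=1
    return $rc
}

# Suggested crontab entry on the central server (02:00 UTC daily, assumed):
#   0 2 * * * RUN_SCANS=1 /usr/local/sbin/scap-scan.sh
# Only run for real when asked to, so sourcing this file for its functions is safe.
if [ "${RUN_SCANS:-0}" = 1 ]; then
    run_scans
fi
```

Because the script exits non-zero whenever a target errors or fails a rule, the standard cron mail (or whatever wraps the job) becomes the alert channel, and the dated per-host archive under the results directory gives auditors the history the text says a single scan cannot provide.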

Although both of the tools we have considered so far are extremely powerful and can perform all of your auditing needs, they are entirely command-line-based and so might not be suited to users who are not comfortable in a shell environment or who are responsible for auditing scan results but not necessarily running them. This requirement is fulfilled by another tool in the OpenSCAP armory—SCAP Workbench. We shall look at installing this in the next section.
