The SCAP Workbench tool is an interactive, GUI-based tool for running SCAP scans. It has almost the same capabilities as the oscap command-line tool, except that it can scan both remote hosts over SSH (similarly to the OpenSCAP Daemon). The high-level process for using SCAP Workbench is the same as for oscap—you select your policy file from the policy you downloaded, select the profile from within it, and then run the scan. 

This time, however, the results are displayed in the GUI and are easily interpretable without the need to generate an HTML report and load it in a browser. The following screenshot shows the equivalent of running the following on the command line with oscap:

$ sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard ./scap-security-guide-0.1.47/ssg-ubuntu1804-ds.xml

It is important to state that no report file is generated by the scan, but you can generate either an HTML- or XML-based one by clicking on the Save Results button at the bottom of the screen:

As you can clearly see, if you need to run an interactive and immediate scan of a system, SCAP Workbench is the easiest way to do it. The only limitation is that it can only process XCCDF files, so the OVAL files used to establish whether you have package vulnerabilities cannot be used here.

Throughout this section, we have explored ways that you can use the various OpenSCAP tools to scan your infrastructure. We have also shown a variety of scans, and their output is generally quite easy to interpret. However, in the next section, we will explore these in a little more depth before we complete our work on OpenSCAP.