OSCAP(8)                System Administration Utilities               OSCAP(8)


NAME

       oscap - OpenSCAP command line tool


SYNOPSIS

       oscap [general-options] module operation [operation-options-and-arguments]


DESCRIPTION

       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for different SCAP
       specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology.


GENERAL OPTIONS

       -V, --version
              Print the supported SCAP specifications, the location of schema
              files, schematron files, CPE files, probes and supported OVAL
              objects. Also displays a list of inbuilt CPE names.

       -h, --help
              Help screen.


MODULES

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.


INFO OPERATIONS

       [options] any-scap-file.xml
              This module prints information about SCAP content in a file
              specified on the command line. It determines the SCAP content
              type, specification version, date of creation, date of import
              and so on. The info module doesn't require any additional
              operation switch.

              For XCCDF or Datastream files, the info module prints out IDs of
              incorporated profiles, components, and datastreams. These IDs
              can be used to specify the target for evaluation. Use the
              options --profile, --xccdf-id (or --oval-id), and --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title>
                     format, one line per profile.


XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document given as INPUT_FILE.
              Print the result of each rule to standard output, including rule
              title, rule id and security identifier (CVE, CCE). Optionally you
              can give a source datastream as the INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either fail or unknown result, oscap finishes with return
              code 2.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on the document type of INPUT_FILE) and
              rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, the oscap tool will try to load all OVAL Definition
              files referenced from the XCCDF automatically (searching in the
              same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. The rule will use values
                     according to the selected profile. If no profile is
                     selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the profile
                     from the tailoring file to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use a tailoring component in the input source datastream
                     for XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (value of the component-ref/@id
                     attribute in the input source datastream). Select the
                     profile from the tailoring component to apply using
                     --profile. If both --tailoring-file and --tailoring-id are
                     specified, --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided by
                     openscap; see oscap --version for the inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by DISA
                     STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --thin-results
                     Thin Results provides only a minimal amount of information
                     in OVAL/ARF results. The option --without-syschar is
                     automatically enabled when you use Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE. You also have to specify
                     --results for this feature to work. See --oval-results to
                     enable additional information in the report.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in the current
                     working directory. This option (in conjunction with the
                     --report option) also enables inclusion of additional
                     OVAL information in the XCCDF report. To change the
                     directory where OVAL files are generated, change the CWD
                     using the `cd` command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists.
                     This allows selecting a particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream. If none
                     is given, the first component from the checklists element
                     is used.

              --benchmark-id ID
                     Select a component ref from any datastream that references
                     a component with an XCCDF Benchmark such that its @id
                     attribute matches the given string exactly. Please note
                     that this is not the recommended way of selecting a
                     component-ref. You are advised to use --xccdf-id AND/OR
                     --datastream-id for more precision. --benchmark-id is only
                     used when both --xccdf-id and --datastream-id are absent
                     from the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the content
                     of XCCDF fix elements for failed rules, and thus it shall
                     be avoided except for trusted content. Use of this option
                     is always at your own risk.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the specified verbosity level.
                     VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the filename to write additional information to.

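A small driver for `oscap xccdf eval`, added here as an example and not part of the oscap man page or the OpenSCAP project: it assembles the command line from the options documented above, rejects --report without --results (which the page says produces no report), and maps the 0/1/2 return codes to a verdict. File names and the profile ID are placeholders; only run_eval() actually needs an `oscap` binary on PATH.

```python
"""Drive `oscap xccdf eval` from a script and interpret its exit status.

Added example; not part of the oscap man page or the OpenSCAP project.
Only run_eval() touches the system (it needs `oscap` on PATH); argument
assembly and exit-code handling are pure functions that run offline.
"""
import subprocess
from typing import List, Optional

# Exit codes documented for `oscap xccdf eval`.
EXIT_ALL_PASS = 0
EXIT_ERROR = 1
EXIT_FAIL_OR_UNKNOWN = 2


def option_conflict(results: Optional[str], report: Optional[str]) -> Optional[str]:
    """Return a message if the option combination cannot work, else None.

    The man page states --report only works together with --results, so
    the conflict is caught before a scan that would yield no report.
    """
    if report and not results:
        return "--report requires --results to be set as well"
    return None


def build_xccdf_eval_cmd(input_file: str,
                         profile: Optional[str] = None,
                         datastream_id: Optional[str] = None,
                         xccdf_id: Optional[str] = None,
                         results: Optional[str] = None,
                         results_arf: Optional[str] = None,
                         report: Optional[str] = None,
                         oval_results: bool = False,
                         fetch_remote_resources: bool = False) -> List[str]:
    """Assemble the argv for `oscap xccdf eval` from the documented options."""
    problem = option_conflict(results, report)
    if problem:
        raise ValueError(problem)
    cmd = ["oscap", "xccdf", "eval"]
    if profile:
        cmd += ["--profile", profile]
    if datastream_id:           # only applies when input_file is a datastream
        cmd += ["--datastream-id", datastream_id]
    if xccdf_id:
        cmd += ["--xccdf-id", xccdf_id]
    if results:
        cmd += ["--results", results]
    if results_arf:             # recommended over --results for datastreams
        cmd += ["--results-arf", results_arf]
    if report:
        cmd += ["--report", report]
    if oval_results:            # per-OVAL-file result files land in the CWD
        cmd.append("--oval-results")
    if fetch_remote_resources:  # off by default; opt in explicitly
        cmd.append("--fetch-remote-resources")
    cmd.append(input_file)      # INPUT_FILE comes last, before any OVAL files
    return cmd


def classify_exit(rc: int) -> str:
    """Translate the documented return codes into a scan verdict."""
    verdicts = {
        EXIT_ALL_PASS: "pass: all rules passed",
        EXIT_ERROR: "error: evaluation did not complete",
        EXIT_FAIL_OR_UNKNOWN: "fail: at least one rule failed or is unknown",
    }
    return verdicts.get(rc, "unexpected exit code %d" % rc)


def run_eval(cmd: List[str], workdir: Optional[str] = None) -> str:
    """Run the assembled command and return its verdict.

    workdir becomes the process CWD because --oval-results writes its
    '<oval-definitions-file>.result.xml' files into the current directory.
    """
    proc = subprocess.run(cmd, cwd=workdir)
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    # Placeholder file and profile names; list real profile IDs with
    # `oscap info --profiles <datastream>` before running a scan.
    cmd = build_xccdf_eval_cmd("PLACEHOLDER-datastream.xml",
                               profile="PLACEHOLDER_profile_id",
                               results="results.xml",
                               results_arf="results-arf.xml",
                               report="report.html",
                               oval_results=True)
    print(" ".join(cmd))
    try:
        print(run_eval(cmd, workdir="."))
    except FileNotFoundError:
        print("oscap is not installed or not on PATH")
```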
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the
              INPUT_FILE is the result of an `oscap xccdf eval` operation. The
              input file must contain a TestResult element. This module
              executes the XCCDF fix elements for the failed rule-results
              contained in the given TestResult. Use of this module is always
              at your own risk and it shall be avoided except for trusted
              content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last TestResult
                     (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by DISA
                     STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --report FILE
                     Write an HTML report into FILE. You also have to specify
                     --results for this feature to work.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file. This option (in
                     conjunction with the --report option) also enables
                     inclusion of additional OVAL information in the XCCDF
                     report.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules, and values. The result is another XCCDF document,
              which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.
                     Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists.
                     This allows selecting a particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a security
              guide or result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate a formatted document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it will be written to standard output. Without
                     a profile being set, only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            Information on the chosen profile (e.g. rules
                            selected by the profile) will be excluded from the
                            document.

              report [options] xccdf-file
                     Generate a document containing the results of an XCCDF
                     Benchmark execution. Unless the --output option is
                     specified, it will be written to standard output. The ID
                     of the TestResult element to visualise defaults to the
                     most recent result (according to the end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --show what
                            Specify what result types shall be displayed in
                            the result report. The default is to show
                            everything except for rules with results
                            notselected and notapplicable. The what part is a
                            comma-separated list of result types to display in
                            addition to the default. If a result type is
                            prefixed by a dash '-', it will be excluded from
                            the results. If what is prefixed by an equality
                            sign '=', the following list specifies exactly
                            which rule types to include in the report. Result
                            types are: pass, fixed, notchecked, notapplicable,
                            notselected, informational, unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional
                            information from OVAL in the XCCDF result file, a
                            template which will be used to obtain OVAL result
                            file names has to be specified. The template can be
                            either a filename or a string containing the
                            wildcard character (percent sign '%'). The wildcard
                            will be replaced by the original OVAL definition
                            file name as referenced from the XCCDF file. This
                            way it is possible to obtain OVAL information even
                            from XCCDF documents referencing several OVAL
                            files. To use this option with results from an
                            XCCDF evaluation, specify %.result.xml as the OVAL
                            file name template.

                     --sce-template template-string
                            To use the ability to include additional
                            information from SCE in the XCCDF result file, a
                            template which will be used to obtain SCE result
                            file names has to be specified. The template can be
                            either a filename or a string containing the
                            wildcard character (percent sign '%'). The wildcard
                            will be replaced by the original SCE script file
                            name as referenced from the XCCDF file. This way it
                            is possible to obtain SCE information even from
                            XCCDF documents referencing several SCE files. To
                            use this option with results from an XCCDF
                            evaluation, specify %.result.xml as the SCE file
                            name template.

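The following is an added example, not code from the oscap man page or from OpenSCAP. It parses an XCCDF results file the way a reviewer would before handing it to `generate report` or `remediate`: it implements the --show selection rules described above, picks the TestResult by the two different defaults the page documents (most recent end-time for the report, last in document order for remediate), and lists the failed rule-results whose fix elements `oscap xccdf remediate` would execute. It assumes XCCDF 1.2 element names; the results document is constructed for the demonstration.

```python
"""Summarise rule-results in an XCCDF results file and apply the --show
selection rules of `oscap xccdf generate report`.
Added example, not code from the oscap man page or OpenSCAP; assumes XCCDF
1.2 element names. The results document below is constructed for the demo."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RESULT_TYPES = ("pass", "fixed", "notchecked", "notapplicable", "notselected",
                "informational", "unknown", "error", "fail")
# The report hides these two result types unless --show adds them back.
DEFAULT_HIDDEN = {"notselected", "notapplicable"}

# Constructed sample: two TestResults, the newer one first in document order.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_newest" end-time="2024-01-03T10:00:00">
    <rule-result idref="xccdf_example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_c"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_example_rule_d"><result>unknown</result></rule-result>
    <rule-result idref="xccdf_example_rule_e"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_lastindoc" end-time="2024-01-02T10:00:00">
    <rule-result idref="xccdf_example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text: str) -> ET.Element:
    """Parse a results document (as written by --results) into its root."""
    return ET.fromstring(xml_text)


def parse_show(what: Optional[str]) -> Set[str]:
    """--show value -> result types to display: None gives the default set,
    "a,-b" adds a and removes b from it, "=a,b" selects exactly a and b."""
    shown = set(RESULT_TYPES) - DEFAULT_HIDDEN
    if not what:
        return shown
    if what.startswith("="):
        shown = set()
        what = what[1:]
    for item in what.split(","):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("-")
        if name not in RESULT_TYPES:
            raise ValueError("unknown result type: %s" % name)
        if item.startswith("-"):
            shown.discard(name)
        else:
            shown.add(name)
    return shown


def select_test_result(root: ET.Element, result_id: Optional[str] = None,
                       most_recent: bool = True) -> ET.Element:
    """Default pick differs per operation: `generate report` takes the most
    recent end-time, `remediate` the last TestResult in document order;
    both honour an explicit --result-id."""
    test_results = root.findall("{%s}TestResult" % XCCDF_NS)
    if not test_results:
        raise ValueError("no TestResult element: not an `oscap xccdf eval` result")
    if result_id:
        for tr in test_results:
            if tr.get("id") == result_id:
                return tr
        raise ValueError("TestResult %s not found" % result_id)
    if most_recent:
        return max(test_results, key=lambda tr: tr.get("end-time", ""))
    return test_results[-1]


def rule_results(test_result: ET.Element) -> Dict[str, str]:
    """Map rule idref -> result string for one TestResult."""
    out = {}
    for rr in test_result.findall("{%s}rule-result" % XCCDF_NS):
        res = rr.find("{%s}result" % XCCDF_NS)
        out[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return out


def summarize(test_result: ET.Element, what: Optional[str] = None) -> Dict[str, int]:
    """Count rule-results per type, restricted to what --show would display."""
    shown = parse_show(what)
    counts = {t: 0 for t in RESULT_TYPES}
    for result in rule_results(test_result).values():
        if result in counts:
            counts[result] += 1
    return {t: n for t, n in counts.items() if t in shown}


def failed_rules(test_result: ET.Element) -> List[str]:
    """Rules whose fix elements `oscap xccdf remediate` would execute."""
    return sorted(i for i, r in rule_results(test_result).items() if r == "fail")


if __name__ == "__main__":
    tr = select_test_result(parse_results(SAMPLE_RESULTS))
    print(tr.get("id"), summarize(tr, "=fail,unknown"), failed_rules(tr))
```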
              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are 2
                     possibilities when generating fixes: Result-oriented fixes
                     (--result-id) or Profile-oriented fixes (--profile).
                     Result-oriented takes precedence over Profile-oriented: if
                     a result-id is given, oscap will ignore any profile
                     provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If no result-id/profile is
                     provided, the (default) profile will be used to generate
                     fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script can
                            be generated. TYPE should be one of: bash, ansible,
                            puppet, anaconda. Default is bash. This option is
                            mutually exclusive with --template, because the fix
                            type already determines the template URN.

                     --output FILE
                            Write the output to this file instead of standard
                            output.

                     --result-id ID
                            Fixes will be generated for the failed rule-results
                            of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.', it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file
                            xsl/legacy-fix.xsl in the openscap data directory.
                            You can also take a look at the default template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows selecting a particular
                            XCCDF component even in cases where there are 2
                            XCCDFs in one datastream. If none is given, the
                            first component from the checklists element is
                            used.

                     --benchmark-id ID
                            Select a component ref from any datastream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the
                            profile from the tailoring file to apply using
                            --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source
                            datastream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (value
                            of the component-ref/@id attribute in the input
                            source datastream). Select the profile from the
                            tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                            Write the document into this file.


OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definition file. Print the result of each definition to standard
              output. The return code is 0 after a successful evaluation. On
              error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or a SCAP Source
              Datastream, depending on the options used.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on the document type of INPUT_FILE) and
              rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL
                     Definition File.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired results
                     content.

              --without-syschar
                     Don't provide system characteristics in the result file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human readable (HTML) report from the OVAL
                     Results.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks. This
                     allows selecting a particular OVAL component even in cases
                     where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     Datastream.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the specified verbosity level.
                     VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the filename to write additional information to.

571
       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified OVAL
                     Object.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into the file.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the specified verbosity level.
                     VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the filename to write additional information to.

596
       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on
              the local system, but relies upon the input file, which may have
              been generated on another system. The output (OVAL Results) is
              printed to the file specified by the --results parameter.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired results
                     content.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the specified verbosity level.
                     VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the filename to write additional information to.

620
       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected by
                     default. If you want to enforce a certain document type,
                     you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a visualisation
                     of an OVAL results file. Unless the --output option is
                     specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

       list-probes [options]
              List supported object types (i.e. probes).

              --static
                     List all probes defined in the internal tables.

              --dynamic
                     List all probes supported on the current system (this is
                     the default behavior).

              --verbose
                     Be verbose.


CPE OPERATIONS

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML schema.
              Every error found is printed to the standard error. The return
              code is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the XCCDF document is not
              valid.



CVSS OPERATIONS

       score cvss_vector
              Calculate score from a CVSS vector. Prints the base score for a
              base CVSS vector, the base and temporal score for a temporal
              CVSS vector, and the base, temporal and environmental score for
              an environmental CVSS vector.

       describe cvss_vector
              Describe individual components of a CVSS vector in a human-
              readable format and print partial scores.

       A CVSS vector consists of several slash-separated components specified
       as key-value pairs. Each key can be specified at most once. A valid
       CVSS vector has to contain at least the base CVSS metrics, i.e. AV, AC,
       AU, C, I, and A. The following table summarizes the components and
       their possible values (the second column is the metric category: B for
       base, T for temporal, E for environmental):

              AV:[L|A|N]             B   Access vector: Local, Adjacent
                                         network, Network

              AC:[H|M|L]             B   Access complexity: High, Medium, Low

              AU:[M|S|N]             B   Required authentication: Multiple
                                         instances, Single instance, None

              C:[N|P|C]              B   Confidentiality impact: None,
                                         Partial, Complete

              I:[N|P|C]              B   Integrity impact: None, Partial,
                                         Complete

              A:[N|P|C]              B   Availability impact: None, Partial,
                                         Complete

              E:[ND|U|POC|F|H]       T   Exploitability: Not Defined,
                                         Unproven, Proof of Concept,
                                         Functional, High

              RL:[ND|OF|TF|W|U]      T   Remediation Level: Not Defined,
                                         Official Fix, Temporary Fix,
                                         Workaround, Unavailable

              RC:[ND|UC|UR|C]        T   Report Confidence: Not Defined,
                                         Unconfirmed, Uncorroborated,
                                         Confirmed

              CDP:[ND|N|L|LM|MH|H]   E   Collateral Damage Potential: Not
                                         Defined, None, Low, Low-Medium,
                                         Medium-High, High

              TD:[ND|N|L|M|H]        E   Target Distribution: Not Defined,
                                         None, Low, Medium, High

              CR:[ND|L|M|H]          E   Confidentiality requirement: Not
                                         Defined, Low, Medium, High

              IR:[ND|L|M|H]          E   Integrity requirement: Not Defined,
                                         Low, Medium, High

              AR:[ND|L|M|H]          E   Availability requirement: Not
                                         Defined, Low, Medium, High

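       The following Python example, added here and not part of oscap or the
       OpenSCAP library, implements the vector rules stated above (slash-
       separated KEY:VALUE pairs, each key at most once, all six base metrics
       required, only the listed values allowed) and then computes the base,
       temporal and environmental scores with the CVSS v2 equations, so that a
       reader can check what `oscap cvss score` reports for a given vector.
       Two assumptions are the author's, not the page's: metric keys are
       matched case-insensitively (the page writes AU, the CVSS v2 guide
       writes Au), and temporal or environmental metrics left out of the
       vector are treated as Not Defined.

```python
"""Parse and score CVSS v2 vectors of the form accepted by `oscap cvss`."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base, temporal and environmental equations.
# Keys are matched case-insensitively, so "AU:N" (this page) and "Au:N"
# (the CVSS v2 guide) are both accepted.
WEIGHTS = {
    "AV":  {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC":  {"H": 0.35, "M": 0.61, "L": 0.71},
    "AU":  {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":   {"N": 0.0, "P": 0.275, "C": 0.660},
    "E":   {"ND": 1.0, "U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0},
    "RL":  {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},
    "RC":  {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0},
    "CDP": {"ND": 0.0, "N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5},
    "TD":  {"ND": 1.0, "N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0},
    "CR":  {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
    "IR":  {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
    "AR":  {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
}
BASE = ("AV", "AC", "AU", "C", "I", "A")
TEMPORAL = ("E", "RL", "RC")
ENVIRONMENTAL = ("CDP", "TD", "CR", "IR", "AR")


class CvssVectorError(ValueError):
    """Malformed vector: bad syntax, unknown key or value, duplicate key, missing base metric."""


def parse_vector(vector):
    """Split 'KEY:VALUE/KEY:VALUE/...' into a dict, enforcing the rules stated on the page."""
    metrics = {}
    # Parentheses around the vector (as NVD prints it) are tolerated; an assumption, not from the page.
    for component in vector.strip().strip("()").split("/"):
        if component.count(":") != 1:
            raise CvssVectorError("component %r is not a KEY:VALUE pair" % component)
        key, value = (part.strip().upper() for part in component.split(":"))
        if key not in WEIGHTS:
            raise CvssVectorError("unknown metric %r" % key)
        if value not in WEIGHTS[key]:
            raise CvssVectorError("invalid value %r for metric %s" % (value, key))
        if key in metrics:
            raise CvssVectorError("metric %s specified more than once" % key)
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise CvssVectorError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def validation_error(vector):
    """Return the validation message for a bad vector, or None when it is well formed."""
    try:
        parse_vector(vector)
    except CvssVectorError as err:
        return str(err)
    return None


def _round1(x):
    # CVSS v2 rounds half up to one decimal place. Go through a short decimal
    # string so binary float noise (9.1499999...) cannot flip the result.
    return float(Decimal(repr(round(x, 6))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _weight(metrics, key):
    # Temporal and environmental metrics absent from the vector count as Not Defined (assumption).
    return WEIGHTS[key][metrics.get(key, "ND")]


def _base_score(m, impact):
    exploitability = 20 * _weight(m, "AV") * _weight(m, "AC") * _weight(m, "AU")
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def _temporal_score(m, base):
    return _round1(base * _weight(m, "E") * _weight(m, "RL") * _weight(m, "RC"))


def score(vector):
    """Return {'base': ...}, adding 'temporal' and 'environmental' when those metric groups appear."""
    m = parse_vector(vector)
    c, i, a = (_weight(m, k) for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    result = {"base": _base_score(m, impact)}
    has_temporal = any(k in m for k in TEMPORAL)
    has_env = any(k in m for k in ENVIRONMENTAL)
    if has_temporal or has_env:
        result["temporal"] = _temporal_score(m, result["base"])
    if has_env:
        # Environmental score: impact re-weighted by CR/IR/AR (capped at 10),
        # re-run through the base and temporal equations, then scaled by CDP and TD.
        adj_impact = min(10.0, 10.41 * (1 - (1 - c * _weight(m, "CR"))
                                          * (1 - i * _weight(m, "IR"))
                                          * (1 - a * _weight(m, "AR"))))
        adj_temporal = _temporal_score(m, _base_score(m, adj_impact))
        result["environmental"] = _round1(
            (adj_temporal + (10 - adj_temporal) * _weight(m, "CDP")) * _weight(m, "TD"))
    return result


if __name__ == "__main__":
    # Constructed sample vectors: a full-impact base vector, the CVSS v2 guide's
    # environmental example, and a vector with the A metric missing.
    for v in ("AV:N/AC:L/AU:N/C:C/I:C/A:C",
              "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H",
              "AV:N/AC:L/AU:N/C:P/I:P"):
        err = validation_error(v)
        print(v, "->", err if err else score(v))
```

       The scoring mirrors the output rule stated for the score operation:
       a vector carrying only base metrics yields one score, temporal metrics
       add the temporal score, and any environmental metric adds all three.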

DS OPERATIONS

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates a source datastream from the XCCDF file given in
              SOURCE_XCCDF and stores the result in TARGET_SDS. Dependencies
              like OVAL files are automatically detected and bundled in the
              target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds the given NEW_COMPONENT file to the existing source
              datastream (EXISTING_SDS). The component file might be an OVAL,
              XCCDF or CPE Dictionary file. Dependencies like OVAL files are
              automatically detected and bundled in the target source
              datastream.

              --datastream-id DATASTREAM_ID
                     Uses the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits the given source datastream into multiple files and
              stores all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used.

              --xccdf-id XCCDF_ID
                     Takes the component ref with the given ID from
                     checklists. This allows selecting a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     Datastream.

       sds-validate SOURCE_DS
              Validate the given source datastream file against an XML
              schema. Every error found is printed to the standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the source datastream
              is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS
       [OVAL_RESULTS ..]]
              Takes the given source datastream, XCCDF and OVAL results and
              creates a result datastream (in Asset Reporting Format) and
              saves it to the file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes the given result datastream (also called ARF = Asset
              Reporting Format) and splits the given report and its respective
              report-request into the given target directory. If no report-id
              is given, the first applicable report in top-down order in the
              file is assumed.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result datastream file against an XML schema.
              Every error found is printed to the standard error. The return
              code is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the result datastream is not
              valid.



CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score,
              vector string and vulnerable software list.



EXIT STATUS

       Normally, the exit status is 0 when the operation finished successfully
       and 1 otherwise. In cases when oscap performs an evaluation of the
       system it may return 2, indicating success of the operation but
       non-compliance of the assessed system.



EXAMPLES

       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case we use the United States Government Configuration
       Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml


CONTENT

        SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

        National Vulnerability Database -
       http://web.nvd.nist.gov/view/ncp/repository

        Red Hat content repository - http://www.redhat.com/security/data/oval/



REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug report.



AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>



Red Hat                           March 2017                          OSCAP(8)