1OSCAP(8) System Administration Utilities OSCAP(8)
2
6 oscap - OpenSCAP command line tool
7
10 oscap [general-options] module operation [operation-options-and-argu‐
11 ments]
12
15 oscap is Security Content Automation Protocol (SCAP) toolkit based on
16 OpenSCAP library. It provides various functions for different SCAP
17 specifications (modules).
18 OpenSCAP tool claims to provide capabilities of Authenticated Configu‐
20 ration Scanner and Authenticated Vulnerability Scanner as defined by
21 The National Institute of Standards and Technology.
22
25 -V, --version
26 Print supported SCAP specifications, location of schema files,
27 schematron files, CPE files, probes and supported OVAL objects.
28 Displays a list of inbuilt CPE names.
29 -h, --help
31 Help screen.
32
35 info Determine type and print information about a file.
36 xccdf The eXtensible Configuration Checklist Description Format.
38 oval Open Vulnerability and Assessment Language.
40 ds SCAP Data Stream
42 cpe Common Platform Enumeration.
44 cvss Common Vulnerability Scoring System
46 cve Common Vulnerabilities and Exposures
48
52Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of:
53DEVEL, INFO, WARNING, ERROR.
54
56Set filename to write additional information.
57
60 [options] any-scap-file.xml
61 This module prints information about SCAP content in a file
62 specified on a command line. It determines SCAP content type,
63 specification version, date of creation, date of import and so
64 on. Info module doesn't require any additional operation switch.
65 For XCCDF or Datastream files, info module prints out IDs of
67 incorporated profiles, components, and datastreams. These IDs
68 can be used to specify the target for evaluation. Use options
69 --profile, --xccdf-id (or --oval-id), and --datastream-id
70 respectively.
71 --fetch-remote-resources
73 Allow download of remote components referenced from
74 Datastream.
75 --profile PROFILE
77 Show info of the profile with the given ID.
78 --profiles
80 Show profiles from the input file in the <id>:<title>
81 format, one line per profile.
82
85 eval [options] INPUT_FILE [oval-definitions-files]
86 Perform evaluation of XCCDF document file given as INPUT_FILE.
87 Print result of each rule to standard output, including rule
88 title, rule id and security identifier(CVE, CCE). Optionally you
89 can give a source datastream as the INPUT_FILE instead of an
90 XCCDF file (see --datastream-id).
91 oscap returns 0 if all rules pass. If there is an error during
93 evaluation, the return code is 1. If there is at least one rule
94 with either fail or unknown result, oscap-scan finishes with
95 return code 2.
96 Unless --skip-valid is used, the INPUT_FILE is validated using
98 XSD schemas (depending on document type of INPUT_FILE) and
99 rejected if invalid.
100 You may specify OVAL Definition files as the last parameter,
102 XCCDF evaluation will then proceed only with those specified
103 files. Otherwise, when oval-definitions-files parameter is miss‐
104 ing, oscap tool will try to load all OVAL Definition files ref‐
105 erenced from XCCDF automatically (search in the same path as
106 XCCDF).
107 --profile PROFILE
109 Select a particular profile from XCCDF document. If
110 "(all)" is given a virtual profile that selects all
111 groups and rules will be used.
112 --rule RULE
114 Select a particular rule from XCCDF document. Only this
115 rule will be evaluated. Rule will use values according to
116 the selected profile. If no profile is selected, default
117 values are used.
118 --tailoring-file TAILORING_FILE
120 Use given file for XCCDF tailoring. Select profile from
121 tailoring file to apply using --profile. If both --tai‐
122 loring-file and --tailoring-id are specified, --tailor‐
123 ing-file takes priority.
124 --tailoring-id COMPONENT_REF_ID
126 Use tailoring component in input source datastream for
127 XCCDF tailoring. The tailoring component must be speci‐
128 fied by its Ref-ID (value of component-ref/@id attribute
129 in input source datastream). Select profile from tailor‐
130 ing component to apply using --profile. If both --tailor‐
131 ing-file and --tailoring-id are specified, --tailoring-
132 file takes priority.
133 --cpe CPE_FILE
135 Use given CPE dictionary or language (auto-detected) for
136 applicability checks. (Some CPE names are provided by
137 openscap, see oscap --version for Inbuilt CPE names)
138 --results FILE
140 Write XCCDF results into FILE.
141 --results-arf FILE
143 Writes results to a given FILE in Asset Reporting Format.
144 It is recommended to use this option instead of --results
145 when dealing with datastreams.
146 --stig-viewer FILE
148 Writes XCCDF results into FILE in a format readable by
149 DISA STIG Viewer. See
150 http://iase.disa.mil/stigs/Pages/stig-viewing-guid‐
151 ance.aspx. This option should be used to generate
152 results for DISA STIG Viewer older than 2.6. To use DISA
153 STIG Viewer 2.6 or newer, use --results instead.
154 --thin-results
156 Thin Results provides only minimal amount of information
157 in OVAL/ARF results. The option --without-syschar is
158 automatically enabled when you use Thin Results.
159 --without-syschar
161 Don't provide system characteristics in OVAL/ARF result
162 files.
163 --report FILE
165 Write HTML report into FILE.
166 --oval-results
168 Generate OVAL Result file for each OVAL session used for
169 evaluation. File with name 'original-oval-definitions-
170 filename.result.xml' will be generated for each refer‐
171 enced OVAL file in current working directory. To change
172 the directory where OVAL files are generated change the
173 CWD using the `cd` command.
174 --check-engine-results
176 After evaluation is finished, each loaded check engine
177 plugin is asked to export its results. The export itself
178 is plugin specific, please refer to documentation of the
179 plugin for more details.
180 --export-variables
182 Generate OVAL Variables documents which contain external
183 variables' values that were provided to the OVAL checking
184 engine during evaluation. The filename format is 'origi‐
185 nal-oval-definitions-filename-session-index.variables-
186 variables-index.xml'.
187 --datastream-id ID
189 Uses a datastream with that particular ID from the given
190 datastream collection. If not given the first datastream
191 is used. Only applies if you give source datastream in
192 place of an XCCDF file.
193 --xccdf-id ID
195 Takes component ref with given ID from checklists. This
196 allows to select a particular XCCDF component even in
197 cases where there are 2 XCCDFs in one datastream. If none
198 is given, the first component from the checklists element
199 is used.
200 --benchmark-id ID
202 Selects a component ref from any datastream that refer‐
203 ences a component with XCCDF Benchmark such that its @id
204 attribute matches given string exactly. Please note that
205 this is not the recommended way of selecting a component-
206 ref. You are advised to use --xccdf-id AND/OR --datas‐
207 tream-id for more precision. --benchmark-id is only used
208 when both --xccdf-id and --datastream-id are not present
209 on the command line!
210 --skip-valid
212 Do not validate input/output files.
213 --fetch-remote-resources
215 Allow download of remote OVAL content referenced from
216 XCCDF by check-content-ref/@href.
217 --remediate
219 Execute XCCDF remediation in the process of XCCDF evalua‐
220 tion. This option automatically executes content of XCCDF
221 fix elements for failed rules, and thus this shall be
222 avoided unless for trusted content. Use of this option is
223 always at your own risk.
224 remediate [options] INPUT_FILE [oval-definitions-files]
226 This module provides post-scan remediation. It assumes that the
227 INPUT_FILE is result of `oscap xccdf eval` operation. The input
228 file must contain TestResult element. This module executes XCCDF
229 fix elements for failed rule-result contained in the given
230 TestResult. Use of this option is always at your own risk and it
231 shall be avoided unless for trusted content.
232 --result-id ID
234 ID of the XCCDF TestResult element which shall be reme‐
235 died. If this option is missing the last TestResult (in
236 top-down processing) will be remedied.
237 --skip-valid
239 Do not validate input/output files.
240 --fetch-remote-resources
242 Allow download of remote OVAL content referenced from
243 XCCDF by check-content-ref/@href.
244 --cpe CPE_FILE
246 Use given CPE dictionary or language (auto-detected) for
247 applicability checks.
248 --results FILE
250 Write XCCDF results into FILE.
251 --results-arf FILE
253 Writes results to a given FILE in Asset Reporting Format.
254 It is recommended to use this option instead of --results
255 when dealing with datastreams.
256 --stig-viewer FILE
258 Writes XCCDF results into FILE in a format readable by
259 DISA STIG Viewer. See
260 http://iase.disa.mil/stigs/Pages/stig-viewing-guid‐
261 ance.aspx. This option should be used to generate
262 results for DISA STIG Viewer older than 2.6. To use DISA
263 STIG Viewer 2.6 or newer, use --results instead.
264 --report FILE
266 Write HTML report into FILE.
267 --oval-results
269 Generate OVAL Result file for each OVAL session used for
270 evaluation. File with name 'original-oval-definitions-
271 filename.result.xml' will be generated for each refer‐
272 enced OVAL file.
273 --check-engine-results
275 After evaluation is finished, each loaded check engine
276 plugin is asked to export its results. The export itself
277 is plugin specific, please refer to documentation of the
278 plugin for more details.
279 --export-variables
281 Generate OVAL Variables documents which contain external
282 variables' values that were provided to the OVAL checking
283 engine during evaluation. The filename format is 'origi‐
284 nal-oval-definitions-filename-session-index.variables-
285 variables-index.xml'.
286 --progress
288 Switch to sparse output suitable for progress reporting.
289 Format of the output is "$rule_id:$result\n".
290 resolve -o output-file xccdf-file
292 Resolve an XCCDF file as described in the XCCDF specification.
293 It will flatten inheritance hierarchy of XCCDF profiles, groups,
294 rules, and values. Result is another XCCDF document, which will
295 be written to output-file.
296 --force
298 Force resolving XCCDF document even if it is already
299 marked as resolved.
300 validate [options] xccdf-file
302 Validate given XCCDF file against a XML schema. Every found
303 error is printed to the standard error. Return code is 0 if val‐
304 idation succeeds, 1 if validation could not be performed due to
305 some error, 2 if the XCCDF document is not valid.
306 --schematron
308 Turn on Schematron-based validation. It is able to find
309 more errors and inconsistencies but is much slower.
310 Schematron is available only for XCCDF version 1.2.
311 export-oval-variables [options] xccdf-file [oval-definitions-files]
313 Collect all the XCCDF values that would be used by OVAL during
314 evaluation of a certain profile and export them as OVAL exter‐
315 nal-variables document(s). The filename format is 'original-
316 oval-definitions-filename-session-index.variables-variables-
317 index.xml'.
318 --profile PROFILE
320 Select a particular profile from XCCDF document.
321 --fetch-remote-resources
323 Allow download of remote OVAL content referenced from
324 XCCDF by check-content-ref/@href.
325 --skip-valid
327 Do not validate input/output files.
328 --datastream-id ID
330 Uses a datastream with that particular ID from the given
331 datastream collection. If not given the first datastream
332 is used. Only applies if you give source datastream in
333 place of an XCCDF file.
334 --xccdf-id ID
336 Takes component ref with given ID from checklists. This
337 allows to select a particular XCCDF component even in
338 cases where there are 2 XCCDFs in one datastream.
339 --cpe CPE_FILE
341 Use given CPE dictionary or language (auto-detected) for
342 applicability checks. The variables documents are created
343 only for xccdf:Rules which are applicable.
344 generate [options] <submodule> [submodule-specific-options]
346 Generate another document from an XCCDF file such as security
347 guide or result report.
348 --profile ID
350 Apply profile with given ID to the Benchmark before fur‐
351 ther processing takes place.
352 Available submodules:
354 guide [options] xccdf-file
356 Generate a HTML document containing a security guide from
357 an XCCDF Benchmark. Unless the --output option is speci‐
358 fied it will be written to the standard output. Without
359 profile being set only groups (not rules) will be
360 included in the output.
361 --output FILE
363 Write the guide to this file instead of standard
364 output.
365 --hide-profile-info
367 This option has no effect and is kept only for
368 backward compatibility purposes.
369 --benchmark-id ID
371 Selects a component ref from any datastream that
372 references a component with XCCDF Benchmark such
373 that its @id attribute matches given string
374 exactly.
375 --xccdf-id ID
377 Takes component ref with given ID from checklists.
378 This allows to select a particular XCCDF component
379 even in cases where there are 2 XCCDFs in one
380 datastream. If none is given, the first component
381 from the checklists element is used.
382 --tailoring-file TAILORING_FILE
384 Use given file for XCCDF tailoring. Select profile
385 from tailoring file to apply using --profile. If
386 both --tailoring-file and --tailoring-id are spec‐
387 ified, --tailoring-file takes priority.
388 --tailoring-id COMPONENT_REF_ID
390 Use tailoring component in input source datastream
391 for XCCDF tailoring. The tailoring component must
392 be specified by its Ref-ID (value of component-
393 ref/@id attribute in input source datastream).
394 Select profile from tailoring component to apply
395 using --profile. If both --tailoring-file and
396 --tailoring-id are specified, --tailoring-file
397 takes priority.
398 report [options] xccdf-file
400 Generate a HTML document containing results of an XCCDF
401 Benchmark execution. Unless the --output option is speci‐
402 fied it will be written to the standard output.
403 --output FILE
405 Write the report to this file instead of standard
406 output.
407 --result-id ID
409 ID of the XCCDF TestResult from which the report
410 will be generated.
411 --oval-template template-string
413 To use the ability to include additional informa‐
414 tion from OVAL in xccdf result file, a template
415 which will be used to obtain OVAL result file
416 names has to be specified. The template can be
417 either a filename or a string containing wildcard
418 character (percent sign '%'). Wildcard will be
419 replaced by the original OVAL definition file name
420 as referenced from the XCCDF file. This way it is
421 possible to obtain OVAL information even from
422 XCCDF documents referencing several OVAL files. To
423 use this option with results from an XCCDF evalua‐
424 tion, specify %.result.xml as a OVAL file name
425 template.
426 --sce-template template-string
428 To use the ability to include additional informa‐
429 tion from SCE in XCCDF result file, a template
430 which will be used to obtain SCE result file names
431 has to be specified. The template can be either a
432 filename or a string containing wildcard character
433 (percent sign '%'). Wildcard will be replaced by
434 the original SCE script file name as referenced
435 from the XCCDF file. This way it is possible to
436 obtain SCE information even from XCCDF documents
437 referencing several SCE files. To use this option
438 with results from an XCCDF evaluation, specify
439 %.result.xml as a SCE file name template.
440 fix [options] xccdf-file
442 Generate a script that shall bring the system to a state
443 of compliance with given XCCDF Benchmark. There are 2
444 possibilities when generating fixes: Result-oriented
445 fixes (--result-id) or Profile-oriented fixes (--pro‐
446 file). Result-oriented takes precedences over Profile-
447 oriented, if result-id is given, oscap will ignore any
448 profile provided.
449 Result-oriented fixes are generated using result-id pro‐
451 vided to select only the failing rules from results in
452 xccdf-file, it skips all other rules.
453 Profile-oriented fixes are generated using all rules
455 within the provided profile. If no result-id/profile are
456 provided, (default) profile will be used to generate
457 fixes.
458 --fix-type TYPE
460 Specify fix type. There are multiple programming
461 languages in which the fix script can be gener‐
462 ated. TYPE should be one of: bash, ansible, pup‐
463 pet, anaconda, ignition, kubernetes. Default is
464 bash. This option is mutually exclusive with
465 --template, because fix type already determines
466 the template URN.
467 --output FILE
469 Write the report to this file instead of standard
470 output.
471 --result-id ID
473 Fixes will be generated for failed rule-results of
474 the specified TestResult.
475 --template ID|FILE
477 Template to be used to generate the script. If it
478 contains a dot '.' it is interpreted as a location
479 of a file with the template definition. Otherwise
480 it identifies a template from standard set which
481 currently includes: bash (default if no --template
482 switch present). Brief explanation of the process
483 of writing your own templates is in the XSL file
484 xsl/legacy-fix.xsl in the openscap data directory.
485 You can also take a look at the default template
486 xsl/legacy-fixtpl-bash.xml.
487 --xccdf-id ID
489 Takes component ref with given ID from checklists.
490 This allows to select a particular XCCDF component
491 even in cases where there are 2 XCCDFs in one
492 datastream. If none is given, the first component
493 from the checklists element is used.
494 --benchmark-id ID
496 Selects a component ref from any datastream that
497 references a component with XCCDF Benchmark such
498 that its @id attribute matches given string
499 exactly.
500 --tailoring-file TAILORING_FILE
502 Use given file for XCCDF tailoring. Select profile
503 from tailoring file to apply using --profile. If
504 both --tailoring-file and --tailoring-id are spec‐
505 ified, --tailoring-file takes priority.
506 --tailoring-id COMPONENT_REF_ID
508 Use tailoring component in input source datastream
509 for XCCDF tailoring. The tailoring component must
510 be specified by its Ref-ID (value of component-
511 ref/@id attribute in input source datastream).
512 Select profile from tailoring component to apply
513 using --profile. If both --tailoring-file and
514 --tailoring-id are specified, --tailoring-file
515 takes priority.
516 custom --stylesheet xslt-file [options] xccdf-file
518 Generate a custom output (depending on given XSLT file)
519 from an XCCDF file.
520 --stylesheet FILE
522 Specify an absolute path to a custom stylesheet to
523 format the output.
524 --output FILE
526 Write the document into file.
527
530 eval [options] INPUT_FILE
531 Probe the system and evaluate all definitions from OVAL Defini‐
532 tion file. Print result of each definition to standard output.
533 The return code is 0 after a successful evaluation. On error,
534 value 1 is returned.
535 INPUT_FILE can be either OVAL Definition File or SCAP Source
537 Datastream, it depends on used options.
538 Unless --skip-valid is used, the INPUT_FILE is validated using
540 XSD schemas (depending on document type of INPUT_FILE) and
541 rejected if invalid.
542 --id DEFINITION-ID
544 Evaluate ONLY specified OVAL Definition from OVAL Defini‐
545 tion File.
546 --variables FILE
548 Provide external variables expected by OVAL Definition
549 File.
550 --directives FILE
552 Use OVAL Directives content to specify desired results
553 content.
554 --without-syschar
556 Don't provide system characteristics in result file.
557 --results FILE
559 Write OVAL Results into file.
560 --report FILE
562 Create human readable (HTML) report from OVAL Results.
563 --datastream-id ID
565 Uses a datastream with that particular ID from the given
566 datastream collection. If not given the first datastream
567 is used. Only applies if you give source datastream in
568 place of an OVAL file.
569 --oval-id ID
571 Takes component ref with given ID from checks. This
572 allows to select a particular OVAL component even in
573 cases where there are 2 OVALs in one datastream.
574 --skip-valid
576 Do not validate input/output files.
577 --fetch-remote-resources
579 Allow download of remote components referenced from
580 Datastream.
581 collect [options] definitions-file
584 Probe the system and gather system characteristics for all
585 objects in OVAL Definition file.
586 --id OBJECT-ID
588 Collect system characteristics ONLY for specified OVAL
589 Object.
590 --variables FILE
592 Provide external variables expected by OVAL Definitions.
593 --syschar FILE
595 Write OVAL System Characteristic into file.
596 --skip-valid
598 Do not validate input/output files.
599 analyse [options] --results FILE definitions-file
603 syschar-file
604 In this mode, the oscap tool does not perform data
605 collection on the local system, but relies upon
606 the input file, which may have been generated on
607 another system. The output (OVAL Results) is
608 printed to file specified by --results parameter.
609 --variables FILE
611 Provide external variables expected by OVAL
612 Definitions.
613 --directives FILE
615 Use OVAL Directives content to specify
616 desired results content.
617 --skip-valid
619 Do not validate input/output files.
620 validate [options] oval-file
623 Validate given OVAL file against a XML schema.
624 Every found error is printed to the standard
625 error. Return code is 0 if validation succeeds, 1
626 if validation could not be performed due to some
627 error, 2 if the OVAL document is not valid.
628 --definitions, --variables, --syschar, --results
630 --directives
631 Type of the OVAL document is automatically
632 detected by default. If you want enforce
633 certain document type, you can use one of
634 these options.
635 --schematron
637 Turn on Schematron-based validation. It is
638 able to find more errors and inconsisten‐
639 cies but is much slower.
640 generate <submodule> [submodule-specific-options]
642 Generate another document from an OVAL file.
643 Available submodules:
645 report [options] oval-results-file
647 Generate a formatted HTML page containing
648 visualisation of an OVAL results file.
649 Unless the --output option is specified it
650 will be written to the standard output.
651 --output FILE
653 Write the report to this file
654 instead of standard output.
655
658 check name
659 Check whether name is in correct CPE format.
660 match name dictionary.xml
662 Find an exact match of CPE name in the dictionary.
663 validate cpe-dict-file
665 Validate given CPE dictionary file against a XML
666 schema. Every found error is printed to the stan‐
667 dard error. Return code is 0 if validation suc‐
668 ceeds, 1 if validation could not be performed due
669 to some error, 2 if the XCCDF document is not
670 valid.
671
674 score cvss_vector
675 Calculate score from a CVSS vector. Prints base
676 score for base CVSS vector, base and temporal
677 score for temporal CVSS vector, base and temporal
678 and environmental score for environmental CVSS
679 vector.
680 describe cvss_vector
682 Describe individual components of a CVSS vector in
683 a human-readable format and print partial scores.
684 CVSS vector consists of several slash-separated compo‐
686 nents specified as key-value pairs. Each key can be spec‐
687 ified at most once. Valid CVSS vector has to contain at
688 least base CVSS metrics, i.e. AV, AC, AU, C, I, and A.
689 Following table summarizes the components and possible
690 values (second column is metric category: B for base, T
691 for temporal, E for environmental):
692 AV:[L|A|N] B Access vector: Local,
694 Adjacent network, Network
695 AC:[H|M|L] B Access complexity: High,
697 Medium, Low
698 AU:[M|S|N] B Required authentication:
700 Multiple instances, Single instance, None
701 C:[N|P|C] B Confidentiality impact:
703 None, Partial, Complete
704 I:[N|P|C] B Integrity impact: None,
706 Partial, Complete
707 A:[N|P|C] B Availability impact:
709 None, Partial, Complete
710 E:[ND|U|POC|F|H] T Exploitability: Not
712 Defined, Unproven, Proof of Concept, Functional,
713 High
714 RL:[ND|OF|TF|W|U] T Remediation Level: Not
716 Defined, Official Fix, Temporary Fix, Workaround,
717 Unavailable
718 RC:[ND|UC|UR|C] T Report Confidence: Not
720 Defined, Unconfirmed, Uncorroborated, Confirmed
721 CDP:[ND|N|L|LM|MH|H] E Collateral Damage Poten‐
723 tial: Not Defined, None, Low, Low-Medium, Medium-
724 High, High
725 TD:[ND|N|L|M|H] E Target Distribution: Not
727 Defined, None, Low, Medium, High
728 CR:[ND|L|M|H] E Confidentiality require‐
730 ment: Not Defined, Low, Medium, High
731 IR:[ND|L|M|H] E Integrity requirement:
733 Not Defined, Low, Medium, High
734 AR:[ND|L|M|H] E Availability require‐
736 ment: Not Defined, Low, Medium, High
737
739 sds-compose [options] SOURCE_XCCDF TARGET_SDS
740 Creates a source datastream from the XCCDF file
741 given in SOURCE_XCCDF and stores the result in
742 TARGET_SDS. Dependencies like OVAL files are auto‐
743 matically detected and bundled in target source
744 datastream.
745 --skip-valid
747 Do not validate input/output files.
748 sds-add [options] NEW_COMPONENT EXISTING_SDS
750 Adds given NEW_COMPONENT file to the existing
751 source datastream (EXISTING_SDS). Component file
752 might be OVAL, XCCDF or CPE Dictionary file.
753 Dependencies like OVAL files are automatically
754 detected and bundled in target source datastream.
755 --datastream-id DATASTREAM_ID
757 Uses a datastream with that particular ID
758 from the given datastream collection. If
759 not given the first datastream is used.
760 --skip-valid
762 Do not validate input/output files.
763 sds-split [options] SOURCE_DS TARGET_DIR
765 Splits given source datastream into multiple files
766 and stores all the files in TARGET_DIR.
767 --datastream-id DATASTREAM_ID
769 Uses a datastream with that particular ID
770 from the given datastream collection. If
771 not given the first datastream is used.
772 --xccdf-id XCCDF_ID
774 Takes component ref with given ID from
775 checklists. This allows to select a partic‐
776 ular XCCDF component even in cases where
777 there are 2 XCCDFs in one datastream.
778 --skip-valid
780 Do not validate input/output files.
781 --fetch-remote-resources
783 Allow download of remote components refer‐
784 enced from Datastream.
785 sds-validate SOURCE_DS
787 Validate given source datastream file against a
788 XML schema. Every found error is printed to the
789 standard error. Return code is 0 if validation
790 succeeds, 1 if validation could not be performed
791 due to some error, 2 if the source datastream is
792 not valid.
793 rds-create [options] SDS TARGET_ARF XCCDF_RESULTS
795 [OVAL_RESULTS [OVAL_RESULTS ..]]
796 Takes given source datastream, XCCDF and OVAL
797 results and creates a result datastream (in Asset
798 Reporting Format) and saves it to file given in
799 TARGET_ARF.
800 --skip-valid
802 Do not validate input/output files.
803 rds-split [options] [--report-id REPORT_ID] RDS TAR‐
805 GET_DIR
806 Takes given result datastream (also called ARF =
807 asset reporting format) and splits given report
808 and its respective report-request to given target
809 directory. If no report-id is given, we assume
810 user wants the first applicable report in top-down
811 order in the file.
812 --skip-valid
814 Do not validate input/output files.
815 rds-validate SOURCE_RDS
817 Validate given result datastream file against a
818 XML schema. Every found error is printed to the
819 standard error. Return code is 0 if validation
820 succeeds, 1 if validation could not be performed
821 due to some error, 2 if the result datastream is
822 not valid.
823
826 validate cve-nvd-feed.xml
827 Validate given CVE data feed.
828 find CVE cve-nvd-feed.xml
830 Find given CVE in data feed and report base score,
831 vector string and vulnerable software list.
832
835 Normally, the exit status is 0 when operation finished
836 successfully and 1 otherwise. In cases when oscap per‐
837 forms evaluation of the system it may return 2 indicating
838 success of the operation but incompliance of the assessed
839 system.
840
843 Evaluate XCCDF content using CPE dictionary and produce
844 html report. In this case we use United States Government
845 Configuration Baseline (USGCB) for Red Hat Enterprise
846 Linux 5 Desktop.
847 oscap xccdf eval --fetch-remote-resources --oval-results \
849 --profile united_states_government_configuration_baseline \
850 --report usgcb-rhel5desktop.report.html \
851 --results usgcb-rhel5desktop-xccdf.xml.result.xml \
852 --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
853 usgcb-rhel5desktop-xccdf.xml
854
856 SCAP Security Guide - https://github.com/OpenSCAP/scap-
857 security-guide/
858 National Vulnerability Database -
860 http://web.nvd.nist.gov/view/ncp/repository
861 Red Hat content repository - http://www.redhat.com/secu‐
863 rity/data/oval/
864
868 Please report bugs using https://github.com/OpenSCAP/openscap/issues
869 Make sure you include the full output of `oscap --v` in the bug report.
870
873 Peter Vrabec <pvrabec@redhat.com>
874 Šimon Lukašík
875 Martin Preisler <mpreisle@redhat.com>
876Red Hat October 2018 OSCAP(8)