OSCAP(8)                 System Administration Utilities                OSCAP(8)



NAME
       oscap - OpenSCAP command line tool


SYNOPSIS
       oscap [general-options] module operation
             [operation-options-and-arguments]


DESCRIPTION
       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for the different
       SCAP specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology (NIST).


GENERAL OPTIONS
       -V, --version
              Print the supported SCAP specification versions, the location of
              the schema files, schematron files, CPE files and probes, and the
              supported OVAL objects. Also displays the list of inbuilt CPE
              names.

       -h, --help
              Help screen.


MODULES
       info   Determine the type of a file and print information about it.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.


INFO OPERATIONS
       [options] any-scap-file.xml
              This module prints information about the SCAP content in the
              file given on the command line: the SCAP content type, the
              specification version, the date of creation, the date of import
              and so on. The info module does not take an operation keyword.

              For XCCDF or datastream files, the info module also prints the
              IDs of the incorporated profiles, components and datastreams.
              These IDs can be used to specify the target for evaluation, with
              --profile, --xccdf-id (or --oval-id) and --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show the profiles from the input file in the <id>:<title>
                     format, one line per profile.


XCCDF OPERATIONS
       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document given as INPUT_FILE.
              The result of each rule is printed to standard output, including
              the rule title, rule ID and security identifiers (CVE, CCE).
              A source datastream may be given as INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If at least one rule has the
              result fail or unknown, oscap finishes with return code 2.

              Unless --skip-valid is used, INPUT_FILE is validated against the
              XSD schemas for its document type and rejected if invalid.

              OVAL Definition files may be given as the last parameters; the
              XCCDF evaluation then proceeds only with those files. When the
              oval-definitions-files parameter is missing, oscap tries to load
              all OVAL Definition files referenced from the XCCDF automatically
              (searching the same path as the XCCDF file).

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule is evaluated. The rule uses the values of the
                     selected profile; if no profile is selected, default
                     values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the profile
                     from the tailoring file to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use a tailoring component in the input source datastream
                     for XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (the value of the
                     component-ref/@id attribute in the input source
                     datastream). Select the profile from the tailoring
                     component to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or CPE language file
                     (auto-detected) for applicability checks. (Some CPE names
                     are provided by openscap itself; see oscap --version for
                     the inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results into FILE in Asset Reporting Format. This
                     option is recommended over --results when dealing with
                     datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by the
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --thin-results
                     Thin results provide only a minimal amount of information
                     in OVAL/ARF results. --without-syschar is enabled
                     automatically when thin results are used.

              --without-syschar
                     Do not include system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE. --results must also be
                     given for this feature to work. See --oval-results to
                     include additional information in the report.

              --oval-results
                     Generate an OVAL Results file for each OVAL session used
                     for the evaluation. A file named
                     'original-oval-definitions-filename.result.xml' is written
                     to the current working directory for each referenced OVAL
                     file; change directory before running oscap to place them
                     elsewhere. In conjunction with --report, this option also
                     enables the inclusion of additional OVAL information in
                     the XCCDF report.

              --check-engine-results
                     After the evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; refer to the documentation of the
                     plugin for details.

              --export-variables
                     Generate OVAL Variables documents containing the values of
                     the external variables that were provided to the OVAL
                     checking engine during the evaluation. The filename format
                     is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the datastream with this ID from the given datastream
                     collection. If not given, the first datastream is used.
                     Only applies when a source datastream is given in place of
                     an XCCDF file.

              --xccdf-id ID
                     Take the component-ref with the given ID from the
                     checklists element. This selects a particular XCCDF
                     component even when a datastream contains more than one.
                     If none is given, the first component-ref from the
                     checklists element is used.

              --benchmark-id ID
                     Select a component-ref from any datastream that references
                     a component whose XCCDF Benchmark has an @id attribute
                     matching the given string exactly. This is not the
                     recommended way of selecting a component-ref; use
                     --xccdf-id and/or --datastream-id for more precision.
                     --benchmark-id is only honoured when neither --xccdf-id
                     nor --datastream-id is present on the command line.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href. Downloaded OVAL content
                     decides rule results exactly as local content does (and,
                     with --remediate, which fixes run), so it needs the same
                     level of trust as the local content.

              --remediate
                     Execute XCCDF remediation during the XCCDF evaluation.
                     This option automatically executes the content of the
                     XCCDF fix elements of failed rules on the scanned system,
                     with the privileges of the oscap process. Avoid it for
                     anything but trusted content; use of this option is
                     always at your own risk.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the given verbosity level.
                     VERBOSITY_LEVEL is one of DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the file to which the additional information is
                     written.

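       The results file written by --results is what drives the exit status
       above and the later remediate and generate fix operations. The following
       Python is an added example, not oscap code and not from the OpenSCAP
       project: it reads an XCCDF 1.2 results document, tallies the rule
       results of one TestResult, derives the exit status documented above (0
       when every rule passed, 2 when any rule is fail or unknown) and lists
       the failing rule IDs, highest severity first, so they can be re-run
       with --rule or remediated from that TestResult with --result-id. The
       embedded XML is a constructed sample; all of its IDs are made up.

```python
"""Summarise an XCCDF 1.2 results file the way `oscap xccdf eval` reports
it.  Added example, not part of oscap or the OpenSCAP project.  The XML
below is a constructed sample: every id in it is made up."""
import xml.etree.ElementTree as ET

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: two TestResults from two successive scans written
# into the same results document (ids are invented).
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_scan1"
              start-time="2017-03-01T10:00:00" end-time="2017-03-01T10:05:00">
    <rule-result idref="xccdf_org.example_rule_password_minlen" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
  </TestResult>
  <TestResult id="xccdf_org.example_testresult_scan2"
              start-time="2017-03-02T10:00:00" end-time="2017-03-02T10:05:00">
    <rule-result idref="xccdf_org.example_rule_sshd_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_password_minlen" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="high">
      <result>unknown</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_aide_installed" severity="low">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_grub_password" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def select_result(xml_text, result_id=None):
    """Return one TestResult element: the one with the given id, or the
    last one in the document (what `oscap xccdf remediate` uses without
    --result-id)."""
    results = ET.fromstring(xml_text).findall("xccdf:TestResult", NS)
    if result_id is not None:
        results = [tr for tr in results if tr.get("id") == result_id]
    if not results:
        raise ValueError("no TestResult %r in document" % (result_id,))
    return results[-1]


def latest_result_id(xml_text):
    """Id of the TestResult with the latest end-time, the default that
    `oscap xccdf generate report` visualises."""
    results = ET.fromstring(xml_text).findall("xccdf:TestResult", NS)
    return max(results, key=lambda tr: tr.get("end-time", "")).get("id")


def tally(xml_text, result_id=None):
    """Count rule results ({'pass': n, 'fail': m, ...}) of one TestResult."""
    counts = {}
    for rr in select_result(xml_text, result_id).findall("xccdf:rule-result", NS):
        verdict = rr.findtext("xccdf:result", namespaces=NS)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def eval_exit_status(counts):
    """Exit status `oscap xccdf eval` documents for these results: 2 when
    any rule is fail or unknown, otherwise 0.  (1 means an evaluation
    error, which never shows up as a rule result.)"""
    return 2 if counts.get("fail", 0) or counts.get("unknown", 0) else 0


def failing_rules(xml_text, result_id=None):
    """Ids of rules with result 'fail', highest severity first, ready to
    be re-checked with --rule or remediated with --result-id."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    failed = [rr for rr in select_result(xml_text, result_id).findall("xccdf:rule-result", NS)
              if rr.findtext("xccdf:result", namespaces=NS) == "fail"]
    failed.sort(key=lambda rr: order.get(rr.get("severity", "unknown"), 4))
    return [rr.get("idref") for rr in failed]


if __name__ == "__main__":
    rid = latest_result_id(SAMPLE_RESULTS)
    counts = tally(SAMPLE_RESULTS, rid)
    print(rid, counts, "-> oscap exit status", eval_exit_status(counts))
    for rule in failing_rules(SAMPLE_RESULTS, rid):
        print("  FAIL", rule)
```

       Run against a real results file, replace SAMPLE_RESULTS with the
       contents of the file given to --results; the TestResult id printed
       first is the value to pass as --result-id.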
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that
              INPUT_FILE is the result of an `oscap xccdf eval` operation; the
              input file must contain a TestResult element. The module executes
              the XCCDF fix elements of every failed rule-result contained in
              the given TestResult. Use of this operation is always at your own
              risk and shall be avoided unless the content is trusted.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remediated. If this option is missing, the last TestResult
                     (in top-down processing) is remediated.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or CPE language file
                     (auto-detected) for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results into FILE in Asset Reporting Format. This
                     option is recommended over --results when dealing with
                     datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by the
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --report FILE
                     Write an HTML report into FILE. --results must also be
                     given for this feature to work.

              --oval-results
                     Generate an OVAL Results file for each OVAL session used
                     for the evaluation. A file named
                     'original-oval-definitions-filename.result.xml' is written
                     for each referenced OVAL file. In conjunction with
                     --report, this option also enables the inclusion of
                     additional OVAL information in the XCCDF report.

              --check-engine-results
                     After the evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; refer to the documentation of the
                     plugin for details.

              --export-variables
                     Generate OVAL Variables documents containing the values of
                     the external variables that were provided to the OVAL
                     checking engine during the evaluation. The filename format
                     is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification:
              flatten the inheritance hierarchy of XCCDF profiles, groups,
              rules and values. The result is another XCCDF document, written
              to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against the XML schema. Every
              error found is printed to standard error. The return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, and 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It finds more errors
                     and inconsistencies but is much slower. Schematron is
                     available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              the evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Use the datastream with this ID from the given datastream
                     collection. If not given, the first datastream is used.
                     Only applies when a source datastream is given in place of
                     an XCCDF file.

              --xccdf-id ID
                     Take the component-ref with the given ID from the
                     checklists element. This selects a particular XCCDF
                     component even when a datastream contains more than one.

              --cpe CPE_FILE
                     Use the given CPE dictionary or CPE language file
                     (auto-detected) for applicability checks. Variables
                     documents are created only for the xccdf:Rules which are
                     applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a security
              guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate a formatted document containing a security guide
                     from an XCCDF Benchmark. Unless --output is specified it
                     is written to standard output. Without a profile being
                     set, only groups (not rules) are included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            Exclude information on the chosen profile (e.g.
                            the rules selected by the profile) from the
                            document.

              report [options] xccdf-file
                     Generate a document containing the results of an XCCDF
                     Benchmark execution. Unless --output is specified it is
                     written to standard output. The TestResult element to
                     visualise defaults to the most recent result (according
                     to its end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report is
                            generated.

                     --show what
                            Specify which result types are displayed in the
                            report. By default everything is shown except rules
                            with the results notselected and notapplicable. The
                            what part is a comma-separated list of result types
                            to display in addition to the default; a result
                            type prefixed by a dash '-' is excluded instead. If
                            what is prefixed by an equality sign '=', the list
                            that follows specifies exactly which result types
                            to include in the report. Result types are: pass,
                            fixed, notchecked, notapplicable, notselected,
                            informational, unknown, error, fail.

                     --oval-template template-string
                            To include additional information from OVAL in the
                            XCCDF report, a template from which the OVAL result
                            file names are derived has to be specified. The
                            template is either a filename or a string
                            containing the wildcard character '%' (percent
                            sign), which is replaced by the original OVAL
                            definition file name as referenced from the XCCDF
                            file. This way OVAL information can be obtained
                            even for XCCDF documents referencing several OVAL
                            files. To use this option with results from an
                            XCCDF evaluation run with --oval-results, specify
                            %.result.xml as the template.

                     --sce-template template-string
                            To include additional information from SCE in the
                            XCCDF report, a template from which the SCE result
                            file names are derived has to be specified. The
                            template is either a filename or a string
                            containing the wildcard character '%' (percent
                            sign), which is replaced by the original SCE script
                            file name as referenced from the XCCDF file. This
                            way SCE information can be obtained even for XCCDF
                            documents referencing several SCE files. To use
                            this option with results from an XCCDF evaluation,
                            specify %.result.xml as the template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are
                     two ways to generate fixes: result-oriented (--result-id)
                     or profile-oriented (--profile). Result-oriented takes
                     precedence: if a result-id is given, oscap ignores any
                     profile provided.

                     Result-oriented fixes are generated from the TestResult
                     selected by result-id and cover only the failing rules in
                     that result; all other rules are skipped.

                     Profile-oriented fixes are generated for all rules within
                     the provided profile. If neither result-id nor profile is
                     provided, the (default) profile is used to generate fixes.

                     --fix-type TYPE
                            Specify the fix type. The fix script can be
                            generated in several languages; TYPE is one of
                            bash, ansible, puppet, anaconda. The default is
                            bash. This option is mutually exclusive with
                            --template, because the fix type already determines
                            the template URN.

                     --output FILE
                            Write the script to this file instead of standard
                            output.

                     --result-id ID
                            Fixes are generated for the failed rule-results of
                            the specified TestResult.

                     --template ID|FILE
                            Template used to generate the script. If it
                            contains a dot '.' it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of how to write your own
                            templates is in the XSL file xsl/legacy-fix.xsl in
                            the openscap data directory. You can also take a
                            look at the default template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component-ref with the given ID from the
                            checklists element. This selects a particular XCCDF
                            component even when a datastream contains more than
                            one. If none is given, the first component-ref from
                            the checklists element is used.

                     --benchmark-id ID
                            Select a component-ref from any datastream that
                            references a component whose XCCDF Benchmark has an
                            @id attribute matching the given string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the
                            profile from the tailoring file to apply using
                            --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source
                            datastream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (the
                            value of the component-ref/@id attribute in the
                            input source datastream). Select the profile from
                            the tailoring component to apply using --profile.
                            If both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                            Write the document into this file.
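
       The --show option of the report submodule accepts a small filter
       language with three forms (additions, '-' exclusions and an exact '='
       list). The following Python is an added example, not oscap code: it
       resolves a --show argument into the set of result types the report
       lists, following the rules given for the option above rather than
       OpenSCAP's implementation, and applies that set to a list of (rule id,
       result) pairs such as the rule-results of a TestResult. The rule ids in
       the usage at the bottom are invented.

```python
"""Resolve the --show argument of `oscap xccdf generate report`.
Added example, not oscap code; it follows the rules stated in the option
text, not OpenSCAP's implementation."""

RESULT_TYPES = frozenset((
    "pass", "fixed", "notchecked", "notapplicable", "notselected",
    "informational", "unknown", "error", "fail",
))
# Default: everything except rules that were not selected or not applicable.
DEFAULT_SHOWN = RESULT_TYPES - {"notselected", "notapplicable"}


def _known(name):
    """Reject anything that is not an XCCDF result type."""
    if name not in RESULT_TYPES:
        raise ValueError("unknown result type %r" % name)
    return name


def shown_result_types(show=None):
    """Set of result types the report lists for a given --show value.

    None or ''      -> the default set
    'a,b'           -> default plus a and b
    '-a,b'          -> default minus a, plus b
    '=a,b'          -> exactly a and b, nothing else
    """
    if not show or not show.strip():
        return set(DEFAULT_SHOWN)
    spec = show.strip()
    if spec.startswith("="):
        return {_known(t.strip()) for t in spec[1:].split(",") if t.strip()}
    shown = set(DEFAULT_SHOWN)
    for item in (t.strip() for t in spec.split(",") if t.strip()):
        if item.startswith("-"):
            shown.discard(_known(item[1:]))
        else:
            shown.add(_known(item))
    return shown


def filter_rule_results(rule_results, show=None):
    """Keep the (rule_id, result) pairs a report generated with --show
    would display."""
    shown = shown_result_types(show)
    return [(rid, res) for rid, res in rule_results if res in shown]


if __name__ == "__main__":
    # Constructed rule results (ids are invented).
    sample = [
        ("xccdf_org.example_rule_sshd_root_login", "pass"),
        ("xccdf_org.example_rule_password_minlen", "fail"),
        ("xccdf_org.example_rule_aide_installed", "notselected"),
        ("xccdf_org.example_rule_audit_enabled", "unknown"),
    ]
    for spec in (None, "notselected", "-pass", "=fail,unknown"):
        print("--show %-16s -> %s" % (spec, [r for r, _ in filter_rule_results(sample, spec)]))
```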


OVAL OPERATIONS
       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definitions file. The result of each definition is printed to
              standard output. The return code is 0 after a successful
              evaluation and 1 on error.

              INPUT_FILE can be either an OVAL Definitions file or a SCAP
              source datastream, depending on the options used.

              Unless --skip-valid is used, INPUT_FILE is validated against the
              XSD schemas for its document type and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL
                     Definitions file.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions file.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Do not include system characteristics in the result file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human-readable (HTML) report from the OVAL
                     Results.

              --datastream-id ID
                     Use the datastream with this ID from the given datastream
                     collection. If not given, the first datastream is used.
                     Only applies when a source datastream is given in place of
                     an OVAL file.

              --oval-id ID
                     Take the component-ref with the given ID from the checks
                     element. This selects a particular OVAL component even
                     when a datastream contains more than one.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     datastream.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the given verbosity level.
                     VERBOSITY_LEVEL is one of DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the file to which the additional information is
                     written.


       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definitions file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified OVAL
                     Object.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write the OVAL System Characteristics into the file.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the given verbosity level.
                     VERBOSITY_LEVEL is one of DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the file to which the additional information is
                     written.


       analyse [options] --results FILE definitions-file syschar-file
              In this mode oscap does not collect data on the local system
              but relies on the given system characteristics file, which may
              have been generated on another system. The output (OVAL Results)
              is written to the file given by --results.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at the given verbosity level.
                     VERBOSITY_LEVEL is one of DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set the file to which the additional information is
                     written.


       validate [options] oval-file
              Validate the given OVAL file against the XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, and 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is detected automatically
                     by default. To enforce a certain document type, use one
                     of these options.

              --schematron
                     Turn on Schematron-based validation. It finds more errors
                     and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page visualising an OVAL
                     Results file. Unless --output is specified it is written
                     to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

       list-probes [options]
              List the supported object types (i.e. probes).

              --static
                     List all probes defined in the internal tables.

              --dynamic
                     List all probes supported on the current system (this is
                     the default behaviour).

              --verbose
                     Be verbose.



CPE OPERATIONS
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against the XML schema.
              Every error found is printed to standard error. The return code
              is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, and 2 if the CPE dictionary is not
              valid.


CVSS OPERATIONS
       score cvss_vector
              Calculate the score from a CVSS vector. Prints the base score
              for a base CVSS vector, the base and temporal scores for a
              temporal CVSS vector, and the base, temporal and environmental
              scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print the partial scores.

       A CVSS vector consists of several slash-separated components given as
       key:value pairs. Each key can be specified at most once. A valid CVSS
       vector has to contain at least the base CVSS metrics, i.e. AV, AC, AU,
       C, I and A. The following table summarizes the components and their
       possible values (the second column is the metric category: B for base,
       T for temporal, E for environmental):

       AV:[L|A|N]            B   Access vector: Local, Adjacent network,
                                 Network

       AC:[H|M|L]            B   Access complexity: High, Medium, Low

       AU:[M|S|N]            B   Required authentication: Multiple instances,
                                 Single instance, None

       C:[N|P|C]             B   Confidentiality impact: None, Partial,
                                 Complete

       I:[N|P|C]             B   Integrity impact: None, Partial, Complete

       A:[N|P|C]             B   Availability impact: None, Partial, Complete

       E:[ND|U|POC|F|H]      T   Exploitability: Not Defined, Unproven, Proof
                                 of Concept, Functional, High

       RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined, Official Fix,
                                 Temporary Fix, Workaround, Unavailable

       RC:[ND|UC|UR|C]       T   Report Confidence: Not Defined, Unconfirmed,
                                 Uncorroborated, Confirmed

       CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not Defined,
                                 None, Low, Low-Medium, Medium-High, High

       TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined, None, Low,
                                 Medium, High

       CR:[ND|L|M|H]         E   Confidentiality requirement: Not Defined,
                                 Low, Medium, High

       IR:[ND|L|M|H]         E   Integrity requirement: Not Defined, Low,
                                 Medium, High

       AR:[ND|L|M|H]         E   Availability requirement: Not Defined, Low,
                                 Medium, High
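
       What `oscap cvss score` computes from such a vector is defined by the
       CVSS v2 equations. The following Python is an added example, not
       OpenSCAP code: it parses a vector in the syntax described above,
       rejects duplicate keys, unknown keys or values and missing base
       metrics, and computes the base score, plus the temporal and
       environmental scores when the corresponding metrics are present, using
       the published CVSS v2 metric weights. Keys are matched
       case-insensitively, so both AU (as listed in the table) and Au (as
       spelled in the CVSS v2 specification) are accepted.

```python
"""CVSS v2 scoring for the vector syntax `oscap cvss score` accepts.
Added example, not OpenSCAP code: it applies the published CVSS v2
base, temporal and environmental equations and metric weights."""
from decimal import Decimal, ROUND_HALF_UP

BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL = {
    "E": {"ND": 1.0, "U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0},
    "RL": {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},
    "RC": {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0},
}
ENVIRONMENTAL = {
    "CDP": {"ND": 0.0, "N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5},
    "TD": {"ND": 1.0, "N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0},
    "CR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
    "IR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
    "AR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},
}
ALL_METRICS = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def round1(x):
    """CVSS v2 round_to_1_decimal: half up, not Python's half-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/...' -> {KEY: VALUE}.  Keys are case-insensitive (AU and
    Au both work), each key may appear once, all six base metrics are
    required, and unknown keys or values are rejected."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        key, value = key.strip().upper(), value.strip().upper()
        if not sep or key not in ALL_METRICS or value not in ALL_METRICS[key]:
            raise ValueError("bad CVSS component %r" % part)
        if key in metrics:
            raise ValueError("metric %s given more than once" % key)
        metrics[key] = value
    missing = sorted(set(BASE) - set(metrics))
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub-score; cr/ir/ar are the environmental requirement weights."""
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))


def _base(m, impact):
    expl = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["AU"][m["AU"]]
    if impact == 0:            # f(Impact) = 0 when nothing is impacted
        return 0.0
    return round1((0.6 * impact + 0.4 * expl - 1.5) * 1.176)


def _temporal(m, base):
    factor = 1.0
    for key, table in TEMPORAL.items():
        factor *= table[m.get(key, "ND")]
    return round1(base * factor)


def score(vector):
    """Return the scores oscap prints for this kind of vector:
    {'base': b}, {'base': b, 'temporal': t} or all three."""
    m = parse_vector(vector)
    has_temporal = any(k in m for k in TEMPORAL)
    has_env = any(k in m for k in ENVIRONMENTAL)
    out = {"base": _base(m, _impact(m))}
    if has_temporal or has_env:
        out["temporal"] = _temporal(m, out["base"])
    if has_env:
        reqs = (ENVIRONMENTAL[k][m.get(k, "ND")] for k in ("CR", "IR", "AR"))
        adjusted_impact = min(10.0, _impact(m, *reqs))
        adjusted_temporal = _temporal(m, _base(m, adjusted_impact))
        cdp = ENVIRONMENTAL["CDP"][m.get("CDP", "ND")]
        td = ENVIRONMENTAL["TD"][m.get("TD", "ND")]
        out["environmental"] = round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)
    return out


if __name__ == "__main__":
    for v in ("AV:N/AC:M/AU:N/C:P/I:P/A:P",
              "AV:N/AC:L/AU:N/C:P/I:P/A:P/E:POC/RL:OF/RC:UC",
              "AV:N/AC:L/AU:N/C:P/I:P/A:P/E:POC/RL:OF/RC:UC/CDP:LM/TD:H/CR:H/IR:H/AR:H"):
        print(v, "->", score(v))
```

       Rounding is done with half-up at every stage (base, temporal,
       adjusted base, adjusted temporal, environmental) as the CVSS v2
       equations prescribe; Python's built-in round() would round half to
       even and can differ by 0.1 on exact ties.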

DS OPERATIONS
       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Create a source datastream from the XCCDF file given as
              SOURCE_XCCDF and store the result in TARGET_SDS. Dependencies
              such as OVAL files are detected automatically and bundled into
              the target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Add the given NEW_COMPONENT file to the existing source
              datastream EXISTING_SDS. The component file may be an OVAL,
              XCCDF or CPE Dictionary file. Dependencies such as OVAL files
              are detected automatically and bundled into the target source
              datastream.

              --datastream-id DATASTREAM_ID
                     Use the datastream with this ID from the given datastream
                     collection. If not given, the first datastream is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Split the given source datastream into multiple files and store
              them all in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Use the datastream with this ID from the given datastream
                     collection. If not given, the first datastream is used.

              --xccdf-id XCCDF_ID
                     Take the component-ref with the given ID from the
                     checklists element. This selects a particular XCCDF
                     component even when a datastream contains more than one.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     datastream.

       sds-validate SOURCE_DS
              Validate the given source datastream file against the XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, and 2 if the source
              datastream is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS
       [OVAL_RESULTS ..]]
              Take the given source datastream, XCCDF results and OVAL results,
              create a result datastream (in Asset Reporting Format) and save
              it to the file given as TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Take the given result datastream (also called ARF, Asset
              Reporting Format) and split the given report and its respective
              report-request into the target directory. If no report-id is
              given, the first applicable report in top-down order in the file
              is used.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result datastream file against the XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, and 2 if the result
              datastream is not valid.
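
       The IDs that --datastream-id, --xccdf-id and --oval-id take, and that
       the info module prints, are the ds:data-stream/@id and
       ds:component-ref/@id values inside the source datastream. The
       following Python is an added example, not OpenSCAP code, serving both
       the info module description and this section: it inventories a source
       datastream, listing each datastream with its checklist, check and
       dictionary component-refs, prints each checklist's profiles in the
       <id>:<title> form of `oscap info --profiles`, and flags component-refs
       whose xlink:href is not a local '#id' fragment, i.e. the remote
       components oscap downloads only when --fetch-remote-resources is
       given. The embedded datastream is a constructed sample; every ID and
       URL in it is made up.

```python
"""Inventory a SCAP source datastream the way `oscap info` does.
Added example, not OpenSCAP code.  The datastream below is a constructed
sample: every id and URL in it is made up."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
XLINK_HREF = "{%s}href" % NS["xlink"]

SAMPLE_SDS = """\
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_org.example_collection_demo" schematron-version="1.2">
  <ds:data-stream id="scap_org.example_datastream_demo" scap-version="1.2" use-case="OTHER">
    <ds:dictionaries>
      <ds:component-ref id="scap_org.example_cref_cpe-dictionary.xml"
                        xlink:href="#scap_org.example_comp_cpe-dictionary.xml"/>
    </ds:dictionaries>
    <ds:checklists>
      <ds:component-ref id="scap_org.example_cref_xccdf.xml"
                        xlink:href="#scap_org.example_comp_xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.example_cref_oval.xml"
                        xlink:href="#scap_org.example_comp_oval.xml"/>
      <ds:component-ref id="scap_org.example_cref_extra-oval.xml"
                        xlink:href="https://content.example.test/extra-oval.xml"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_org.example_comp_xccdf.xml" timestamp="2017-03-01T00:00:00">
    <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                     id="xccdf_org.example_benchmark_demo">
      <xccdf:Profile id="xccdf_org.example_profile_baseline">
        <xccdf:title>Example baseline</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.example_profile_hardened">
        <xccdf:title>Example hardened</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
  <!-- the OVAL and CPE dictionary components are omitted from this sample -->
</ds:data-stream-collection>
"""


def _profiles(cref, components):
    """'<id>:<title>' lines for the Benchmark a checklist component-ref
    points at (empty if the target is not a local component)."""
    href = cref.get(XLINK_HREF, "")
    comp = components.get(href[1:]) if href.startswith("#") else None
    if comp is None:
        return []
    return ["%s:%s" % (p.get("id"), p.findtext("xccdf:title", default="", namespaces=NS))
            for p in comp.findall("xccdf:Benchmark/xccdf:Profile", NS)]


def inventory(sds_xml):
    """{datastream id: {'dictionaries': [cref ids], 'checklists': [...],
    'checks': [...], 'profiles': {checklist cref id: ['id:title', ...]}}}.
    These are the values --datastream-id, --xccdf-id, --oval-id and
    --profile take."""
    root = ET.fromstring(sds_xml)
    components = {c.get("id"): c for c in root.findall("ds:component", NS)}
    result = {}
    for stream in root.findall("ds:data-stream", NS):
        entry = {"dictionaries": [], "checklists": [], "checks": [], "profiles": {}}
        for section in ("dictionaries", "checklists", "checks"):
            for cref in stream.findall("ds:%s/ds:component-ref" % section, NS):
                entry[section].append(cref.get("id"))
                if section == "checklists":
                    entry["profiles"][cref.get("id")] = _profiles(cref, components)
        result[stream.get("id")] = entry
    return result


def remote_references(sds_xml):
    """(component-ref id, href) for every component-ref whose xlink:href is
    not a local '#id' fragment.  oscap fetches these only when
    --fetch-remote-resources is given; review them before scanning."""
    root = ET.fromstring(sds_xml)
    return [(cref.get("id"), cref.get(XLINK_HREF, ""))
            for cref in root.iter("{%s}component-ref" % NS["ds"])
            if not cref.get(XLINK_HREF, "").startswith("#")]


if __name__ == "__main__":
    for ds_id, entry in inventory(SAMPLE_SDS).items():
        print("datastream", ds_id, {k: v for k, v in entry.items() if k != "profiles"})
        print("  profiles", entry["profiles"])
    print("remote component-refs", remote_references(SAMPLE_SDS))
```

       A datastream with a non-empty remote_references() result needs
       --fetch-remote-resources for those checks to be evaluated at all, and
       the fetched content carries the same weight in rule results as the
       bundled content, so the listed URLs deserve the same review as the
       datastream file itself.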


CVE OPERATIONS
       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score,
              vector string and vulnerable software list.


EXIT STATUS
       Normally the exit status is 0 when the operation finished successfully
       and 1 otherwise. When oscap performs an evaluation of the system it may
       return 2, indicating success of the operation but non-compliance of the
       assessed system.


EXAMPLES
       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case the United States Government Configuration
       Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop is used.

           oscap xccdf eval --fetch-remote-resources --oval-results \
               --profile united_states_government_configuration_baseline \
               --report usgcb-rhel5desktop.report.html \
               --results usgcb-rhel5desktop-xccdf.xml.result.xml \
               --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
               usgcb-rhel5desktop-xccdf.xml

REFERENCES
       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database -
       http://web.nvd.nist.gov/view/ncp/repository

       Red Hat content repository - http://www.redhat.com/security/data/oval/



REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap -V` in the bug report.


AUTHORS
       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>



Red Hat                            March 2017                          OSCAP(8)