OSCAP(8)                System Administration Utilities                OSCAP(8)

oscap - OpenSCAP command line tool

oscap [general-options] module operation [operation-options-and-arguments]

oscap is a Security Content Automation Protocol (SCAP) toolkit based on the
OpenSCAP library. It provides various functions for different SCAP
specifications (modules).

The OpenSCAP tool claims to provide the capabilities of an Authenticated
Configuration Scanner and an Authenticated Vulnerability Scanner as defined
by the National Institute of Standards and Technology.

-V, --version
       Print supported SCAP specifications, location of schema files,
       schematron files, CPE files, probes and supported OVAL objects.
       Displays a list of inbuilt CPE names.

-h, --help
       Help screen.

info   Determine type and print information about a file.

xccdf  The eXtensible Configuration Checklist Description Format.

oval   Open Vulnerability and Assessment Language.

ds     SCAP Data Stream

cpe    Common Platform Enumeration.

cvss   Common Vulnerability Scoring System

cve    Common Vulnerabilities and Exposures

       Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is
       one of: DEVEL, INFO, WARNING, ERROR.

       Set filename to write additional information.

[options] any-scap-file.xml
       This module prints information about SCAP content in a file specified
       on a command line. It determines SCAP content type, specification
       version, date of creation, date of import and so on. Info module
       doesn't require any additional operation switch.

       For XCCDF or Datastream files, info module prints out IDs of
       incorporated profiles, components, and datastreams. These IDs can be
       used to specify the target for evaluation. Use options --profile,
       --xccdf-id (or --oval-id), and --datastream-id respectively.

       --fetch-remote-resources
              Allow download of remote components referenced from Datastream.

       --profile PROFILE
              Show info of the profile with the given ID.

       --profiles
              Show profiles from the input file in the <id>:<title> format,
              one line per profile.

eval [options] INPUT_FILE [oval-definitions-files]
       Perform evaluation of the XCCDF document file given as INPUT_FILE.
       Print the result of each rule to standard output, including rule
       title, rule id and security identifier (CVE, CCE). Optionally you can
       give a source datastream as the INPUT_FILE instead of an XCCDF file
       (see --datastream-id).

       oscap returns 0 if all rules pass. If there is an error during
       evaluation, the return code is 1. If there is at least one rule with
       either fail or unknown result, oscap-scan finishes with return code 2.

       Unless --skip-valid is used, the INPUT_FILE is validated using XSD
       schemas (depending on document type of INPUT_FILE) and rejected if
       invalid.

       You may specify OVAL Definition files as the last parameter; XCCDF
       evaluation will then proceed only with those specified files.
       Otherwise, when the oval-definitions-files parameter is missing, the
       oscap tool will try to load all OVAL Definition files referenced from
       XCCDF automatically (search in the same path as XCCDF).

       --profile PROFILE
              Select a particular profile from XCCDF document. If "(all)" is
              given a virtual profile that selects all groups and rules will
              be used.

       --rule RULE
              Select a particular rule from XCCDF document. Only this rule
              will be evaluated. Rule will use values according to the
              selected profile. If no profile is selected, default values
              are used.

       --tailoring-file TAILORING_FILE
              Use given file for XCCDF tailoring. Select profile from
              tailoring file to apply using --profile. If both
              --tailoring-file and --tailoring-id are specified,
              --tailoring-file takes priority.

       --tailoring-id COMPONENT_REF_ID
              Use tailoring component in input source datastream for XCCDF
              tailoring. The tailoring component must be specified by its
              Ref-ID (value of component-ref/@id attribute in input source
              datastream). Select profile from tailoring component to apply
              using --profile. If both --tailoring-file and --tailoring-id
              are specified, --tailoring-file takes priority.

       --cpe CPE_FILE
              Use given CPE dictionary or language (auto-detected) for
              applicability checks. (Some CPE names are provided by
              openscap, see oscap --version for Inbuilt CPE names)

       --results FILE
              Write XCCDF results into FILE.

       --results-arf FILE
              Writes results to a given FILE in Asset Reporting Format. It
              is recommended to use this option instead of --results when
              dealing with datastreams.

       --stig-viewer FILE
              Writes XCCDF results into FILE in a format readable by DISA
              STIG Viewer. See
              http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx.
              This option should be used to generate results for DISA STIG
              Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer,
              use --results instead.

       --thin-results
              Thin Results provides only minimal amount of information in
              OVAL/ARF results. The option --without-syschar is
              automatically enabled when you use Thin Results.

       --without-syschar
              Don't provide system characteristics in OVAL/ARF result files.

       --report FILE
              Write HTML report into FILE. Add --oval-results to enable
              detailed information in the report.

       --oval-results
              Generate OVAL Result file for each OVAL session used for
              evaluation. File with name
              'original-oval-definitions-filename.result.xml' will be
              generated for each referenced OVAL file in current working
              directory. This option (in conjunction with the --report
              option) also enables inclusion of additional OVAL information
              in the XCCDF report. To change the directory where OVAL files
              are generated, change the CWD using the `cd` command.

       --check-engine-results
              After evaluation is finished, each loaded check engine plugin
              is asked to export its results. The export itself is plugin
              specific, please refer to documentation of the plugin for more
              details.

       --export-variables
              Generate OVAL Variables documents which contain external
              variables' values that were provided to the OVAL checking
              engine during evaluation. The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       --datastream-id ID
              Uses a datastream with that particular ID from the given
              datastream collection. If not given the first datastream is
              used. Only applies if you give source datastream in place of
              an XCCDF file.

       --xccdf-id ID
              Takes component ref with given ID from checklists. This makes
              it possible to select a particular XCCDF component even in
              cases where there are 2 XCCDFs in one datastream. If none is
              given, the first component from the checklists element is
              used.

       --benchmark-id ID
              Selects a component ref from any datastream that references a
              component with XCCDF Benchmark such that its @id attribute
              matches given string exactly. Please note that this is not the
              recommended way of selecting a component-ref. You are advised
              to use --xccdf-id AND/OR --datastream-id for more precision.
              --benchmark-id is only used when both --xccdf-id and
              --datastream-id are not present on the command line!

       --skip-valid
              Do not validate input/output files.

       --fetch-remote-resources
              Allow download of remote OVAL content referenced from XCCDF by
              check-content-ref/@href.

       --remediate
              Execute XCCDF remediation in the process of XCCDF evaluation.
              This option automatically executes the content of XCCDF fix
              elements for failed rules, so it should be avoided unless the
              content is trusted. Use of this option is always at your own
              risk.

remediate [options] INPUT_FILE [oval-definitions-files]
       This module provides post-scan remediation. It assumes that the
       INPUT_FILE is the result of an `oscap xccdf eval` operation. The input
       file must contain a TestResult element. This module executes XCCDF fix
       elements for failed rule-results contained in the given TestResult.
       Use of this option is always at your own risk and it should be avoided
       unless the content is trusted.

       --result-id ID
              ID of the XCCDF TestResult element which shall be remedied. If
              this option is missing the last TestResult (in top-down
              processing) will be remedied.

       --skip-valid
              Do not validate input/output files.

       --fetch-remote-resources
              Allow download of remote OVAL content referenced from XCCDF by
              check-content-ref/@href.

       --cpe CPE_FILE
              Use given CPE dictionary or language (auto-detected) for
              applicability checks.

       --results FILE
              Write XCCDF results into FILE.

       --results-arf FILE
              Writes results to a given FILE in Asset Reporting Format. It
              is recommended to use this option instead of --results when
              dealing with datastreams.

       --stig-viewer FILE
              Writes XCCDF results into FILE in a format readable by DISA
              STIG Viewer. See
              http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx.
              This option should be used to generate results for DISA STIG
              Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer,
              use --results instead.

       --report FILE
              Write HTML report into FILE. Add --oval-results to enable
              detailed information in the report.

       --oval-results
              Generate OVAL Result file for each OVAL session used for
              evaluation. File with name
              'original-oval-definitions-filename.result.xml' will be
              generated for each referenced OVAL file. This option (in
              conjunction with the --report option) also enables inclusion
              of additional OVAL information in the XCCDF report.

       --check-engine-results
              After evaluation is finished, each loaded check engine plugin
              is asked to export its results. The export itself is plugin
              specific, please refer to documentation of the plugin for more
              details.

       --export-variables
              Generate OVAL Variables documents which contain external
              variables' values that were provided to the OVAL checking
              engine during evaluation. The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       --progress
              Switch to sparse output suitable for progress reporting.
              Format of the output is "$rule_id:$result\n".

resolve -o output-file xccdf-file
       Resolve an XCCDF file as described in the XCCDF specification. It
       will flatten inheritance hierarchy of XCCDF profiles, groups, rules,
       and values. Result is another XCCDF document, which will be written
       to output-file.

       --force
              Force resolving XCCDF document even if it is already marked as
              resolved.

validate [options] xccdf-file
       Validate given XCCDF file against an XML schema. Every error found is
       printed to the standard error. Return code is 0 if validation
       succeeds, 1 if validation could not be performed due to some error,
       2 if the XCCDF document is not valid.

       --schematron
              Turn on Schematron-based validation. It is able to find more
              errors and inconsistencies but is much slower. Schematron is
              available only for XCCDF version 1.2.

export-oval-variables [options] xccdf-file [oval-definitions-files]
       Collect all the XCCDF values that would be used by OVAL during
       evaluation of a certain profile and export them as OVAL
       external-variables document(s). The filename format is
       'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       --profile PROFILE
              Select a particular profile from XCCDF document.

       --fetch-remote-resources
              Allow download of remote OVAL content referenced from XCCDF by
              check-content-ref/@href.

       --skip-valid
              Do not validate input/output files.

       --datastream-id ID
              Uses a datastream with that particular ID from the given
              datastream collection. If not given the first datastream is
              used. Only applies if you give source datastream in place of
              an XCCDF file.

       --xccdf-id ID
              Takes component ref with given ID from checklists. This makes
              it possible to select a particular XCCDF component even in
              cases where there are 2 XCCDFs in one datastream.

       --cpe CPE_FILE
              Use given CPE dictionary or language (auto-detected) for
              applicability checks. The variables documents are created only
              for xccdf:Rules which are applicable.

generate [options] <submodule> [submodule-specific-options]
       Generate another document from an XCCDF file such as security guide
       or result report.

       --profile ID
              Apply profile with given ID to the Benchmark before further
              processing takes place.

       Available submodules:

       guide [options] xccdf-file
              Generate a HTML document containing a security guide from an
              XCCDF Benchmark. Unless the --output option is specified it
              will be written to the standard output. Without profile being
              set only groups (not rules) will be included in the output.

              --output FILE
                     Write the guide to this file instead of standard
                     output.

              --hide-profile-info
                     Information on chosen profile (e.g. rules selected by
                     the profile) will be excluded from the document.

              --benchmark-id ID
                     Selects a component ref from any datastream that
                     references a component with XCCDF Benchmark such that
                     its @id attribute matches given string exactly.

       report [options] xccdf-file
              Generate a HTML document containing results of an XCCDF
              Benchmark execution. Unless the --output option is specified
              it will be written to the standard output.

              --output FILE
                     Write the report to this file instead of standard
                     output.

              --result-id ID
                     ID of the XCCDF TestResult from which the report will
                     be generated.

              --oval-template template-string
                     To use the ability to include additional information
                     from OVAL in xccdf result file, a template which will
                     be used to obtain OVAL result file names has to be
                     specified. The template can be either a filename or a
                     string containing wildcard character (percent sign
                     '%'). Wildcard will be replaced by the original OVAL
                     definition file name as referenced from the XCCDF
                     file. This way it is possible to obtain OVAL
                     information even from XCCDF documents referencing
                     several OVAL files. To use this option with results
                     from an XCCDF evaluation, specify %.result.xml as a
                     OVAL file name template.

              --sce-template template-string
                     To use the ability to include additional information
                     from SCE in XCCDF result file, a template which will
                     be used to obtain SCE result file names has to be
                     specified. The template can be either a filename or a
                     string containing wildcard character (percent sign
                     '%'). Wildcard will be replaced by the original SCE
                     script file name as referenced from the XCCDF file.
                     This way it is possible to obtain SCE information even
                     from XCCDF documents referencing several SCE files. To
                     use this option with results from an XCCDF evaluation,
                     specify %.result.xml as a SCE file name template.

       fix [options] xccdf-file
              Generate a script that shall bring the system to a state of
              compliance with given XCCDF Benchmark. There are 2
              possibilities when generating fixes: Result-oriented fixes
              (--result-id) or Profile-oriented fixes (--profile).
              Result-oriented takes precedence over Profile-oriented: if
              result-id is given, oscap will ignore any profile provided.

              Result-oriented fixes are generated using result-id provided
              to select only the failing rules from results in xccdf-file,
              it skips all other rules.

              Profile-oriented fixes are generated using all rules within
              the provided profile. If no result-id/profile are provided,
              (default) profile will be used to generate fixes.

              --fix-type TYPE
                     Specify fix type. There are multiple programming
                     languages in which the fix script can be generated.
                     TYPE should be one of: bash, ansible, puppet,
                     anaconda. Default is bash. This option is mutually
                     exclusive with --template, because fix type already
                     determines the template URN.

              --output FILE
                     Write the report to this file instead of standard
                     output.

              --result-id ID
                     Fixes will be generated for failed rule-results of the
                     specified TestResult.

              --template ID|FILE
                     Template to be used to generate the script. If it
                     contains a dot '.' it is interpreted as a location of
                     a file with the template definition. Otherwise it
                     identifies a template from standard set which
                     currently includes: bash (default if no --template
                     switch present). Brief explanation of the process of
                     writing your own templates is in the XSL file
                     xsl/legacy-fix.xsl in the openscap data directory. You
                     can also take a look at the default template
                     xsl/legacy-fixtpl-bash.xml.

              --xccdf-id ID
                     Takes component ref with given ID from checklists.
                     This makes it possible to select a particular XCCDF
                     component even in cases where there are 2 XCCDFs in
                     one datastream. If none is given, the first component
                     from the checklists element is used.

              --benchmark-id ID
                     Selects a component ref from any datastream that
                     references a component with XCCDF Benchmark such that
                     its @id attribute matches given string exactly.

              --tailoring-file TAILORING_FILE
                     Use given file for XCCDF tailoring. Select profile
                     from tailoring file to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use tailoring component in input source datastream for
                     XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (value of component-ref/@id
                     attribute in input source datastream). Select profile
                     from tailoring component to apply using --profile. If
                     both --tailoring-file and --tailoring-id are
                     specified, --tailoring-file takes priority.

       custom --stylesheet xslt-file [options] xccdf-file
              Generate a custom output (depending on given XSLT file) from
              an XCCDF file.

              --stylesheet FILE
                     Specify an absolute path to a custom stylesheet to
                     format the output.

              --output FILE
                     Write the document into file.

eval [options] INPUT_FILE
       Probe the system and evaluate all definitions from OVAL Definition
       file. Print result of each definition to standard output. The return
       code is 0 after a successful evaluation. On error, value 1 is
       returned.

       INPUT_FILE can be either an OVAL Definition File or a SCAP Source
       Datastream, depending on the options used.

       Unless --skip-valid is used, the INPUT_FILE is validated using XSD
       schemas (depending on document type of INPUT_FILE) and rejected if
       invalid.

       --id DEFINITION-ID
              Evaluate ONLY specified OVAL Definition from OVAL Definition
              File.

       --variables FILE
              Provide external variables expected by OVAL Definition File.

       --directives FILE
              Use OVAL Directives content to specify desired results
              content.

       --without-syschar
              Don't provide system characteristics in result file.

       --results FILE
              Write OVAL Results into file.

       --report FILE
              Create human readable (HTML) report from OVAL Results.

       --datastream-id ID
              Uses a datastream with that particular ID from the given
              datastream collection. If not given the first datastream is
              used. Only applies if you give source datastream in place of
              an OVAL file.

       --oval-id ID
              Takes component ref with given ID from checks. This makes it
              possible to select a particular OVAL component even in cases
              where there are 2 OVALs in one datastream.

       --skip-valid
              Do not validate input/output files.

       --fetch-remote-resources
              Allow download of remote components referenced from
              Datastream.

collect [options] definitions-file
       Probe the system and gather system characteristics for all objects in
       OVAL Definition file.

       --id OBJECT-ID
              Collect system characteristics ONLY for specified OVAL Object.

       --variables FILE
              Provide external variables expected by OVAL Definitions.

       --syschar FILE
              Write OVAL System Characteristic into file.

       --skip-valid
              Do not validate input/output files.

analyse [options] --results FILE definitions-file syschar-file
       In this mode, the oscap tool does not perform data collection on the
       local system, but relies upon the input file, which may have been
       generated on another system. The output (OVAL Results) is printed to
       file specified by --results parameter.

       --variables FILE
              Provide external variables expected by OVAL Definitions.

       --directives FILE
              Use OVAL Directives content to specify desired results
              content.

       --skip-valid
              Do not validate input/output files.

validate [options] oval-file
       Validate given OVAL file against an XML schema. Every error found is
       printed to the standard error. Return code is 0 if validation
       succeeds, 1 if validation could not be performed due to some error,
       2 if the OVAL document is not valid.

       --definitions, --variables, --syschar, --results, --directives
              Type of the OVAL document is automatically detected by
              default. If you want to enforce a certain document type, you
              can use one of these options.

       --schematron
              Turn on Schematron-based validation. It is able to find more
              errors and inconsistencies but is much slower.

generate <submodule> [submodule-specific-options]
       Generate another document from an OVAL file.

       Available submodules:

       report [options] oval-results-file
              Generate a formatted HTML page containing visualisation of an
              OVAL results file. Unless the --output option is specified it
              will be written to the standard output.

              --output FILE
                     Write the report to this file instead of standard
                     output.

check name
       Check whether name is in correct CPE format.

match name dictionary.xml
       Find an exact match of CPE name in the dictionary.

validate cpe-dict-file
       Validate given CPE dictionary file against an XML schema. Every error
       found is printed to the standard error. Return code is 0 if
       validation succeeds, 1 if validation could not be performed due to
       some error, 2 if the CPE dictionary is not valid.

score cvss_vector
       Calculate score from a CVSS vector. Prints base score for base CVSS
       vector, base and temporal score for temporal CVSS vector, base and
       temporal and environmental score for environmental CVSS vector.

describe cvss_vector
       Describe individual components of a CVSS vector in a human-readable
       format and print partial scores.

CVSS vector consists of several slash-separated components specified as
key-value pairs. Each key can be specified at most once. Valid CVSS vector
has to contain at least base CVSS metrics, i.e. AV, AC, AU, C, I, and A.
Following table summarizes the components and possible values (second column
is metric category: B for base, T for temporal, E for environmental):

       AV:[L|A|N]            B  Access vector: Local, Adjacent network,
                                Network
       AC:[H|M|L]            B  Access complexity: High, Medium, Low
       AU:[M|S|N]            B  Required authentication: Multiple instances,
                                Single instance, None
       C:[N|P|C]             B  Confidentiality impact: None, Partial,
                                Complete
       I:[N|P|C]             B  Integrity impact: None, Partial, Complete
       A:[N|P|C]             B  Availability impact: None, Partial, Complete
       E:[ND|U|POC|F|H]      T  Exploitability: Not Defined, Unproven, Proof
                                of Concept, Functional, High
       RL:[ND|OF|TF|W|U]     T  Remediation Level: Not Defined, Official Fix,
                                Temporary Fix, Workaround, Unavailable
       RC:[ND|UC|UR|C]       T  Report Confidence: Not Defined, Unconfirmed,
                                Uncorroborated, Confirmed
       CDP:[ND|N|L|LM|MH|H]  E  Collateral Damage Potential: Not Defined,
                                None, Low, Low-Medium, Medium-High, High
       TD:[ND|N|L|M|H]       E  Target Distribution: Not Defined, None, Low,
                                Medium, High
       CR:[ND|L|M|H]         E  Confidentiality requirement: Not Defined,
                                Low, Medium, High
       IR:[ND|L|M|H]         E  Integrity requirement: Not Defined, Low,
                                Medium, High
       AR:[ND|L|M|H]         E  Availability requirement: Not Defined, Low,
                                Medium, High
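
An added example, not taken from the oscap sources: a shell function that checks a vector against the table above (known keys, allowed values, each key at most once, all six base metrics present) and prints the CVSS v2 base score. The metric weights and the base equation come from the CVSS v2 specification, not from this page; the name cvss2_base is hypothetical, and keys are compared case-insensitively so the specification's spelling Au is accepted alongside AU.

```shell
#!/bin/sh
# cvss2_base VECTOR
# Prints the base score and returns 0, or explains the problem on stderr and
# returns 1. Hypothetical helper; it does not call oscap.
cvss2_base() {
    printf '%s\n' "$1" | awk '
    function fail(msg) {
        print "invalid CVSS vector: " msg > "/dev/stderr"
        exit 1
    }
    BEGIN {
        # Allowed values per component, copied from the table on this page.
        ok["AV"] = "L A N";  ok["AC"] = "H M L";  ok["AU"] = "M S N"
        ok["C"]  = "N P C";  ok["I"]  = "N P C";  ok["A"]  = "N P C"
        ok["E"]  = "ND U POC F H"
        ok["RL"] = "ND OF TF W U"
        ok["RC"] = "ND UC UR C"
        ok["CDP"] = "ND N L LM MH H"
        ok["TD"] = "ND N L M H"
        ok["CR"] = "ND L M H";  ok["IR"] = "ND L M H";  ok["AR"] = "ND L M H"
        # Base metric weights from the CVSS v2 specification (not on this page).
        w["AV","L"] = 0.395;  w["AV","A"] = 0.646;  w["AV","N"] = 1.0
        w["AC","H"] = 0.35;   w["AC","M"] = 0.61;   w["AC","L"] = 0.71
        w["AU","M"] = 0.45;   w["AU","S"] = 0.56;   w["AU","N"] = 0.704
        ncia = split("C I A", cia, " ")
        for (i = 1; i <= ncia; i++) {
            w[cia[i],"N"] = 0;  w[cia[i],"P"] = 0.275;  w[cia[i],"C"] = 0.660
        }
    }
    {
        n = split($0, part, "/")
        for (i = 1; i <= n; i++) {
            if (split(part[i], kv, ":") != 2) fail("malformed component " part[i])
            key = toupper(kv[1]);  val = kv[2]
            if (!(key in ok)) fail("unknown key " kv[1])
            if (key in seen)  fail("key given more than once: " key)
            if (val !~ /^[A-Z]+$/ || index(" " ok[key] " ", " " val " ") == 0)
                fail("value " val " not allowed for " key)
            seen[key] = val
        }
        # A valid vector has to contain at least the six base metrics.
        nreq = split("AV AC AU C I A", req, " ")
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in seen)) fail("missing base metric " req[i])

        c = w["C",seen["C"]];  g = w["I",seen["I"]];  a = w["A",seen["A"]]
        impact = 10.41 * (1 - (1 - c) * (1 - g) * (1 - a))
        expl = 20 * w["AV",seen["AV"]] * w["AC",seen["AC"]] * w["AU",seen["AU"]]
        # f(Impact) is 0 when there is no impact at all, 1.176 otherwise.
        base = (impact == 0) ? 0 : (0.6 * impact + 0.4 * expl - 1.5) * 1.176
        printf "%.1f\n", base
    }'
}

# Constructed sample vector; prints 7.5.
cvss2_base 'AV:N/AC:L/AU:N/C:P/I:P/A:P'
```

Temporal and environmental components are validated but do not change the printed value, which is the base score only.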

sds-compose [options] SOURCE_XCCDF TARGET_SDS
       Creates a source datastream from the XCCDF file given in SOURCE_XCCDF
       and stores the result in TARGET_SDS. Dependencies like OVAL files are
       automatically detected and bundled in target source datastream.

       --skip-valid
              Do not validate input/output files.

sds-add [options] NEW_COMPONENT EXISTING_SDS
       Adds given NEW_COMPONENT file to the existing source datastream
       (EXISTING_SDS). Component file might be OVAL, XCCDF or CPE Dictionary
       file. Dependencies like OVAL files are automatically detected and
       bundled in target source datastream.

       --datastream-id DATASTREAM_ID
              Uses a datastream with that particular ID from the given
              datastream collection. If not given the first datastream is
              used.

       --skip-valid
              Do not validate input/output files.

sds-split [options] SOURCE_DS TARGET_DIR
       Splits given source datastream into multiple files and stores all the
       files in TARGET_DIR.

       --datastream-id DATASTREAM_ID
              Uses a datastream with that particular ID from the given
              datastream collection. If not given the first datastream is
              used.

       --xccdf-id XCCDF_ID
              Takes component ref with given ID from checklists. This makes
              it possible to select a particular XCCDF component even in
              cases where there are 2 XCCDFs in one datastream.

       --skip-valid
              Do not validate input/output files.

       --fetch-remote-resources
              Allow download of remote components referenced from
              Datastream.

sds-validate SOURCE_DS
       Validate given source datastream file against an XML schema. Every
       error found is printed to the standard error. Return code is 0 if
       validation succeeds, 1 if validation could not be performed due to
       some error, 2 if the source datastream is not valid.

rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
       Takes given source datastream, XCCDF and OVAL results and creates a
       result datastream (in Asset Reporting Format) and saves it to file
       given in TARGET_ARF.

       --skip-valid
              Do not validate input/output files.

rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
       Takes given result datastream (also called ARF = asset reporting
       format) and splits given report and its respective report-request to
       given target directory. If no report-id is given, we assume user
       wants the first applicable report in top-down order in the file.

       --skip-valid
              Do not validate input/output files.

rds-validate SOURCE_RDS
       Validate given result datastream file against an XML schema. Every
       error found is printed to the standard error. Return code is 0 if
       validation succeeds, 1 if validation could not be performed due to
       some error, 2 if the result datastream is not valid.

validate cve-nvd-feed.xml
       Validate given CVE data feed.

find CVE cve-nvd-feed.xml
       Find given CVE in data feed and report base score, vector string and
       vulnerable software list.

Normally, the exit status is 0 when operation finished successfully and 1
otherwise. In cases when oscap performs evaluation of the system it may
return 2 indicating success of the operation but non-compliance of the
assessed system.

Evaluate XCCDF content using CPE dictionary and produce html report. In this
case we use United States Government Configuration Baseline (USGCB) for Red
Hat Enterprise Linux 5 Desktop.

       oscap xccdf eval --fetch-remote-resources --oval-results \
              --profile united_states_government_configuration_baseline \
              --report usgcb-rhel5desktop.report.html \
              --results usgcb-rhel5desktop-xccdf.xml.result.xml \
              --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
              usgcb-rhel5desktop-xccdf.xml
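
An added example, not part of the original manual page: a POSIX shell wrapper for unattended scans that applies the exit codes documented for xccdf eval (0 all rules pass, 1 error, 2 at least one fail or unknown result) and runs from inside the output directory, because --oval-results writes its files into the current working directory. The function name, its argument order and the output file names arf.xml, report.html and scan.log are assumptions of this example.

```shell
#!/bin/sh
# run_xccdf_scan CONTENT PROFILE OUTDIR
# Prints one verdict: compliant | noncompliant | error
# Returns 0 for compliant, 2 for noncompliant, 1 for a broken scan, so a
# calling job can tell "system is not compliant" apart from "scan did not run".
run_xccdf_scan() {
    content=$1 profile=$2 outdir=$3

    # The scan runs after a cd, so make the content path absolute first.
    case $content in
        /*) ;;
        *)  content=$(pwd)/$content ;;
    esac
    mkdir -p "$outdir" || { echo error; return 1; }

    # The subshell keeps the cd local to the scan. --remediate and
    # --fetch-remote-resources are deliberately not passed: nothing is
    # executed from the content and nothing is downloaded during the run.
    rc=0
    (
        cd "$outdir" || exit 1
        oscap xccdf eval \
            --profile "$profile" \
            --oval-results \
            --results-arf arf.xml \
            --report report.html \
            "$content" >scan.log 2>&1
    ) || rc=$?

    case $rc in
        0)  echo compliant
            return 0 ;;
        2)  # Evaluation finished, but a rule ended as fail or unknown.
            # The ARF file is the evidence; if it is missing or empty,
            # report the run as broken instead of as a finding.
            if [ -s "$outdir/arf.xml" ]; then
                echo noncompliant
                return 2
            fi
            echo error
            return 1 ;;
        *)  # 1 is an evaluation error; anything else (for example 127,
            # oscap not installed) is treated the same way.
            echo error
            return 1 ;;
    esac
}
```

Called as `run_xccdf_scan usgcb-rhel5desktop-xccdf.xml united_states_government_configuration_baseline ./scan-out`, it leaves the ARF results, the HTML report, the per-file OVAL results and the tool's output together in ./scan-out.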

SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

Red Hat content repository - http://www.redhat.com/security/data/oval/

Please report bugs using https://github.com/OpenSCAP/openscap/issues
Make sure you include the full output of `oscap --v` in the bug report.

Peter Vrabec <pvrabec@redhat.com>
Šimon Lukašík
Martin Preisler <mpreisle@redhat.com>

Red Hat                          October 2018                          OSCAP(8)