OSCAP(8)                System Administration Utilities               OSCAP(8)

NAME
       oscap - OpenSCAP command line tool

SYNOPSIS
       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION
       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for the different
       SCAP specifications (modules).

GENERAL OPTIONS
       -V, --version
              Print the SCAP specification supported by the module.

       -q, --quiet
              No output for certain operations, only a return code.

       -h, --help
              Help screen.

MODULES
       oval   Open Vulnerability and Assessment Language.

       xccdf  The eXtensible Configuration Checklist Description Format.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

OVAL OPERATIONS
       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definitions file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into file.

              --skip-valid
                     Do not validate input/output files.

       eval [options] definitions-file
              Probe the system and evaluate all definitions from the OVAL
              Definitions file. Print the result of each definition to
              standard output. oscap returns 0 if all definitions pass. If
              there is an error during evaluation, the return code is 1. If
              there is at least one definition with a failed result, oscap
              finishes with return code 2.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create a human readable (HTML) report from the OVAL
                     Results.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is written to the file specified by the --results
              parameter.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid
                     Do not validate input/output files.

       validate-xml [options] definitions-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to standard output. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, and 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     Specify whether the validated document is an OVAL
                     Definitions file, external OVAL Variables, OVAL System
                     Characteristics file, OVAL Results file or OVAL
                     Directives file. Default: definitions.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a
                     visualisation of an OVAL results file. Unless the
                     --output option is specified it will be written to
                     standard output.

                     --output FILE
                            Write the report to this file instead of
                            standard output.

       list-probes [options]
              List supported object types (i.e. probes).

              --static
                     List all probes defined in the internal tables.

              --dynamic
                     List all probes supported on the current system (this
                     is the default behavior).

              --verbose
                     Be verbose.

XCCDF OPERATIONS
       eval [options] xccdf-file [oval-definitions-files]
              Perform an evaluation driven by the XCCDF file, using OVAL as
              the checking engine. Print the result of each rule to standard
              output. oscap returns 0 if all rules pass. If there is an error
              during evaluation, the return code is 1. If there is at least
              one failed rule, oscap finishes with return code 2.

              You may specify all required OVAL Definitions files as the
              last parameters. If you do not, the oscap tool will try to load
              all OVAL Definitions files referenced from the XCCDF file
              automatically (searching in the same path as the XCCDF file).

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --results FILE
                     Write XCCDF results into file.

              --report FILE
                     Write an HTML report into file. You also have to specify
                     --results for this feature to work.

              --oval-results
                     Generate an OVAL Results file for each OVAL session used
                     for the evaluation. A file named
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file. This option (in
                     conjunction with the --report option) also enables the
                     inclusion of additional OVAL information in the XCCDF
                     report.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --skip-valid
                     Do not validate input/output files.

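       The exit-status contract above (0 all pass, 1 error, 2 at least one
       failure) is the same for oval eval and xccdf eval, and a scan driver
       has to keep "content or engine error" apart from "system is not
       compliant" rather than treating every non-zero status as a finding.
       The following wrapper is an added example for this page, not code from
       the oscap man page or from OpenSCAP. It assumes an oscap binary on PATH
       and, for --oval-results, that the '<basename>.result.xml' files land in
       the working directory (the page gives only the name pattern); the run
       parameter lets a stand-in replace the real subprocess call.

```python
"""Drive `oscap xccdf eval` and interpret its exit status.

Added example for this page; it is not part of the oscap man page or of
OpenSCAP. It assumes an `oscap` binary on PATH and, for --oval-results, that
'<basename>.result.xml' is written to the working directory (an assumption;
the page states only the name pattern). The same 0/1/2 contract is documented
for `oscap oval eval`.
"""
import os
import subprocess
from dataclasses import dataclass

# Exit codes documented on the page: all pass / error / at least one fail.
EXIT_PASS, EXIT_ERROR, EXIT_FAIL = 0, 1, 2


@dataclass
class ScanOutcome:
    command: list
    returncode: int
    status: str               # "compliant", "noncompliant", "error" or "unknown"
    oval_result_files: list   # names expected from --oval-results, if requested


def build_command(xccdf_file, profile=None, results=None, report=None,
                  oval_results=False, oval_definitions=()):
    """Assemble the argv for `oscap xccdf eval` from the options on the page."""
    cmd = ["oscap", "xccdf", "eval"]
    if profile:
        cmd += ["--profile", profile]
    if results:
        cmd += ["--results", results]
    if report:
        if not results:
            raise ValueError("--report only works together with --results")
        cmd += ["--report", report]
    if oval_results:
        cmd.append("--oval-results")
    cmd.append(xccdf_file)
    cmd += list(oval_definitions)   # explicit OVAL files go last, per the synopsis
    return cmd


def classify(returncode):
    """Map oscap's exit status to an outcome; anything else (e.g. a crash) is 'unknown'."""
    return {EXIT_PASS: "compliant", EXIT_ERROR: "error",
            EXIT_FAIL: "noncompliant"}.get(returncode, "unknown")


def expected_oval_result_files(oval_definitions):
    """'<original-oval-definitions-filename>.result.xml' for each referenced OVAL file."""
    return [os.path.basename(path) + ".result.xml" for path in oval_definitions]


def run_scan(xccdf_file, run=subprocess.run, **options):
    """Run the evaluation and return a ScanOutcome; exit status 1 or 2 is data, not an exception."""
    cmd = build_command(xccdf_file, **options)
    proc = run(cmd, capture_output=True, text=True)   # per-rule results arrive on stdout
    files = []
    if options.get("oval_results"):
        files = expected_oval_result_files(options.get("oval_definitions", ()))
    return ScanOutcome(cmd, proc.returncode, classify(proc.returncode), files)


if __name__ == "__main__":
    # Constructed file names; a real run needs the benchmark and OVAL files on disk.
    try:
        outcome = run_scan("benchmark-xccdf.xml", profile="hardening-profile",
                           results="results.xml", report="report.html",
                           oval_results=True, oval_definitions=["benchmark-oval.xml"])
        print(outcome.status, outcome.returncode, outcome.oval_result_files)
    except FileNotFoundError:
        print("oscap is not installed on this system")
```

       A pipeline built on this should fail closed on "error" (status 1
       means the benchmark was not evaluated at all) and report "noncompliant"
       (status 2) as findings to be read from the --results file.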
       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules, and values. The result is another XCCDF
              document, which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate-xml [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every
              error found is printed to standard output. The return code is
              0 if validation succeeds, 1 if validation could not be
              performed due to some error, and 2 if the XCCDF document is not
              valid.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a
              security guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              --format FMT
                     Specify the output format. This option applies only to
                     document generators (i.e. guide, report). Available
                     formats: html (default), docbook.

              Available submodules:

              guide [options] xccdf-file
                     Generate a formatted document containing a security
                     guide from an XCCDF Benchmark. Unless the --output
                     option is specified it will be written to standard
                     output. Without a profile being set only groups (not
                     rules) will be included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            Information on the chosen profile (e.g. rules
                            selected by the profile) will be excluded from
                            the document.

              report [options] xccdf-file
                     Generate a document containing the results of an XCCDF
                     Benchmark execution. Unless the --output option is
                     specified it will be written to standard output. The ID
                     of the TestResult element to visualise defaults to the
                     most recent result (according to the end-time
                     attribute).

                     --output FILE
                            Write the report to this file instead of
                            standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --show what
                            Specify which result types shall be displayed in
                            the result report. The default is to show
                            everything except for rules with results
                            notselected and notapplicable. The what part is a
                            comma-separated list of result types to display
                            in addition to the default. If a result type is
                            prefixed by a dash '-', it will be excluded from
                            the results. If what is prefixed by an equality
                            sign '=', the following list specifies exactly
                            which result types to include in the report.
                            Result types are: pass, fixed, notchecked,
                            notapplicable, notselected, informational,
                            unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional
                            information from OVAL in the XCCDF result file,
                            a template which will be used to obtain the OVAL
                            result file names has to be specified. The
                            template can be either a filename or a string
                            containing a wildcard character (percent sign
                            '%'). The wildcard will be replaced by the
                            original OVAL definition file name as referenced
                            from the XCCDF file. This way it is possible to
                            obtain OVAL information even from XCCDF documents
                            referencing several OVAL files. To use this
                            option with results from an XCCDF evaluation,
                            specify %.result.xml as the OVAL file name
                            template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a
                     state of compliance with the given XCCDF Benchmark.

                     --output FILE
                            Write the script to this file instead of
                            standard output.

                     --result-id ID
                            With this option the script generating engine
                            will pick the rules that failed for the given
                            test and generate fixes only for them.

                     --template ID|FILE
                            Template to be used to generate the script. If
                            it contains a dot '.' it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file xsl/fix.xsl in
                            the openscap data directory. You can also take a
                            look at the default template xsl/fixtpl-bash.xml.

CPE OPERATIONS
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

CVSS OPERATIONS
       score cvss_vector
              Calculate the score from a CVSS vector. Prints the base score
              for a base CVSS vector, the base and temporal scores for a
              temporal CVSS vector, and the base, temporal and environmental
              scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components specified
       as key-value pairs. Each key can be specified at most once. A valid
       CVSS vector has to contain at least the base CVSS metrics, i.e. AV,
       AC, AU, C, I, and A. The following table summarizes the components
       and their possible values (the second column is the metric category:
       B for base, T for temporal, E for environmental):

       AV:[L|A|N]             B   Access vector: Local, Adjacent network,
                                  Network

       AC:[H|M|L]             B   Access complexity: High, Medium, Low

       AU:[M|S|N]             B   Required authentication: Multiple
                                  instances, Single instance, None

       C:[N|P|C]              B   Confidentiality impact: None, Partial,
                                  Complete

       I:[N|P|C]              B   Integrity impact: None, Partial, Complete

       A:[N|P|C]              B   Availability impact: None, Partial,
                                  Complete

       E:[ND|U|POC|F|H]       T   Exploitability: Not Defined, Unproven,
                                  Proof of Concept, Functional, High

       RL:[ND|OF|TF|W|U]      T   Remediation Level: Not Defined, Official
                                  Fix, Temporary Fix, Workaround, Unavailable

       RC:[ND|UC|UR|C]        T   Report Confidence: Not Defined,
                                  Unconfirmed, Uncorroborated, Confirmed

       CDP:[ND|N|L|LM|MH|H]   E   Collateral Damage Potential: Not Defined,
                                  None, Low, Low-Medium, Medium-High, High

       TD:[ND|N|L|M|H]        E   Target Distribution: Not Defined, None,
                                  Low, Medium, High

       CR:[ND|L|M|H]          E   Confidentiality requirement: Not Defined,
                                  Low, Medium, High

       IR:[ND|L|M|H]          E   Integrity requirement: Not Defined, Low,
                                  Medium, High

       AR:[ND|L|M|H]          E   Availability requirement: Not Defined,
                                  Low, Medium, High

REFERENCES
       National Vulnerability Database -
       http://web.nvd.nist.gov/view/ncp/repository

       Red Hat content repository - http://www.redhat.com/security/data/oval/

AUTHORS
       Peter Vrabec <pvrabec@redhat.com>

Red Hat                             Jun 2010                          OSCAP(8)