OSCAP(8)                System Administration Utilities               OSCAP(8)

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION

       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for different SCAP
       specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an
       Authenticated Configuration Scanner and an Authenticated Vulnerability
       Scanner as defined by the National Institute of Standards and
       Technology.

GENERAL OPTIONS

       -V, --version
              Print the supported SCAP specifications, the location of schema
              files, schematron files, CPE files, probes and the supported
              OVAL objects. Also displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES

       info   Determine the type of a file and print information about it.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

COMMON OPTIONS FOR ALL MODULES

       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level.
              VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set the file name to which the additional information is
              written.

INFO OPERATIONS

       [options] any-scap-file.xml
              This module prints information about the SCAP content in the
              file specified on the command line. It determines the SCAP
              content type, specification version, date of creation, date of
              import and so on. The info module doesn't require any additional
              operation switch.

              For XCCDF or Datastream files, the info module prints out the
              IDs of incorporated profiles, components and datastreams. These
              IDs can be used to specify the target for evaluation: use the
              options --profile, --xccdf-id (or --oval-id) and --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show the profiles from the input file in the <id>:<title>
                     format, one line per profile.

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document given as INPUT_FILE.
              Print the result of each rule to standard output, including the
              rule title, rule id and security identifiers (CVE, CCE).
              Optionally you can give a source datastream as the INPUT_FILE
              instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either a fail or unknown result, oscap finishes with return
              code 2.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on the document type of INPUT_FILE) and
              rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, the oscap tool will try to load all OVAL Definition
              files referenced from the XCCDF automatically (searching in the
              same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. The rule will use values
                     according to the selected profile. If no profile is
                     selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the profile
                     from the tailoring file to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use a tailoring component in the input source datastream
                     for XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (the value of the
                     component-ref/@id attribute in the input source
                     datastream). Select the profile from the tailoring
                     component to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided by
                     openscap; see oscap --version for the inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by the
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --thin-results
                     Thin Results provide only a minimal amount of information
                     in OVAL/ARF results. The option --without-syschar is
                     automatically enabled when you use Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE. You also have to specify
                     --results for this feature to work. Please see
                     --oval-results to enable additional information in the
                     report.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in the current
                     working directory. This option (in conjunction with the
                     --report option) also enables inclusion of additional
                     OVAL information in the XCCDF report. To change the
                     directory where the OVAL files are generated, change the
                     CWD using the `cd` command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists.
                     This allows you to select a particular XCCDF component
                     even in cases where there are 2 XCCDFs in one datastream.
                     If none is given, the first component from the checklists
                     element is used.

              --benchmark-id ID
                     Select a component ref from any datastream that
                     references a component with an XCCDF Benchmark such that
                     its @id attribute matches the given string exactly.
                     Please note that this is not the recommended way of
                     selecting a component-ref. You are advised to use
                     --xccdf-id AND/OR --datastream-id for more precision.
                     --benchmark-id is only used when both --xccdf-id and
                     --datastream-id are not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the
                     content of XCCDF fix elements for failed rules, and thus
                     it shall be avoided unless for trusted content. Use of
                     this option is always at your own risk.

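       The following Python script is an added example, not part of this man
       page or of OpenSCAP: it builds an `oscap xccdf eval` command line that
       respects the option rules documented above (--report needs a results
       file, --thin-results implies --without-syschar, --tailoring-file wins
       over --tailoring-id, --benchmark-id is ignored next to --xccdf-id or
       --datastream-id) and turns the documented return codes 0/1/2 into a
       verdict a scheduler can act on. The path and profile ID in it are
       placeholders, and the `runner` parameter is this example's own hook for
       exercising the logic without oscap installed.

```python
"""Build an `oscap xccdf eval` command and classify its return code.

Added example; not code from the oscap man page or the OpenSCAP project.
It applies the option rules documented for `eval`: --report needs a results
file, --thin-results already implies --without-syschar, --tailoring-file
takes priority over --tailoring-id, and --benchmark-id is only honoured when
neither --xccdf-id nor --datastream-id is given. --remediate is deliberately
not exposed because it executes fix content from the checked document.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Return codes documented for `oscap xccdf eval`.
RC_PASS, RC_ERROR, RC_FAIL = 0, 1, 2


@dataclass
class EvalRequest:
    input_file: str                       # XCCDF file or source datastream
    profile: Optional[str] = None
    datastream_id: Optional[str] = None
    xccdf_id: Optional[str] = None
    benchmark_id: Optional[str] = None
    tailoring_file: Optional[str] = None
    tailoring_id: Optional[str] = None
    results: Optional[str] = None
    results_arf: Optional[str] = None
    report: Optional[str] = None
    oval_results: bool = False
    thin_results: bool = False
    without_syschar: bool = False
    oval_definitions: List[str] = field(default_factory=list)


def build_argv(req: EvalRequest) -> List[str]:
    """Translate the request into argv, applying the documented constraints."""
    if req.report and not (req.results or req.results_arf):
        # The man page requires --results for --report; also accepting
        # --results-arf (recommended for datastreams) is this helper's choice.
        raise ValueError("--report requires --results or --results-arf")
    argv = ["oscap", "xccdf", "eval"]

    def opt(flag: str, value: Optional[str]) -> None:
        if value:
            argv.extend([flag, value])

    opt("--profile", req.profile)
    opt("--datastream-id", req.datastream_id)
    opt("--xccdf-id", req.xccdf_id)
    if not (req.xccdf_id or req.datastream_id):
        opt("--benchmark-id", req.benchmark_id)  # otherwise oscap ignores it
    opt("--tailoring-file", req.tailoring_file)
    if not req.tailoring_file:
        opt("--tailoring-id", req.tailoring_id)  # the file takes priority
    opt("--results", req.results)
    opt("--results-arf", req.results_arf)
    opt("--report", req.report)
    if req.oval_results:
        argv.append("--oval-results")
    if req.thin_results:
        argv.append("--thin-results")            # implies --without-syschar
    elif req.without_syschar:
        argv.append("--without-syschar")
    argv.append(req.input_file)
    argv.extend(req.oval_definitions)            # optional explicit OVAL files
    return argv


def classify(rc: int) -> str:
    """Map the documented return codes to a verdict a scheduler can act on."""
    return {RC_PASS: "compliant",
            RC_ERROR: "evaluation-error",
            RC_FAIL: "non-compliant"}.get(rc, "unexpected-return-code")


def run_eval(req: EvalRequest,
             runner: Callable[[List[str]], int] = subprocess.call) -> Tuple[int, str]:
    """Run the scan and return (return code, verdict).

    `runner` receives argv and returns the exit status; it defaults to
    subprocess.call and is injectable so the logic can be exercised offline.
    """
    rc = runner(build_argv(req))
    return rc, classify(rc)


if __name__ == "__main__":
    # Placeholder path and profile ID; substitute your own SCAP content.
    req = EvalRequest(input_file="/path/to/scap-source-ds.xml",
                      profile="xccdf_org.example.content_profile_baseline",
                      results_arf="scan-arf.xml", report="scan-report.html",
                      oval_results=True, thin_results=True)
    print(" ".join(build_argv(req)))
    rc, verdict = run_eval(req)
    print(f"oscap exited {rc}: {verdict}")
```
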
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the
              INPUT_FILE is the result of an `oscap xccdf eval` operation. The
              input file must contain a TestResult element. This module
              executes XCCDF fix elements for the failed rule-results
              contained in the given TestResult. Use of this option is always
              at your own risk and it shall be avoided unless for trusted
              content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last TestResult
                     (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by the
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --report FILE
                     Write an HTML report into FILE. You also have to specify
                     --results for this feature to work.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file. This option (in
                     conjunction with the --report option) also enables
                     inclusion of additional OVAL information in the XCCDF
                     report.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules and values. The result is another XCCDF document,
              which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.
                     Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists.
                     This allows you to select a particular XCCDF component
                     even in cases where there are 2 XCCDFs in one datastream.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a security
              guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate a formatted document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it will be written to standard output. Without
                     a profile being set, only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            Information on the chosen profile (e.g. rules
                            selected by the profile) will be excluded from the
                            document.

              report [options] xccdf-file
                     Generate a document containing the results of an XCCDF
                     Benchmark execution. Unless the --output option is
                     specified, it will be written to standard output. The ID
                     of the TestResult element to visualise defaults to the
                     most recent result (according to the end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --show what
                            Specify what result types shall be displayed in
                            the result report. The default is to show
                            everything except for rules with the results
                            notselected and notapplicable. The what part is a
                            comma-separated list of result types to display in
                            addition to the default. If a result type is
                            prefixed by a dash '-', it will be excluded from
                            the results. If what is prefixed by an equality
                            sign '=', the following list specifies exactly
                            which result types to include in the report.
                            Result types are: pass, fixed, notchecked,
                            notapplicable, notselected, informational,
                            unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional
                            information from OVAL in the XCCDF result file, a
                            template which will be used to obtain the OVAL
                            result file names has to be specified. The
                            template can be either a filename or a string
                            containing the wildcard character (percent sign
                            '%'). The wildcard will be replaced by the
                            original OVAL definition file name as referenced
                            from the XCCDF file. This way it is possible to
                            obtain OVAL information even from XCCDF documents
                            referencing several OVAL files. To use this option
                            with results from an XCCDF evaluation, specify
                            %.result.xml as the OVAL file name template.

                     --sce-template template-string
                            To use the ability to include additional
                            information from SCE in the XCCDF result file, a
                            template which will be used to obtain the SCE
                            result file names has to be specified. The
                            template can be either a filename or a string
                            containing the wildcard character (percent sign
                            '%'). The wildcard will be replaced by the
                            original SCE script file name as referenced from
                            the XCCDF file. This way it is possible to obtain
                            SCE information even from XCCDF documents
                            referencing several SCE files. To use this option
                            with results from an XCCDF evaluation, specify
                            %.result.xml as the SCE file name template.

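       An added Python example (not from this man page or from OpenSCAP) of
       the --show selector and the '%' template rules described above:
       resolve_show() computes the set of result types a report would
       include for a given what string, and expand_template() derives an
       OVAL/SCE result file name from a template. The rule IDs in
       SAMPLE_RESULTS are constructed placeholders.

```python
"""Resolve the --show selector of `oscap xccdf generate report` and expand
the '%' wildcard of --oval-template / --sce-template.

Added example; not code from the oscap man page or the OpenSCAP project.
It follows the rules documented above: by default every result type except
notselected and notapplicable is shown; a comma-separated list adds types;
a '-' prefix removes a type; a leading '=' makes the list the exact set.
"""
from typing import FrozenSet, List, Tuple

RESULT_TYPES = ("pass", "fixed", "notchecked", "notapplicable", "notselected",
                "informational", "unknown", "error", "fail")
DEFAULT_SHOWN = frozenset(RESULT_TYPES) - {"notselected", "notapplicable"}


def resolve_show(what: str) -> FrozenSet[str]:
    """Return the set of result types the report would display for `what`."""
    what = what.strip()
    if what.startswith("="):
        shown = set()            # '=': exactly the listed types, no default
        items = what[1:]
    else:
        shown = set(DEFAULT_SHOWN)
        items = what
    for raw in filter(None, (t.strip() for t in items.split(","))):
        exclude = raw.startswith("-")
        name = raw[1:] if exclude else raw
        if name not in RESULT_TYPES:
            raise ValueError(f"unknown result type: {name!r}")
        if exclude:
            shown.discard(name)
        else:
            shown.add(name)
    return frozenset(shown)


def filter_rule_results(rule_results: List[Tuple[str, str]],
                        what: str) -> List[Tuple[str, str]]:
    """Keep only the (rule id, result) pairs a report with `--show what` lists."""
    shown = resolve_show(what)
    return [(rule_id, result) for rule_id, result in rule_results
            if result in shown]


def expand_template(template: str, referenced_file: str) -> str:
    """Expand an --oval-template or --sce-template for one referenced file.

    '%' stands for the OVAL definition (or SCE script) file name as referenced
    from the XCCDF; a template without '%' names a single fixed file.
    """
    return template.replace("%", referenced_file)


# Constructed sample of rule results; the rule IDs are placeholders.
SAMPLE_RESULTS = [
    ("xccdf_org.example_rule_sshd_disable_root_login", "fail"),
    ("xccdf_org.example_rule_firewalld_enabled", "pass"),
    ("xccdf_org.example_rule_aide_installed", "notselected"),
    ("xccdf_org.example_rule_grub2_password", "notapplicable"),
    ("xccdf_org.example_rule_auditd_running", "unknown"),
]

if __name__ == "__main__":
    for what in ("", "notselected", "-pass", "=fail,unknown"):
        kept = [r for r, _ in filter_rule_results(SAMPLE_RESULTS, what)]
        print(f"--show {what or '(default)':<16} -> {len(kept)} rules: {kept}")
    print(expand_template("%.result.xml", "ssg-example-oval.xml"))
```
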
              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are 2
                     possibilities when generating fixes: Result-oriented
                     fixes (--result-id) or Profile-oriented fixes
                     (--profile). Result-oriented takes precedence over
                     Profile-oriented: if a result-id is given, oscap will
                     ignore any profile provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If neither a result-id nor a
                     profile is provided, the (default) profile will be used
                     to generate fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script can
                            be generated. TYPE should be one of: bash,
                            ansible, puppet, anaconda. The default is bash.
                            This option is mutually exclusive with --template,
                            because the fix type already determines the
                            template URN.

                     --output FILE
                            Write the script to this file instead of standard
                            output.

                     --result-id ID
                            Fixes will be generated for the failed
                            rule-results of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.', it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file
                            xsl/legacy-fix.xsl in the openscap data directory.
                            You can also take a look at the default template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows you to select a particular
                            XCCDF component even in cases where there are 2
                            XCCDFs in one datastream. If none is given, the
                            first component from the checklists element is
                            used.

                     --benchmark-id ID
                            Select a component ref from any datastream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the
                            profile from the tailoring file to apply using
                            --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source
                            datastream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (the
                            value of the component-ref/@id attribute in the
                            input source datastream). Select the profile from
                            the tailoring component to apply using --profile.
                            If both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                            Write the document into this file.

OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definition file. Print the result of each definition to
              standard output. The return code is 0 after a successful
              evaluation. On error, the value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or a SCAP
              Source Datastream; which one depends on the options used.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on the document type of INPUT_FILE) and
              rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL
                     Definition File.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Don't provide system characteristics in the result file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human-readable (HTML) report from the OVAL
                     Results.

              --datastream-id ID
                     Use the datastream with that particular ID from the given
                     datastream collection. If not given, the first datastream
                     is used. Only applies if you give a source datastream in
                     place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks.
                     This allows you to select a particular OVAL component
                     even in cases where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     Datastream.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write the OVAL System Characteristics into the file.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is printed to the file specified by the --results
              parameter.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected
                     by default. If you want to enforce a certain document
                     type, you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a visualisation
                     of an OVAL results file. Unless the --output option is
                     specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

CPE OPERATIONS

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML
              schema. Every error found is printed to standard error.
              The return code is 0 if validation succeeds, 1 if
              validation could not be performed due to some error,
              and 2 if the XCCDF document is not valid.


CVSS OPERATIONS

       score cvss_vector
              Calculate a score from a CVSS vector. Prints the base
              score for a base CVSS vector, base and temporal scores
              for a temporal CVSS vector, and base, temporal and
              environmental scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components
       specified as key-value pairs. Each key can be specified at most
       once. A valid CVSS vector has to contain at least the base CVSS
       metrics, i.e. AV, AC, AU, C, I, and A. The following table
       summarizes the components and possible values (the second column
       is the metric category: B for base, T for temporal, E for
       environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent
                                        network, Network

              AC:[H|M|L]            B   Access complexity: High,
                                        Medium, Low

              AU:[M|S|N]            B   Required authentication:
                                        Multiple instances, Single
                                        instance, None

              C:[N|P|C]             B   Confidentiality impact: None,
                                        Partial, Complete

              I:[N|P|C]             B   Integrity impact: None,
                                        Partial, Complete

              A:[N|P|C]             B   Availability impact: None,
                                        Partial, Complete

              E:[ND|U|POC|F|H]      T   Exploitability: Not Defined,
                                        Unproven, Proof of Concept,
                                        Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not
                                        Defined, Official Fix,
                                        Temporary Fix, Workaround,
                                        Unavailable

              RC:[ND|UC|UR|C]       T   Report Confidence: Not
                                        Defined, Unconfirmed,
                                        Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential:
                                        Not Defined, None, Low,
                                        Low-Medium, Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not
                                        Defined, None, Low, Medium,
                                        High

              CR:[ND|L|M|H]         E   Confidentiality requirement:
                                        Not Defined, Low, Medium, High

              IR:[ND|L|M|H]         E   Integrity requirement: Not
                                        Defined, Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not
                                        Defined, Low, Medium, High

DS OPERATIONS

725       sds-compose [options] SOURCE_XCCDF TARGET_SDS
726              Creates  a  source  datastream from the XCCDF file
727              given in SOURCE_XCCDF and  stores  the  result  in
728              TARGET_SDS. Dependencies like OVAL files are auto‐
729              matically detected and bundled  in  target  source
730              datastream.
731
732              --skip-valid
733                     Do not validate input/output files.
734
735       sds-add [options] NEW_COMPONENT EXISTING_SDS
736              Adds  given  NEW_COMPONENT  file  to  the existing
737              source datastream (EXISTING_SDS).  Component  file
738              might  be  OVAL,  XCCDF  or  CPE  Dictionary file.
739              Dependencies like  OVAL  files  are  automatically
740              detected  an bundled in target source datastream.
741
742              --datastream-id DATASTREAM_ID
743                     Uses  a  datastream with that particular ID
744                     from the given  datastream  collection.  If
745                     not given the first datastream is used.
746
747              --skip-valid
748                     Do not validate input/output files.
749
750       sds-split [options] SOURCE_DS TARGET_DIR
751              Splits given source datastream into multiple files
752              and stores all the files in TARGET_DIR.
753
754              --datastream-id DATASTREAM_ID
755                     Uses a datastream with that  particular  ID
756                     from  the  given  datastream collection. If
757                     not given the first datastream is used.
758
759              --xccdf-id XCCDF_ID
760                     Takes component  ref  with  given  ID  from
761                     checklists. This allows to select a partic‐
762                     ular XCCDF component even  in  cases  where
763                     there are 2 XCCDFs in one datastream.
764
765              --skip-valid
766                     Do not validate input/output files.
767
768              --fetch-remote-resources
769                     Allow  download of remote components refer‐
770                     enced from Datastream.
771
772       sds-validate SOURCE_DS
773              Validate given source datastream  file  against  a
774              XML  schema.  Every  found error is printed to the
775              standard error. Return code  is  0  if  validation
776              succeeds,  1  if validation could not be performed
777              due to some error, 2 if the source  datastream  is
778              not valid.
779
780       rds-create   [options]   SDS   TARGET_ARF   XCCDF_RESULTS
781       [OVAL_RESULTS [OVAL_RESULTS ..]]
782              Takes given  source  datastream,  XCCDF  and  OVAL
783              results  and creates a result datastream (in Asset
784              Reporting Format) and saves it to  file  given  in
785              TARGET_ARF.
786
787              --skip-valid
788                     Do not validate input/output files.
789
790       rds-split  [options]  [--report-id  REPORT_ID]  RDS  TAR‐
791       GET_DIR
792              Takes given result datastream (also called  ARF  =
793              asset  reporting  format)  and splits given report
794              and its respective report-request to given  target
795              directory.  If  no  report-id  is given, we assume
796              user wants the first applicable report in top-down
797              order in the file.
798
799              --skip-valid
800                     Do not validate input/output files.
801
802       rds-validate SOURCE_RDS
803              Validate  given  result  datastream file against a
804              XML schema. Every found error is  printed  to  the
805              standard  error.  Return  code  is 0 if validation
806              succeeds, 1 if validation could not  be  performed
807              due  to  some error, 2 if the result datastream is
808              not valid.
809
810

CVE OPERATIONS

812       validate cve-nvd-feed.xml
813              Validate given CVE data feed.
814
815       find CVE cve-nvd-feed.xml
816              Find given CVE in data feed and report base score,
817              vector string and vulnerable software list.
818
819

EXIT STATUS

821       Normally,  the  exit  status is 0 when operation finished
822       successfully and 1 otherwise. In cases  when  oscap  per‐
823       forms evaluation of the system it may return 2 indicating
824       success of the operation but incompliance of the assessed
825       system.
826
827

EXAMPLES

829       Evaluate  XCCDF  content using CPE dictionary and produce
830       html report. In this case we use United States Government
831       Configuration  Baseline  (USGCB)  for  Red Hat Enterprise
832       Linux 5 Desktop.
833
834               oscap xccdf eval --fetch-remote-resources --oval-results \
835                       --profile united_states_government_configuration_baseline \
836                       --report usgcb-rhel5desktop.report.html \
837                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
838                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
839                       usgcb-rhel5desktop-xccdf.xml
840

CONTENT

842        SCAP Security Guide -  https://github.com/OpenSCAP/scap-
843       security-guide/
844
845        National         Vulnerability         Database        -
846       http://web.nvd.nist.gov/view/ncp/repository
847
848        Red Hat content repository - http://www.redhat.com/secu
849       rity/data/oval/
850
851
852

REPORTING BUGS

854       Please report bugs using https://github.com/OpenSCAP/openscap/issues
855       Make sure you include the full output of `oscap --v` in the bug report.
856
857

AUTHORS

859       Peter Vrabec <pvrabec@redhat.com>
860       Šimon Lukašík
861       Martin Preisler <mpreisle@redhat.com>
862
863
864
865Red Hat                           March 2017                          OSCAP(8)
Impressum