OSCAP(8)                 System Administration Utilities                OSCAP(8)

       oscap - OpenSCAP command line tool

       oscap [general-options] module operation [operation-options-and-arguments]

       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for different SCAP
       specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology.

       -V, --version
              Print supported SCAP specification, location of schema files,
              schematron files, CPE files, probes and supported OVAL objects.
              Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

              Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL
              is one of: DEVEL, INFO, WARNING, ERROR.

              Set filename to write additional information.

       [options] any-scap-file.xml
              This module prints information about SCAP content in a file
              specified on a command line. It determines SCAP content type,
              specification version, date of creation, date of import and so
              on. The info module doesn't require any additional operation
              switch.

              For XCCDF or Datastream files, the info module prints out IDs of
              incorporated profiles, components, and datastreams. These IDs
              can be used to specify the target for evaluation. Use options
              --profile, --xccdf-id (or --oval-id), and --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title>
                     format, one line per profile.

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of XCCDF document file given as INPUT_FILE.
              Print result of each rule to standard output, including rule
              title, rule id and security identifier (CVE, CCE). Optionally you
              can give a source datastream as the INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either fail or unknown result, oscap-scan finishes with
              return code 2.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on document type of INPUT_FILE) and
              rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, the oscap tool will try to load all OVAL Definition
              files referenced from XCCDF automatically (search in the same
              path as XCCDF).

              --profile PROFILE
                     Select a particular profile from XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from XCCDF document. Only this
                     rule will be evaluated. Rule will use values according to
                     the selected profile. If no profile is selected, default
                     values are used.

              --tailoring-file TAILORING_FILE
                     Use given file for XCCDF tailoring. Select profile from
                     tailoring file to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use tailoring component in input source datastream for
                     XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (value of component-ref/@id
                     attribute in input source datastream). Select profile
                     from tailoring component to apply using --profile. If
                     both --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use given CPE dictionary or language (auto-detected) for
                     applicability checks. (Some CPE names are provided by
                     openscap, see oscap --version for Inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Writes XCCDF results into FILE in a format readable by
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --thin-results
                     Thin Results provides only minimal amount of information
                     in OVAL/ARF results. The option --without-syschar is
                     automatically enabled when you use Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write HTML report into FILE. You also have to specify
                     --results for this feature to work. Please see
                     --oval-results to enable additional information in the
                     report.

              --oval-results
                     Generate OVAL Result file for each OVAL session used for
                     evaluation. File with name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in current
                     working directory. This option (in conjunction with the
                     --report option) also enables inclusion of additional
                     OVAL information in the XCCDF report. To change the
                     directory where OVAL files are generated, change the CWD
                     using the `cd` command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific, please refer to documentation of the
                     plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain external
                     variables' values that were provided to the OVAL checking
                     engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Uses a datastream with that particular ID from the given
                     datastream collection. If not given the first datastream
                     is used. Only applies if you give source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This
                     allows to select a particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream. If none
                     is given, the first component from the checklists element
                     is used.

              --benchmark-id ID
                     Selects a component ref from any datastream that
                     references a component with XCCDF Benchmark such that its
                     @id attribute matches given string exactly. Please note
                     that this is not the recommended way of selecting a
                     component-ref. You are advised to use --xccdf-id AND/OR
                     --datastream-id for more precision. --benchmark-id is
                     only used when both --xccdf-id and --datastream-id are
                     not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the
                     content of XCCDF fix elements for failed rules, so it
                     shall be avoided except for trusted content. Use of this
                     option is always at your own risk.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the
              INPUT_FILE is the result of an `oscap xccdf eval` operation. The
              input file must contain a TestResult element. This module
              executes XCCDF fix elements for failed rule-results contained in
              the given TestResult. Use of this option is always at your own
              risk and it shall be avoided except for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing the last TestResult
                     (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use given CPE dictionary or language (auto-detected) for
                     applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Writes XCCDF results into FILE in a format readable by
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

              --report FILE
                     Write HTML report into FILE. You also have to specify
                     --results for this feature to work.

              --oval-results
                     Generate OVAL Result file for each OVAL session used for
                     evaluation. File with name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file. This option (in
                     conjunction with the --report option) also enables
                     inclusion of additional OVAL information in the XCCDF
                     report.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific, please refer to documentation of the
                     plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain external
                     variables' values that were provided to the OVAL checking
                     engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten inheritance hierarchy of XCCDF profiles, groups,
              rules, and values. Result is another XCCDF document, which will
              be written to output-file.

              --force
                     Force resolving XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate given XCCDF file against a XML schema. Every found
              error is printed to the standard error. Return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.
                     Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Uses a datastream with that particular ID from the given
                     datastream collection. If not given the first datastream
                     is used. Only applies if you give source datastream in
                     place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This
                     allows to select a particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream.

              --cpe CPE_FILE
                     Use given CPE dictionary or language (auto-detected) for
                     applicability checks. The variables documents are created
                     only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file such as security
              guide or result report.

              --profile ID
                     Apply profile with given ID to the Benchmark before
                     further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate a formatted document containing a security guide
                     from a XCCDF Benchmark. Unless the --output option is
                     specified it will be written to the standard output.
                     Without profile being set only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            Information on chosen profile (e.g. rules selected
                            by the profile) will be excluded from the
                            document.

              report [options] xccdf-file
                     Generate a document containing results of a XCCDF
                     Benchmark execution. Unless the --output option is
                     specified it will be written to the standard output. ID
                     of the TestResult element to visualise defaults to the
                     most recent result (according to the end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --show what
                            Specify what result types shall be displayed in
                            the result report. The default is to show
                            everything except for rules with results
                            notselected and notapplicable. The what part is a
                            comma-separated list of result types to display in
                            addition to the default. If result type is
                            prefixed by a dash '-', it will be excluded from
                            the results. If what is prefixed by an equality
                            sign '=', a following list specifies exactly what
                            rule types to include in the report. Result types
                            are: pass, fixed, notchecked, notapplicable,
                            notselected, informational, unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional
                            information from OVAL in xccdf result file, a
                            template which will be used to obtain OVAL result
                            file names has to be specified. The template can
                            be either a filename or a string containing
                            wildcard character (percent sign '%'). Wildcard
                            will be replaced by the original OVAL definition
                            file name as referenced from the XCCDF file. This
                            way it is possible to obtain OVAL information even
                            from XCCDF documents referencing several OVAL
                            files. To use this option with results from an
                            XCCDF evaluation, specify %.result.xml as a OVAL
                            file name template.

                     --sce-template template-string
                            To use the ability to include additional
                            information from SCE in XCCDF result file, a
                            template which will be used to obtain SCE result
                            file names has to be specified. The template can
                            be either a filename or a string containing
                            wildcard character (percent sign '%'). Wildcard
                            will be replaced by the original SCE script file
                            name as referenced from the XCCDF file. This way
                            it is possible to obtain SCE information even from
                            XCCDF documents referencing several SCE files. To
                            use this option with results from an XCCDF
                            evaluation, specify %.result.xml as a SCE file
                            name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with given XCCDF Benchmark. There are 2
                     possibilities when generating fixes: Result-oriented
                     fixes (--result-id) or Profile-oriented fixes
                     (--profile). Result-oriented takes precedence over
                     Profile-oriented: if result-id is given, oscap will
                     ignore any profile provided.

                     Result-oriented fixes are generated using the result-id
                     provided to select only the failing rules from results in
                     xccdf-file; it skips all other rules.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If no result-id/profile are
                     provided, (default) profile will be used to generate
                     fixes.

                     --fix-type TYPE
                            Specify fix type. There are multiple programming
                            languages in which the fix script can be
                            generated. TYPE should be one of: bash, ansible,
                            puppet, anaconda. Default is bash. This option is
                            mutually exclusive with --template, because fix
                            type already determines the template URN.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            Fixes will be generated for failed rule-results of
                            the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.' it is interpreted as a location
                            of a file with the template definition. Otherwise
                            it identifies a template from standard set which
                            currently includes: bash (default if no --template
                            switch present). A brief explanation of the
                            process of writing your own templates is in the
                            XSL file xsl/legacy-fix.xsl in the openscap data
                            directory. You can also take a look at the default
                            template xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Takes component ref with given ID from checklists.
                            This allows to select a particular XCCDF component
                            even in cases where there are 2 XCCDFs in one
                            datastream. If none is given, the first component
                            from the checklists element is used.

                     --benchmark-id ID
                            Selects a component ref from any datastream that
                            references a component with XCCDF Benchmark such
                            that its @id attribute matches given string
                            exactly.

                     --tailoring-file TAILORING_FILE
                            Use given file for XCCDF tailoring. Select profile
                            from tailoring file to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use tailoring component in input source datastream
                            for XCCDF tailoring. The tailoring component must
                            be specified by its Ref-ID (value of
                            component-ref/@id attribute in input source
                            datastream). Select profile from tailoring
                            component to apply using --profile. If both
                            --tailoring-file and --tailoring-id are specified,
                            --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on given XSLT file)
                     from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                            Write the document into file.

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from OVAL
              Definition file. Print result of each definition to standard
              output. The return code is 0 after a successful evaluation. On
              error, value 1 is returned.

              INPUT_FILE can be either OVAL Definition File or SCAP Source
              Datastream, it depends on used options.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on document type of INPUT_FILE) and
              rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY specified OVAL Definition from OVAL
                     Definition File.

              --variables FILE
                     Provide external variables expected by OVAL Definition
                     File.

              --directives FILE
                     Use OVAL Directives content to specify desired results
                     content.

              --without-syschar
                     Don't provide system characteristics in result file.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Uses a datastream with that particular ID from the given
                     datastream collection. If not given the first datastream
                     is used. Only applies if you give source datastream in
                     place of an OVAL file.

              --oval-id ID
                     Takes component ref with given ID from checks. This
                     allows to select a particular OVAL component even in
                     cases where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     Datastream.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for specified OVAL
                     Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristic into file.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is printed to file specified by --results parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify desired results
                     content.

              --skip-valid
                     Do not validate input/output files.

       validate [options] oval-file
              Validate given OVAL file against a XML schema. Every found
              error is printed to the standard error. Return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     Type of the OVAL document is automatically detected by
                     default. If you want to enforce a certain document type,
                     you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing visualisation
                     of an OVAL results file. Unless the --output option is
                     specified it will be written to the standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of CPE name in the dictionary.

       validate cpe-dict-file
              Validate given CPE dictionary file against a XML schema. Every
              found error is printed to the standard error. Return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, 2 if the CPE dictionary is not valid.

       score cvss_vector
              Calculate score from a CVSS vector. Prints base score for base
              CVSS vector, base and temporal score for temporal CVSS vector,
              base and temporal and environmental score for environmental
              CVSS vector.

       describe cvss_vector
              Describe individual components of a CVSS vector in a
              human-readable format and print partial scores.

              A CVSS vector consists of several slash-separated components
              specified as key-value pairs. Each key can be specified at most
              once. A valid CVSS vector has to contain at least the base CVSS
              metrics, i.e. AV, AC, AU, C, I, and A. The following table
              summarizes the components and possible values (second column
              is metric category: B for base, T for temporal, E for
              environmental):

              AV:[L|A|N]            B  Access vector: Local, Adjacent network,
                                       Network
              AC:[H|M|L]            B  Access complexity: High, Medium, Low
              AU:[M|S|N]            B  Required authentication: Multiple
                                       instances, Single instance, None
              C:[N|P|C]             B  Confidentiality impact: None, Partial,
                                       Complete
              I:[N|P|C]             B  Integrity impact: None, Partial,
                                       Complete
              A:[N|P|C]             B  Availability impact: None, Partial,
                                       Complete
              E:[ND|U|POC|F|H]      T  Exploitability: Not Defined, Unproven,
                                       Proof of Concept, Functional, High
              RL:[ND|OF|TF|W|U]     T  Remediation Level: Not Defined,
                                       Official Fix, Temporary Fix,
                                       Workaround, Unavailable
              RC:[ND|UC|UR|C]       T  Report Confidence: Not Defined,
                                       Unconfirmed, Uncorroborated, Confirmed
              CDP:[ND|N|L|LM|MH|H]  E  Collateral Damage Potential: Not
                                       Defined, None, Low, Low-Medium,
                                       Medium-High, High
              TD:[ND|N|L|M|H]       E  Target Distribution: Not Defined, None,
                                       Low, Medium, High
              CR:[ND|L|M|H]         E  Confidentiality requirement: Not
                                       Defined, Low, Medium, High
              IR:[ND|L|M|H]         E  Integrity requirement: Not Defined,
                                       Low, Medium, High
              AR:[ND|L|M|H]         E  Availability requirement: Not Defined,
                                       Low, Medium, High
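
The vector rules stated above (known keys only, each key at most once, all six base metrics present, values from the table), as an added example that is not part of the original manual page and is not oscap's own code. The function name cvss2_base is made up for this example, the base-metric weights and the base-score equation come from the CVSS version 2 specification rather than from this page, and temporal and environmental components are validated but not scored.

```shell
#!/bin/sh
# Added example: validate a CVSS v2 vector against the component table above
# and print its base score. cvss2_base is a hypothetical helper name.

cvss2_base() {
    printf '%s\n' "$1" | awk -F/ '
    BEGIN {
        # Allowed values per component, as listed in the table above.
        allowed["AV"] = "L A N"; allowed["AC"] = "H M L"; allowed["AU"] = "M S N"
        allowed["C"] = "N P C";  allowed["I"] = "N P C";  allowed["A"] = "N P C"
        allowed["E"] = "ND U POC F H";  allowed["RL"] = "ND OF TF W U"
        allowed["RC"] = "ND UC UR C";   allowed["CDP"] = "ND N L LM MH H"
        allowed["TD"] = "ND N L M H";   allowed["CR"] = "ND L M H"
        allowed["IR"] = "ND L M H";     allowed["AR"] = "ND L M H"
        # Base metric weights from the CVSS v2 specification (not on this page).
        w["AV","L"] = 0.395; w["AV","A"] = 0.646; w["AV","N"] = 1.0
        w["AC","H"] = 0.35;  w["AC","M"] = 0.61;  w["AC","L"] = 0.71
        w["AU","M"] = 0.45;  w["AU","S"] = 0.56;  w["AU","N"] = 0.704
        split("C I A", cia, " ")
        for (n in cia) {
            w[cia[n],"N"] = 0; w[cia[n],"P"] = 0.275; w[cia[n],"C"] = 0.660
        }
    }
    {
        err = ""
        for (n = 1; n <= NF && err == ""; n++) {
            parts = split($n, kv, ":")
            key = toupper(kv[1])    # this page writes "AU", NVD vectors write "Au"
            if (parts != 2 || !(key in allowed))
                err = "unknown component: " $n
            else if (key in seen)
                err = "component given more than once: " key
            else if (kv[2] !~ /^[A-Z]+$/ ||
                     index(" " allowed[key] " ", " " kv[2] " ") == 0)
                err = "invalid value: " $n
            else
                seen[key] = kv[2]
        }
        # A valid vector must carry every base metric.
        nreq = split("AV AC AU C I A", req, " ")
        for (n = 1; n <= nreq && err == ""; n++)
            if (!(req[n] in seen)) err = "missing base metric: " req[n]
        if (err != "") { print "cvss2_base: " err | "cat 1>&2"; exit 1 }

        impact = 10.41 * (1 - (1 - w["C",seen["C"]]) * (1 - w["I",seen["I"]]) \
                              * (1 - w["A",seen["A"]]))
        expl = 20 * w["AV",seen["AV"]] * w["AC",seen["AC"]] * w["AU",seen["AU"]]
        # f(Impact) is 0 when there is no impact, which forces the score to 0.
        if (impact == 0) { print "0.0"; exit 0 }
        printf "%.1f\n", (0.6 * impact + 0.4 * expl - 1.5) * 1.176
    }'
}
```

The function prints the base score on standard output and returns non-zero with a message on standard error for a vector that breaks any of the rules.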

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates a source datastream from the XCCDF file given in
              SOURCE_XCCDF and stores the result in TARGET_SDS. Dependencies
              like OVAL files are automatically detected and bundled in
              target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds given NEW_COMPONENT file to the existing source datastream
              (EXISTING_SDS). Component file might be OVAL, XCCDF or CPE
              Dictionary file. Dependencies like OVAL files are automatically
              detected and bundled in target source datastream.

              --datastream-id DATASTREAM_ID
                     Uses a datastream with that particular ID from the given
                     datastream collection. If not given the first datastream
                     is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits given source datastream into multiple files and stores
              all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses a datastream with that particular ID from the given
                     datastream collection. If not given the first datastream
                     is used.

              --xccdf-id XCCDF_ID
                     Takes component ref with given ID from checklists. This
                     allows to select a particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     Datastream.

       sds-validate SOURCE_DS
              Validate given source datastream file against a XML schema.
              Every found error is printed to the standard error. Return code
              is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the source datastream is not
              valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes given source datastream, XCCDF and OVAL results and
              creates a result datastream (in Asset Reporting Format) and
              saves it to file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes given result datastream (also called ARF = asset
              reporting format) and splits given report and its respective
              report-request to given target directory. If no report-id is
              given, we assume user wants the first applicable report in
              top-down order in the file.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate given result datastream file against a XML schema.
              Every found error is printed to the standard error. Return code
              is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the result datastream is not
              valid.

       validate cve-nvd-feed.xml
              Validate given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find given CVE in data feed and report base score, vector
              string and vulnerable software list.

       Normally, the exit status is 0 when the operation finished
       successfully and 1 otherwise. In cases when oscap performs evaluation
       of the system it may return 2, indicating success of the operation
       but noncompliance of the assessed system.

       Evaluate XCCDF content using CPE dictionary and produce html report.
       In this case we use United States Government Configuration Baseline
       (USGCB) for Red Hat Enterprise Linux 5 Desktop.

              oscap xccdf eval --fetch-remote-resources --oval-results \
                  --profile united_states_government_configuration_baseline \
                  --report usgcb-rhel5desktop.report.html \
                  --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                  --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                  usgcb-rhel5desktop-xccdf.xml
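
The exit statuses documented above for `oscap xccdf eval` (0 all rules pass, 1 error, 2 at least one fail or unknown result), as an added example that is not part of the original manual page: a POSIX sh wrapper that keeps a scan that could not run apart from a noncompliant result, so a failed scan is never read as a pass. OSCAP_BIN, the function names and the output file names are assumptions of this example; the oscap options are the ones documented on this page.

```shell
#!/bin/sh
# Added example: gate a job on the exit status of `oscap xccdf eval`.
# OSCAP_BIN, the function names and the output file names are hypothetical.

OSCAP_BIN=${OSCAP_BIN:-oscap}

# Map an exit status to a verdict. Only 0 means every rule passed; 2 means the
# scan completed but at least one rule failed or was unknown; anything else
# (1, a missing binary, a signal) means there is no trustworthy result.
classify_oscap_rc() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo error ;;
    esac
}

# run_xccdf_scan PROFILE INPUT_FILE OUTDIR
# Runs the evaluation, keeps results, report and log in OUTDIR, prints verdict.
run_xccdf_scan() {
    profile=$1
    input=$2
    outdir=$3
    rc=0
    # --report only works together with --results, so both are always given.
    "$OSCAP_BIN" xccdf eval \
        --profile "$profile" \
        --results "$outdir/xccdf-results.xml" \
        --report "$outdir/report.html" \
        "$input" >"$outdir/scan.log" 2>&1 || rc=$?
    classify_oscap_rc "$rc"
}

# compliance_gate PROFILE INPUT_FILE OUTDIR
# Prints the verdict and succeeds only when the scan ran and all rules passed.
compliance_gate() {
    verdict=$(run_xccdf_scan "$@")
    echo "$verdict"
    [ "$verdict" = compliant ]
}
```

Call `compliance_gate PROFILE INPUT_FILE OUTDIR` from a job script and branch on the printed verdict when an error should page someone rather than open a compliance finding.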

       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database -
       http://web.nvd.nist.gov/view/ncp/repository

       Red Hat content repository - http://www.redhat.com/security/data/oval/

       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug report.

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>

Red Hat                           March 2017                          OSCAP(8)