OSCAP(8)              System Administration Utilities              OSCAP(8)

oscap - OpenSCAP command line tool

oscap [general-options] module operation [operation-options-and-arguments]

oscap is a Security Content Automation Protocol (SCAP) toolkit based on the
OpenSCAP library. It provides various functions for different SCAP
specifications (modules).

The OpenSCAP tool claims to provide the capabilities of an Authenticated
Configuration Scanner and an Authenticated Vulnerability Scanner as defined
by The National Institute of Standards and Technology.

-V, --version
    Print supported SCAP specifications, location of schema files,
    schematron files, CPE files, probes and supported OVAL objects.
    Displays a list of inbuilt CPE names.

-h, --help
    Help screen.

info    Determine type and print information about a file.
xccdf   The eXtensible Configuration Checklist Description Format.
oval    Open Vulnerability and Assessment Language.
ds      SCAP Data Stream
cpe     Common Platform Enumeration.
cvss    Common Vulnerability Scoring System
cve     Common Vulnerabilities and Exposures

Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of:
DEVEL, INFO, WARNING, ERROR.

Set filename to write additional information.

[options] any-scap-file.xml
    This module prints information about SCAP content in a file specified
    on the command line. It determines SCAP content type, specification
    version, date of creation, date of import and so on. The info module
    doesn't require any additional operation switch.

    For XCCDF or Datastream files, the info module prints out IDs of
    incorporated profiles, components, and datastreams. These IDs can be
    used to specify the target for evaluation. Use options --profile,
    --xccdf-id (or --oval-id), and --datastream-id respectively.

    --fetch-remote-resources
        Allow download of remote components referenced from Datastream.

    --profile PROFILE
        Show info of the profile with the given ID.

    --profiles
        Show profiles from the input file in the <id>:<title> format, one
        line per profile.

eval [options] INPUT_FILE [oval-definitions-files]
    Perform evaluation of the XCCDF document file given as INPUT_FILE.
    Print the result of each rule to standard output, including rule title,
    rule id and security identifier (CVE, CCE). Optionally you can give a
    source datastream as the INPUT_FILE instead of an XCCDF file (see
    --datastream-id).

    oscap returns 0 if all rules pass. If there is an error during
    evaluation, the return code is 1. If there is at least one rule with
    either fail or unknown result, oscap-scan finishes with return code 2.

    Unless --skip-valid is used, the INPUT_FILE is validated using XSD
    schemas (depending on document type of INPUT_FILE) and rejected if
    invalid.

    You may specify OVAL Definition files as the last parameter; XCCDF
    evaluation will then proceed only with those specified files.
    Otherwise, when the oval-definitions-files parameter is missing, the
    oscap tool will try to load all OVAL Definition files referenced from
    XCCDF automatically (search in the same path as XCCDF).

    --profile PROFILE
        Select a particular profile from XCCDF document. If "(all)" is
        given a virtual profile that selects all groups and rules will be
        used.

    --rule RULE
        Select a particular rule from XCCDF document. Only this rule will
        be evaluated. Rule will use values according to the selected
        profile. If no profile is selected, default values are used.

    --tailoring-file TAILORING_FILE
        Use given file for XCCDF tailoring. Select profile from tailoring
        file to apply using --profile. If both --tailoring-file and
        --tailoring-id are specified, --tailoring-file takes priority.

    --tailoring-id COMPONENT_REF_ID
        Use tailoring component in input source datastream for XCCDF
        tailoring. The tailoring component must be specified by its Ref-ID
        (value of component-ref/@id attribute in input source datastream).
        Select profile from tailoring component to apply using --profile.
        If both --tailoring-file and --tailoring-id are specified,
        --tailoring-file takes priority.

    --cpe CPE_FILE
        Use given CPE dictionary or language (auto-detected) for
        applicability checks. (Some CPE names are provided by openscap,
        see oscap --version for Inbuilt CPE names)

    --results FILE
        Write XCCDF results into FILE.

    --results-arf FILE
        Writes results to a given FILE in Asset Reporting Format. It is
        recommended to use this option instead of --results when dealing
        with datastreams.

    --stig-viewer FILE
        Writes XCCDF results into FILE in a format readable by DISA STIG
        Viewer. See
        http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx. This
        option should be used to generate results for DISA STIG Viewer
        older than 2.6. To use DISA STIG Viewer 2.6 or newer, use
        --results instead.

    --thin-results
        Thin Results provides only minimal amount of information in
        OVAL/ARF results. The option --without-syschar is automatically
        enabled when you use Thin Results.

    --without-syschar
        Don't provide system characteristics in OVAL/ARF result files.

    --report FILE
        Write HTML report into FILE.

    --oval-results
        Generate OVAL Result file for each OVAL session used for
        evaluation. File with name
        'original-oval-definitions-filename.result.xml' will be generated
        for each referenced OVAL file in current working directory. To
        change the directory where OVAL files are generated change the CWD
        using the `cd` command.

    --check-engine-results
        After evaluation is finished, each loaded check engine plugin is
        asked to export its results. The export itself is plugin specific,
        please refer to documentation of the plugin for more details.

    --export-variables
        Generate OVAL Variables documents which contain external
        variables' values that were provided to the OVAL checking engine
        during evaluation. The filename format is
        'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

    --datastream-id ID
        Uses a datastream with that particular ID from the given
        datastream collection. If not given the first datastream is used.
        Only applies if you give source datastream in place of an XCCDF
        file.

    --xccdf-id ID
        Takes component ref with given ID from checklists. This allows
        selecting a particular XCCDF component even in cases where there
        are 2 XCCDFs in one datastream. If none is given, the first
        component from the checklists element is used.

    --benchmark-id ID
        Selects a component ref from any datastream that references a
        component with XCCDF Benchmark such that its @id attribute matches
        given string exactly. Please note that this is not the recommended
        way of selecting a component-ref. You are advised to use
        --xccdf-id AND/OR --datastream-id for more precision.
        --benchmark-id is only used when both --xccdf-id and
        --datastream-id are not present on the command line!

    --skip-valid
        Do not validate input/output files.

    --fetch-remote-resources
        Allow download of remote OVAL content referenced from XCCDF by
        check-content-ref/@href.

    --remediate
        Execute XCCDF remediation in the process of XCCDF evaluation. This
        option automatically executes content of XCCDF fix elements for
        failed rules, and thus shall be avoided except for trusted
        content. Use of this option is always at your own risk.

remediate [options] INPUT_FILE [oval-definitions-files]
    This module provides post-scan remediation. It assumes that the
    INPUT_FILE is the result of an `oscap xccdf eval` operation. The input
    file must contain a TestResult element. This module executes XCCDF fix
    elements for failed rule-results contained in the given TestResult.
    Use of this option is always at your own risk and it shall be avoided
    except for trusted content.

    --result-id ID
        ID of the XCCDF TestResult element which shall be remedied. If
        this option is missing the last TestResult (in top-down
        processing) will be remedied.

    --skip-valid
        Do not validate input/output files.

    --fetch-remote-resources
        Allow download of remote OVAL content referenced from XCCDF by
        check-content-ref/@href.

    --cpe CPE_FILE
        Use given CPE dictionary or language (auto-detected) for
        applicability checks.

    --results FILE
        Write XCCDF results into FILE.

    --results-arf FILE
        Writes results to a given FILE in Asset Reporting Format. It is
        recommended to use this option instead of --results when dealing
        with datastreams.

    --stig-viewer FILE
        Writes XCCDF results into FILE in a format readable by DISA STIG
        Viewer. See
        http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx. This
        option should be used to generate results for DISA STIG Viewer
        older than 2.6. To use DISA STIG Viewer 2.6 or newer, use
        --results instead.

    --report FILE
        Write HTML report into FILE.

    --oval-results
        Generate OVAL Result file for each OVAL session used for
        evaluation. File with name
        'original-oval-definitions-filename.result.xml' will be generated
        for each referenced OVAL file.

    --check-engine-results
        After evaluation is finished, each loaded check engine plugin is
        asked to export its results. The export itself is plugin specific,
        please refer to documentation of the plugin for more details.

    --export-variables
        Generate OVAL Variables documents which contain external
        variables' values that were provided to the OVAL checking engine
        during evaluation. The filename format is
        'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

    --progress
        Switch to sparse output suitable for progress reporting. Format of
        the output is "$rule_id:$result\n".

resolve -o output-file xccdf-file
    Resolve an XCCDF file as described in the XCCDF specification. It will
    flatten the inheritance hierarchy of XCCDF profiles, groups, rules,
    and values. The result is another XCCDF document, which will be
    written to output-file.

    --force
        Force resolving XCCDF document even if it is already marked as
        resolved.

validate [options] xccdf-file
    Validate given XCCDF file against an XML schema. Every error found is
    printed to the standard error. Return code is 0 if validation
    succeeds, 1 if validation could not be performed due to some error, 2
    if the XCCDF document is not valid.

    --schematron
        Turn on Schematron-based validation. It is able to find more
        errors and inconsistencies but is much slower. Schematron is
        available only for XCCDF version 1.2.

export-oval-variables [options] xccdf-file [oval-definitions-files]
    Collect all the XCCDF values that would be used by OVAL during
    evaluation of a certain profile and export them as OVAL
    external-variables document(s). The filename format is
    'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

    --profile PROFILE
        Select a particular profile from XCCDF document.

    --fetch-remote-resources
        Allow download of remote OVAL content referenced from XCCDF by
        check-content-ref/@href.

    --skip-valid
        Do not validate input/output files.

    --datastream-id ID
        Uses a datastream with that particular ID from the given
        datastream collection. If not given the first datastream is used.
        Only applies if you give source datastream in place of an XCCDF
        file.

    --xccdf-id ID
        Takes component ref with given ID from checklists. This allows
        selecting a particular XCCDF component even in cases where there
        are 2 XCCDFs in one datastream.

    --cpe CPE_FILE
        Use given CPE dictionary or language (auto-detected) for
        applicability checks. The variables documents are created only for
        xccdf:Rules which are applicable.

generate [options] <submodule> [submodule-specific-options]
    Generate another document from an XCCDF file such as security guide or
    result report.

    --profile ID
        Apply profile with given ID to the Benchmark before further
        processing takes place.

    Available submodules:

    guide [options] xccdf-file
        Generate an HTML document containing a security guide from an
        XCCDF Benchmark. Unless the --output option is specified it will
        be written to the standard output. Without profile being set only
        groups (not rules) will be included in the output.

        --output FILE
            Write the guide to this file instead of standard output.

        --hide-profile-info
            Information on chosen profile (e.g. rules selected by the
            profile) will be excluded from the document.

        --benchmark-id ID
            Selects a component ref from any datastream that references a
            component with XCCDF Benchmark such that its @id attribute
            matches given string exactly.

    report [options] xccdf-file
        Generate an HTML document containing results of an XCCDF Benchmark
        execution. Unless the --output option is specified it will be
        written to the standard output.

        --output FILE
            Write the report to this file instead of standard output.

        --result-id ID
            ID of the XCCDF TestResult from which the report will be
            generated.

        --oval-template template-string
            To use the ability to include additional information from OVAL
            in xccdf result file, a template which will be used to obtain
            OVAL result file names has to be specified. The template can
            be either a filename or a string containing wildcard character
            (percent sign '%'). Wildcard will be replaced by the original
            OVAL definition file name as referenced from the XCCDF file.
            This way it is possible to obtain OVAL information even from
            XCCDF documents referencing several OVAL files. To use this
            option with results from an XCCDF evaluation, specify
            %.result.xml as an OVAL file name template.

        --sce-template template-string
            To use the ability to include additional information from SCE
            in XCCDF result file, a template which will be used to obtain
            SCE result file names has to be specified. The template can be
            either a filename or a string containing wildcard character
            (percent sign '%'). Wildcard will be replaced by the original
            SCE script file name as referenced from the XCCDF file. This
            way it is possible to obtain SCE information even from XCCDF
            documents referencing several SCE files. To use this option
            with results from an XCCDF evaluation, specify %.result.xml as
            an SCE file name template.

    fix [options] xccdf-file
        Generate a script that shall bring the system to a state of
        compliance with given XCCDF Benchmark. There are 2 possibilities
        when generating fixes: Result-oriented fixes (--result-id) or
        Profile-oriented fixes (--profile). Result-oriented takes
        precedence over Profile-oriented: if result-id is given, oscap
        will ignore any profile provided.

        Result-oriented fixes are generated using the result-id provided
        to select only the failing rules from results in xccdf-file; all
        other rules are skipped.

        Profile-oriented fixes are generated using all rules within the
        provided profile. If no result-id/profile are provided, (default)
        profile will be used to generate fixes.

        --fix-type TYPE
            Specify fix type. There are multiple programming languages in
            which the fix script can be generated. TYPE should be one of:
            bash, ansible, puppet, anaconda. Default is bash. This option
            is mutually exclusive with --template, because fix type
            already determines the template URN.

        --output FILE
            Write the report to this file instead of standard output.

        --result-id ID
            Fixes will be generated for failed rule-results of the
            specified TestResult.

        --template ID|FILE
            Template to be used to generate the script. If it contains a
            dot '.' it is interpreted as a location of a file with the
            template definition. Otherwise it identifies a template from
            standard set which currently includes: bash (default if no
            --template switch present). Brief explanation of the process
            of writing your own templates is in the XSL file
            xsl/legacy-fix.xsl in the openscap data directory. You can
            also take a look at the default template
            xsl/legacy-fixtpl-bash.xml.

        --xccdf-id ID
            Takes component ref with given ID from checklists. This allows
            selecting a particular XCCDF component even in cases where
            there are 2 XCCDFs in one datastream. If none is given, the
            first component from the checklists element is used.

        --benchmark-id ID
            Selects a component ref from any datastream that references a
            component with XCCDF Benchmark such that its @id attribute
            matches given string exactly.

        --tailoring-file TAILORING_FILE
            Use given file for XCCDF tailoring. Select profile from
            tailoring file to apply using --profile. If both
            --tailoring-file and --tailoring-id are specified,
            --tailoring-file takes priority.

        --tailoring-id COMPONENT_REF_ID
            Use tailoring component in input source datastream for XCCDF
            tailoring. The tailoring component must be specified by its
            Ref-ID (value of component-ref/@id attribute in input source
            datastream). Select profile from tailoring component to apply
            using --profile. If both --tailoring-file and --tailoring-id
            are specified, --tailoring-file takes priority.

    custom --stylesheet xslt-file [options] xccdf-file
        Generate a custom output (depending on given XSLT file) from an
        XCCDF file.

        --stylesheet FILE
            Specify an absolute path to a custom stylesheet to format the
            output.

        --output FILE
            Write the document into file.

eval [options] INPUT_FILE
    Probe the system and evaluate all definitions from OVAL Definition
    file. Print result of each definition to standard output. The return
    code is 0 after a successful evaluation. On error, value 1 is
    returned.

    INPUT_FILE can be either an OVAL Definition File or a SCAP Source
    Datastream, depending on the options used.

    Unless --skip-valid is used, the INPUT_FILE is validated using XSD
    schemas (depending on document type of INPUT_FILE) and rejected if
    invalid.

    --id DEFINITION-ID
        Evaluate ONLY specified OVAL Definition from OVAL Definition File.

    --variables FILE
        Provide external variables expected by OVAL Definition File.

    --directives FILE
        Use OVAL Directives content to specify desired results content.

    --without-syschar
        Don't provide system characteristics in result file.

    --results FILE
        Write OVAL Results into file.

    --report FILE
        Create human readable (HTML) report from OVAL Results.

    --datastream-id ID
        Uses a datastream with that particular ID from the given
        datastream collection. If not given the first datastream is used.
        Only applies if you give source datastream in place of an OVAL
        file.

    --oval-id ID
        Takes component ref with given ID from checks. This allows
        selecting a particular OVAL component even in cases where there
        are 2 OVALs in one datastream.

    --skip-valid
        Do not validate input/output files.

    --fetch-remote-resources
        Allow download of remote components referenced from Datastream.

collect [options] definitions-file
    Probe the system and gather system characteristics for all objects in
    OVAL Definition file.

    --id OBJECT-ID
        Collect system characteristics ONLY for specified OVAL Object.

    --variables FILE
        Provide external variables expected by OVAL Definitions.

    --syschar FILE
        Write OVAL System Characteristic into file.

    --skip-valid
        Do not validate input/output files.

analyse [options] --results FILE definitions-file syschar-file
    In this mode, the oscap tool does not perform data collection on the
    local system, but relies upon the input file, which may have been
    generated on another system. The output (OVAL Results) is printed to
    the file specified by the --results parameter.

    --variables FILE
        Provide external variables expected by OVAL Definitions.

    --directives FILE
        Use OVAL Directives content to specify desired results content.

    --skip-valid
        Do not validate input/output files.

validate [options] oval-file
    Validate given OVAL file against an XML schema. Every error found is
    printed to the standard error. Return code is 0 if validation
    succeeds, 1 if validation could not be performed due to some error, 2
    if the OVAL document is not valid.

    --definitions, --variables, --syschar, --results --directives
        Type of the OVAL document is automatically detected by default. If
        you want to enforce a certain document type, you can use one of
        these options.

    --schematron
        Turn on Schematron-based validation. It is able to find more
        errors and inconsistencies but is much slower.

generate <submodule> [submodule-specific-options]
    Generate another document from an OVAL file.

    Available submodules:

    report [options] oval-results-file
        Generate a formatted HTML page containing visualisation of an OVAL
        results file. Unless the --output option is specified it will be
        written to the standard output.

        --output FILE
            Write the report to this file instead of standard output.

check name
    Check whether name is in correct CPE format.

match name dictionary.xml
    Find an exact match of CPE name in the dictionary.

validate cpe-dict-file
    Validate given CPE dictionary file against an XML schema. Every error
    found is printed to the standard error. Return code is 0 if validation
    succeeds, 1 if validation could not be performed due to some error, 2
    if the XCCDF document is not valid.

score cvss_vector
    Calculate score from a CVSS vector. Prints base score for base CVSS
    vector, base and temporal score for temporal CVSS vector, base and
    temporal and environmental score for environmental CVSS vector.

describe cvss_vector
    Describe individual components of a CVSS vector in a human-readable
    format and print partial scores.

    A CVSS vector consists of several slash-separated components specified
    as key-value pairs. Each key can be specified at most once. A valid
    CVSS vector has to contain at least the base CVSS metrics, i.e. AV, AC,
    AU, C, I, and A. The following table summarizes the components and
    possible values (second column is metric category: B for base, T for
    temporal, E for environmental):

    AV:[L|A|N]            B  Access vector: Local, Adjacent network, Network
    AC:[H|M|L]            B  Access complexity: High, Medium, Low
    AU:[M|S|N]            B  Required authentication: Multiple instances,
                             Single instance, None
    C:[N|P|C]             B  Confidentiality impact: None, Partial, Complete
    I:[N|P|C]             B  Integrity impact: None, Partial, Complete
    A:[N|P|C]             B  Availability impact: None, Partial, Complete
    E:[ND|U|POC|F|H]      T  Exploitability: Not Defined, Unproven, Proof of
                             Concept, Functional, High
    RL:[ND|OF|TF|W|U]     T  Remediation Level: Not Defined, Official Fix,
                             Temporary Fix, Workaround, Unavailable
    RC:[ND|UC|UR|C]       T  Report Confidence: Not Defined, Unconfirmed,
                             Uncorroborated, Confirmed
    CDP:[ND|N|L|LM|MH|H]  E  Collateral Damage Potential: Not Defined, None,
                             Low, Low-Medium, Medium-High, High
    TD:[ND|N|L|M|H]       E  Target Distribution: Not Defined, None, Low,
                             Medium, High
    CR:[ND|L|M|H]         E  Confidentiality requirement: Not Defined, Low,
                             Medium, High
    IR:[ND|L|M|H]         E  Integrity requirement: Not Defined, Low, Medium,
                             High
    AR:[ND|L|M|H]         E  Availability requirement: Not Defined, Low,
                             Medium, High

sds-compose [options] SOURCE_XCCDF TARGET_SDS
    Creates a source datastream from the XCCDF file given in SOURCE_XCCDF
    and stores the result in TARGET_SDS. Dependencies like OVAL files are
    automatically detected and bundled in target source datastream.

    --skip-valid
        Do not validate input/output files.

sds-add [options] NEW_COMPONENT EXISTING_SDS
    Adds given NEW_COMPONENT file to the existing source datastream
    (EXISTING_SDS). Component file might be OVAL, XCCDF or CPE Dictionary
    file. Dependencies like OVAL files are automatically detected and
    bundled in target source datastream.

    --datastream-id DATASTREAM_ID
        Uses a datastream with that particular ID from the given
        datastream collection. If not given the first datastream is used.

    --skip-valid
        Do not validate input/output files.

sds-split [options] SOURCE_DS TARGET_DIR
    Splits given source datastream into multiple files and stores all the
    files in TARGET_DIR.

    --datastream-id DATASTREAM_ID
        Uses a datastream with that particular ID from the given
        datastream collection. If not given the first datastream is used.

    --xccdf-id XCCDF_ID
        Takes component ref with given ID from checklists. This allows
        selecting a particular XCCDF component even in cases where there
        are 2 XCCDFs in one datastream.

    --skip-valid
        Do not validate input/output files.

    --fetch-remote-resources
        Allow download of remote components referenced from Datastream.

sds-validate SOURCE_DS
    Validate given source datastream file against an XML schema. Every
    error found is printed to the standard error. Return code is 0 if
    validation succeeds, 1 if validation could not be performed due to
    some error, 2 if the source datastream is not valid.

rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
    Takes given source datastream, XCCDF and OVAL results and creates a
    result datastream (in Asset Reporting Format) and saves it to file
    given in TARGET_ARF.

    --skip-valid
        Do not validate input/output files.

rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
    Takes given result datastream (also called ARF = asset reporting
    format) and splits given report and its respective report-request to
    given target directory. If no report-id is given, we assume user wants
    the first applicable report in top-down order in the file.

    --skip-valid
        Do not validate input/output files.

rds-validate SOURCE_RDS
    Validate given result datastream file against an XML schema. Every
    error found is printed to the standard error. Return code is 0 if
    validation succeeds, 1 if validation could not be performed due to
    some error, 2 if the result datastream is not valid.

validate cve-nvd-feed.xml
    Validate given CVE data feed.

find CVE cve-nvd-feed.xml
    Find given CVE in data feed and report base score, vector string and
    vulnerable software list.

Normally, the exit status is 0 when the operation finished successfully and
1 otherwise. In cases when oscap performs evaluation of the system it may
return 2, indicating success of the operation but non-compliance of the
assessed system.
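
An added example, not from the oscap documentation, of handling these exit statuses in a script: it separates a finished scan that found non-compliance (2) from a scan that could not run (1), and tallies the `$rule_id:$result` lines of the `--progress` output format. The two stub functions and their rule ids are constructed so that the block runs without oscap installed.

```shell
#!/bin/sh
# Added example, not part of the oscap project. scan_verdict runs a scan
# command that prints "$rule_id:$result" lines (the --progress format) and
# maps its exit status to a verdict: 0 compliant, 2 non-compliant, else error.

scan_verdict() {
    # Capture the status with "&& ... ||" so that a caller running under
    # `set -e` is not aborted by exit status 2 (a finished scan with failures).
    out=$("$@") && rc=0 || rc=$?

    pass=0; fail=0; unknown=0; other=0
    while IFS= read -r line; do
        case "$line" in
            *:pass)    pass=$((pass + 1)) ;;
            *:fail)    fail=$((fail + 1)) ;;
            *:unknown) unknown=$((unknown + 1)) ;;
            *:?*)      other=$((other + 1)) ;;   # any other result value
        esac                                     # lines without ':' are ignored
    done <<EOF
$out
EOF

    case "$rc" in
        0) verdict=compliant ;;
        2) verdict=non-compliant ;;
        *) verdict=scan-error ;;
    esac
    echo "$verdict rc=$rc pass=$pass fail=$fail unknown=$unknown other=$other"
}

# Constructed stand-ins for an oscap scan; the rule ids are made up.
fake_scan_failing() {
    printf '%s\n' 'xccdf_example_rule_a:pass' \
                  'xccdf_example_rule_b:fail' \
                  'xccdf_example_rule_c:notapplicable'
    return 2
}

fake_scan_broken() {
    return 1
}
```

With oscap installed, the call would be `scan_verdict oscap xccdf eval --progress --profile PROFILE INPUT_FILE`; a pipeline can then retry or alert on `scan-error` and treat `non-compliant` as a finding rather than a crash.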

Evaluate XCCDF content using a CPE dictionary and produce an HTML report. In
this case we use the United States Government Configuration Baseline (USGCB)
for Red Hat Enterprise Linux 5 Desktop.

    oscap xccdf eval --fetch-remote-resources --oval-results \
        --profile united_states_government_configuration_baseline \
        --report usgcb-rhel5desktop.report.html \
        --results usgcb-rhel5desktop-xccdf.xml.result.xml \
        --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
        usgcb-rhel5desktop-xccdf.xml

SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

Red Hat content repository - http://www.redhat.com/security/data/oval/

Please report bugs using https://github.com/OpenSCAP/openscap/issues
Make sure you include the full output of `oscap --v` in the bug report.

Peter Vrabec <pvrabec@redhat.com>
Šimon Lukašík
Martin Preisler <mpreisle@redhat.com>

Red Hat                        October 2018                        OSCAP(8)