OSCAP(8)                    System Administration Utilities                    OSCAP(8)

NAME
       oscap - OpenSCAP command line tool

SYNOPSIS
       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION
       oscap is a Security Content Automation Protocol (SCAP) toolkit based on the OpenSCAP library. It provides various functions for the different SCAP specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated Configuration Scanner and an Authenticated Vulnerability Scanner as defined by the National Institute of Standards and Technology.

GENERAL OPTIONS
       -V, --version
              Print supported SCAP specifications, location of schema files, schematron files, CPE files, probes and supported OVAL objects. Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES
       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level. VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set the filename to write additional information to.

INFO MODULE
       [options] any-scap-file.xml
              This module prints information about the SCAP content in the file specified on the command line. It determines the SCAP content type, specification version, date of creation, date of import and so on. The info module does not require any additional operation switch.

              For XCCDF or Datastream files, the info module prints out the IDs of incorporated profiles, components, and datastreams. These IDs can be used to specify the target for evaluation: use the options --profile, --xccdf-id (or --oval-id), and --datastream-id respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title> format, one line per profile.

XCCDF MODULE
       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document given as INPUT_FILE. Print the result of each rule to standard output, including the rule title, rule id and security identifiers (CVE, CCE). Optionally you can give a source datastream as the INPUT_FILE instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one rule with either a fail or an unknown result, oscap finishes with return code 2.

              Unless --skip-valid is used, the INPUT_FILE is validated using XSD schemas (depending on the document type of INPUT_FILE) and rejected if invalid.

              You may specify OVAL Definition files as the last parameter; XCCDF evaluation will then proceed only with those specified files. Otherwise, when the oval-definitions-files parameter is missing, the oscap tool will try to load all OVAL Definition files referenced from the XCCDF automatically (searching in the same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If "(all)" is given, a virtual profile that selects all groups and rules will be used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only this rule will be evaluated. The rule will use values according to the selected profile. If no profile is selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the profile from the tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use the tailoring component in the input source datastream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of the component-ref/@id attribute in the input source datastream). Select the profile from the tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected) for applicability checks. (Some CPE names are provided by openscap; see oscap --version for inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting Format. It is recommended to use this option instead of --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by DISA STIG Viewer. See http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx. This option should be used to generate results for DISA STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer, use --results instead.

              --thin-results
                     Thin Results provides only a minimal amount of information in OVAL/ARF results. The option --without-syschar is automatically enabled when you use Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result files.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used for evaluation. A file named 'original-oval-definitions-filename.result.xml' will be generated for each referenced OVAL file in the current working directory. To change the directory where the OVAL files are generated, change the CWD using the `cd` command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine plugin is asked to export its results. The export itself is plugin specific; please refer to the documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the external variables' values that were provided to the OVAL checking engine during evaluation. The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the datastream with that particular ID from the given datastream collection. If not given, the first datastream is used. Only applies if you give a source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream. If none is given, the first component from the checklists element is used.

              --benchmark-id ID
                     Select a component ref from any datastream that references a component with an XCCDF Benchmark such that its @id attribute matches the given string exactly. Please note that this is not the recommended way of selecting a component-ref. You are advised to use --xccdf-id AND/OR --datastream-id for more precision. --benchmark-id is only used when both --xccdf-id and --datastream-id are not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF evaluation. This option automatically executes the content of XCCDF fix elements for failed rules, and thus this shall be avoided unless for trusted content. Use of this option is always at your own risk.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the INPUT_FILE is the result of an `oscap xccdf eval` operation. The input file must contain a TestResult element. This module executes XCCDF fix elements for the failed rule-results contained in the given TestResult. Use of this option is always at your own risk and it shall be avoided unless for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be remedied. If this option is missing, the last TestResult (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected) for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting Format. It is recommended to use this option instead of --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by DISA STIG Viewer. See http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx. This option should be used to generate results for DISA STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer, use --results instead.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used for evaluation. A file named 'original-oval-definitions-filename.result.xml' will be generated for each referenced OVAL file.

              --check-engine-results
                     After evaluation is finished, each loaded check engine plugin is asked to export its results. The export itself is plugin specific; please refer to the documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the external variables' values that were provided to the OVAL checking engine during evaluation. The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --progress
                     Switch to sparse output suitable for progress reporting. The format of the output is "$rule_id:$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification. It will flatten the inheritance hierarchy of XCCDF profiles, groups, rules, and values. The result is another XCCDF document, which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every error found is printed to standard error. The return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower. Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during evaluation of a certain profile and export them as OVAL external-variables document(s). The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Use the datastream with that particular ID from the given datastream collection. If not given, the first datastream is used. Only applies if you give a source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected) for applicability checks. The variables documents are created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a security guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate an HTML document containing a security guide from an XCCDF Benchmark. Unless the --output option is specified, it will be written to standard output. Without a profile being set, only groups (not rules) will be included in the output.

                     --output FILE
                            Write the guide to this file instead of standard output.

                     --hide-profile-info
                            This option has no effect and is kept only for backward compatibility purposes.

                     --benchmark-id ID
                            Select a component ref from any datastream that references a component with an XCCDF Benchmark such that its @id attribute matches the given string exactly.

                     --xccdf-id ID
                            Take the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream. If none is given, the first component from the checklists element is used.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the profile from the tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source datastream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of the component-ref/@id attribute in the input source datastream). Select the profile from the tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

              report [options] xccdf-file
                     Generate an HTML document containing the results of an XCCDF Benchmark execution. Unless the --output option is specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report will be generated.

                     --oval-template template-string
                            To include additional information from OVAL in the XCCDF result file, a template which will be used to obtain OVAL result file names has to be specified. The template can be either a filename or a string containing the wildcard character (percent sign '%'). The wildcard will be replaced by the original OVAL definition file name as referenced from the XCCDF file. This way it is possible to obtain OVAL information even from XCCDF documents referencing several OVAL files. To use this option with results from an XCCDF evaluation, specify %.result.xml as the OVAL file name template.

                     --sce-template template-string
                            To include additional information from SCE in the XCCDF result file, a template which will be used to obtain SCE result file names has to be specified. The template can be either a filename or a string containing the wildcard character (percent sign '%'). The wildcard will be replaced by the original SCE script file name as referenced from the XCCDF file. This way it is possible to obtain SCE information even from XCCDF documents referencing several SCE files. To use this option with results from an XCCDF evaluation, specify %.result.xml as the SCE file name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state of compliance with the given XCCDF Benchmark. There are 2 possibilities when generating fixes: Result-oriented fixes (--result-id) or Profile-oriented fixes (--profile). Result-oriented takes precedence over Profile-oriented: if a result-id is given, oscap will ignore any profile provided.

                     Result-oriented fixes are generated using the provided result-id to select only the failing rules from the results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules within the provided profile. If neither result-id nor profile is provided, the (default) profile will be used to generate fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. The default is bash. This option is mutually exclusive with --template, because the fix type already determines the template URN.

                     --output FILE
                            Write the output to this file instead of standard output.

                     --result-id ID
                            Fixes will be generated for the failed rule-results of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it contains a dot '.' it is interpreted as the location of a file with the template definition. Otherwise it identifies a template from the standard set, which currently includes: bash (default if no --template switch is present). A brief explanation of the process of writing your own templates is in the XSL file xsl/legacy-fix.xsl in the openscap data directory. You can also take a look at the default template xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream. If none is given, the first component from the checklists element is used.

                     --benchmark-id ID
                            Select a component ref from any datastream that references a component with an XCCDF Benchmark such that its @id attribute matches the given string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the profile from the tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source datastream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of the component-ref/@id attribute in the input source datastream). Select the profile from the tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to format the output.

                     --output FILE
                            Write the document into the file.

OVAL MODULE
       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL Definition file. Print the result of each definition to standard output. The return code is 0 after a successful evaluation. On error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or a SCAP Source Datastream; it depends on the options used.

              Unless --skip-valid is used, the INPUT_FILE is validated using XSD schemas (depending on the document type of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL Definition File.

              --variables FILE
                     Provide external variables expected by the OVAL Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired results content.

              --without-syschar
                     Don't provide system characteristics in the result file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human readable (HTML) report from the OVAL Results.

              --datastream-id ID
                     Use the datastream with that particular ID from the given datastream collection. If not given, the first datastream is used. Only applies if you give a source datastream in place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks. This allows selecting a particular OVAL component even in cases where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the Datastream.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified OVAL Object.

              --variables FILE
                     Provide external variables expected by the OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into the file.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on the local system, but relies upon the input file, which may have been generated on another system. The output (OVAL Results) is printed to the file specified by the --results parameter.

              --variables FILE
                     Provide external variables expected by the OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired results content.

              --skip-valid
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error found is printed to standard error. The return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected by default. If you want to enforce a certain document type, you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a visualisation of an OVAL results file. Unless the --output option is specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard output.

CPE MODULE
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML schema. Every error found is printed to standard error. The return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the CPE dictionary is not valid.

CVSS MODULE
       score cvss_vector
              Calculate the score from a CVSS vector. Prints the base score for a base CVSS vector, base and temporal scores for a temporal CVSS vector, and base, temporal and environmental scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components specified as key-value pairs. Each key can be specified at most once. A valid CVSS vector has to contain at least the base CVSS metrics, i.e. AV, AC, AU, C, I, and A. The following table summarizes the components and their possible values (the second column is the metric category: B for base, T for temporal, E for environmental):

              AV:[L|A|N]             B  Access vector: Local, Adjacent network, Network
              AC:[H|M|L]             B  Access complexity: High, Medium, Low
              AU:[M|S|N]             B  Required authentication: Multiple instances, Single instance, None
              C:[N|P|C]              B  Confidentiality impact: None, Partial, Complete
              I:[N|P|C]              B  Integrity impact: None, Partial, Complete
              A:[N|P|C]              B  Availability impact: None, Partial, Complete
              E:[ND|U|POC|F|H]       T  Exploitability: Not Defined, Unproven, Proof of Concept, Functional, High
              RL:[ND|OF|TF|W|U]      T  Remediation Level: Not Defined, Official Fix, Temporary Fix, Workaround, Unavailable
              RC:[ND|UC|UR|C]        T  Report Confidence: Not Defined, Unconfirmed, Uncorroborated, Confirmed
              CDP:[ND|N|L|LM|MH|H]   E  Collateral Damage Potential: Not Defined, None, Low, Low-Medium, Medium-High, High
              TD:[ND|N|L|M|H]        E  Target Distribution: Not Defined, None, Low, Medium, High
              CR:[ND|L|M|H]          E  Confidentiality requirement: Not Defined, Low, Medium, High
              IR:[ND|L|M|H]          E  Integrity requirement: Not Defined, Low, Medium, High
              AR:[ND|L|M|H]          E  Availability requirement: Not Defined, Low, Medium, High

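       As an added example that is not part of this manual page or of OpenSCAP, the following Python module enforces the vector rules stated above (slash-separated KEY:VALUE pairs, each key at most once, the six base metrics mandatory) and computes the base, temporal and environmental scores that `oscap cvss score` prints, plus the impact and exploitability partial scores that `describe` shows. The metric weights and equations are those of the CVSS v2 specification.

```python
import math

# Metric weights from the CVSS v2 specification, keyed by the abbreviations in
# the table above (B = base, T = temporal, E = environmental).
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # B  Access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # B  Access complexity
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},    # B  Required authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # B  Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # B  Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # B  Availability impact
}
TEMPORAL = {
    "E": {"ND": 1.0, "U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0},    # T  Exploitability
    "RL": {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},  # T  Remediation Level
    "RC": {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0},             # T  Report Confidence
}
ENVIRONMENTAL = {
    "CDP": {"ND": 0.0, "N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5},  # E
    "TD": {"ND": 1.0, "N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0},            # E
    "CR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},                       # E
    "IR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},                       # E
    "AR": {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51},                       # E
}
METRICS = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def parse_vector(vector):
    """Enforce the rules above: KEY:VALUE pairs separated by slashes, each key at
    most once, only known keys and values, and all six base metrics present."""
    metrics = {}
    for part in vector.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in METRICS:
            raise ValueError(f"unknown or malformed component {part!r}")
        if value not in METRICS[key]:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        if key in metrics:
            raise ValueError(f"metric {key} given more than once")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("base metrics missing: " + ", ".join(missing))
    return metrics


def _round1(x):
    # CVSS v2 rounds half up to one decimal; the epsilon absorbs float noise.
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def _weight(group, m, key):
    return group[key][m.get(key, "ND")]  # absent T/E metrics count as Not Defined


def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    c, i, a = BASE["C"][m["C"]] * cr, BASE["I"][m["I"]] * ir, BASE["A"][m["A"]] * ar
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _exploitability(m):
    return 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["AU"][m["AU"]]


def _base(m, impact):
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * _exploitability(m) - 1.5) * f_impact)


def _temporal(m, base):
    return _round1(base * _weight(TEMPORAL, m, "E") * _weight(TEMPORAL, m, "RL")
                   * _weight(TEMPORAL, m, "RC"))


def subscores(vector):
    """Partial scores in the spirit of `oscap cvss describe`: impact and exploitability."""
    m = parse_vector(vector)
    return {"impact": _round1(_impact(m)), "exploitability": _round1(_exploitability(m))}


def score(vector):
    """Scores as `oscap cvss score` reports them: base always, temporal when temporal
    metrics are present, environmental (with temporal) when environmental metrics are."""
    m = parse_vector(vector)
    out = {"base": _base(m, _impact(m))}
    has_temporal = any(k in m for k in TEMPORAL)
    has_environmental = any(k in m for k in ENVIRONMENTAL)
    if has_temporal or has_environmental:
        out["temporal"] = _temporal(m, out["base"])
    if has_environmental:
        # AdjustedImpact caps at 10; AdjustedTemporal re-runs base+temporal with it.
        adjusted_impact = min(10.0, _impact(m, _weight(ENVIRONMENTAL, m, "CR"),
                                            _weight(ENVIRONMENTAL, m, "IR"),
                                            _weight(ENVIRONMENTAL, m, "AR")))
        adjusted_temporal = _temporal(m, _base(m, adjusted_impact))
        cdp, td = _weight(ENVIRONMENTAL, m, "CDP"), _weight(ENVIRONMENTAL, m, "TD")
        out["environmental"] = _round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)
    return out
```

       Running `score("AV:N/AC:L/AU:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H")`, the worked vector from the CVSS v2 guide, yields base 7.8, temporal 6.4 and environmental 9.2, matching the guide's published values.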

DS MODULE
       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Create a source datastream from the XCCDF file given in SOURCE_XCCDF and store the result in TARGET_SDS. Dependencies like OVAL files are automatically detected and bundled in the target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Add the given NEW_COMPONENT file to the existing source datastream (EXISTING_SDS). The component file might be an OVAL, XCCDF or CPE Dictionary file. Dependencies like OVAL files are automatically detected and bundled in the target source datastream.

              --datastream-id DATASTREAM_ID
                     Use the datastream with that particular ID from the given datastream collection. If not given, the first datastream is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Split the given source datastream into multiple files and store all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Use the datastream with that particular ID from the given datastream collection. If not given, the first datastream is used.

              --xccdf-id XCCDF_ID
                     Take the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the Datastream.

       sds-validate SOURCE_DS
              Validate the given source datastream file against an XML schema. Every error found is printed to standard error. The return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the source datastream is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Take the given source datastream, XCCDF and OVAL results, create a result datastream (in Asset Reporting Format) and save it to the file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Take the given result datastream (also called ARF = Asset Reporting Format) and split the given report and its respective report-request into the given target directory. If no report-id is given, we assume the user wants the first applicable report in top-down order in the file.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result datastream file against an XML schema. Every error found is printed to standard error. The return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the result datastream is not valid.

CVE MODULE
       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score, vector string and vulnerable software list.

EXIT STATUS
       Normally, the exit status is 0 when the operation finished successfully and 1 otherwise. In cases when oscap performs evaluation of the system it may return 2, indicating success of the operation but non-compliance of the assessed system.

EXAMPLES
       Evaluate XCCDF content using a CPE dictionary and produce an HTML report. In this case we use the United States Government Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop.

           oscap xccdf eval --fetch-remote-resources --oval-results \
               --profile united_states_government_configuration_baseline \
               --report usgcb-rhel5desktop.report.html \
               --results usgcb-rhel5desktop-xccdf.xml.result.xml \
               --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
               usgcb-rhel5desktop-xccdf.xml

       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

       Red Hat content repository - http://www.redhat.com/security/data/oval/

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug report.

AUTHORS
       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>

Red Hat                              October 2018                              OSCAP(8)