OSCAP(8)                System Administration Utilities               OSCAP(8)

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation
             [operation-options-and-arguments]

DESCRIPTION

       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for different SCAP
       specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology.

GENERAL OPTIONS

       -V, --version
              Print supported SCAP specifications, location of schema files,
              schematron files, CPE files, probes and supported OVAL objects.
              Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

COMMON OPTIONS FOR ALL MODULES

       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level.
              VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set filename to write additional information.

INFO OPERATIONS

       [options] any-scap-file.xml
              This module prints information about SCAP content in a file
              specified on the command line. It determines SCAP content type,
              specification version, date of creation, date of import and so
              on. The info module doesn't require any additional operation
              switch.

              For XCCDF or Datastream files, the info module prints out IDs of
              incorporated profiles, components, and datastreams. These IDs
              can be used to specify the target for evaluation. Use options
              --profile, --xccdf-id (or --oval-id), and --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title>
                     format, one line per profile.

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document file given as
              INPUT_FILE. Print the result of each rule to standard output,
              including rule title, rule id and security identifier (CVE,
              CCE). Optionally you can give a source datastream as the
              INPUT_FILE instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either fail or unknown result, oscap finishes with return
              code 2.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on document type of INPUT_FILE) and
              rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, the oscap tool will try to load all OVAL Definition
              files referenced from the XCCDF automatically (searching in the
              same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. The rule will use values
                     according to the selected profile. If no profile is
                     selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the
                     profile from the tailoring file to apply using --profile.
                     If both --tailoring-file and --tailoring-id are
                     specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use the tailoring component in the input source
                     datastream for XCCDF tailoring. The tailoring component
                     must be specified by its Ref-ID (value of the
                     component-ref/@id attribute in the input source
                     datastream). Select the profile from the tailoring
                     component to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided by
                     openscap; see oscap --version for inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx.
                     This option should be used to generate results for DISA
                     STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6
                     or newer, use --results instead.

              --thin-results
                     Thin Results provides only a minimal amount of
                     information in OVAL/ARF results. The option
                     --without-syschar is automatically enabled when you use
                     Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in the current
                     working directory. To change the directory where OVAL
                     result files are generated, change the CWD using the
                     `cd` command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used. Only applies if you give a source
                     datastream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows you to select a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     datastream. If none is given, the first component from
                     the checklists element is used.

              --benchmark-id ID
                     Select a component ref from any datastream that
                     references a component with an XCCDF Benchmark such that
                     its @id attribute matches the given string exactly.
                     Please note that this is not the recommended way of
                     selecting a component-ref. You are advised to use
                     --xccdf-id AND/OR --datastream-id for more precision.
                     --benchmark-id is only used when both --xccdf-id and
                     --datastream-id are not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the
                     content of XCCDF fix elements for failed rules, and thus
                     it shall be avoided except for trusted content. Use of
                     this option is always at your own risk.

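
              A scripted run of the eval operation described above, as an
              added example that is not part of the oscap man page or of the
              OpenSCAP project: it maps the documented return codes (0, 1, 2)
              to a verdict, summarises the --progress output, and when rules
              failed writes a bash fix script from the results with
              `generate fix --result-id` instead of passing --remediate to
              eval. The datastream path, profile ID and output directory are
              assumptions; set OSCAP_RUN_EXAMPLE=1 to actually run the scan.

```shell
#!/bin/sh
# Added example, not code from the oscap man page or the OpenSCAP project.
# Drives `oscap xccdf eval` and acts on its documented return codes.
# DS and PROFILE are assumed values; override them in the environment.

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-example-ds.xml}"   # assumed path
PROFILE="${PROFILE:-xccdf_org.example_profile_hardened}"            # assumed ID
OUTDIR="${OUTDIR:-./scan-output}"

# Map the return code of `oscap xccdf eval` to a verdict word:
#   0 = all rules passed, 1 = error during evaluation,
#   2 = at least one rule with a fail or unknown result.
eval_verdict() {
    case "$1" in
        0) echo compliant ;;
        1) echo error ;;
        2) echo noncompliant ;;
        *) echo unexpected ;;
    esac
}

# Summarise --progress output ("$rule_id:$result" per line, on stdin) into
# one line of counts: "<pass> <fail> <unknown> <error> <other>".
summarize_progress() {
    awk -F: '
        NF < 2 { next }            # skip anything that is not rule_id:result
        { r = $NF }
        r == "pass"    { p++; next }
        r == "fail"    { f++; next }
        r == "unknown" { u++; next }
        r == "error"   { e++; next }
        { o++ }
        END { printf "%d %d %d %d %d\n", p, f, u, e, o }'
}

# Print the ids of rules that ended with fail or unknown, one per line.
failed_rules() {
    awk -F: 'NF >= 2 && ($NF == "fail" || $NF == "unknown") { print $1 }'
}

# Return the id of the last TestResult element in an XCCDF results file,
# which is what `oscap xccdf generate fix --result-id` expects.
last_testresult_id() {
    grep -o '<[A-Za-z0-9:]*TestResult[^>]*id="[^"]*"' "$1" \
        | sed 's/.*id="\([^"]*\)"/\1/' | tail -n 1
}

# Run the evaluation, keep XCCDF results, ARF and HTML report, and on a
# non-compliant result write a bash remediation script for later review
# instead of letting eval apply fixes itself (--remediate).
run_scan() {
    mkdir -p "$OUTDIR"
    if oscap xccdf eval --profile "$PROFILE" --progress \
           --results "$OUTDIR/results.xml" --results-arf "$OUTDIR/arf.xml" \
           --report "$OUTDIR/report.html" "$DS" > "$OUTDIR/progress.log"
    then rc=0; else rc=$?; fi
    verdict=$(eval_verdict "$rc")
    echo "oscap returned $rc ($verdict)"
    echo "pass fail unknown error other: $(summarize_progress < "$OUTDIR/progress.log")"
    case "$verdict" in
        error)
            return 1 ;;
        noncompliant)
            failed_rules < "$OUTDIR/progress.log" > "$OUTDIR/failed-rules.txt"
            oscap xccdf generate fix --fix-type bash \
                --result-id "$(last_testresult_id "$OUTDIR/results.xml")" \
                --output "$OUTDIR/remediate.sh" "$OUTDIR/results.xml"
            echo "fix script for $(grep -c . "$OUTDIR/failed-rules.txt") rules: $OUTDIR/remediate.sh" ;;
    esac
    return 0
}

# Only run the scan when explicitly requested, so the helpers above can be
# sourced and exercised without oscap installed.
if [ "${OSCAP_RUN_EXAMPLE:-0}" = 1 ]; then
    run_scan
fi
```
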
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the
              INPUT_FILE is the result of an `oscap xccdf eval` operation. The
              input file must contain a TestResult element. This module
              executes XCCDF fix elements for failed rule-results contained in
              the given TestResult. Use of this option is always at your own
              risk and it shall be avoided except for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last TestResult
                     (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with datastreams.

              --stig-viewer FILE
                     Write XCCDF results into FILE in a format readable by
                     DISA STIG Viewer. See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx.
                     This option should be used to generate results for DISA
                     STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6
                     or newer, use --results instead.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --progress
                     Switch to sparse output suitable for progress reporting.
                     The format of the output is "$rule_id:$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules, and values. The result is another XCCDF
              document, which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every
              error found is printed to standard error. The return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.
                     Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Use the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used. Only applies if you give a source
                     datastream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows you to select a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     datastream.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a
              security guide or result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate an HTML document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it will be written to standard output.
                     Without a profile being set, only groups (not rules)
                     will be included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            This option has no effect and is kept only for
                            backward compatibility purposes.

                     --benchmark-id ID
                            Select a component ref from any datastream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows you to select a
                            particular XCCDF component even in cases where
                            there are 2 XCCDFs in one datastream. If none is
                            given, the first component from the checklists
                            element is used.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source
                            datastream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (value
                            of the component-ref/@id attribute in the input
                            source datastream). Select the profile from the
                            tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

              report [options] xccdf-file
                     Generate an HTML document containing the results of an
                     XCCDF Benchmark execution. Unless the --output option is
                     specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --oval-template template-string
                            To include additional information from OVAL in
                            the XCCDF result file, a template which will be
                            used to obtain OVAL result file names has to be
                            specified. The template can be either a filename
                            or a string containing the wildcard character
                            (percent sign '%'). The wildcard will be replaced
                            by the original OVAL definition file name as
                            referenced from the XCCDF file. This way it is
                            possible to obtain OVAL information even from
                            XCCDF documents referencing several OVAL files.
                            To use this option with results from an XCCDF
                            evaluation, specify %.result.xml as the OVAL file
                            name template.

                     --sce-template template-string
                            To include additional information from SCE in
                            the XCCDF result file, a template which will be
                            used to obtain SCE result file names has to be
                            specified. The template can be either a filename
                            or a string containing the wildcard character
                            (percent sign '%'). The wildcard will be replaced
                            by the original SCE script file name as
                            referenced from the XCCDF file. This way it is
                            possible to obtain SCE information even from
                            XCCDF documents referencing several SCE files. To
                            use this option with results from an XCCDF
                            evaluation, specify %.result.xml as the SCE file
                            name template.

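
                     The --oval-template wildcard described above, as an
                     added example that is not part of the oscap man page or
                     of the OpenSCAP project: it expands a '%' template for
                     each OVAL file the XCCDF references through
                     check-content-ref/@href, checks that the matching
                     --oval-results file exists in the working directory, and
                     only then calls `generate report`. The template and all
                     file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the oscap man page or the OpenSCAP project.
# Resolves the --oval-template wildcard the way the man page describes
# ('%' -> referenced OVAL definition file name) and checks that every
# expected OVAL result file exists before generating the HTML report.

# Expand a template string: each '%' becomes the referenced file name.
# Done with shell parameter expansion so that names containing '/', '&'
# or '.' need no escaping.
expand_template() {   # $1 = template, $2 = referenced file name
    tpl=$1; out=""
    while [ -n "$tpl" ]; do
        case "$tpl" in
            *%*) out="$out${tpl%%%*}$2"; tpl=${tpl#*%} ;;
            *)   out="$out$tpl"; tpl="" ;;
        esac
    done
    printf '%s\n' "$out"
}

# List the distinct check-content-ref/@href values of an XCCDF document,
# i.e. the check files oscap loaded automatically during eval.
referenced_checks() {   # $1 = XCCDF (results) file
    grep -o '<[A-Za-z0-9:]*check-content-ref[^>]*href="[^"]*"' "$1" \
        | sed 's/.*href="\([^"]*\)"/\1/' | sort -u
}

# For each referenced file print "<href> <expected result file> <ok|missing>".
# With template '%.result.xml' the expected names match what --oval-results
# writes into the working directory during eval.
check_oval_results() {   # $1 = XCCDF results, $2 = template, $3 = directory
    referenced_checks "$1" | while IFS= read -r href; do
        f=$(expand_template "$2" "$href")
        if [ -f "$3/$f" ]; then state=ok; else state=missing; fi
        printf '%s %s %s\n' "$href" "$f" "$state"
    done
}

# Build the HTML report from the directory in which eval was run (where
# --oval-results wrote its files); refuse when per-rule OVAL detail would
# be silently absent because a result file is missing.
generate_report() {   # $1 = XCCDF results file, $2 = output HTML file
    tpl='%.result.xml'
    if check_oval_results "$1" "$tpl" . | grep ' missing$'; then
        echo "rerun eval with --oval-results here to produce the files above" >&2
        return 1
    fi
    oscap xccdf generate report --oval-template "$tpl" --output "$2" "$1"
}
```
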
              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are
                     2 possibilities when generating fixes: result-oriented
                     fixes (--result-id) or profile-oriented fixes
                     (--profile). Result-oriented takes precedence over
                     profile-oriented: if a result-id is given, oscap will
                     ignore any profile provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If no result-id/profile is
                     provided, the (default) profile will be used to generate
                     fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script can
                            be generated. TYPE should be one of: bash,
                            ansible, puppet, anaconda, ignition, kubernetes.
                            Default is bash. This option is mutually
                            exclusive with --template, because the fix type
                            already determines the template URN.

                     --output FILE
                            Write the generated script to this file instead
                            of standard output.

                     --result-id ID
                            Fixes will be generated for the failed
                            rule-results of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.', it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file
                            xsl/legacy-fix.xsl in the openscap data
                            directory. You can also take a look at the
                            default template xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows you to select a
                            particular XCCDF component even in cases where
                            there are 2 XCCDFs in one datastream. If none is
                            given, the first component from the checklists
                            element is used.

                     --benchmark-id ID
                            Select a component ref from any datastream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source
                            datastream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (value
                            of the component-ref/@id attribute in the input
                            source datastream). Select the profile from the
                            tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet
                            to format the output.

                     --output FILE
                            Write the document into FILE.


OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definition file. Print the result of each definition to
              standard output. The return code is 0 after a successful
              evaluation. On error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or a SCAP
              Source Datastream, depending on the options used.

              Unless --skip-valid is used, the INPUT_FILE is validated using
              XSD schemas (depending on document type of INPUT_FILE) and
              rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the
                     OVAL Definition File.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Don't provide system characteristics in the result file.

              --results FILE
                     Write OVAL Results into FILE.

              --report FILE
                     Create a human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Use the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used. Only applies if you give a source
                     datastream in place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks.
                     This allows you to select a particular OVAL component
                     even in cases where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     Datastream.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into FILE.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is printed to the file specified by the --results
              parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected
                     by default. If you want to enforce a certain document
                     type, you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able to find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a
                     visualisation of an OVAL results file. Unless the
                     --output option is specified, it will be written to
                     standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.


CPE OPERATIONS

       check name
              Check whether name is in the correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML
              schema. Every error found is printed to standard error.
              The return code is 0 if validation succeeds, 1 if validation
              could not be performed due to some error, and 2 if the CPE
              dictionary is not valid.



CVSS OPERATIONS

       score cvss_vector
              Calculate the score from a CVSS vector. Prints the base
              score for a base CVSS vector, the base and temporal scores
              for a temporal CVSS vector, and the base, temporal and
              environmental scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components
       specified as key:value pairs. Each key can be specified at most
       once. A valid CVSS vector has to contain at least the base CVSS
       metrics, i.e. AV, AC, AU, C, I and A. The metrics below are those
       of CVSS version 2 (the authentication metric is spelled "Au" in
       the CVSS specification); a CVSS version 3 vector string, prefixed
       "CVSS:3.x/", uses a different metric set and is not described by
       this table. The following table summarizes the components and
       their possible values (the second column is the metric category:
       B for base, T for temporal, E for environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent
                                        network, Network

              AC:[H|M|L]            B   Access complexity: High, Medium,
                                        Low

              AU:[M|S|N]            B   Required authentication: Multiple
                                        instances, Single instance, None

              C:[N|P|C]             B   Confidentiality impact: None,
                                        Partial, Complete

              I:[N|P|C]             B   Integrity impact: None, Partial,
                                        Complete

              A:[N|P|C]             B   Availability impact: None,
                                        Partial, Complete

              E:[ND|U|POC|F|H]      T   Exploitability: Not Defined,
                                        Unproven, Proof of Concept,
                                        Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined,
                                        Official Fix, Temporary Fix,
                                        Workaround, Unavailable

              RC:[ND|UC|UR|C]       T   Report Confidence: Not Defined,
                                        Unconfirmed, Uncorroborated,
                                        Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not
                                        Defined, None, Low, Low-Medium,
                                        Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined,
                                        None, Low, Medium, High

              CR:[ND|L|M|H]         E   Confidentiality requirement: Not
                                        Defined, Low, Medium, High

              IR:[ND|L|M|H]         E   Integrity requirement: Not
                                        Defined, Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not
                                        Defined, Low, Medium, High

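       The following Python module is an added example and not OpenSCAP
       code: it parses the vector syntax described above with the rules
       stated there (known keys only, each key at most once, all six
       base metrics present) and computes the base, temporal and
       environmental scores the way "oscap cvss score" reports them,
       using the weights and equations of the CVSS version 2
       specification. One assumption of the example: a vector that
       carries environmental metrics but no temporal ones is treated as
       having all temporal metrics Not Defined.

```python
"""CVSS v2 vector parsing and scoring (added example, not OpenSCAP code)."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Metric weights from the CVSS v2 specification. Keys are upper-cased so
# that both "Au:N" (spec spelling) and "AU:N" (as in this man page) parse.
BASE = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "AU": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
}
TEMPORAL = {
    "E": {"ND": D("1.0"), "U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0")},
    "RL": {"ND": D("1.0"), "OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0")},
    "RC": {"ND": D("1.0"), "UC": D("0.90"), "UR": D("0.95"), "C": D("1.0")},
}
ENVIRONMENTAL = {
    "CDP": {"ND": D("0"), "N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5")},
    "TD": {"ND": D("1.0"), "N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0")},
    "CR": {"ND": D("1.0"), "L": D("0.5"), "M": D("1.0"), "H": D("1.51")},
    "IR": {"ND": D("1.0"), "L": D("0.5"), "M": D("1.0"), "H": D("1.51")},
    "AR": {"ND": D("1.0"), "L": D("0.5"), "M": D("1.0"), "H": D("1.51")},
}
ALL_METRICS = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {metric: value}, enforcing the rules from
    the man page: known keys/values only, no duplicate key, all base metrics."""
    metrics = {}
    for component in vector.split("/"):
        key, sep, value = component.partition(":")
        key, value = key.upper(), value.upper()
        if not sep or key not in ALL_METRICS:
            raise ValueError("unknown component %r" % component)
        if value not in ALL_METRICS[key]:
            raise ValueError("invalid value %r for metric %s" % (value, key))
        if key in metrics:
            raise ValueError("metric %s specified more than once" % key)
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return metrics


def _round1(x):
    # The spec's round_to_1_decimal. Decimal avoids binary-float surprises
    # such as an exact 9.15 rounding down to 9.1.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _base_score(impact, exploitability):
    if impact == 0:  # f(Impact) = 0: no impact scores 0 whatever the exploitability
        return D("0.0")
    return _round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * D("1.176"))


def score(vector):
    """Return {'base': ...} plus 'temporal' and 'environmental' when the vector
    carries those metric groups, mirroring what `oscap cvss score` prints."""
    m = parse_vector(vector)

    def weight(k):  # optional metrics that are absent count as Not Defined
        return ALL_METRICS[k][m.get(k, "ND")]

    conf, integ, avail = weight("C"), weight("I"), weight("A")
    impact = D("10.41") * (1 - (1 - conf) * (1 - integ) * (1 - avail))
    exploitability = 20 * weight("AV") * weight("AC") * weight("AU")
    result = {"base": float(_base_score(impact, exploitability))}

    has_temporal = any(k in m for k in TEMPORAL)
    has_env = any(k in m for k in ENVIRONMENTAL)
    if not (has_temporal or has_env):
        return result
    temporal_factor = weight("E") * weight("RL") * weight("RC")
    result["temporal"] = float(_round1(_base_score(impact, exploitability) * temporal_factor))
    if has_env:
        # Security requirements scale each impact; AdjustedImpact is capped at 10,
        # then the base and temporal equations are re-run on the adjusted value.
        adj_impact = min(D("10"), D("10.41") * (1 - (1 - conf * weight("CR"))
                                                  * (1 - integ * weight("IR"))
                                                  * (1 - avail * weight("AR"))))
        adj_temporal = _round1(_base_score(adj_impact, exploitability) * temporal_factor)
        result["environmental"] = float(_round1(
            (adj_temporal + (10 - adj_temporal) * weight("CDP")) * weight("TD")))
    return result
```

       Rounding is done in decimal arithmetic with half-up rounding at
       each step the specification rounds, so intermediate values such
       as an adjusted temporal score of 8.265 become 8.3 before they feed
       the next equation.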

DS OPERATIONS

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates a source datastream from the XCCDF file given in
              SOURCE_XCCDF and stores the result in TARGET_SDS.
              Dependencies like OVAL files are automatically detected and
              bundled in the target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds the given NEW_COMPONENT file to the existing source
              datastream (EXISTING_SDS). The component file may be an
              OVAL, XCCDF or CPE Dictionary file. Dependencies like OVAL
              files are automatically detected and bundled in the target
              source datastream.

              --datastream-id DATASTREAM_ID
                     Uses the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits the given source datastream into multiple files and
              stores all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses the datastream with that particular ID from the
                     given datastream collection. If not given, the first
                     datastream is used.

              --xccdf-id XCCDF_ID
                     Takes the component-ref with the given ID from the
                     checklists. This allows selecting a particular XCCDF
                     component even in cases where there are 2 XCCDFs in
                     one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from
                     the datastream.

       sds-validate SOURCE_DS
              Validate the given source datastream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation
              could not be performed due to some error, and 2 if the
              source datastream is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes the given source datastream, XCCDF results and OVAL
              results and creates a result datastream (in Asset Reporting
              Format), which is saved to the file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes the given result datastream (also called ARF = Asset
              Reporting Format) and splits the given report and its
              respective report-request into the given target directory.
              If no report-id is given, the first applicable report in
              top-down order in the file is used.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result datastream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation
              could not be performed due to some error, and 2 if the
              result datastream is not valid.


CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base
              score, vector string and vulnerable software list.


EXIT STATUS

       Normally, the exit status is 0 when the operation finished
       successfully and 1 otherwise. When oscap performs an evaluation of
       the system it may return 2, indicating that the operation
       succeeded but the assessed system is not compliant. Scripts that
       gate on the result must therefore treat 1 (the tool could not
       complete the operation) and 2 (the evaluation completed and found
       failing rules) differently. The validate operations follow the
       same convention: 1 means validation could not be performed, 2
       means the document is not valid.


EXAMPLES

       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case we use the United States Government
       Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5
       Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml

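       The following Python wrapper is an added example, not OpenSCAP
       code. It assembles the "oscap xccdf eval" command line shown
       above, applies the EXIT STATUS convention (1 is a failed scan, 2
       is a completed scan with failing rules), and lists the failing
       rule identifiers from the --results file. It assumes oscap is on
       PATH; the xccdf_example_* identifiers and the SAMPLE_RESULTS
       document are constructed for illustration and are not real
       content.

```python
"""Drive `oscap xccdf eval` and interpret the result (added example, not OpenSCAP code)."""
import subprocess
import xml.etree.ElementTree as ET

# Exit codes documented in the EXIT STATUS section of oscap(8).
OSCAP_OK, OSCAP_ERROR, OSCAP_NONCOMPLIANT = 0, 1, 2


def build_eval_argv(xccdf, profile, report, results, cpe=None, fetch_remote=False):
    """Assemble the argv for `oscap xccdf eval` with the options used in EXAMPLES."""
    argv = ["oscap", "xccdf", "eval"]
    if fetch_remote:
        # Remote components are fetched from URLs embedded in the content itself.
        argv.append("--fetch-remote-resources")
    argv += ["--oval-results", "--profile", profile,
             "--report", report, "--results", results]
    if cpe:
        argv += ["--cpe", cpe]
    argv.append(xccdf)
    return argv


def classify_exit(returncode):
    """Map oscap's exit status to a verdict: 1 means the scan itself failed,
    2 means the scan worked but the system failed at least one rule."""
    return {OSCAP_OK: "compliant", OSCAP_NONCOMPLIANT: "non-compliant"}.get(returncode, "error")


def _local_name(tag):
    # Strip the XML namespace so XCCDF 1.1 and 1.2 documents are handled alike.
    return tag.rsplit("}", 1)[-1]


def failed_rules(results_xml):
    """Return the idref of every rule-result whose result is 'fail' or 'error'
    in an XCCDF results document (the file written by --results)."""
    root = ET.fromstring(results_xml)
    failed = []
    for rule_result in root.iter():
        if _local_name(rule_result.tag) != "rule-result":
            continue
        outcome = next((child.text for child in rule_result
                        if _local_name(child.tag) == "result"), None)
        if outcome in ("fail", "error"):
            failed.append(rule_result.get("idref"))
    return failed


def evaluate(xccdf, profile, report, results, cpe=None, fetch_remote=False):
    """Run the evaluation and return (verdict, list of failing rule ids)."""
    argv = build_eval_argv(xccdf, profile, report, results, cpe, fetch_remote)
    proc = subprocess.run(argv)  # oscap prints its own progress to stdout/stderr
    verdict = classify_exit(proc.returncode)
    if verdict == "error":
        return verdict, []  # exit 1: no trustworthy results file to parse
    with open(results, "rb") as fh:
        return verdict, failed_rules(fh.read())


# Constructed sample of a results file, trimmed to the elements the parser uses.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_selinux_enforcing">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    print(classify_exit(OSCAP_NONCOMPLIANT), failed_rules(SAMPLE_RESULTS))
```

       A CI job built on this would fail the build on "error" (the scan
       did not run to completion) and report the rule list on
       "non-compliant", instead of collapsing both into a single
       non-zero exit.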

CONTENT

        SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

        National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

        Red Hat content repository - http://www.redhat.com/security/data/oval/



REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --version` in the bug report.



AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>



Red Hat                          October 2018                         OSCAP(8)