OSCAP(8)                System Administration Utilities               OSCAP(8)

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation
             [operation-options-and-arguments]

DESCRIPTION

       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for the different
       SCAP specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology.

GENERAL OPTIONS

       -V, --version
              Print the supported SCAP specifications, the location of schema
              files, Schematron files, CPE files and probes, and the supported
              OVAL objects. Also displays a list of inbuilt CPE names.

       -h, --help
              Show the help screen.

MODULES

       info   Determine the type of a file and print information about it.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

       cvrf   Common Vulnerability Reporting Framework.

COMMON OPTIONS FOR ALL MODULES

       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level.
              VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set the filename to which additional information is written.

INFO OPERATIONS

       [options] any-scap-file.xml
              This module prints information about the SCAP content in the
              file given on the command line. It determines the SCAP content
              type, specification version, date of creation, date of import
              and so on. The info module does not require an additional
              operation switch.

              For XCCDF or SCAP source data stream files, the info module
              prints the IDs of the incorporated profiles, components and data
              streams. These IDs can be used to specify the target for
              evaluation; use the options --profile, --xccdf-id (or --oval-id)
              and --datastream-id respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

              --profile PROFILE
                     Show info about the profile with the given ID.

              --profiles
                     Show the profiles from the input file in <id>:<title>
                     format, one line per profile.

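       The <id>:<title> listing printed by --profiles is the natural input
       for a pre-scan check. The following script is an added example and is
       not part of the oscap man page or the OpenSCAP project: it extracts
       the profile IDs from that output, splitting on the first colon only
       because a title may itself contain colons, and refuses to continue if
       a requested profile is absent from the content. The sample lines,
       profile IDs and file paths in it are constructed placeholders; the
       final function assumes oscap is installed.

```shell
#!/bin/sh
# Added example (not from the oscap man page or the OpenSCAP project): list
# the profile IDs that "oscap info --profiles" prints and check that a
# requested profile exists before a scan is started. Per the man page the
# output is "<id>:<title>", one profile per line; titles may contain ':'
# so only the first colon separates the ID from the title.

# Read "<id>:<title>" lines on stdin, print only the IDs.
profile_ids() {
    cut -d: -f1
}

# Return 0 if the profile ID in $1 appears in the "<id>:<title>" lines on
# stdin, 1 otherwise. Whole-line, fixed-string match: being a prefix of
# another profile ID is not enough.
has_profile() {
    wanted=$1
    profile_ids | grep -qxF -- "$wanted"
}

# Query the data stream $1 and succeed only if profile $2 is present.
# Assumes oscap is installed; file and profile names are caller supplied.
check_profile_in_file() {
    oscap info --profiles "$1" | has_profile "$2"
}

# Constructed sample of "oscap info --profiles" output (illustrative IDs,
# not taken from any real content); the second title contains a colon.
SAMPLE_PROFILES='xccdf_org.example.content_profile_standard:Standard System Security Profile
xccdf_org.example.content_profile_cis:CIS Benchmark: Level 2 Server'

# Entry point: runs only when a data stream and a profile ID are given.
if [ "$#" -ge 2 ]; then
    if check_profile_in_file "$1" "$2"; then
        echo "profile $2 found in $1"
    else
        echo "profile $2 not found in $1" >&2
        exit 1
    fi
fi
```

       The same ID list can be fed to --profile for the eval operation, and
       the check avoids discovering a typo in the profile ID only after the
       evaluation has started.
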

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform an evaluation of the XCCDF document given as INPUT_FILE.
              The result of each rule is printed to standard output, including
              the rule title, rule ID and security identifiers (CVE, CCE).
              Optionally you can give an SCAP source data stream as the
              INPUT_FILE instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either a fail or an unknown result, oscap finishes with
              return code 2.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE
              is validated using XSD schemas (depending on the document type
              of INPUT_FILE) and rejected if invalid.

              You may specify OVAL Definition files as the last parameter; the
              XCCDF evaluation will then proceed only with those files. When
              the oval-definitions-files parameter is missing, oscap will try
              to load all OVAL Definition files referenced from the XCCDF
              automatically (searching in the same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules is used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. The rule will use values
                     according to the selected profile; if no profile is
                     selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the
                     profile from the tailoring file to apply using --profile.
                     If both --tailoring-file and --tailoring-id are
                     specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use a tailoring component in the input source data stream
                     for XCCDF tailoring. The tailoring component must be
                     specified by its Ref-ID (the value of the
                     component-ref/@id attribute in the input source data
                     stream). Select the profile from the tailoring component
                     to apply using --profile. If both --tailoring-file and
                     --tailoring-id are specified, --tailoring-file takes
                     priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided by
                     openscap; see oscap --version for the inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to the STIG references in the
                     evaluated content, so that FILE can be imported directly
                     into DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --thin-results
                     Thin Results provide only a minimal amount of information
                     in the OVAL/ARF results. The option --without-syschar is
                     automatically enabled when you use Thin Results.

              --without-syschar
                     Do not include system characteristics in the OVAL/ARF
                     result files.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for the evaluation. A file named
                     'original-oval-definitions-filename.result.xml' is
                     generated for each referenced OVAL file in the current
                     working directory. To change the directory where the OVAL
                     result files are generated, change the CWD using the `cd`
                     command.

              --check-engine-results
                     After the evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first data
                     stream is used. Only applies if you give a source data
                     stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component-ref with the given ID from the
                     checklists element. This allows selecting a particular
                     XCCDF component even in cases where there are two XCCDFs
                     in one data stream. If none is given, the first component
                     from the checklists element is used.

              --benchmark-id ID
                     Select a component-ref from any data stream that
                     references a component with an XCCDF Benchmark whose @id
                     attribute matches the given string exactly. Note that
                     this is not the recommended way of selecting a
                     component-ref; you are advised to use --xccdf-id and/or
                     --datastream-id for more precision. --benchmark-id is
                     only used when neither --xccdf-id nor --datastream-id is
                     present on the command line.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --skip-signature-validation
                     Do not validate digital signatures in digitally signed
                     SCAP source data streams.

              --enforce-signature
                     Process only digitally signed SCAP source data streams.
                     Data streams without a signature are rejected when this
                     switch is used.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation as part of the XCCDF evaluation.
                     This option automatically executes the content of the
                     XCCDF fix elements for failed rules, and thus it shall be
                     avoided except for trusted content. Use of this option is
                     always at your own risk.

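       The validate-then-evaluate sequence described above, with the eval
       return codes (0 all rules pass, 1 evaluation error, 2 at least one
       fail or unknown result) and the separate 0/1/2 meaning of the validate
       operation documented further down, interpreted by a wrapper script.
       This is an added example, not part of the oscap man page or the
       OpenSCAP project. The data stream path, profile ID and output
       directory are placeholders passed by the caller, and the script
       assumes oscap is installed.

```shell
#!/bin/sh
# Added example (not from the oscap man page or the OpenSCAP project): a scan
# wrapper that validates the content first, then runs "oscap xccdf eval" and
# interprets the documented exit codes. Paths and the profile ID are caller
# supplied placeholders; oscap is assumed to be installed.

# Exit codes of "oscap xccdf eval": 0 all rules pass, 1 evaluation error,
# 2 at least one rule failed or has an unknown result.
eval_status() {
    case "$1" in
        0) echo compliant ;;
        1) echo error ;;
        2) echo noncompliant ;;
        *) echo "unexpected($1)" ;;
    esac
}

# Exit codes of "oscap xccdf validate": 0 valid, 1 validation could not be
# performed, 2 document not valid.
validate_status() {
    case "$1" in
        0) echo valid ;;
        1) echo error ;;
        2) echo invalid ;;
        *) echo "unexpected($1)" ;;
    esac
}

# A CI job wants to tell "the host is non-compliant" (a finding, exit 2)
# apart from "the scan did not run" (an operational failure, exit 1).
is_finding() {
    [ "$1" -eq 2 ]
}

# $1 = SCAP source data stream, $2 = profile ID, $3 = output directory.
run_scan() {
    ds=$1; profile=$2; outdir=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$outdir"

    # Step 1: schema validation. Any non-zero code stops here instead of
    # falling back to --skip-valid just to get some output.
    oscap xccdf validate "$ds"; rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "validate: $(validate_status "$rc") (rc=$rc)" >&2
        return "$rc"
    fi

    # Step 2: evaluation. ARF is the recommended result format for data
    # streams; an HTML report is written alongside it. Signature validation
    # stays on (no --skip-signature-validation). No "set -e" here, because
    # rc 2 is a normal outcome, not a script failure.
    oscap xccdf eval --profile "$profile" \
        --results-arf "$outdir/arf-$stamp.xml" \
        --report "$outdir/report-$stamp.html" \
        "$ds"; rc=$?
    echo "eval: $(eval_status "$rc") (rc=$rc), report: $outdir/report-$stamp.html"
    return "$rc"
}

# Entry point: runs only when all three arguments are given.
if [ "$#" -ge 3 ]; then
    run_scan "$1" "$2" "$3"
fi
```

       Returning the raw oscap code from run_scan keeps the three outcomes
       distinguishable to whatever calls the script, which matters when a
       scheduler would otherwise treat an error and a non-compliant result
       the same way.
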
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that
              INPUT_FILE is the result of an `oscap xccdf eval` operation; the
              input file must contain a TestResult element. This module
              executes the XCCDF fix elements for the failed rule-results
              contained in the given TestResult. Use of this operation is
              always at your own risk and it shall be avoided except for
              trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last TestResult
                     (in top-down processing order) is remedied.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to the STIG references in the
                     evaluated content, so that FILE can be imported directly
                     into DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for the evaluation. A file named
                     'original-oval-definitions-filename.result.xml' is
                     generated for each referenced OVAL file.

              --check-engine-results
                     After the evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the OVAL
                     checking engine during evaluation. The filename format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --progress
                     Switch to sparse output suitable for progress reporting.
                     The format of the output is "$rule_id:$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It flattens the inheritance hierarchy of XCCDF profiles, groups,
              rules and values. The result is another XCCDF document, which is
              written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, and 2 if the XCCDF document is not valid.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron is able
                     to find more errors and inconsistencies but is much
                     slower. Schematron is available only for XCCDF version
                     1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              the evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from the
                     XCCDF by check-content-ref/@href.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first data
                     stream is used. Only applies if you give an SCAP source
                     data stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component-ref with the given ID from the
                     checklists element. This allows selecting a particular
                     XCCDF component even in cases where there are two XCCDFs
                     in one data stream.

              --benchmark-id ID
                     Select a component-ref from any data stream that
                     references a component with an XCCDF Benchmark whose @id
                     attribute matches the given string exactly. Note that
                     this is not the recommended way of selecting a
                     component-ref; you are advised to use --xccdf-id and/or
                     --datastream-id for more precision. --benchmark-id is
                     only used when neither --xccdf-id nor --datastream-id is
                     present on the command line.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document, such as a security guide or a result
              report, from an XCCDF file.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate an HTML document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it is written to standard output. Without a
                     profile being set, only groups (not rules) are included
                     in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            This option has no effect and is kept only for
                            backward compatibility purposes.

                     --benchmark-id ID
                            Select a component-ref from any data stream that
                            references a component with an XCCDF Benchmark
                            whose @id attribute matches the given string
                            exactly.

                     --xccdf-id ID
                            Take the component-ref with the given ID from the
                            checklists element. This allows selecting a
                            particular XCCDF component even in cases where
                            there are two XCCDFs in one data stream. If none
                            is given, the first component from the checklists
                            element is used.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the
                            profile from the tailoring file to apply using
                            --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source data
                            stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (the
                            value of the component-ref/@id attribute in the
                            input source data stream). Select the profile from
                            the tailoring component to apply using --profile.
                            If both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature are
                            rejected when this switch is used.

              report [options] xccdf-file
                     Generate an HTML document containing the results of an
                     XCCDF Benchmark execution. Unless the --output option is
                     specified, it is written to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --oval-template template-string
                            To include additional information from OVAL in the
                            XCCDF result file, a template which will be used to
                            obtain the OVAL result file names has to be
                            specified. The template can be either a filename
                            or a string containing the wildcard character
                            (percent sign '%'). The wildcard is replaced by the
                            original OVAL definition file name as referenced
                            from the XCCDF file. This way it is possible to
                            obtain OVAL information even from XCCDF documents
                            referencing several OVAL files. To use this option
                            with results from an XCCDF evaluation, specify
                            %.result.xml as the OVAL file name template.

                     --sce-template template-string
                            To include additional information from SCE in the
                            XCCDF result file, a template which will be used to
                            obtain the SCE result file names has to be
                            specified. The template can be either a filename
                            or a string containing the wildcard character
                            (percent sign '%'). The wildcard is replaced by the
                            original SCE script file name as referenced from
                            the XCCDF file. This way it is possible to obtain
                            SCE information even from XCCDF documents
                            referencing several SCE files. To use this option
                            with results from an XCCDF evaluation, specify
                            %.result.xml as the SCE file name template.

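       The wildcard expansion that --oval-template and --sce-template
       describe, carried out in a script so the result files a report will
       look for can be checked before the report is generated. This is an
       added example and is not part of the oscap man page or the OpenSCAP
       project; the file names in it are constructed placeholders, and the
       oscap invocation assumes oscap is installed. It covers both cases the
       text names: a template containing '%', which is replaced by the
       referenced OVAL file name, and a plain filename, which is used as-is.

```shell
#!/bin/sh
# Added example (not from the oscap man page or the OpenSCAP project):
# expand the --oval-template / --sce-template wildcard as the man page
# describes it, then generate the HTML report only once every expected OVAL
# result file exists. File names are constructed placeholders.

# $1 = template string, $2 = original OVAL definition file name as
# referenced from the XCCDF. The first '%' is replaced by $2; a template
# without '%' is a literal file name and is returned unchanged.
expand_template() {
    tpl=$1; name=$2
    case "$tpl" in
        *%*) printf '%s%s%s\n' "${tpl%%\%*}" "$name" "${tpl#*%}" ;;
        *)   printf '%s\n' "$tpl" ;;
    esac
}

# Print the result file expected for each OVAL file, one per line.
# $1 = template; remaining arguments = OVAL file names referenced by the
# XCCDF document.
expected_result_files() {
    tpl=$1; shift
    for f in "$@"; do
        expand_template "$tpl" "$f"
    done
}

# Generate the report with OVAL detail. $1 = XCCDF results file, $2 = output
# HTML file, $3 = template; remaining arguments = referenced OVAL files.
# Refuses to run if any expected result file is missing, so a typo in the
# template is caught here rather than discovered in the finished report.
generate_report_with_oval() {
    results=$1; out=$2; tpl=$3; shift 3
    for f in "$@"; do
        want=$(expand_template "$tpl" "$f")
        if [ ! -f "$want" ]; then
            echo "missing OVAL result file: $want" >&2
            return 1
        fi
    done
    oscap xccdf generate report --oval-template "$tpl" --output "$out" "$results"
}

# Entry point: runs only when arguments are given, e.g.
#   ./report.sh results.xml report.html '%.result.xml' demo-oval.xml
if [ "$#" -ge 4 ]; then
    generate_report_with_oval "$@"
fi
```

       With --oval-results used at evaluation time, which writes
       original-oval-definitions-filename.result.xml into the current
       working directory, the template %.result.xml resolves to exactly
       those files, as the text above recommends.
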
              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are
                     two possibilities when generating fixes: result-oriented
                     fixes (--result-id) or profile-oriented fixes
                     (--profile). Result-oriented takes precedence over
                     profile-oriented: if a result-id is given, oscap ignores
                     any profile provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If neither a result-id nor a
                     profile is provided, the (default) profile is used to
                     generate fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script can
                            be generated. TYPE should be one of: bash, ansible,
                            puppet, anaconda, ignition, kubernetes. Default is
                            bash. This option is mutually exclusive with
                            --template, because the fix type already
                            determines the template URN.

                     --output FILE
                            Write the generated script to this file instead of
                            standard output.

                     --result-id ID
                            Fixes will be generated for the failed rule-results
                            of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.' it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file
                            xsl/legacy-fix.xsl in the openscap data directory.
                            You can also take a look at the default template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component-ref with the given ID from the
                            checklists element. This allows selecting a
                            particular XCCDF component even in cases where
                            there are two XCCDFs in one data stream. If none
                            is given, the first component from the checklists
                            element is used.

                     --benchmark-id ID
                            Select a component-ref from any data stream that
                            references a component with an XCCDF Benchmark
                            whose @id attribute matches the given string
                            exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select the
                            profile from the tailoring file to apply using
                            --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source data
                            stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (the
                            value of the component-ref/@id attribute in the
                            input source data stream). Select the profile from
                            the tailoring component to apply using --profile.
                            If both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature are
                            rejected when this switch is used.

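       The result-oriented path described above needs the TestResult ID
       from the results file. The following script is an added example and
       is not part of the oscap man page or the OpenSCAP project: it
       extracts the TestResult IDs from an XCCDF results document, takes the
       last one (the same choice the remediate operation makes when
       --result-id is absent), and generates a fix script that covers only
       the rules that failed in that result, written to a file for review.
       The XML sample, rule IDs and file names are constructed placeholders;
       oscap is assumed to be installed for the final step.

```shell
#!/bin/sh
# Added example (not from the oscap man page or the OpenSCAP project): pick
# the TestResult in an XCCDF results file and generate a result-oriented fix
# script from it, i.e. one limited to the rules that failed in that result.
# The results file and output path are caller-supplied placeholders.

# Print the id attribute of every TestResult element in the XML on stdin, in
# document order. Handles a namespace prefix (<xccdf:TestResult ...>) and
# attributes spread over several lines by joining the input first.
testresult_ids() {
    tr '\n' ' ' | grep -o '<\([A-Za-z0-9_-]*:\)\{0,1\}TestResult[^>]*' \
        | sed -n 's/.*[[:space:]]id="\([^"]*\)".*/\1/p'
}

# The last TestResult in the file, in top-down order.
last_testresult_id() {
    testresult_ids | tail -n 1
}

# Generate the fix for the failed rule-results of the last TestResult.
# $1 = XCCDF results file, $2 = output script, $3 = fix type (default bash).
generate_result_fix() {
    rid=$(last_testresult_id < "$1")
    if [ -z "$rid" ]; then
        echo "no TestResult in $1; produce it with 'oscap xccdf eval --results' first" >&2
        return 1
    fi
    # --result-id takes precedence over --profile, so no profile is passed.
    oscap xccdf generate fix --fix-type "${3:-bash}" --result-id "$rid" \
        --output "$2" "$1"
}

# Constructed sample of an XCCDF results document with two TestResult
# elements (illustrative IDs, not taken from any real content).
SAMPLE_RESULTS='<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_first"
              start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <rule-result idref="xccdf_org.example_rule_demo"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_org.example_testresult_second">
    <rule-result idref="xccdf_org.example_rule_demo"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>'

# Entry point: runs only when a results file and an output path are given.
if [ "$#" -ge 2 ]; then
    generate_result_fix "$1" "$2" "${3:-bash}"
fi
```

       Writing the script with --output leaves a reviewable artifact, which
       is the difference between this path and --remediate, where the fix
       content runs during the evaluation itself.
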
              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                            Write the document into this file.


OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from an OVAL
              Definitions file. Print the result of each definition to the
              standard output. The return code is 0 after a successful
              evaluation. On error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definitions file or a SCAP
              source data stream, depending on the options used.

              Unless --skip-validation (--skip-valid) is used, INPUT_FILE is
              validated using XSD schemas (depending on the document type of
              INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL
                     Definitions file.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions file.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Don't include system characteristics in the result file.

              --results FILE
                     Write OVAL Results into FILE.

              --report FILE
                     Create a human-readable (HTML) report from the OVAL
                     Results.

              --datastream-id ID
                     Use the data stream with this particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if a source data
                     stream is given in place of an OVAL file.

              --oval-id ID
                     Take the component-ref with the given ID from the checks
                     section. This allows selecting a particular OVAL
                     component even when one data stream contains two OVAL
                     components.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

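       The OVAL Results file written by --results is the record an evaluation
       leaves behind, and reading it correctly requires knowing the class of
       each definition: a result of "true" means the definition's criteria
       hold, which is a pass for a compliance definition but means the system
       is affected for a vulnerability or patch definition. The following is an
       added example (not part of oscap or the OpenSCAP project) that joins the
       per-definition results with the definition classes embedded in the same
       document. The sample document is constructed by hand, trimmed to the
       oval-results-5 and oval-definitions-5 elements the summary uses, and the
       definition IDs in it are made up.

```python
"""Summarise an OVAL Results document of the kind `oscap oval eval --results FILE`
writes. Added example, not oscap code; the sample document below is constructed
by hand and trimmed to the oval-results-5 and oval-definitions-5 elements used."""
import xml.etree.ElementTree as ET
from collections import Counter

RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: three compliance definitions and one vulnerability
# definition. Real files also carry metadata, criteria, tests and system
# characteristics, none of which this summary needs.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="{RES_NS}" xmlns:oval-def="{DEF_NS}">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.example:def:1" class="compliance" version="1"/>
      <oval-def:definition id="oval:com.example:def:2" class="compliance" version="3"/>
      <oval-def:definition id="oval:com.example:def:3" class="compliance" version="1"/>
      <oval-def:definition id="oval:com.example:def:4" class="vulnerability" version="2"/>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example:def:1" result="true" version="1"/>
        <definition definition_id="oval:com.example:def:2" result="false" version="3"/>
        <definition definition_id="oval:com.example:def:3" result="error" version="1"/>
        <definition definition_id="oval:com.example:def:4" result="true" version="2"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def definition_classes(xml_text):
    """{definition id: class} taken from the embedded <oval_definitions>."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): d.get("class")
            for d in root.iter(f"{{{DEF_NS}}}definition")}


def definition_results(xml_text):
    """{definition id: result} taken from <results>/<system>/<definitions>."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(f"{{{RES_NS}}}definition")}


def interpret(result, cls):
    """Turn an OVAL result plus definition class into a verdict. 'true' means
    the criteria hold: for vulnerability/patch classes the system IS affected,
    for the compliance class the check PASSED."""
    if result not in ("true", "false"):
        # error, unknown, not evaluated, not applicable: never silently a pass
        return f"needs attention ({result})"
    if cls in ("vulnerability", "patch"):
        return "affected" if result == "true" else "not affected"
    if cls == "compliance":
        return "compliant" if result == "true" else "non-compliant"
    return f"{cls}: {result}"  # inventory, miscellaneous: report as-is


def evaluate(xml_text):
    """Verdict per definition id for a whole OVAL Results document."""
    classes = definition_classes(xml_text)
    return {def_id: interpret(res, classes.get(def_id, "unknown"))
            for def_id, res in definition_results(xml_text).items()}


if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_RESULTS)
    for def_id, verdict in verdicts.items():
        print(f"{def_id}: {verdict}")
    print("summary:", dict(Counter(verdicts.values())))
```

       Results other than "true" or "false" (error, unknown, not evaluated,
       not applicable) are reported separately rather than folded into either
       outcome, since a definition that could not be evaluated says nothing
       about the system's state.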
       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definitions file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into FILE.

              --skip-valid, --skip-validation
                     Do not validate input/output files.


       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input syschar-file,
              which may have been generated on another system. The output
              (OVAL Results) is written to the file specified by the
              --results parameter.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to the standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected
                     by default. If you want to enforce a certain document
                     type, use one of these options.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron
                     validation is able to find more errors and
                     inconsistencies than schema validation alone, but is
                     much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a visualisation
                     of an OVAL Results file. Unless the --output option is
                     specified, it is written to the standard output.

                     --output FILE
                            Write the report to this file instead of the
                            standard output.


CPE OPERATIONS

       check name
              Check whether name is in the correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML schema.
              Every error found is printed to the standard error. The return
              code is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the CPE dictionary is not
              valid.


CVSS OPERATIONS

       score cvss_vector
              Calculate the score from a CVSS vector. Prints the base score
              for a base CVSS vector, the base and temporal scores for a
              temporal CVSS vector, and the base, temporal and environmental
              scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components specified
       as key:value pairs. Each key can be specified at most once. A valid
       CVSS vector has to contain at least the base CVSS metrics, i.e. AV,
       AC, AU, C, I, and A. The following table summarizes the components and
       their possible values (the second column is the metric category: B for
       base, T for temporal, E for environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent network,
                                        Network

              AC:[H|M|L]            B   Access complexity: High, Medium, Low

              AU:[M|S|N]            B   Required authentication: Multiple
                                        instances, Single instance, None

              C:[N|P|C]             B   Confidentiality impact: None, Partial,
                                        Complete

              I:[N|P|C]             B   Integrity impact: None, Partial,
                                        Complete

              A:[N|P|C]             B   Availability impact: None, Partial,
                                        Complete

              E:[ND|U|POC|F|H]      T   Exploitability: Not Defined, Unproven,
                                        Proof of Concept, Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined,
                                        Official Fix, Temporary Fix,
                                        Workaround, Unavailable

              RC:[ND|UC|UR|C]       T   Report Confidence: Not Defined,
                                        Unconfirmed, Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not
                                        Defined, None, Low, Low-Medium,
                                        Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined, None,
                                        Low, Medium, High

              CR:[ND|L|M|H]         E   Confidentiality requirement: Not
                                        Defined, Low, Medium, High

              IR:[ND|L|M|H]         E   Integrity requirement: Not Defined,
                                        Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not Defined,
                                        Low, Medium, High

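       The vector grammar above (slash-separated key:value pairs, each key at
       most once, the six base metrics mandatory) and the two scores the
       score operation prints for a temporal vector can be checked
       independently of oscap. The following is an added example, not oscap's
       own implementation: a parser that enforces those rules and a base and
       temporal score calculator using the equations and metric weights of the
       CVSS v2 specification. Environmental metrics (CDP, TD, CR, IR, AR) are
       validated against the table but not scored here. Keys are compared
       case-insensitively, so both the AU spelling used in this page and the
       Au spelling of the specification are accepted.

```python
"""CVSS v2 vector parser with base and temporal scoring, in the vector format
the oscap cvss module accepts. Added example, not oscap code; weights and
equations follow the CVSS v2 specification. Environmental metrics are parsed
and validated but not scored."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (keys uppercased).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"ND": 1.0, "U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0},
    "RL": {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},
    "RC": {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0},
}
# Environmental metrics: only the allowed values are checked here.
ENV_VALUES = {
    "CDP": {"ND", "N", "L", "LM", "MH", "H"},
    "TD": {"ND", "N", "L", "M", "H"},
    "CR": {"ND", "L", "M", "H"},
    "IR": {"ND", "L", "M", "H"},
    "AR": {"ND", "L", "M", "H"},
}
BASE = ("AV", "AC", "AU", "C", "I", "A")
TEMPORAL = ("E", "RL", "RC")


def parse_vector(vector):
    """Split 'AV:N/AC:M/...' into a dict, enforcing: known keys, known values,
    each key at most once, and all six base metrics present."""
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise ValueError(f"malformed component {part!r}")
        key, value = part.split(":", 1)
        key, value = key.upper(), value.upper()
        if key in metrics:
            raise ValueError(f"metric {key} given more than once")
        allowed = WEIGHTS.get(key) or ENV_VALUES.get(key)
        if allowed is None or value not in allowed:
            raise ValueError(f"unknown metric or value {part!r}")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def _round1(x):
    """Round half up to one decimal, as the CVSS v2 equations require."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(metrics):
    w = {k: WEIGHTS[k][metrics[k]] for k in BASE}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["AU"]
    f_impact = 0 if impact == 0 else 1.176  # f(Impact) from the spec
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(metrics):
    """Temporal score scales the rounded base score; ND metrics weigh 1.0."""
    factor = 1.0
    for k in TEMPORAL:
        factor *= WEIGHTS[k][metrics.get(k, "ND")]
    return _round1(base_score(metrics) * factor)


def score(vector):
    """{'base': ...} plus 'temporal' when any temporal metric is present."""
    m = parse_vector(vector)
    out = {"base": base_score(m)}
    if any(k in m for k in TEMPORAL):
        out["temporal"] = temporal_score(m)
    return out


if __name__ == "__main__":
    for v in ("AV:N/AC:M/AU:N/C:P/I:P/A:P",
              "AV:N/AC:M/AU:N/C:P/I:P/A:P/E:POC/RL:OF/RC:UC",
              "AV:N/AC:L/AU:N/C:C/I:C/A:C"):
        print(v, score(v))
```

       A vector such as AV:N/AC:M/AU:N/C:P/I:P/A:P scores 6.8; adding
       E:POC/RL:OF/RC:UC lowers the temporal score to 4.8, because the
       temporal factors can only hold or reduce the base score.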

DS OPERATIONS

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Create a SCAP source data stream from the XCCDF file given in
              SOURCE_XCCDF and store the result in TARGET_SDS. Dependencies
              like OVAL files are automatically detected and bundled in the
              created source data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Add the given NEW_COMPONENT file to the existing source data
              stream (EXISTING_SDS). The component file may be an OVAL, XCCDF
              or CPE dictionary file. Dependencies like OVAL files are
              automatically detected and bundled in the target source data
              stream.

              --datastream-id DATASTREAM_ID
                     Use the data stream with this particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Split the given source data stream into multiple files and
              store all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Use the data stream with this particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --xccdf-id XCCDF_ID
                     Take the component-ref with the given ID from the
                     checklists section. This allows selecting a particular
                     XCCDF component even when one data stream contains two
                     XCCDF components.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

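       The --datastream-id, --xccdf-id (above) and --oval-id (oval eval)
       options all take IDs that live inside the source data stream
       collection: the id of a ds:data-stream element, and the ids of the
       ds:component-ref elements in its checklists and checks sections. The
       following is an added example, not part of oscap, that lists those IDs
       from a collection so the right ones can be passed on the command line,
       and also reports component-refs whose xlink:href points outside the
       file, which is the class of reference --fetch-remote-resources allows
       oscap to download. The sample collection is constructed by hand with
       made-up IDs; the remote URL in it is a placeholder, not a real feed.

```python
"""List the IDs in a SCAP source data stream collection that --datastream-id,
--xccdf-id and --oval-id select. Added example, not oscap code; the sample
below is a hand-constructed minimal collection using the scap/source/1.2
element names (data-stream, checklists, checks, component-ref)."""
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: one collection, one data stream, one XCCDF checklist and
# three OVAL check components, one of them referenced by URL rather than
# embedded (the "two OVALs in one data stream" case, plus a remote one).
SAMPLE_SDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="{DS_NS}" xmlns:xlink="{XLINK_NS}"
    id="scap_com.example_collection_demo" schematron-version="1.2">
  <ds:data-stream id="scap_com.example_datastream_demo" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_com.example_cref_demo-xccdf.xml" xlink:href="#scap_com.example_comp_demo-xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_com.example_cref_demo-oval.xml" xlink:href="#scap_com.example_comp_demo-oval.xml"/>
      <ds:component-ref id="scap_com.example_cref_demo-cpe-oval.xml" xlink:href="#scap_com.example_comp_demo-cpe-oval.xml"/>
      <ds:component-ref id="scap_com.example_cref_remote-oval.xml" xlink:href="https://example.invalid/remote-oval.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def q(tag):
    """Clark-notation name for an element in the data stream namespace."""
    return f"{{{DS_NS}}}{tag}"


def list_ids(xml_text):
    """{data-stream id: {'dictionaries': [...], 'checklists': [...], 'checks': [...]}}
    where each list holds the component-ref ids in that section."""
    root = ET.fromstring(xml_text)
    out = {}
    for ds in root.iterfind(q("data-stream")):
        sections = {}
        for section in ("dictionaries", "checklists", "checks"):
            sec = ds.find(q(section))
            sections[section] = [] if sec is None else [
                c.get("id") for c in sec.iterfind(q("component-ref"))]
        out[ds.get("id")] = sections
    return out


def remote_refs(xml_text):
    """hrefs of component-refs that do not point at a component inside the
    file (no leading '#'); evaluating these needs --fetch-remote-resources."""
    root = ET.fromstring(xml_text)
    hrefs = (c.get(f"{{{XLINK_NS}}}href") or "" for c in root.iter(q("component-ref")))
    return [h for h in hrefs if not h.startswith("#")]


def suggest_options(xml_text):
    """The option strings that select each data stream and component."""
    lines = []
    for ds_id, secs in list_ids(xml_text).items():
        lines.append(f"--datastream-id {ds_id}")
        lines.extend(f"  --xccdf-id {cref}" for cref in secs["checklists"])
        lines.extend(f"  --oval-id {cref}" for cref in secs["checks"])
    return lines


if __name__ == "__main__":
    print("\n".join(suggest_options(SAMPLE_SDS)))
    for href in remote_refs(SAMPLE_SDS):
        print("remote component (needs --fetch-remote-resources):", href)
```

       Without --fetch-remote-resources, oscap evaluates only the components
       embedded in the file, so listing the remote references first tells you
       which checks would otherwise be skipped.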
       sds-validate SOURCE_DS
              Validate the given source data stream file against an XML
              schema. Every error found is printed to the standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the source data stream
              is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS
       [OVAL_RESULTS ..]]
              Take the given source data stream, XCCDF and OVAL results and
              create a result data stream (in Asset Reporting Format), saving
              it to the file given in TARGET_ARF.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Take the given result data stream (also called ARF, Asset
              Reporting Format) and split the given report and its respective
              report-request into the given target directory. If no
              report-id is given, the first applicable report in top-down
              order in the file is used.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result data stream file against an XML
              schema. Every error found is printed to the standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the result data stream
              is not valid.



CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score,
              vector string and vulnerable software list.



EXIT STATUS

       Normally, the exit status is 0 when the operation finished
       successfully and 1 otherwise. When oscap performs an evaluation of
       the system, it may return 2, indicating that the operation succeeded
       but the assessed system is not compliant.


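       The distinction matters when oscap runs unattended: exit status 2 is a
       finding about the scanned system, not a tool failure, and a script that
       treats every non-zero status as an error (for instance a shell script
       running under set -e) will discard exactly the result it was run to
       obtain. The following is an added example, not part of oscap, of a
       wrapper that keeps the three documented statuses apart. The command
       runner is injectable so the demo and its checks use a stand-in that
       returns chosen exit codes instead of invoking oscap; the command line
       passed to it is a made-up placeholder.

```python
"""Run an oscap evaluation and classify its exit status. Added example, not
part of oscap. The runner is injectable so a stand-in can return the three
documented exit codes without oscap being installed."""
import subprocess
from dataclasses import dataclass

# Exit status meanings from the EXIT STATUS section of oscap(8).
EXIT_MEANING = {
    0: "success",       # operation finished successfully
    1: "error",         # operation failed
    2: "noncompliant",  # evaluation ran; the assessed system is not compliant
}


@dataclass
class EvalOutcome:
    returncode: int
    status: str  # success | error | noncompliant | unexpected
    stdout: str
    stderr: str

    @property
    def evaluation_ran(self):
        """True when oscap itself did not fail; compliance is a separate question."""
        return self.status in ("success", "noncompliant")


def classify(returncode):
    return EXIT_MEANING.get(returncode, "unexpected")


def run_oscap_eval(args, runner=subprocess.run):
    """args: the oscap command line after 'oscap', e.g. ['xccdf', 'eval', ...].
    runner must accept (cmd, capture_output=True, text=True) and return an
    object with returncode/stdout/stderr, as subprocess.run does."""
    proc = runner(["oscap", *args], capture_output=True, text=True)
    return EvalOutcome(proc.returncode, classify(proc.returncode),
                       proc.stdout or "", proc.stderr or "")


def fake_runner(returncode, stdout="", stderr=""):
    """Stand-in for subprocess.run that returns a fixed exit code (constructed
    for the demo; nothing here is oscap output)."""
    def run(cmd, capture_output=True, text=True):
        return subprocess.CompletedProcess(cmd, returncode, stdout, stderr)
    return run


if __name__ == "__main__":
    # Placeholder command line; the profile and file names are made up.
    demo_args = ["xccdf", "eval", "--profile", "demo_profile", "demo-ds.xml"]
    for code in (0, 1, 2, 130):
        outcome = run_oscap_eval(demo_args, runner=fake_runner(code))
        print(code, outcome.status,
              "evaluation ran" if outcome.evaluation_ran else "tool failed")
```

       In a pipeline, status "error" should fail the job and be investigated,
       while "noncompliant" is a scan result to be reported from the written
       results or report file, not a reason to rerun the scan.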

EXAMPLES

       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case we use the United States Government Configuration
       Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml


CONTENT

       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

       Red Hat CVE content repository - https://www.redhat.com/security/data/metrics/ds/v2/



REPORTING BUGS

       Please report bugs at https://github.com/OpenSCAP/openscap/issues and
       make sure you include the full output of `oscap -V` in the bug report.



AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>



Red Hat                           March 2021                          OSCAP(8)