OSCAP(8)                System Administration Utilities                OSCAP(8)

NAME
       oscap - OpenSCAP command line tool

SYNOPSIS
       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION
       oscap is a Security Content Automation Protocol (SCAP) toolkit based on
       the OpenSCAP library. It provides various functions for the different
       SCAP specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an Authenticated
       Configuration Scanner and an Authenticated Vulnerability Scanner as
       defined by the National Institute of Standards and Technology.

GENERAL OPTIONS
       -V, --version
              Print supported SCAP specifications, location of schema files,
              schematron files, CPE files, probes and supported OVAL objects.
              Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES
       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

       cvrf   Common Vulnerability Reporting Framework.

COMMON OPTIONS
       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level.
              VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set the filename to which additional information is written.


INFO OPERATIONS
       [options] any-scap-file.xml
              This module prints information about the SCAP content in the
              file specified on the command line. It determines the SCAP
              content type, specification version, date of creation, date of
              import and so on. The info module doesn't require any additional
              operation switch.

              For XCCDF or SCAP source data stream files, the info module
              prints out the IDs of incorporated profiles, components, and
              data streams. These IDs can be used to specify the target for
              evaluation: use the options --profile, --xccdf-id (or
              --oval-id), and --datastream-id respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title>
                     format, one line per profile.


XCCDF OPERATIONS
       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document file given as
              INPUT_FILE. Print the result of each rule to standard output,
              including rule title, rule id and security identifier (CVE,
              CCE). Optionally you can give an SCAP source data stream as the
              INPUT_FILE instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either a fail or an unknown result, oscap finishes with
              return code 2.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE
              is validated using XSD schemas (depending on the document type
              of INPUT_FILE) and rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, oscap will try to load all OVAL Definition files
              referenced from the XCCDF automatically (searching in the same
              path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. The rule will use values
                     according to the selected profile. If no profile is
                     selected, default values are used.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the
                     profile from the tailoring file to apply using
                     --profile. If both --tailoring-file and --tailoring-id
                     are specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use a tailoring component in the input source data
                     stream for XCCDF tailoring. The tailoring component must
                     be specified by its Ref-ID (value of the
                     component-ref/@id attribute in the input source data
                     stream). Select the profile from the tailoring component
                     to apply using --profile. If both --tailoring-file and
                     --tailoring-id are specified, --tailoring-file takes
                     priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided
                     by openscap; see oscap --version for inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to STIG references in the
                     evaluated content. The FILE can be imported directly
                     into DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --thin-results
                     Thin Results provides only a minimal amount of
                     information in OVAL/ARF results. The option
                     --without-syschar is automatically enabled when you use
                     Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file named
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in the current
                     working directory. To change the directory where the
                     OVAL files are generated, change the CWD using the `cd`
                     command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give a source
                     data stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows selecting a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     data stream. If none is given, the first component from
                     the checklists element is used.

              --benchmark-id ID
                     Select a component ref from any data stream that
                     references a component with an XCCDF Benchmark such that
                     its @id attribute matches the given string exactly.
                     Please note that this is not the recommended way of
                     selecting a component-ref. You are advised to use
                     --xccdf-id AND/OR --datastream-id for more precision.
                     --benchmark-id is only used when both --xccdf-id and
                     --datastream-id are not present on the command line!

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --skip-signature-validation
                     Do not validate digital signatures in digitally signed
                     SCAP source data streams.

              --enforce-signature
                     Process only digitally signed SCAP source data streams.
                     Data streams without a signature will be rejected if
                     this switch is used.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the
                     content of XCCDF fix elements for failed rules, and thus
                     shall be avoided unless for trusted content. Use of this
                     option is always at your own risk.

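       The exit-status contract of `oscap xccdf eval` described above (0 when
       every rule passes, 1 on an evaluation error, 2 when at least one rule
       fails or is unknown) and the "$rule_id:$result" lines written by
       --progress, put to work in an added wrapper script. This example is not
       part of this man page or of the OpenSCAP project; the OSCAP_BIN
       override variable, the stand-in command used to exercise it, and the
       file names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the oscap man page: a wrapper around
# `oscap xccdf eval` that treats the three documented exit statuses
# separately (0 = all rules pass, 1 = evaluation error, 2 = at least one
# fail/unknown result) and summarises the --progress output, whose format
# is "$rule_id:$result". Signature validation stays enabled and --remediate
# is not passed; remediation is a separate, deliberate step.
# OSCAP_BIN is an assumed override so the wrapper can be exercised with a
# stand-in command where oscap is not installed.
OSCAP_BIN="${OSCAP_BIN:-oscap}"

# Map an `oscap xccdf eval` exit status to a one-word verdict.
eval_verdict() {
    case "$1" in
        0) echo compliant ;;
        1) echo error ;;
        2) echo noncompliant ;;
        *) echo unexpected ;;
    esac
}

# Count the progress lines whose result field equals $1 (e.g. fail).
# Reads "$rule_id:$result" lines on stdin and prints the count.
count_results() {
    awk -F: -v want="$1" '$NF == want { n++ } END { print n + 0 }'
}

# Evaluate PROFILE from the source data stream DS, writing ARF results and
# an HTML report. Prints "<verdict> <number of failed rules>" and returns
# the oscap exit status unchanged so callers can branch on it.
run_eval() {
    ds="$1"; profile="$2"; arf="$3"; report="$4"
    status=0
    progress=$("$OSCAP_BIN" xccdf eval --profile "$profile" \
        --results-arf "$arf" --report "$report" --progress "$ds") || status=$?
    fails=$(printf '%s\n' "$progress" | count_results fail)
    echo "$(eval_verdict "$status") $fails"
    return "$status"
}

# Usage: ./eval-wrapper.sh ssg-ds.xml xccdf_profile_id results.arf.xml report.html
if [ "$#" -eq 4 ]; then
    run_eval "$@" || exit $?
fi
```

       Because the wrapper passes the exit status through, a scheduler or CI
       job can distinguish "scan broke" (1) from "host is non-compliant" (2)
       instead of collapsing both into a generic failure.
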
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that the
              INPUT_FILE is the result of an `oscap xccdf eval` operation. The
              input file must contain a TestResult element. This module
              executes XCCDF fix elements for each failed rule-result
              contained in the given TestResult. Use of this option is always
              at your own risk and it shall be avoided unless for trusted
              content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last TestResult
                     (in top-down processing) will be remedied.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to STIG references in the
                     evaluated content. The FILE can be imported directly
                     into DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file named
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export itself
                     is plugin specific; please refer to the documentation of
                     the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --progress
                     Switch to sparse output suitable for progress reporting.
                     The format of the output is "$rule_id:$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules, and values. The result is another XCCDF
              document, which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every
              error found is printed to standard error. The return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, 2 if the XCCDF document is not valid.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron is able
                     to find more errors and inconsistencies but is much
                     slower. Schematron is available only for XCCDF version
                     1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give an SCAP
                     source data stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows selecting a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     data stream.

              --benchmark-id ID
                     Select a component ref from any data stream that
                     references a component with an XCCDF Benchmark such that
                     its @id attribute matches the given string exactly.
                     Please note that this is not the recommended way of
                     selecting a component-ref. You are advised to use
                     --xccdf-id AND/OR --datastream-id for more precision.
                     --benchmark-id is only used when both --xccdf-id and
                     --datastream-id are not present on the command line!

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a
              security guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate an HTML document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it will be written to standard output.
                     Without a profile being set, only groups (not rules)
                     will be included in the output.

                     --output FILE
                            Write the guide to this file instead of standard
                            output.

                     --hide-profile-info
                            This option has no effect and is kept only for
                            backward compatibility purposes.

                     --benchmark-id ID
                            Select a component ref from any data stream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows selecting a particular
                            XCCDF component even in cases where there are 2
                            XCCDFs in one data stream. If none is given, the
                            first component from the checklists element is
                            used.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source
                            data stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (value
                            of the component-ref/@id attribute in the input
                            source data stream). Select the profile from the
                            tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature will be
                            rejected if this switch is used.

              report [options] xccdf-file
                     Generate an HTML document containing the results of an
                     XCCDF Benchmark execution. Unless the --output option is
                     specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report
                            will be generated.

                     --oval-template template-string
                            To include additional information from OVAL in
                            the XCCDF result file, a template which will be
                            used to obtain the OVAL result file names has to
                            be specified. The template can be either a
                            filename or a string containing the wildcard
                            character (percent sign '%'). The wildcard will
                            be replaced by the original OVAL definition file
                            name as referenced from the XCCDF file. This way
                            it is possible to obtain OVAL information even
                            from XCCDF documents referencing several OVAL
                            files. To use this option with results from an
                            XCCDF evaluation, specify %.result.xml as the
                            OVAL file name template.

                     --sce-template template-string
                            To include additional information from SCE in the
                            XCCDF result file, a template which will be used
                            to obtain the SCE result file names has to be
                            specified. The template can be either a filename
                            or a string containing the wildcard character
                            (percent sign '%'). The wildcard will be replaced
                            by the original SCE script file name as
                            referenced from the XCCDF file. This way it is
                            possible to obtain SCE information even from
                            XCCDF documents referencing several SCE files. To
                            use this option with results from an XCCDF
                            evaluation, specify %.result.xml as the SCE file
                            name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state
                     of compliance with the given XCCDF Benchmark. There are
                     2 possibilities when generating fixes: Result-oriented
                     fixes (--result-id) or Profile-oriented fixes
                     (--profile). Result-oriented takes precedence over
                     Profile-oriented: if a result-id is given, oscap will
                     ignore any profile provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If neither result-id nor
                     profile is provided, the (default) profile will be used
                     to generate fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script can
                            be generated. TYPE should be one of: bash,
                            ansible, puppet, anaconda, ignition, kubernetes.
                            Default is bash. This option is mutually
                            exclusive with --template, because the fix type
                            already determines the template URN.

                     --output FILE
                            Write the script to this file instead of standard
                            output.

                     --result-id ID
                            Fixes will be generated for the failed
                            rule-results of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it
                            contains a dot '.' it is interpreted as the
                            location of a file with the template definition.
                            Otherwise it identifies a template from the
                            standard set, which currently includes: bash
                            (default if no --template switch is present). A
                            brief explanation of the process of writing your
                            own templates is in the XSL file
                            xsl/legacy-fix.xsl in the openscap data
                            directory. You can also take a look at the
                            default template xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows selecting a particular
                            XCCDF component even in cases where there are 2
                            XCCDFs in one data stream. If none is given, the
                            first component from the checklists element is
                            used.

                     --benchmark-id ID
                            Select a component ref from any data stream that
                            references a component with an XCCDF Benchmark
                            such that its @id attribute matches the given
                            string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use a tailoring component in the input source
                            data stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID (value
                            of the component-ref/@id attribute in the input
                            source data stream). Select the profile from the
                            tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are
                            specified, --tailoring-file takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature will be
                            rejected if this switch is used.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet
                            to format the output.

                     --output FILE
                            Write the document into the file.

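       Both `xccdf remediate` and `xccdf generate fix --result-id` act on one
       TestResult, and the remediate operation above defaults to the last
       TestResult in top-down order when no --result-id is given. The added
       script below makes that choice explicit for an XCCDF results file
       written with --results and --oval-results, then drives `generate fix`
       and `generate report` (with the %.result.xml OVAL template described
       under --oval-template) for that result. This is example code, not part
       of this man page or of the OpenSCAP project; the OSCAP_BIN override,
       the stand-in command used to exercise it, and the output file names are
       assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the oscap man page: pick the TestResult that
# `oscap xccdf remediate` and `oscap xccdf generate fix --result-id` should
# act on. A results file may carry several TestResult elements; this selects
# the last one in document order (the default the remediate operation
# describes) and then runs the generate submodules for it. OSCAP_BIN is an
# assumed override so the generate step can be pointed at a stand-in
# command; the default output file names are constructed for the example.
OSCAP_BIN="${OSCAP_BIN:-oscap}"

# Print the id attribute of the last <TestResult> (optionally namespace
# prefixed, e.g. <xccdf:TestResult>) in an XCCDF results file. This is a
# text-level scan: it expects the id attribute on the same line as the
# element's start tag, which is how oscap writes its results.
xccdf_last_result_id() {
    grep -o '<\([A-Za-z0-9_.-]*:\)\{0,1\}TestResult[^>]*[[:space:]]id="[^"]*"' "$1" \
        | sed 's/.*[[:space:]]id="\([^"]*\)".*/\1/' \
        | tail -n 1
}

# Generate a bash fix script for the failed rule-results of the last
# TestResult in RESULTS, and an HTML report that pulls in the OVAL result
# files written by --oval-results (their names are
# original-oval-definitions-filename.result.xml, hence the %.result.xml
# template). Returns 1 and runs nothing if no TestResult is present.
generate_from_results() {
    results="$1"; fix_out="${2:-remediation.sh}"; report_out="${3:-report.html}"
    rid=$(xccdf_last_result_id "$results")
    [ -n "$rid" ] || { echo "no TestResult element in $results" >&2; return 1; }
    "$OSCAP_BIN" xccdf generate fix --fix-type bash --result-id "$rid" \
        --output "$fix_out" "$results" || return $?
    "$OSCAP_BIN" xccdf generate report --result-id "$rid" \
        --oval-template '%.result.xml' --output "$report_out" "$results"
}

# Usage: ./post-eval.sh results.xml [remediation.sh] [report.html]
if [ "$#" -ge 1 ]; then
    generate_from_results "$@" || exit $?
fi
```

       The generated remediation script is reviewed before it is run; this
       example only produces it, which keeps the "apply fixes" decision
       separate from the scan, as the man page's own warning on --remediate
       suggests.
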

OVAL OPERATIONS
       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definition file. Print the result of each definition to
              standard output. The return code is 0 after a successful
              evaluation. On error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or an SCAP
              source data stream; it depends on the options used.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE
              is validated using XSD schemas (depending on the document type
              of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the OVAL
                     Definition File.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Don't provide system characteristics in the result file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human-readable (HTML) report from the OVAL
                     Results.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give a source
                     data stream in place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks.
                     This allows selecting a particular OVAL component even
                     in cases where there are 2 OVALs in one data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into the file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is printed to the file specified by the --results
              parameter.

              --variables FILE
                     Provide the external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every error
              found is printed to standard error. The return code is 0 if
              validation succeeds, 1 if validation could not be performed due
              to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected
                     by default. If you want to enforce a certain document
                     type, you can use one of these options.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron is able
                     to find more errors and inconsistencies but is much
                     slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a
                     visualisation of an OVAL results file. Unless the
                     --output option is specified, it will be written to
                     standard output.

                     --output FILE
                            Write the report to this file instead of standard
                            output.


CPE OPERATIONS
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML schema.
              Every error found is printed to standard error. The return code
              is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the CPE dictionary is not
              valid.


CVSS OPERATIONS
       score cvss_vector
              Calculate a score from a CVSS vector. Prints the base score for
              a base CVSS vector, base and temporal scores for a temporal CVSS
              vector, and base, temporal and environmental scores for an
              environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components specified
       as key-value pairs. Each key can be specified at most once. A valid
       CVSS vector has to contain at least the base CVSS metrics, i.e. AV,
       AC, AU, C, I, and A. The following table summarizes the components and
       their possible values (the second column is the metric category: B for
       base, T for temporal, E for environmental):

       AV:[L|A|N]            B  Access vector: Local, Adjacent network, Network
       AC:[H|M|L]            B  Access complexity: High, Medium, Low
       AU:[M|S|N]            B  Required authentication: Multiple instances,
                                Single instance, None
       C:[N|P|C]             B  Confidentiality impact: None, Partial, Complete
       I:[N|P|C]             B  Integrity impact: None, Partial, Complete
       A:[N|P|C]             B  Availability impact: None, Partial, Complete
       E:[ND|U|POC|F|H]      T  Exploitability: Not Defined, Unproven,
                                Proof of Concept, Functional, High
       RL:[ND|OF|TF|W|U]     T  Remediation Level: Not Defined, Official Fix,
                                Temporary Fix, Workaround, Unavailable
       RC:[ND|UC|UR|C]       T  Report Confidence: Not Defined, Unconfirmed,
                                Uncorroborated, Confirmed
       CDP:[ND|N|L|LM|MH|H]  E  Collateral Damage Potential: Not Defined,
                                None, Low, Low-Medium, Medium-High, High
       TD:[ND|N|L|M|H]       E  Target Distribution: Not Defined, None, Low,
                                Medium, High
       CR:[ND|L|M|H]         E  Confidentiality requirement: Not Defined,
                                Low, Medium, High
       IR:[ND|L|M|H]         E  Integrity requirement: Not Defined, Low,
                                Medium, High
       AR:[ND|L|M|H]         E  Availability requirement: Not Defined, Low,
                                Medium, High

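       The vector grammar just described (slash-separated key:value pairs,
       each key at most once, the six base metrics mandatory, values drawn
       from the table) is small enough to validate in the shell, and the base
       score that `oscap cvss score` prints for a base vector follows from the
       CVSS v2 base equations. The added script below is not part of this man
       page or of the OpenSCAP project: it checks a vector against the table
       above, rejecting unknown keys, bad values, duplicates and missing base
       metrics, and computes the v2 base score with awk. The temporal and
       environmental equations are not implemented here, so those metrics are
       validated but not scored; the weights are the published CVSS v2
       constants.

```sh
#!/bin/sh
# Added example, not part of the oscap man page: validate a CVSS v2 vector
# string exactly as the text above describes (slash-separated key:value
# pairs, each key at most once, base metrics AV, AC, AU, C, I and A
# mandatory) and compute the base score with the CVSS v2 base equations.
# Temporal and environmental keys are checked against the table but not
# scored here. Requires only POSIX sh and awk.

# Print the values the table allows for metric $1; empty for unknown keys.
cvss2_values() {
    case "$1" in
        AV) echo "L A N" ;;        AC) echo "H M L" ;;
        AU) echo "M S N" ;;        C|I|A) echo "N P C" ;;
        E) echo "ND U POC F H" ;;  RL) echo "ND OF TF W U" ;;
        RC) echo "ND UC UR C" ;;   CDP) echo "ND N L LM MH H" ;;
        TD) echo "ND N L M H" ;;   CR|IR|AR) echo "ND L M H" ;;
    esac
}

# CVSS v2 numeric weight of base metric $1 with value $2.
cvss2_weight() {
    case "$1:$2" in
        AV:L) echo 0.395 ;; AV:A) echo 0.646 ;; AV:N) echo 1.0 ;;
        AC:H) echo 0.35 ;;  AC:M) echo 0.61 ;;  AC:L) echo 0.71 ;;
        AU:M) echo 0.45 ;;  AU:S) echo 0.56 ;;  AU:N) echo 0.704 ;;
        C:N|I:N|A:N) echo 0.0 ;;
        C:P|I:P|A:P) echo 0.275 ;;
        C:C|I:C|A:C) echo 0.660 ;;
    esac
}

# Return 0 if $1 is a valid vector, 1 otherwise (the reason goes to stderr).
cvss2_validate() {
    seen=""
    old_ifs="$IFS"; IFS=/
    set -- $1
    IFS="$old_ifs"
    for pair in "$@"; do
        key="${pair%%:*}"; val="${pair#*:}"
        allowed=$(cvss2_values "$key")
        [ -n "$allowed" ] || { echo "unknown metric '$key'" >&2; return 1; }
        case " $allowed " in
            *" $val "*) ;;
            *) echo "invalid value '$val' for $key" >&2; return 1 ;;
        esac
        case " $seen " in
            *" $key "*) echo "metric $key given more than once" >&2; return 1 ;;
        esac
        seen="$seen $key"
    done
    for req in AV AC AU C I A; do
        case " $seen " in
            *" $req "*) ;;
            *) echo "base metric $req is missing" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print the CVSS v2 base score of vector $1 rounded to one decimal, or
# return 1 without output if the vector fails validation.
cvss2_base_score() {
    cvss2_validate "$1" || return 1
    old_ifs="$IFS"; IFS=/
    set -- $1
    IFS="$old_ifs"
    for pair in "$@"; do
        key="${pair%%:*}"; val="${pair#*:}"
        case "$key" in
            AV) av=$(cvss2_weight AV "$val") ;; AC) ac=$(cvss2_weight AC "$val") ;;
            AU) au=$(cvss2_weight AU "$val") ;; C)  c=$(cvss2_weight C "$val") ;;
            I)  i=$(cvss2_weight I "$val") ;;   A)  a=$(cvss2_weight A "$val") ;;
        esac
    done
    # CVSS v2: Impact = 10.41*(1-(1-C)(1-I)(1-A)); Exploitability = 20*AV*AC*AU;
    # BaseScore = ((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact), f = 0 if
    # Impact is 0, else 1.176.
    LC_ALL=C awk -v av="$av" -v ac="$ac" -v au="$au" -v c="$c" -v i="$i" -v a="$a" 'BEGIN {
        impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
        exploitability = 20 * av * ac * au
        score = (impact == 0) ? 0 : ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
        printf "%.1f\n", score
    }'
}

# Usage: ./cvss2.sh 'AV:N/AC:M/AU:N/C:P/I:P/A:P'
[ "$#" -eq 1 ] && cvss2_base_score "$1"
```

       The validation step mirrors what `oscap cvss score` has to do before it
       can print anything: a vector with a repeated key or a missing base
       metric has no defined score, so it is rejected rather than scored with
       a guessed default.
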
DS OPERATIONS
       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates an SCAP source data stream from the XCCDF file given in
              SOURCE_XCCDF and stores the result in TARGET_SDS. Dependencies
              like OVAL files are automatically detected and bundled in the
              created source data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds the given NEW_COMPONENT file to the existing source data
              stream (EXISTING_SDS). The component file might be an OVAL,
              XCCDF or CPE Dictionary file. Dependencies like OVAL files are
              automatically detected and bundled in the target source data
              stream.

              --datastream-id DATASTREAM_ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits the given source data stream into multiple files and
              stores all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --xccdf-id XCCDF_ID
                     Take the component ref with the given ID from
                     checklists. This allows selecting a particular XCCDF
                     component even in cases where there are 2 XCCDFs in one
                     data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

       sds-validate SOURCE_DS
              Validate the given source data stream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the source data stream
              is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes the given source data stream, XCCDF and OVAL results and
              creates a result data stream (in Asset Reporting Format) and
              saves it to the file given in TARGET_ARF.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes the given result data stream (also called ARF = Asset
              Reporting Format) and splits the given report and its
              respective report-request into the given target directory. If
              no report-id is given, we assume the user wants the first
              applicable report in top-down order in the file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result data stream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the result data stream
              is not valid.


CVE OPERATIONS
       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score,
              vector string and vulnerable software list.

EXIT STATUS
       Normally, the exit status is 0 when the operation finished
       successfully and 1 otherwise. In cases when oscap performs evaluation
       of the system, it may return 2, indicating success of the operation
       but non-compliance of the assessed system.

EXAMPLES
       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case we use the United States Government Configuration
       Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop.

           oscap xccdf eval --fetch-remote-resources --oval-results \
               --profile united_states_government_configuration_baseline \
               --report usgcb-rhel5desktop.report.html \
               --results usgcb-rhel5desktop-xccdf.xml.result.xml \
               --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
               usgcb-rhel5desktop-xccdf.xml

SCAP CONTENT
       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

       Red Hat CVE content repository - https://www.redhat.com/security/data/metrics/ds/v2/

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --version` in the bug
       report.

AUTHORS
       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>

Red Hat                           March 2021                          OSCAP(8)