OSCAP(8)                System Administration Utilities               OSCAP(8)

NAME
       oscap - OpenSCAP command line tool

SYNOPSIS
       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION
       oscap is a Security Content Automation Protocol (SCAP) toolkit based
       on the OpenSCAP library. It provides various functions for different
       SCAP specifications (modules).

       The OpenSCAP tool claims to provide the capabilities of an
       Authenticated Configuration Scanner and an Authenticated Vulnerability
       Scanner as defined by The National Institute of Standards and
       Technology.

GENERAL OPTIONS
       -V, --version
              Print supported SCAP specifications, location of schema files,
              schematron files, CPE files, probes and supported OVAL objects.
              Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES
       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream.

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System.

       cve    Common Vulnerabilities and Exposures.

       cvrf   Common Vulnerability Reporting Framework.

COMMON OPTIONS
       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at the specified verbosity level.
              VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set the file name to which additional information is written.

INFO MODULE
       [options] any-scap-file.xml
              This module prints information about the SCAP content in the
              file specified on the command line. It determines the SCAP
              content type, specification version, date of creation, date of
              import and so on. The info module doesn't require any
              additional operation switch.

              For XCCDF or SCAP source data stream files, the info module
              prints out the IDs of incorporated profiles, components, and
              data streams. These IDs can be used to specify the target for
              evaluation. Use the options --profile, --xccdf-id (or
              --oval-id), and --datastream-id respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title>
                     format, one line per profile.

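The --local-files lookup described above, as an added example that is not code from the oscap man page or the OpenSCAP project: it reads a source data stream, treats every component-ref whose xlink:href is not a local "#fragment" as a remote component, resolves each to the @name of the catalog uri entry that points at it, and reports which of those file names are missing from a directory, so a scan can be prepared to run without --fetch-remote-resources. The data stream below is a constructed sample, and matching a catalog entry to a remote component-ref through a "#id" href is an assumption about the data stream layout.

```python
import os
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "cat": "urn:oasis:names:tc:entity:xmlns:xml:catalog",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed minimal source data stream: the checklist's catalog maps two
# file names to component-refs, one local (#...) and one remote (https://...).
SAMPLE_SDS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_org.example_collection_demo">
  <ds:data-stream id="scap_org.example_datastream_demo" use-case="OTHER" scap-version="1.2">
    <ds:checklists>
      <ds:component-ref id="scap_org.example_cref_xccdf" xlink:href="#scap_org.example_comp_xccdf">
        <cat:catalog>
          <cat:uri name="local-oval.xml" xlink:href="#scap_org.example_cref_oval"/>
          <cat:uri name="vendor-patch-oval.xml" xlink:href="#scap_org.example_cref_remote"/>
        </cat:catalog>
      </ds:component-ref>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.example_cref_oval" xlink:href="#scap_org.example_comp_oval"/>
      <ds:component-ref id="scap_org.example_cref_remote"
                        xlink:href="https://vendor.example/oval/patch-definitions.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def load(xml_text):
    """Parse a source data stream from a string."""
    return ET.fromstring(xml_text)


def select_data_stream(root, datastream_id=None):
    """The ds:data-stream with datastream_id, or the first one when no ID is
    given (the --datastream-id default)."""
    for stream in root.findall("ds:data-stream", NS):
        if datastream_id is None or stream.get("id") == datastream_id:
            return stream
    raise ValueError(f"data stream {datastream_id!r} not found")


def remote_components(root, datastream_id=None):
    """{component-ref id: URL} for every component-ref in the selected data
    stream whose xlink:href is not a local '#fragment' reference."""
    stream = select_data_stream(root, datastream_id)
    return {cref.get("id"): cref.get(XLINK_HREF, "")
            for cref in stream.iter(f"{{{NS['ds']}}}component-ref")
            if not cref.get(XLINK_HREF, "").startswith("#")}


def expected_local_files(root, datastream_id=None):
    """Map each remote component-ref id to (URL, file name). The file name is
    the @name of the catalog uri entry whose href points at that component-ref,
    which is the name --local-files looks for in DIRECTORY; None when no
    catalog entry references the component (assumed matching rule)."""
    remote = remote_components(root, datastream_id)
    names = {}
    for uri in root.iter(f"{{{NS['cat']}}}uri"):
        target = uri.get(XLINK_HREF, "")
        if target.startswith("#") and target[1:] in remote:
            names[target[1:]] = uri.get("name")
    return {cref: (url, names.get(cref)) for cref, url in remote.items()}


def missing_local_files(root, directory, datastream_id=None):
    """Remote components that --local-files DIRECTORY cannot satisfy because
    no file with the expected name exists there; each entry is
    (component-ref id, URL, expected file name or None)."""
    return [(cref, url, name)
            for cref, (url, name) in expected_local_files(root, datastream_id).items()
            if name is None or not os.path.isfile(os.path.join(directory, name))]


if __name__ == "__main__":
    root = load(SAMPLE_SDS)
    for cref, url, name in missing_local_files(root, "."):
        print(f"{cref}: {url} -> expected ./{name} (missing)")
```
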
XCCDF MODULE
       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of the XCCDF document file given as
              INPUT_FILE. Print the result of each rule to standard output,
              including rule title, rule id and security identifier (CVE,
              CCE). Optionally you can give an SCAP source data stream as the
              INPUT_FILE instead of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an error during
              evaluation, the return code is 1. If there is at least one rule
              with either a fail or an unknown result, oscap finishes with
              return code 2.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE
              is validated using XSD schemas (depending on the document type
              of INPUT_FILE) and rejected if invalid.

              You may specify OVAL Definition files as the last parameter;
              XCCDF evaluation will then proceed only with those specified
              files. Otherwise, when the oval-definitions-files parameter is
              missing, the oscap tool will try to load all OVAL Definition
              files referenced from the XCCDF automatically (searching in the
              same path as the XCCDF).

              --profile PROFILE
                     Select a particular profile from the XCCDF document. If
                     "(all)" is given, a virtual profile that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from the XCCDF document. Only
                     this rule will be evaluated. Any other rules required
                     by this rule won't be evaluated. The rule will use
                     values according to the selected profile. If no profile
                     is selected, default values are used. This option can
                     be used multiple times to specify multiple rules at
                     once.

              --skip-rule RULE
                     Skip a particular rule from the XCCDF document. This
                     option can be used multiple times to skip multiple
                     rules at once.

              --tailoring-file TAILORING_FILE
                     Use the given file for XCCDF tailoring. Select the
                     profile from the tailoring file to apply using
                     --profile. If both --tailoring-file and --tailoring-id
                     are specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use the tailoring component in the input source data
                     stream for XCCDF tailoring. The tailoring component
                     must be specified by its Ref-ID (value of the
                     component-ref/@id attribute in the input source data
                     stream). Select the profile from the tailoring
                     component to apply using --profile. If both
                     --tailoring-file and --tailoring-id are specified,
                     --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. (Some CPE names are provided
                     by openscap; see oscap --version for inbuilt CPE names.)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to STIG references in the
                     evaluated content. The FILE can be simply imported into
                     DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --thin-results
                     Thin Results provides only a minimal amount of
                     information in OVAL/ARF results. The option
                     --without-syschar is automatically enabled when you use
                     Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file in the current
                     working directory. To change the directory where OVAL
                     files are generated, change the CWD using the `cd`
                     command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export
                     itself is plugin specific; please refer to the
                     documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give a source
                     data stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows one to select a particular
                     XCCDF component even in cases where there are multiple
                     XCCDFs in a single data stream. If none is given, the
                     first component from the checklists element is used.

              --benchmark-id ID
                     Select a component ref from any data stream that
                     references a component with an XCCDF Benchmark such
                     that its @id attribute matches the given string
                     exactly. Please note that this is not the recommended
                     way of selecting a component-ref. You are advised to
                     use --xccdf-id AND/OR --datastream-id for more
                     precision. --benchmark-id is only used when both
                     --xccdf-id and --datastream-id are not present on the
                     command line!

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --skip-signature-validation
                     Do not validate digital signatures in digitally signed
                     SCAP source data streams.

              --enforce-signature
                     Process only digitally signed SCAP source data streams.
                     Data streams without a signature will be rejected if
                     this switch is used.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF
                     evaluation. This option automatically executes the
                     content of XCCDF fix elements for failed rules, and
                     thus it shall be avoided unless for trusted content.
                     Use of this option is always at your own risk.

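The return-code rule, the `--progress` output formats and the TestResult selection described in the xccdf eval and remediate operations, worked through as an added example (not code from the oscap man page or the OpenSCAP project): it reads an XCCDF 1.2 results document such as `--results` writes, picks the last TestResult in top-down order unless an ID is given, lists the failed rules that remediation would act on, and derives the exit code that the documented rule (fail or unknown gives 2) implies. The results document below is a constructed sample, not real scan output.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: one Benchmark with two TestResult elements, as a file
# written by `oscap xccdf eval --results` might look after two scan runs.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Group id="xccdf_org.example_group_ssh">
    <Rule id="xccdf_org.example_rule_sshd_root_login" severity="high">
      <title>Disable SSH root login</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_sshd_banner" severity="low">
      <title>Enable SSH warning banner</title>
    </Rule>
  </Group>
  <Rule id="xccdf_org.example_rule_fips" severity="medium">
    <title>Enable FIPS mode</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_run1">
    <rule-result idref="xccdf_org.example_rule_sshd_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_banner"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_fips"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_org.example_testresult_run2">
    <rule-result idref="xccdf_org.example_rule_sshd_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_banner"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_fips"><result>unknown</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load(xml_text):
    """Parse an XCCDF results document from a string."""
    return ET.fromstring(xml_text)


def select_test_result(root, result_id=None):
    """Pick the TestResult to work on: the one with result_id, or, when no ID
    is given, the last TestResult in top-down order (the default the man page
    documents for --result-id)."""
    results = root.findall("x:TestResult", NS)
    if not results:
        raise ValueError("document contains no TestResult element")
    if result_id is None:
        return results[-1]
    for tr in results:
        if tr.get("id") == result_id:
            return tr
    raise ValueError(f"TestResult {result_id!r} not found")


def rule_results(test_result):
    """Yield (rule id, result) pairs for every rule-result in document order."""
    for rr in test_result.findall("x:rule-result", NS):
        yield rr.get("idref"), rr.findtext("x:result", default="", namespaces=NS)


def rule_titles(root):
    """Map rule id -> title; Rule elements may be nested inside Group elements."""
    return {rule.get("id"): rule.findtext("x:title", default="", namespaces=NS)
            for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}


def exit_code(test_result):
    """Apply the documented rule for `oscap xccdf eval`: at least one rule
    with a fail or unknown result gives 2, otherwise 0. Return code 1 (an
    error during evaluation) cannot be inferred from a results file."""
    results = {result for _, result in rule_results(test_result)}
    return 2 if results & {"fail", "unknown"} else 0


def failed_rules(test_result):
    """Rule ids with result 'fail', i.e. the ones whose fix elements
    `--remediate` or `oscap xccdf remediate` would execute."""
    return [rid for rid, result in rule_results(test_result) if result == "fail"]


def progress_lines(root, test_result, full=False):
    """Render results in the `--progress` format ("$rule_id:$result") or, with
    full=True, the `--progress-full` format ("$rule_id|$rule_title|$result")."""
    titles = rule_titles(root)
    if full:
        return [f"{rid}|{titles.get(rid, '')}|{result}"
                for rid, result in rule_results(test_result)]
    return [f"{rid}:{result}" for rid, result in rule_results(test_result)]


if __name__ == "__main__":
    root = load(SAMPLE_RESULTS)
    latest = select_test_result(root)
    print("\n".join(progress_lines(root, latest, full=True)))
    print("failed:", failed_rules(latest))
    print("oscap-style exit code:", exit_code(latest))
```
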
       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation. It assumes that
              the INPUT_FILE is the result of an `oscap xccdf eval`
              operation. The input file must contain a TestResult element.
              This module executes XCCDF fix elements for the failed
              rule-results contained in the given TestResult. Use of this
              option is always at your own risk and it shall be avoided
              unless for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be
                     remedied. If this option is missing, the last
                     TestResult (in top-down processing) will be remedied.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Write results to the given FILE in Asset Reporting
                     Format. It is recommended to use this option instead of
                     --results when dealing with data streams.

              --stig-viewer FILE
                     Write XCCDF results into FILE. The rule result IDs in
                     FILE are modified according to STIG references in the
                     evaluated content. The FILE can be simply imported into
                     DISA STIG Viewer. See
                     https://public.cyber.mil/stigs/srg-stig-tools/ for
                     information about DISA STIG Viewer.

              --report FILE
                     Write an HTML report into FILE.

              --oval-results
                     Generate an OVAL Result file for each OVAL session used
                     for evaluation. A file with the name
                     'original-oval-definitions-filename.result.xml' will be
                     generated for each referenced OVAL file.

              --check-engine-results
                     After evaluation is finished, each loaded check engine
                     plugin is asked to export its results. The export
                     itself is plugin specific; please refer to the
                     documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain the
                     external variables' values that were provided to the
                     OVAL checking engine during evaluation. The filename
                     format is
                     'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --progress
                     Switch to sparse output suitable for progress
                     reporting. The format of the output is
                     "$rule_id:$result\n".

              --progress-full
                     Switch to sparse but a bit more saturated output, also
                     suitable for progress reporting. The format of the
                     output is "$rule_id|$rule_title|$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the XCCDF specification.
              It will flatten the inheritance hierarchy of XCCDF profiles,
              groups, rules, and values. The result is another XCCDF
              document, which will be written to output-file.

              --force
                     Force resolving the XCCDF document even if it is
                     already marked as resolved.

       validate [options] xccdf-file
              Validate the given XCCDF file against an XML schema. Every
              error found is printed to standard error. The return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, 2 if the XCCDF document is not valid.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron is
                     able to find more errors and inconsistencies but is
                     much slower. Schematron is available only for XCCDF
                     version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as OVAL
              external-variables document(s). The filename format is
              'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from the XCCDF document.

              --fetch-remote-resources
                     Allow download of remote OVAL content referenced from
                     the XCCDF by check-content-ref/@href.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give an SCAP
                     source data stream in place of an XCCDF file.

              --xccdf-id ID
                     Take the component ref with the given ID from
                     checklists. This allows one to select a particular
                     XCCDF component even in cases where there are 2 XCCDFs
                     in one data stream.

              --benchmark-id ID
                     Select a component ref from any data stream that
                     references a component with an XCCDF Benchmark such
                     that its @id attribute matches the given string
                     exactly. Please note that this is not the recommended
                     way of selecting a component-ref. You are advised to
                     use --xccdf-id AND/OR --datastream-id for more
                     precision. --benchmark-id is only used when both
                     --xccdf-id and --datastream-id are not present on the
                     command line!

              --cpe CPE_FILE
                     Use the given CPE dictionary or language (auto-detected)
                     for applicability checks. The variables documents are
                     created only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document from an XCCDF file, such as a
              security guide or a result report.

              --profile ID
                     Apply the profile with the given ID to the Benchmark
                     before further processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate an HTML document containing a security guide
                     from an XCCDF Benchmark. Unless the --output option is
                     specified, it will be written to standard output.
                     Without a profile being set, only groups (not rules)
                     will be included in the output.

                     --output FILE
                            Write the guide to this file instead of
                            standard output.

                     --hide-profile-info
                            This option has no effect and is kept only for
                            backward compatibility purposes.

                     --benchmark-id ID
                            Select a component ref from any data stream
                            that references a component with an XCCDF
                            Benchmark such that its @id attribute matches
                            the given string exactly.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows one to select a
                            particular XCCDF component even in cases where
                            there are multiple XCCDFs in a single data
                            stream. If none is given, the first component
                            from the checklists element is used.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source
                            data stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID
                            (value of the component-ref/@id attribute in
                            the input source data stream). Select the
                            profile from the tailoring component to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature will
                            be rejected if this switch is used.

              report [options] xccdf-file
                     Generate an HTML document containing the results of an
                     XCCDF Benchmark execution. Unless the --output option
                     is specified, it will be written to standard output.

                     --output FILE
                            Write the report to this file instead of
                            standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the
                            report will be generated.

                     --oval-template template-string
                            To use the ability to include additional
                            information from OVAL in the XCCDF result file,
                            a template which will be used to obtain OVAL
                            result file names has to be specified. The
                            template can be either a filename or a string
                            containing a wildcard character (percent sign
                            '%'). The wildcard will be replaced by the
                            original OVAL definition file name as
                            referenced from the XCCDF file. This way it is
                            possible to obtain OVAL information even from
                            XCCDF documents referencing several OVAL files.
                            To use this option with results from an XCCDF
                            evaluation, specify %.result.xml as the OVAL
                            file name template.

                     --sce-template template-string
                            To use the ability to include additional
                            information from SCE in the XCCDF result file,
                            a template which will be used to obtain SCE
                            result file names has to be specified. The
                            template can be either a filename or a string
                            containing a wildcard character (percent sign
                            '%'). The wildcard will be replaced by the
                            original SCE script file name as referenced
                            from the XCCDF file. This way it is possible to
                            obtain SCE information even from XCCDF
                            documents referencing several SCE files. To use
                            this option with results from an XCCDF
                            evaluation, specify %.result.xml as the SCE
                            file name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a
                     state of compliance with the given XCCDF Benchmark.
                     There are 2 possibilities when generating fixes:
                     Result-oriented fixes (--result-id) or Profile-oriented
                     fixes (--profile). Result-oriented takes precedence
                     over Profile-oriented: if result-id is given, oscap
                     will ignore any profile provided.

                     Result-oriented fixes are generated using the provided
                     result-id to select only the failing rules from the
                     results in xccdf-file; all other rules are skipped.

                     Profile-oriented fixes are generated using all rules
                     within the provided profile. If neither result-id nor
                     profile is provided, the (default) profile will be
                     used to generate fixes.

                     --fix-type TYPE
                            Specify the fix type. There are multiple
                            programming languages in which the fix script
                            can be generated. TYPE should be one of: bash,
                            ansible, puppet, anaconda, ignition, kubernetes,
                            blueprint. Default is bash. This option is
                            mutually exclusive with --template, because the
                            fix type already determines the template URN.

                     --output FILE
                            Write the output to this file instead of
                            standard output.

                     --result-id ID
                            Fixes will be generated for failed rule-results
                            of the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If
                            it contains a dot '.', it is interpreted as the
                            location of a file with the template
                            definition. Otherwise it identifies a template
                            from the standard set, which currently
                            includes: bash (default if no --template switch
                            is present). A brief explanation of the process
                            of writing your own templates is in the XSL
                            file xsl/legacy-fix.xsl in the openscap data
                            directory. You can also take a look at the
                            default template xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Take the component ref with the given ID from
                            checklists. This allows one to select a
                            particular XCCDF component even in cases where
                            there are multiple XCCDFs in a single data
                            stream. If none is given, the first component
                            from the checklists element is used.

                     --benchmark-id ID
                            Select a component ref from any data stream
                            that references a component with an XCCDF
                            Benchmark such that its @id attribute matches
                            the given string exactly.

                     --tailoring-file TAILORING_FILE
                            Use the given file for XCCDF tailoring. Select
                            the profile from the tailoring file to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use the tailoring component in the input source
                            data stream for XCCDF tailoring. The tailoring
                            component must be specified by its Ref-ID
                            (value of the component-ref/@id attribute in
                            the input source data stream). Select the
                            profile from the tailoring component to apply
                            using --profile. If both --tailoring-file and
                            --tailoring-id are specified, --tailoring-file
                            takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally
                            signed SCAP source data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data
                            streams. Data streams without a signature will
                            be rejected if this switch is used.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on the given XSLT
                     file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet
                            to format the output.

                     --output FILE
                            Write the document into the file.

OVAL MODULE
       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from the OVAL
              Definition file. Print the result of each definition to
              standard output. The return code is 0 after a successful
              evaluation. On error, value 1 is returned.

              INPUT_FILE can be either an OVAL Definition File or an SCAP
              source data stream; it depends on the options used.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE
              is validated using XSD schemas (depending on the document type
              of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY the specified OVAL Definition from the
                     OVAL Definition File.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definition File.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --without-syschar
                     Don't provide system characteristics in the result
                     file.

              --results FILE
                     Write OVAL Results into the file.

              --report FILE
                     Create a human readable (HTML) report from OVAL
                     Results.

              --datastream-id ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used. Only applies if you give a source
                     data stream in place of an OVAL file.

              --oval-id ID
                     Take the component ref with the given ID from checks.
                     This allows one to select a particular OVAL component
                     even in cases where there are multiple OVALs in a
                     single data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

       collect [options] definitions-file
              Probe the system and gather system characteristics for all
              objects in the OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for the specified
                     OVAL Object.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --syschar FILE
                     Write OVAL System Characteristics into the file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection
              on the local system, but relies upon the input file, which may
              have been generated on another system. The output (OVAL
              Results) is printed to the file specified by the --results
              parameter.

              --variables FILE
                     Provide external variables expected by the OVAL
                     Definitions.

              --directives FILE
                     Use OVAL Directives content to specify the desired
                     results content.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       validate [options] oval-file
              Validate the given OVAL file against an XML schema. Every
              error found is printed to standard error. The return code is 0
              if validation succeeds, 1 if validation could not be performed
              due to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results, --directives
                     The type of the OVAL document is automatically detected
                     by default. If you want to enforce a certain document
                     type, you can use one of these options.

              --skip-schematron
                     Turn off Schematron-based validation. Schematron is
                     able to find more errors and inconsistencies but is
                     much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing a
                     visualisation of an OVAL results file. Unless the
                     --output option is specified, it will be written to
                     standard output.

                     --output FILE
                            Write the report to this file instead of
                            standard output.

CPE MODULE
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of the CPE name in the dictionary.

       validate cpe-dict-file
              Validate the given CPE dictionary file against an XML schema.
              Every error found is printed to standard error. The return
              code is 0 if validation succeeds, 1 if validation could not be
              performed due to some error, 2 if the CPE dictionary is not
              valid.

CVSS MODULE
       score cvss_vector
              Calculate a score from a CVSS vector. Prints the base score
              for a base CVSS vector, the base and temporal scores for a
              temporal CVSS vector, and the base, temporal and environmental
              scores for an environmental CVSS vector.

       describe cvss_vector
              Describe the individual components of a CVSS vector in a
              human-readable format and print partial scores.

       A CVSS vector consists of several slash-separated components
       specified as key-value pairs. Each key can be specified at most once.
       A valid CVSS vector has to contain at least the base CVSS metrics,
       i.e. AV, AC, AU, C, I, and A. The following table summarizes the
       components and their possible values (the second column is the metric
       category: B for base, T for temporal, E for environmental):

       AV:[L|A|N]             B   Access vector: Local, Adjacent network,
                                  Network

       AC:[H|M|L]             B   Access complexity: High, Medium, Low

       AU:[M|S|N]             B   Required authentication: Multiple
                                  instances, Single instance, None

       C:[N|P|C]              B   Confidentiality impact: None, Partial,
                                  Complete

       I:[N|P|C]              B   Integrity impact: None, Partial, Complete

       A:[N|P|C]              B   Availability impact: None, Partial,
                                  Complete

       E:[ND|U|POC|F|H]       T   Exploitability: Not Defined, Unproven,
                                  Proof of Concept, Functional, High

       RL:[ND|OF|TF|W|U]      T   Remediation Level: Not Defined, Official
                                  Fix, Temporary Fix, Workaround,
                                  Unavailable

       RC:[ND|UC|UR|C]        T   Report Confidence: Not Defined,
                                  Unconfirmed, Uncorroborated, Confirmed

       CDP:[ND|N|L|LM|MH|H]   E   Collateral Damage Potential: Not Defined,
                                  None, Low, Low-Medium, Medium-High, High

       TD:[ND|N|L|M|H]        E   Target Distribution: Not Defined, None,
                                  Low, Medium, High

       CR:[ND|L|M|H]          E   Confidentiality requirement: Not Defined,
                                  Low, Medium, High

       IR:[ND|L|M|H]          E   Integrity requirement: Not Defined, Low,
                                  Medium, High

       AR:[ND|L|M|H]          E   Availability requirement: Not Defined,
                                  Low, Medium, High

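The vector grammar and metric table above, as an added example that is not code from the oscap man page or the OpenSCAP code base: a parser that enforces the stated rules (slash-separated key:value components, each key at most once, all six base metrics present) and computes the CVSS v2 base and temporal scores that `oscap cvss score` prints for base and temporal vectors. The weights and equations are the CVSS v2 ones, not read from the page; keys are matched case-insensitively (the table writes AU where the specification writes Au); environmental metrics are validated and classified but not scored.

```python
from decimal import Decimal, ROUND_HALF_UP

# metric -> (category, {value: weight}); categories B/T/E as in the table
# above, weights from the CVSS v2 equations (not taken from the man page).
METRICS = {
    "AV":  ("B", {"L": 0.395, "A": 0.646, "N": 1.0}),
    "AC":  ("B", {"H": 0.35, "M": 0.61, "L": 0.71}),
    "AU":  ("B", {"M": 0.45, "S": 0.56, "N": 0.704}),
    "C":   ("B", {"N": 0.0, "P": 0.275, "C": 0.660}),
    "I":   ("B", {"N": 0.0, "P": 0.275, "C": 0.660}),
    "A":   ("B", {"N": 0.0, "P": 0.275, "C": 0.660}),
    "E":   ("T", {"ND": 1.0, "U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0}),
    "RL":  ("T", {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0}),
    "RC":  ("T", {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0}),
    "CDP": ("E", {"ND": 0.0, "N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5}),
    "TD":  ("E", {"ND": 1.0, "N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0}),
    "CR":  ("E", {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51}),
    "IR":  ("E", {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51}),
    "AR":  ("E", {"ND": 1.0, "L": 0.5, "M": 1.0, "H": 1.51}),
}
BASE_KEYS = ("AV", "AC", "AU", "C", "I", "A")
TEMPORAL_KEYS = ("E", "RL", "RC")


class CvssVectorError(ValueError):
    """Raised for a vector that violates the rules stated in the man page."""


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {metric: value}, enforcing: slash-separated
    key:value components, each key at most once, only known keys and values,
    and all six base metrics present. Keys and values are case-insensitive."""
    metrics = {}
    for component in vector.strip().split("/"):
        if ":" not in component:
            raise CvssVectorError(f"component {component!r} is not key:value")
        key, value = (part.upper() for part in component.split(":", 1))
        if key not in METRICS:
            raise CvssVectorError(f"unknown metric {key!r}")
        if key in metrics:
            raise CvssVectorError(f"metric {key!r} specified more than once")
        if value not in METRICS[key][1]:
            raise CvssVectorError(f"invalid value {value!r} for metric {key!r}")
        metrics[key] = value
    missing = [key for key in BASE_KEYS if key not in metrics]
    if missing:
        raise CvssVectorError("base metrics missing: " + ", ".join(missing))
    return metrics


def is_valid_vector(vector):
    """True when parse_vector accepts the vector, False otherwise."""
    try:
        parse_vector(vector)
        return True
    except CvssVectorError:
        return False


def vector_kind(metrics):
    """'base', 'temporal' or 'environmental', by the highest category present."""
    categories = {METRICS[key][0] for key in metrics}
    if "E" in categories:
        return "environmental"
    return "temporal" if "T" in categories else "base"


def _weight(metrics, key):
    return METRICS[key][1][metrics[key]]


def _round1(value):
    # CVSS v2 rounds to one decimal, half up; Python's round() is half-even
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(metrics):
    """CVSS v2 base equation from the six base metrics."""
    impact = 10.41 * (1 - (1 - _weight(metrics, "C")) * (1 - _weight(metrics, "I"))
                      * (1 - _weight(metrics, "A")))
    if impact == 0:  # f(Impact) = 0 when there is no impact at all
        return 0.0
    exploitability = 20 * _weight(metrics, "AV") * _weight(metrics, "AC") * _weight(metrics, "AU")
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(metrics):
    """Rounded base score scaled by E, RL and RC; absent metrics count as ND."""
    factor = 1.0
    for key in TEMPORAL_KEYS:
        factor *= _weight(metrics, key) if key in metrics else 1.0
    return _round1(base_score(metrics) * factor)


def score(vector):
    """Mirror what `oscap cvss score` prints: the base score for a base vector,
    base and temporal scores otherwise. Environmental vectors are parsed and
    classified, but the environmental score itself is not computed here."""
    metrics = parse_vector(vector)
    result = {"kind": vector_kind(metrics), "base": base_score(metrics)}
    if result["kind"] != "base":
        result["temporal"] = temporal_score(metrics)
    return result
```
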
DS MODULE
       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates an SCAP source data stream from the XCCDF file given
              in SOURCE_XCCDF and stores the result in TARGET_SDS.
              Dependencies like OVAL files are automatically detected and
              bundled in the created source data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds the given NEW_COMPONENT file to the existing source data
              stream (EXISTING_SDS). The component file might be an OVAL,
              XCCDF or CPE Dictionary file. Dependencies like OVAL files are
              automatically detected and bundled in the target source data
              stream.

              --datastream-id DATASTREAM_ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits the given source data stream into multiple files and
              stores all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Use the data stream with that particular ID from the
                     given data stream collection. If not given, the first
                     data stream is used.

              --xccdf-id XCCDF_ID
                     Take the component ref with the given ID from
                     checklists. This allows one to select a particular
                     XCCDF component even in cases where there are multiple
                     XCCDFs in a single data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from the
                     data stream.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components
                     from the network, use data stream components stored
                     locally as files in the given directory. In place of
                     the remote data stream component OpenSCAP will attempt
                     to use a file whose file name is equal to the @name
                     attribute of the uri element within the catalog element
                     within the component-ref element in the data stream, if
                     such a file exists.

       sds-validate SOURCE_DS
              Validate the given source data stream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the source data
              stream is not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes the given source data stream, XCCDF and OVAL results and
              creates a result data stream (in Asset Reporting Format) and
              saves it to the file given in TARGET_ARF.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes the given result data stream (also called ARF = Asset
              Reporting Format) and splits the given report and its
              respective report-request into the given target directory. If
              no report-id is given, the user is assumed to want the first
              applicable report in top-down order in the file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate the given result data stream file against an XML
              schema. Every error found is printed to standard error. The
              return code is 0 if validation succeeds, 1 if validation could
              not be performed due to some error, 2 if the result data
              stream is not valid.

CVE MODULE
       validate cve-nvd-feed.xml
              Validate the given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find the given CVE in the data feed and report its base score,
              vector string and vulnerable software list.

EXIT STATUS
       Normally, the exit status is 0 when the operation finished
       successfully and 1 otherwise. In cases when oscap performs an
       evaluation of the system it may return 2, indicating success of the
       operation but non-compliance of the assessed system.

EXAMPLES
       Evaluate XCCDF content using a CPE dictionary and produce an HTML
       report. In this case we use the United States Government
       Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5
       Desktop.

              oscap xccdf eval --fetch-remote-resources --oval-results \
                  --profile united_states_government_configuration_baseline \
                  --report usgcb-rhel5desktop.report.html \
                  --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                  --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                  usgcb-rhel5desktop-xccdf.xml

SEE ALSO
       SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

       National Vulnerability Database -
       http://web.nvd.nist.gov/view/ncp/repository

       Red Hat CVE content repository -
       https://www.redhat.com/security/data/metrics/ds/v2/

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug
       report.

AUTHORS
       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>

Red Hat                           March 2021                          OSCAP(8)