OSCAP(8) System Administration Utilities OSCAP(8)NAME
oscap - OpenSCAP command line tool
SYNOPSIS
oscap [general-options] module operation [operation-options-and-argu‐
ments]
DESCRIPTION
oscap is Security Content Automation Protocol (SCAP) toolkit based on
OpenSCAP library. It provides various functions for different SCAP
specifications(modules).
GENERAL OPTIONS-V, --version
SCAP specification supported by the module.
-q, --quiet
No output for certain operations, only return code.
-h, --help
Help screen.
MODULES
oval Open Vulnerability and Assessment Language.
xccdf The eXtensible Configuration Checklist Description Format.
cpe Common Platform Enumeration.
cvss Common Vulnerability Scoring System
OVAL OPERATIONS
collect [options] definitions-file
Probe the system and gather system characteristics for all
objects in OVAL Definition file.
--id OBJECT-ID
Collect system characteristics ONLY for specified OVAL
Object.
--variables FILE
Provide external variables expected by OVAL Definitions.
--syschar FILE
Write OVAL System Characteristic into file
--skip-valid
Do not validate input/output files.
eval [options] definitions-file
Probe the system and evaluate all definitions from OVAL Defini‐
tion file. Print result of each definition to standard output.
oscap returns 0 if all definitions pass. If there is an error
during evaluation, the return code is 1. If there is at least
one failed result definition, oscap-scan finishes with return
code 2.
--id DEFINITION-ID
Evaluate ONLY specified OVAL Definition.
--variables FILE
Provide external variables expected by OVAL Definitions.
--directives FILE
Use OVAL Directives content to specify desired results
content.
--results FILE
Write OVAL Results into file.
--report FILE
Create human readable (HTML) report from OVAL Results.
--skip-valid
Do not validate input/output files.
analyse [options] --results FILE definitions-file syschar-file
In this mode, the oscap tool does not perform data collection on
the local system, but relies upon the input file, which may have
been generated on another system. The output (OVAL Results) is
printed to file specified by --results parameter
--variables FILE
Provide external variables expected by OVAL Definitions.
--directives FILE
Use OVAL Directives content to specify desired results
content.
--skip-valid
Do not validate input/output files.
validate-xml [options] definitions-file
Validate given OVAL file against a XML schema. Every found error
is printed to the standard output. Return code is 0 if valida‐
tion succeeds, 1 if validation could not be performed due to
some error, 2 if the OVAL document is not valid.
--definitions, --variables, --syschar, --results --directives
Specify whether the validated document is an OVAL Defini‐
tions file, external OVAL Variables, OVAL System Charac‐
teristics file, OVAL Results file or OVAL Directives
file. Default: definitions.
--schematron
Turn on Schematron-based validation. It is able to find
more errors and inconsistencies but is much slower.
generate <submodule> [submodule-specific-options]
Generate another document form an OVAL file.
Available submodules:
report [options] oval-results-file
Generate a formatted HTML page containing visualisation
of an OVAL results file. Unless the --output option is
specified it will be written to the standard output.
--output FILE
Write the report to this file instead of standard
output.
list-probes [options]
List supported object types (i.e. probes)
--static
List all probes defined in the internal tables.
--dynamic
List all probes supported on the current system (this is
default behavior).
--verbose
Be verbose.
XCCDF OPERATIONS
eval [options] xccdf-file [oval-definitions-files]
Perform evaluation driven by XCCDF file and use OVAL as checking
engine. Print result of each rule to standard output. oscap
returns 0 if all rules pass. If there is an error during evalua‐
tion, the return code is 1. If there is at least one failed
rule, oscap-scan finishes with return code 2.
You may specify all required OVAL Definition files as last
parameters. If you don't do that, oscap tool will try to load
all OVAL Definition files referenced from XCCDF automati‐
caly(search in the same path as XCCDF).
--profile PROFILE
Select a particular profile from XCCDF document.
--results FILE
Write XCCDF results into file.
--report FILE
Write HTML report into file. You also have to specify
--result for this feature to work.
--oval-results
Generate OVAL Result file for each OVAL session used for
evaluation. File with name 'original-oval-definitions-
filename.result.xml' will be generated for each refer‐
enced OVAL file. This option (with conjunction with the
--report option) also enables inclusion of additional
OVAL information in the XCCDF report.
--export-variables
Generate OVAL Variables documents which contain external
variables' values that were provided to the OVAL checking
engine during evaluation. The filename format is 'origi‐
nal-oval-definitions-filename-session-index.variables-
variables-index.xml'.
--skip-valid
Do not validate input/output files.
resolve -o output-file xccdf-file
Resolve an XCCDF file as described in the XCCDF specification.
It will flatten inheritance hierarchy of XCCDF profiles, groups,
rules, and values. Result is another XCCDF document, which will
be written to output-file.
--force
Force resolving XCCDF document even if it is already
marked as resolved.
validate-xml [options] xccdf-file
Validate given XCCDF file against a XML schema. Every found
error is printed to the standard output. Return code is 0 if
validation succeeds, 1 if validation could not be performed due
to some error, 2 if the XCCDF document is not valid.
export-oval-variables [options] xccdf-file [oval-definitions-files]
Collect all the XCCDF values that would be used by OVAL during
evaluation of a certain profile and export them as OVAL exter‐
nal-variables document(s). The filename format is 'original-
oval-definitions-filename-session-index.variables-variables-
index.xml'.
--profile PROFILE
Select a particular profile from XCCDF document.
generate [options] <submodule> [submodule-specific-options]
Generate another document form an XCCDF file such as security
guide or result report.
--profile ID
Apply profile with given ID to the Benchmark before fur‐
ther processing takes place.
--format FMT
Specify output format. This option applies only on docu‐
ment generators (i.e. guide, report). Avalable formats:
html (default), docbook.
Available submodules:
guide [options] xccdf-file
Generate a formatted document containing a security guide
from a XCCDF Benchmark. Unless the --output option is
specified it will be written to the standard output.
Without profile being set only groups (not rules) will be
included in the output.
--output FILE
Write the guide to this file instead of standard
output.
--hide-profile-info
Information on chosen profile (e.g. rules selected
by the profile) will be excluded from the docu‐
ment.
report [options] xccdf-file
Generate a document containing results of a XCCDF Bench‐
mark execution. Unless the --output option is specified
it will be written to the standard output. ID of the
TestResult element to visualise defaults to the most
recent result (according to the end-time attribute).
--output FILE
Write the report to this file instead of standard
output.
--result-id ID
ID of the XCCDF TestResult from which the report
will be generated.
--show what
Specify what result types shall be displayed in
the result report. The default is to show every‐
thing except for rules with results notselected
and notapplicable. The what part is a comma-sepa‐
rated list of result types to display in addition
to the default. If result type is prefixed by a
dash '-', it will be excluded from the results. If
what is prefixed by an equality sign '=', a fol‐
lowing list specifies exactly what rule types to
include in the report. Result types are: pass,
fixed, notchecked, notapplicable, notselected,
informational, unknown, error, fail.
--oval-template template-string
To use the ability to include additional informa‐
tion from OVAL in xccdf result file, a template
which will be used to obtain OVAL result file
names has to be specified. The template can be
either a filename or a string containing wildcard
character (percent sign '%'). Wildcard will be
replaced by the original OVAL definition file name
as referenced from the XCCDF file. This way it is
possible to obtain OVAL information even from
XCCDF documents referencing several OVAL files. To
use this option with results from an XCCDF evalua‐
tion, specify %.result.xml as a OVAL file name
template.
fix [options] xccdf-file
Generate a script that shall bring the system to a state
of compliance with given XCCDF Benchmark.
--output FILE
Write the report to this file instead of standard
output.
--result-id ID
With this option the script generating engine will
pick rules that failed for given test and generate
fixes only for them.
--template ID|FILE
Template to be used to generate the script. If it
contains a dot '.' it is interpreted as a location
of a file with the template definition. Otherwise
it identifies a template from standard set which
currently includes: bash (default if no --template
switch present). Brief explanation of the process
of writing your own templates is in the XSL file
xsl/fix.xsl in the openscap data directory. You
can also take a look at the default template
xsl/fixtpl-bash.xml.
CPE OPERATIONS
check name
Check whether name is in correct CPE format.
match name dictionary.xml
Find an exact match of CPE name in the dictionary.
CVSS OPERATIONS
score cvss_vector
Calculate score from a CVSS vector. Prints base score for base
CVSS vector, base and temporal score for temporal CVSS vector,
base and temporal and environmental score for environmental CVSS
vector.
describe cvss_vector
Describe individual components of a CVSS vector in a human-read‐
able format and print partial scores.
CVSS vector consists of several slash-separated components specified as
key-value pairs. Each key can be specified at most once. Valid CVSS
vector has to contain at least base CVSS metrics, i.e. AV, AC, AU, C,
I, and A. Following table summarizes the components and possible values
(second column is metric category: B for base, T for temporal, E for
environmental):
AV:[L|A|N] B Access vector: Local, Adjacent net‐
work, Network
AC:[H|M|L] B Access complexity: High, Medium, Low
AU:[M|S|N] B Required authentication: Multiple
instances, Single instance, None
C:[N|P|C] B Confidentiality impact: None, Partial,
Complete
I:[N|P|C] B Integrity impact: None, Partial, Com‐
plete
A:[N|P|C] B Availability impact: None, Partial,
Complete
E:[ND|U|POC|F|H] T Exploitability: Not Defined, Unproven,
Proof of Concept, Functional, High
RL:[ND|OF|TF|W|U] T Remediation Level: Not Defined, Offi‐
cial Fix, Temporary Fix, Workaround, Unavailable
RC:[ND|UC|UR|C] T Report Confidence: Not Defined, Uncon‐
firmed, Uncorroborated, Confirmed
CDP:[ND|N|L|LM|MH|H] E Collateral Damage Potential: Not
Defined, None, Low, Low-Medium, Medium-High, High
TD:[ND|N|L|M|H] E Target Distribution: Not Defined,
None, Low, Medium, High
CR:[ND|L|M|H] E Confidentiality requirement: Not
Defined, Low, Medium, High
IR:[ND|L|M|H] E Integrity requirement: Not Defined,
Low, Medium, High
AR:[ND|L|M|H] E Availability requirement: Not Defined,
Low, Medium, High
CONTENT
National Vulnerability Database -
http://web.nvd.nist.gov/view/ncp/repository
Red Hat content repository - http://www.redhat.com/security/data/oval/
AUTHOR
Peter Vrabec <pvrabec@redhat.com>
Red Hat Jun 2010 OSCAP(8)