OSCAP(8) System Administration Utilities OSCAP(8)
NAME
oscap - OpenSCAP command line tool
SYNOPSIS
oscap [general-options] module operation [operation-options-and-arguments]
DESCRIPTION
oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP
specifications(modules).
GENERAL OPTIONS
-V, --version
SCAP specification supported by the module.
-q, --quiet
No output for certain operations, only return code.
-h, --help
Help screen.
MODULES
oval Open Vulnerability and Assessment Language.
xccdf The eXtensible Configuration Checklist Description Format.
cpe Common Platform Enumeration.
cvss Common Vulnerability Scoring System
OVAL OPERATIONS
collect [options] definitions-file
Probe the system and gather system characteristics for all objects in OVAL Definition file.
--id OBJECT-ID
Collect system characteristics ONLY for specified OVAL Object.
--variables FILE
Provide external variables expected by OVAL Definitions.
--syschar FILE
Write OVAL System Characteristic into file
--skip-valid
Do not validate input/output files.
eval [options] definitions-file
Probe the system and evaluate all definitions from OVAL Definition file. Print result of each definition to standard output. oscap
returns 0 if all definitions pass. If there is an error during evaluation, the return code is 1. If there is at least one failed
result definition, oscap-scan finishes with return code 2.
--id DEFINITION-ID
Evaluate ONLY specified OVAL Definition.
--variables FILE
Provide external variables expected by OVAL Definitions.
--directives FILE
Use OVAL Directives content to specify desired results content.
--results FILE
Write OVAL Results into file.
--report FILE
Create human readable (HTML) report from OVAL Results.
--skip-valid
Do not validate input/output files.
analyse [options] --results FILE definitions-file syschar-file
In this mode, the oscap tool does not perform data collection on the local system, but relies upon the input file, which may have
been generated on another system. The output (OVAL Results) is printed to file specified by --results parameter
--variables FILE
Provide external variables expected by OVAL Definitions.
--directives FILE
Use OVAL Directives content to specify desired results content.
--skip-valid
Do not validate input/output files.
validate-xml [options] definitions-file
Validate given OVAL file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation
succeeds, 1 if validation could not be performed due to some error, 2 if the OVAL document is not valid.
--definitions, --variables, --syschar, --results --directives
Specify whether the validated document is an OVAL Definitions file, external OVAL Variables, OVAL System Characteristics
file, OVAL Results file or OVAL Directives file. Default: definitions.
--schematron
Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower.
generate <submodule> [submodule-specific-options]
Generate another document form an OVAL file.
Available submodules:
report [options] oval-results-file
Generate a formatted HTML page containing visualisation of an OVAL results file. Unless the --output option is specified it
will be written to the standard output.
--output FILE
Write the report to this file instead of standard output.
list-probes [options]
List supported object types (i.e. probes)
--static
List all probes defined in the internal tables.
--dynamic
List all probes supported on the current system (this is default behavior).
--verbose
Be verbose.
XCCDF OPERATIONS
eval [options] xccdf-file [oval-definitions-files]
Perform evaluation driven by XCCDF file and use OVAL as checking engine. Print result of each rule to standard output. oscap returns
0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one failed rule, oscap-scan
finishes with return code 2.
You may specify all required OVAL Definition files as last parameters. If you don't do that, oscap tool will try to load all OVAL
Definition files referenced from XCCDF automaticaly(search in the same path as XCCDF).
--profile PROFILE
Select a particular profile from XCCDF document.
--results FILE
Write XCCDF results into file.
--report FILE
Write HTML report into file. You also have to specify --result for this feature to work.
--oval-results
Generate OVAL Result file for each OVAL session used for evaluation. File with name 'original-oval-definitions-file-
name.result.xml' will be generated for each referenced OVAL file. This option (with conjunction with the --report option)
also enables inclusion of additional OVAL information in the XCCDF report.
--export-variables
Generate OVAL Variables documents which contain external variables' values that were provided to the OVAL checking engine
during evaluation. The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.
--skip-valid
Do not validate input/output files.
resolve -o output-file xccdf-file
Resolve an XCCDF file as described in the XCCDF specification. It will flatten inheritance hierarchy of XCCDF profiles, groups,
rules, and values. Result is another XCCDF document, which will be written to output-file.
--force
Force resolving XCCDF document even if it is already marked as resolved.
validate-xml [options] xccdf-file
Validate given XCCDF file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation
succeeds, 1 if validation could not be performed due to some error, 2 if the XCCDF document is not valid.
export-oval-variables [options] xccdf-file [oval-definitions-files]
Collect all the XCCDF values that would be used by OVAL during evaluation of a certain profile and export them as OVAL external-
variables document(s). The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.
--profile PROFILE
Select a particular profile from XCCDF document.
generate [options] <submodule> [submodule-specific-options]
Generate another document form an XCCDF file such as security guide or result report.
--profile ID
Apply profile with given ID to the Benchmark before further processing takes place.
--format FMT
Specify output format. This option applies only on document generators (i.e. guide, report). Avalable formats: html
(default), docbook.
Available submodules:
guide [options] xccdf-file
Generate a formatted document containing a security guide from a XCCDF Benchmark. Unless the --output option is specified it
will be written to the standard output. Without profile being set only groups (not rules) will be included in the output.
--output FILE
Write the guide to this file instead of standard output.
--hide-profile-info
Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
report [options] xccdf-file
Generate a document containing results of a XCCDF Benchmark execution. Unless the --output option is specified it will be
written to the standard output. ID of the TestResult element to visualise defaults to the most recent result (according to
the end-time attribute).
--output FILE
Write the report to this file instead of standard output.
--result-id ID
ID of the XCCDF TestResult from which the report will be generated.
--show what
Specify what result types shall be displayed in the result report. The default is to show everything except for rules
with results notselected and notapplicable. The what part is a comma-separated list of result types to display in
addition to the default. If result type is prefixed by a dash '-', it will be excluded from the results. If what is
prefixed by an equality sign '=', a following list specifies exactly what rule types to include in the report. Result
types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail.
--oval-template template-string
To use the ability to include additional information from OVAL in xccdf result file, a template which will be used to
obtain OVAL result file names has to be specified. The template can be either a filename or a string containing wild-
card character (percent sign '%'). Wildcard will be replaced by the original OVAL definition file name as referenced
from the XCCDF file. This way it is possible to obtain OVAL information even from XCCDF documents referencing several
OVAL files. To use this option with results from an XCCDF evaluation, specify %.result.xml as a OVAL file name tem-
plate.
fix [options] xccdf-file
Generate a script that shall bring the system to a state of compliance with given XCCDF Benchmark.
--output FILE
Write the report to this file instead of standard output.
--result-id ID
With this option the script generating engine will pick rules that failed for given test and generate fixes only for
them.
--template ID|FILE
Template to be used to generate the script. If it contains a dot '.' it is interpreted as a location of a file with
the template definition. Otherwise it identifies a template from standard set which currently includes: bash (default
if no --template switch present). Brief explanation of the process of writing your own templates is in the XSL file
xsl/fix.xsl in the openscap data directory. You can also take a look at the default template xsl/fixtpl-bash.xml.
CPE OPERATIONS
check name
Check whether name is in correct CPE format.
match name dictionary.xml
Find an exact match of CPE name in the dictionary.
CVSS OPERATIONS
score cvss_vector
Calculate score from a CVSS vector. Prints base score for base CVSS vector, base and temporal score for temporal CVSS vector, base
and temporal and environmental score for environmental CVSS vector.
describe cvss_vector
Describe individual components of a CVSS vector in a human-readable format and print partial scores.
CVSS vector consists of several slash-separated components specified as key-value pairs. Each key can be specified at most once. Valid CVSS
vector has to contain at least base CVSS metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components and possible val-
ues (second column is metric category: B for base, T for temporal, E for environmental):
AV:[L|A|N] B Access vector: Local, Adjacent network, Network
AC:[H|M|L] B Access complexity: High, Medium, Low
AU:[M|S|N] B Required authentication: Multiple instances, Single instance, None
C:[N|P|C] B Confidentiality impact: None, Partial, Complete
I:[N|P|C] B Integrity impact: None, Partial, Complete
A:[N|P|C] B Availability impact: None, Partial, Complete
E:[ND|U|POC|F|H] T Exploitability: Not Defined, Unproven, Proof of Concept, Functional, High
RL:[ND|OF|TF|W|U] T Remediation Level: Not Defined, Official Fix, Temporary Fix, Workaround, Unavailable
RC:[ND|UC|UR|C] T Report Confidence: Not Defined, Unconfirmed, Uncorroborated, Confirmed
CDP:[ND|N|L|LM|MH|H] E Collateral Damage Potential: Not Defined, None, Low, Low-Medium, Medium-High, High
TD:[ND|N|L|M|H] E Target Distribution: Not Defined, None, Low, Medium, High
CR:[ND|L|M|H] E Confidentiality requirement: Not Defined, Low, Medium, High
IR:[ND|L|M|H] E Integrity requirement: Not Defined, Low, Medium, High
AR:[ND|L|M|H] E Availability requirement: Not Defined, Low, Medium, High
CONTENT
National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository
Red Hat content repository - http://www.redhat.com/security/data/oval/
AUTHOR
Peter Vrabec <pvrabec@redhat.com>
Red Hat Jun 2010 OSCAP(8)