Provided by: libopenscap8_1.2.8-1ubuntu0.3_amd64 bug

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION

       oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It
       provides various functions for different SCAP specifications (modules).

       OpenSCAP tool claims to provide capabilities of Authenticated  Configuration  Scanner  and
       Authenticated  Vulnerability Scanner as defined by The National Institute of Standards and
       Technology.

GENERAL OPTIONS

       -V, --version
              Print supported SCAP specification, location of schema files, schematron files, CPE
              files, probes and supported OVAL objects.  Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System

       cve    Common Vulnerabilities and Exposures

INFO OPERATIONS

       any-scap-file.xml
              This  module prints information about SCAP content in a file specified on a command
              line. It determines SCAP content type, specification  version,  date  of  creation,
              date  of  import  and  so on. Info module doesn't require any additional opperation
              switch.

              For XCCDF or Datastream files, info module prints out IDs of incorporated profiles,
              components,  and  datastreams.  These  IDs  can  be  used to specify the target for
              evaluation. Use options --profile, --xccdf-id (or --oval-id),  and  --datastream-id
              respectively.

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of XCCDF document file given as INPUT_FILE. Print result of each
              rule to standard output, including rule title, rule id and security identifier(CVE,
              CCE).  Optionally  you can give a source datastream as the INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is  an  error  during  evaluation,  the
              return code is 1. If there is at least one rule with either fail or unknown result,
              oscap-scan finishes with return code 2.

              Unless --skip-valid  is  used,  the  INPUT_FILE  is  validated  using  XSD  schemas
              (depending on document type of INPUT_FILE) and rejected if invalid.

              You  may specify OVAL Definition files as the last parameter, XCCDF evaluation will
              then proceed only with those specified  files.  Otherwise,  when  oval-definitions-
              files  parameter  is missing, oscap tool will try to load all OVAL Definition files
              referenced from XCCDF automatically (search in the same path as XCCDF).

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --tailoring-file TAILORING_FILE
                     Use  given  file  for  XCCDF  tailoring.  If   both   --tailoring-file   and
                     --tailoring-id are specified, --tailoring-file takes priority!

              --tailoring-id COMPONENT_ID
                     Use  component of given ID (in input source datastream) for XCCDF tailoring.
                     If both --tailoring-file and --tailoring-id are specified, --tailoring files
                     takes priority!

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks. (Some CPE names are provided by openscap, see  oscap  --version  for
                     Inbuilt CPE names)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes  results to a given FILE in Asset Reporting Format. It is recommended
                     to use this option instead of --results when dealing with datastreams.

              --report FILE
                     Write HTML report into FILE. You also have to  specify  --results  for  this
                     feature  to work. Please see --oval-results to enable additional information
                     in the report.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for  evaluation.  File
                     with  name 'original-oval-definitions-filename.result.xml' will be generated
                     for each referenced OVAL file in current working directory. This option  (in
                     conjunction  with  the --report option) also enables inclusion of additional
                     OVAL information in the XCCDF report. To change  the  directory  where  OVAL
                     files are generated change the CWD using the `cd` command.

              --check-engine-results
                     After  evaluation  is  finished, each loaded check engine plugin is asked to
                     export its results. The export itself is plugin specific,  please  refer  to
                     documentation of the plugin for more details.

              --export-variables
                     Generate  OVAL  Variables documents which contain external variables' values
                     that were provided to  the  OVAL  checking  engine  during  evaluation.  The
                     filename      format     is     'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

              --datastream-id ID
                     Uses a  datastream  with  that  particular  ID  from  the  given  datastream
                     collection.  If  not given the first datastream is used. Only applies if you
                     give source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This allows to  select  a
                     particular  XCCDF  component  even  in cases where there are 2 XCCDFs in one
                     datastream. If none is  given,  the  first  component  from  the  checklists
                     element is used.

              --benchmark-id ID
                     Selects a component ref from any datastream that references a component with
                     XCCDF Benchmark such that its @id attribute matches  given  string  exactly.
                     Please  note  that this is not the recommended way of selecting a component-
                     ref. You are advised to  use  --xccdf-id  AND/OR  --datastream-id  for  more
                     precision.   --benchmark-id   is   only   used   when  both  --xccdf-id  and
                     --datastream-id are not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from  XCCDF  by  check-
                     content-ref/@href.

              --remediate
                     Execute  XCCDF  remediation  in the process of XCCDF evaluation. This option
                     automatically executes content of XCCDF fix elements for failed  rules,  and
                     thus this shall be avoided unless for trusted content. Use of this option is
                     always at your own risk.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at specified verbosity level.  VERBOSITY_LEVEL  is  one
                     of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set filename to write additional information.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This  module  provides  post-scan  remediation.  It  assumes that the INPUT_FILE is
              result of `oscap xccdf eval` operation. The  input  file  must  contain  TestResult
              element.  This  module executes XCCDF fix elements for failed rule-result contained
              in the given TestResult. Use of this option is always at your own risk and it shall
              be avoided unless for trusted content.

              --result-id ID
                     ID  of  the XCCDF TestResult element which shall be remedied. If this option
                     is missing the last TestResult (in top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from  XCCDF  by  check-
                     content-ref/@href.

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format. It is  recommended
                     to use this option instead of --results when dealing with datastreams.

              --report FILE
                     Write  HTML  report  into  FILE. You also have to specify --results for this
                     feature to work.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for  evaluation.  File
                     with  name 'original-oval-definitions-filename.result.xml' will be generated
                     for each referenced OVAL  file.  This  option  (with  conjunction  with  the
                     --report  option)  also  enables inclusion of additional OVAL information in
                     the XCCDF report.

              --check-engine-results
                     After evaluation is finished, each loaded check engine plugin  is  asked  to
                     export  its  results.  The export itself is plugin specific, please refer to
                     documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain external  variables'  values
                     that  were  provided  to  the  OVAL  checking  engine during evaluation. The
                     filename     format     is      'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve  an  XCCDF  file  as  described in the XCCDF specification. It will flatten
              inheritance hierarchy of XCCDF profiles,  groups,  rules,  and  values.  Result  is
              another XCCDF document, which will be written to output-file.

              --force
                     Force resolving XCCDF document even if it is already marked as resolved.

       validate [options] xccdf-file
              Validate given XCCDF file against a XML schema. Every found error is printed to the
              standard error. Return code is 0 if validation succeeds, 1 if validation could  not
              be performed due to some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn  on  Schematron-based  validation.  It  is able to find more errors and
                     inconsistencies but is much slower. Schematron is available only  for  XCCDF
                     version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect  all  the  XCCDF  values  that would be used by OVAL during evaluation of a
              certain profile  and  export  them  as  OVAL  external-variables  document(s).  The
              filename   format  is  'original-oval-definitions-filename-session-index.variables-
              variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from  XCCDF  by  check-
                     content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Uses  a  datastream  with  that  particular  ID  from  the  given datastream
                     collection. If not given the first datastream is used. Only applies  if  you
                     give source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Takes  component  ref with given ID from checklists. This allows to select a
                     particular XCCDF component even in cases where there are  2  XCCDFs  in  one
                     datastream.

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks. The variables documents are created only for xccdf:Rules  which  are
                     applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate  another  document  form  an  XCCDF  file such as security guide or result
              report.

              --profile ID
                     Apply profile with given ID to the Benchmark before further processing takes
                     place.

              Available submodules:

              guide [options] xccdf-file
                     Generate  a  formatted  document  containing  a  security guide from a XCCDF
                     Benchmark. Unless the --output option is specified it will be written to the
                     standard  output.  Without profile being set only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard output.

                     --hide-profile-info
                            Information on chosen profile (e.g. rules selected  by  the  profile)
                            will be excluded from the document.

              report [options] xccdf-file
                     Generate  a  document  containing  results  of  a XCCDF Benchmark execution.
                     Unless the --output option is specified it will be written to  the  standard
                     output.  ID  of  the  TestResult  element  to visualise defaults to the most
                     recent result (according to the end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report will be generated.

                     --show what
                            Specify what result types shall be displayed in  the  result  report.
                            The  default  is  to  show  everything  except for rules with results
                            notselected and notapplicable. The what  part  is  a  comma-separated
                            list of result types to display in addition to the default. If result
                            type is prefixed by a dash '-', it will be excluded from the results.
                            If  what  is  prefixed  by  an  equality  sign  '=', a following list
                            specifies exactly what rule types to include in  the  report.  Result
                            types  are:  pass,  fixed,  notchecked,  notapplicable,  notselected,
                            informational, unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional  information  from  OVAL  in
                            xccdf  result  file,  a  template  which  will be used to obtain OVAL
                            result file names has to be specified. The template can be  either  a
                            filename  or  a  string  containing  wildcard character (percent sign
                            '%'). Wildcard will be replaced by the original OVAL definition  file
                            name  as  referenced  from the XCCDF file. This way it is possible to
                            obtain OVAL information even from XCCDF documents referencing several
                            OVAL files. To use this option with results from an XCCDF evaluation,
                            specify %.result.xml as a OVAL file name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state of compliance  with
                     given XCCDF Benchmark.

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            Fixes  will  be  generated  for  failed rule-results of the specified
                            TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it contains a dot  '.'
                            it  is  interpreted  as  a  location  of  a  file  with  the template
                            definition. Otherwise it identifies  a  template  from  standard  set
                            which  currently  includes:  bash  (default  if  no --template switch
                            present). Brief explanation  of  the  process  of  writing  your  own
                            templates  is in the XSL file xsl/legacy-fix.xsl in the openscap data
                            directory.  You  can  also  take  a  look  at  the  default  template
                            xsl/legacy-fixtpl-bash.xml.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on given XSLT file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to format the output.

                     --output FILE
                             Write the document into file.

OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe  the  system  and  evaluate  all definitions from OVAL Definition file. Print
              result of each definition to  standard  output.  The  return  code  is  0  after  a
              successful evaluation. On error, value 1 is returned.

              INPUT_FILE can be either OVAL Definition File or SCAP Source Datastream, it depends
              on used options.

              Unless --skip-valid  is  used,  the  INPUT_FILE  is  validated  using  XSD  schemas
              (depending on document type of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY specified OVAL Definition from OVAL Definition File.

              --variables FILE
                     Provide external variables expected by OVAL Definition File.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Uses  a  datastream  with  that  particular  ID  from  the  given datastream
                     collection. If not given the first datastream is used. Only applies  if  you
                     give source datastream in place of an OVAL file.

              --oval-id ID
                     Takes  component  ref  with  given  ID  from checks. This allows to select a
                     particular OVAL component even in cases where  there  are  2  OVALs  in  one
                     datastream.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn  on  verbose  mode at specified verbosity level. VERBOSITY_LEVEL is one
                     of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set filename to write additional information.

       collect [options] definitions-file
              Probe the system  and  gather  system  characteristics  for  all  objects  in  OVAL
              Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for specified OVAL Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristic into file.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn  on  verbose  mode at specified verbosity level. VERBOSITY_LEVEL is one
                     of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set filename to write additional information.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on the local  system,
              but  relies  upon  the input file, which may have been generated on another system.
              The output (OVAL Results) is printed to file specified by --results parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --skip-valid
                     Do not validate input/output files.

              --verbose VERBOSITY_LEVEL
                     Turn on verbose mode at specified verbosity level.  VERBOSITY_LEVEL  is  one
                     of: DEVEL, INFO, WARNING, ERROR.

              --verbose-log-file FILE
                     Set filename to write additional information.

       validate [options] oval-file
              Validate  given OVAL file against a XML schema. Every found error is printed to the
              standard error. Return code is 0 if validation succeeds, 1 if validation could  not
              be performed due to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results --directives
                     Type  of the OVAL document is automatically detected by default. If you want
                     enforce certain document type, you can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able  to  find  more  errors  and
                     inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document form an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate  a  formatted HTML page containing visualisation of an OVAL results
                     file. Unless the --output option is specified it  will  be  written  to  the
                     standard output.

                     --output FILE
                            Write the report to this file instead of standard output.

       list-probes [options]
              List supported object types (i.e. probes)

              --static
                     List all probes defined in the internal tables.

              --dynamic
                     List all probes supported on the current system (this is default behavior).

              --verbose
                     Be verbose.

CPE OPERATIONS

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of CPE name in the dictionary.

       validate cpe-dict-file
              Validate  given  CPE  dictionary  file  against  a XML schema. Every found error is
              printed to the standard error. Return code  is  0  if  validation  succeeds,  1  if
              validation could not be performed due to some error, 2 if the XCCDF document is not
              valid.

CVSS OPERATIONS

       score cvss_vector
              Calculate score from a CVSS vector. Prints base score for base  CVSS  vector,  base
              and  temporal  score  for temporal CVSS vector, base and temporal and environmental
              score for environmental CVSS vector.

       describe cvss_vector
              Describe individual components of a CVSS vector  in  a  human-readable  format  and
              print partial scores.

       CVSS  vector  consists of several slash-separated components specified as key-value pairs.
       Each key can be specified at most once. Valid CVSS vector has to  contain  at  least  base
       CVSS  metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components and
       possible values (second column is metric category: B for  base,  T  for  temporal,  E  for
       environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent network, Network

              AC:[H|M|L]            B   Access complexity: High, Medium, Low

              AU:[M|S|N]             B    Required  authentication:  Multiple  instances,  Single
              instance, None

              C:[N|P|C]             B   Confidentiality impact: None, Partial, Complete

              I:[N|P|C]             B   Integrity impact: None, Partial, Complete

              A:[N|P|C]             B   Availability impact: None, Partial, Complete

              E:[ND|U|POC|F|H]      T   Exploitability: Not Defined, Unproven, Proof of  Concept,
              Functional, High

              RL:[ND|OF|TF|W|U]      T    Remediation Level: Not Defined, Official Fix, Temporary
              Fix, Workaround, Unavailable

              RC:[ND|UC|UR|C]         T     Report   Confidence:   Not   Defined,    Unconfirmed,
              Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not Defined, None, Low, Low-
              Medium, Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined, None, Low, Medium, High

              CR:[ND|L|M|H]         E   Confidentiality requirement: Not  Defined,  Low,  Medium,
              High

              IR:[ND|L|M|H]         E   Integrity requirement: Not Defined, Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not Defined, Low, Medium, High

DS OPERATIONS

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates  a  source  datastream from the XCCDF file given in SOURCE_XCCDF and stores
              the result in TARGET_SDS. Dependencies like OVAL files are  automatically  detected
              and bundled in target source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds  given  NEW_COMPONENT  file  to the existing source datastream (EXISTING_SDS).
              Component file might be OVAL, XCCDF or CPE Dictionary file. Dependencies like  OVAL
              files are automatically detected  an bundled in target source datastream.

              --datastream-id DATASTREAM_ID
                     Uses  a  datastream  with  that  particular  ID  from  the  given datastream
                     collection. If not given the first datastream is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits given source datastream into multiple files and  stores  all  the  files  in
              TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses  a  datastream  with  that  particular  ID  from  the  given datastream
                     collection. If not given the first datastream is used.

              --xccdf-id XCCDF_ID
                     Takes component ref with given ID from checklists. This allows to  select  a
                     particular  XCCDF  component  even  in cases where there are 2 XCCDFs in one
                     datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-validate SOURCE_DS
              Validate given source datastream file against a XML schema. Every  found  error  is
              printed  to  the  standard  error.  Return  code  is 0 if validation succeeds, 1 if
              validation could not be performed due to some error, 2 if the source datastream  is
              not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes  given  source  datastream,  XCCDF  and  OVAL  results  and  creates a result
              datastream (in Asset Reporting Format) and saves it to file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes given result datastream (also called ARF = asset reporting format) and splits
              given  report  and  its  respective report-request to given target directory. If no
              report-id is given, we assume user wants the first applicable  report  in  top-down
              order in the file.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate  given  result  datastream file against a XML schema. Every found error is
              printed to the standard error. Return code  is  0  if  validation  succeeds,  1  if
              validation  could not be performed due to some error, 2 if the result datastream is
              not valid.

CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find given CVE in data feed and report base score,  vector  string  and  vulnerable
              software list.

EXIT STATUS

       Normally,  the  exit  status is 0 when operation finished successfully and 1 otherwise. In
       cases when oscap performs evaluation of the system it may return 2 indicating  success  of
       the operation but incompliance of the assessed system.

EXAMPLES

       Evaluate  XCCDF  content using CPE dictionary and produce html report. In this case we use
       United States Government Configuration Baseline (USGCB) for Red  Hat  Enterprise  Linux  5
       Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml

CONTENT

        National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

        Red Hat content repository - http://www.redhat.com/security/data/oval/

REPORTING BUGS

       Please report bugs using https://fedorahosted.org/openscap/
       Make sure you include the full output of `oscap --v` in the bug report.

AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>