Provided by: openscap-scanner_1.3.7+dfsg-1build1_amd64 
NAME
oscap - OpenSCAP command line tool
SYNOPSIS
oscap [general-options] module operation [operation-options-and-arguments]
DESCRIPTION
oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It
provides various functions for different SCAP specifications (modules).
OpenSCAP tool claims to provide capabilities of Authenticated Configuration Scanner and
Authenticated Vulnerability Scanner as defined by The National Institute of Standards and
Technology.
GENERAL OPTIONS
-V, --version
Print supported SCAP specifications, location of schema files, schematron files,
CPE files, probes and supported OVAL objects. Displays a list of inbuilt CPE
names.
-h, --help
Help screen.
MODULES
info Determine type and print information about a file.
xccdf The eXtensible Configuration Checklist Description Format.
oval Open Vulnerability and Assessment Language.
ds SCAP Data Stream
cpe Common Platform Enumeration.
cvss Common Vulnerability Scoring System
cve Common Vulnerabilities and Exposures
cvrf Common Vulnerability Reporting Framework
COMMON OPTIONS FOR ALL MODULES
--verbose VERBOSITY_LEVEL
Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of:
DEVEL, INFO, WARNING, ERROR.
--verbose-log-file FILE
Set filename to write additional information.
INFO OPERATIONS
[options] any-scap-file.xml
This module prints information about SCAP content in a file specified on a command
line. It determines SCAP content type, specification version, date of creation,
date of import and so on. Info module doesn't require any additional operation
switch.
For XCCDF or SCAP source data stream files, the info module prints out IDs of
incorporated profiles, components, and data streams. These IDs can be used to
specify the target for evaluation. Use options --profile, --xccdf-id (or --oval-
id), and --datastream-id respectively.
--fetch-remote-resources
Allow download of remote components referenced from data stream.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
--profile PROFILE
Show info of the profile with the given ID.
--profiles
Show profiles from the input file in the <id>:<title> format, one line per
profile.
XCCDF OPERATIONS
eval [options] INPUT_FILE [oval-definitions-files]
Perform evaluation of XCCDF document file given as INPUT_FILE. Print result of each
rule to standard output, including rule title, rule id and security identifier(CVE,
CCE). Optionally you can give an SCAP source data stream as the INPUT_FILE instead
of an XCCDF file (see --datastream-id).
oscap returns 0 if all rules pass. If there is an error during evaluation, the
return code is 1. If there is at least one rule with either fail or unknown result,
oscap finishes with return code 2.
Unless --skip-validation (--skip-valid) is used, the INPUT_FILE is validated using
XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.
You may specify OVAL Definition files as the last parameter, XCCDF evaluation will
then proceed only with those specified files. Otherwise, when oval-definitions-
files parameter is missing, oscap tool will try to load all OVAL Definition files
referenced from XCCDF automatically (search in the same path as XCCDF).
--profile PROFILE
Select a particular profile from XCCDF document. If "(all)" is given a
virtual profile that selects all groups and rules will be used.
--rule RULE
Select a particular rule from XCCDF document. Only this rule will be
evaluated. Any other rules required by this rule won't be evaluated. Rule
will use values according to the selected profile. If no profile is
selected, default values are used. This option can be used multiple times to
specify multiple rules at once.
--skip-rule RULE
Skip a particular rule from XCCDF document. This option can be used multiple
times to skip multiple rules at once.
--tailoring-file TAILORING_FILE
Use given file for XCCDF tailoring. Select profile from tailoring file to
apply using --profile. If both --tailoring-file and --tailoring-id are
specified, --tailoring-file takes priority.
--tailoring-id COMPONENT_REF_ID
Use tailoring component in input source data stream for XCCDF tailoring. The
tailoring component must be specified by its Ref-ID (value of component-
ref/@id attribute in input source data stream). Select profile from
tailoring component to apply using --profile. If both --tailoring-file and
--tailoring-id are specified, --tailoring-file takes priority.
--cpe CPE_FILE
Use given CPE dictionary or language (auto-detected) for applicability
checks. (Some CPE names are provided by openscap, see oscap --version for
inbuilt CPE names)
--results FILE
Write XCCDF results into FILE.
--results-arf FILE
Writes results to a given FILE in Asset Reporting Format. It is recommended
to use this option instead of --results when dealing with data streams.
--stig-viewer FILE
Writes XCCDF results into FILE. The rule result IDs in FILE are modified
according to STIG references in evaluated content. The FILE can be simply
imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-
tools/ for information about DISA STIG Viewer.
--thin-results
Thin Results provides only minimal amount of information in OVAL/ARF
results. The option --without-syschar is automatically enabled when you use
Thin Results.
--without-syschar
Don't provide system characteristics in OVAL/ARF result files.
--report FILE
Write HTML report into FILE.
--oval-results
Generate OVAL Result file for each OVAL session used for evaluation. File
with name 'original-oval-definitions-filename.result.xml' will be generated
for each referenced OVAL file in current working directory. To change the
directory where OVAL files are generated change the CWD using the `cd`
command.
--check-engine-results
After evaluation is finished, each loaded check engine plugin is asked to
export its results. The export itself is plugin specific, please refer to
documentation of the plugin for more details.
--export-variables
Generate OVAL Variables documents which contain external variables' values
that were provided to the OVAL checking engine during evaluation. The
filename format is 'original-oval-definitions-filename-session-
index.variables-variables-index.xml'.
--datastream-id ID
Uses a data stream with that particular ID from the given data stream
collection. If not given the first data stream is used. Only applies if you
give source data stream in place of an XCCDF file.
--xccdf-id ID
Takes component ref with given ID from checklists. This allows one to select
a particular XCCDF component even in cases where there are multiple XCCDFs
in a single data stream. If none is given, the first component from the
checklists element is used.
--benchmark-id ID
Selects a component ref from any data stream that references a component
with XCCDF Benchmark such that its @id attribute matches given string
exactly. Please note that this is not the recommended way of selecting a
component-ref. You are advised to use --xccdf-id AND/OR --datastream-id for
more precision. --benchmark-id is only used when both --xccdf-id and
--datastream-id are not present on the command line!
--skip-valid, --skip-validation
Do not validate input/output files.
--skip-signature-validation
Do not validate digital signatures in digitally signed SCAP source data
streams.
--enforce-signature
Process only digitally signed SCAP source data streams. Data streams without
a signature would be rejected if this switch is used.
--fetch-remote-resources
Allow download of remote OVAL content referenced from XCCDF by check-
content-ref/@href.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
--remediate
Execute XCCDF remediation in the process of XCCDF evaluation. This option
automatically executes content of XCCDF fix elements for failed rules, and
thus this shall be avoided unless for trusted content. Use of this option is
always at your own risk.
remediate [options] INPUT_FILE [oval-definitions-files]
This module provides post-scan remediation. It assumes that the INPUT_FILE is
result of `oscap xccdf eval` operation. The input file must contain TestResult
element. This module executes XCCDF fix elements for failed rule-result contained
in the given TestResult. Use of this option is always at your own risk and it shall
be avoided unless for trusted content.
--result-id ID
ID of the XCCDF TestResult element which shall be remedied. If this option
is missing the last TestResult (in top-down processing) will be remedied.
--skip-valid, --skip-validation
Do not validate input/output files.
--fetch-remote-resources
Allow download of remote OVAL content referenced from XCCDF by check-
content-ref/@href.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
--cpe CPE_FILE
Use given CPE dictionary or language (auto-detected) for applicability
checks.
--results FILE
Write XCCDF results into FILE.
--results-arf FILE
Writes results to a given FILE in Asset Reporting Format. It is recommended
to use this option instead of --results when dealing with data streams.
--stig-viewer FILE
Writes XCCDF results into FILE. The rule result IDs in FILE are modified
according to STIG references in evaluated content. The FILE can be simply
imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-
tools/ for information about DISA STIG Viewer.
--report FILE
Write HTML report into FILE.
--oval-results
Generate OVAL Result file for each OVAL session used for evaluation. File
with name 'original-oval-definitions-filename.result.xml' will be generated
for each referenced OVAL file.
--check-engine-results
After evaluation is finished, each loaded check engine plugin is asked to
export its results. The export itself is plugin specific, please refer to
documentation of the plugin for more details.
--export-variables
Generate OVAL Variables documents which contain external variables' values
that were provided to the OVAL checking engine during evaluation. The
filename format is 'original-oval-definitions-filename-session-
index.variables-variables-index.xml'.
--progress
Switch to sparse output suitable for progress reporting. Format of the
output is "$rule_id:$result\n".
--progress-full
Switch to sparse but a bit more saturated output also suitable for progress
reporting. Format of the output is "$rule_id|$rule_title|$result\n".
resolve -o output-file xccdf-file
Resolve an XCCDF file as described in the XCCDF specification. It will flatten
inheritance hierarchy of XCCDF profiles, groups, rules, and values. Result is
another XCCDF document, which will be written to output-file.
--force
Force resolving XCCDF document even if it is already marked as resolved.
validate [options] xccdf-file
Validate given XCCDF file against a XML schema. Every found error is printed to the
standard error. Return code is 0 if validation succeeds, 1 if validation could not
be performed due to some error, 2 if the XCCDF document is not valid.
--skip-schematron
Turn off Schematron-based validation. It is able to find more errors and
inconsistencies but is much slower. Schematron is available only for XCCDF
version 1.2.
export-oval-variables [options] xccdf-file [oval-definitions-files]
Collect all the XCCDF values that would be used by OVAL during evaluation of a
certain profile and export them as OVAL external-variables document(s). The
filename format is 'original-oval-definitions-filename-session-index.variables-
variables-index.xml'.
--profile PROFILE
Select a particular profile from XCCDF document.
--fetch-remote-resources
Allow download of remote OVAL content referenced from XCCDF by check-
content-ref/@href.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
--skip-valid, --skip-validation
Do not validate input/output files.
--datastream-id ID
Uses a data stream with that particular ID from the given data stream
collection. If not given the first data stream is used. Only applies if you
give an SCAP source data stream in place of an XCCDF file.
--xccdf-id ID
Takes component ref with given ID from checklists. This allows one to select
a particular XCCDF component even in cases where there are 2 XCCDFs in one
data stream.
--benchmark-id ID
Selects a component ref from any data stream that references a component
with XCCDF Benchmark such that its @id attribute matches given string
exactly. Please note that this is not the recommended way of selecting a
component-ref. You are advised to use --xccdf-id AND/OR --datastream-id for
more precision. --benchmark-id is only used when both --xccdf-id and
--datastream-id are not present on the command line!
--cpe CPE_FILE
Use given CPE dictionary or language (auto-detected) for applicability
checks. The variables documents are created only for xccdf:Rules which are
applicable.
generate [options] <submodule> [submodule-specific-options]
Generate another document from an XCCDF file such as security guide or result
report.
--profile ID
Apply profile with given ID to the Benchmark before further processing takes
place.
Available submodules:
guide [options] xccdf-file
Generate a HTML document containing a security guide from an XCCDF
Benchmark. Unless the --output option is specified it will be written to the
standard output. Without profile being set only groups (not rules) will be
included in the output.
--output FILE
Write the guide to this file instead of standard output.
--hide-profile-info
This option has no effect and is kept only for backward compatibility
purposes.
--benchmark-id ID
Selects a component ref from any datastream that references a
component with XCCDF Benchmark such that its @id attribute matches
given string exactly.
--xccdf-id ID
Takes component ref with given ID from checklists. This allows one to
select a particular XCCDF component even in cases where there are
multiple XCCDFs in a single data stream. If none is given, the first
component from the checklists element is used.
--tailoring-file TAILORING_FILE
Use given file for XCCDF tailoring. Select profile from tailoring
file to apply using --profile. If both --tailoring-file and
--tailoring-id are specified, --tailoring-file takes priority.
--tailoring-id COMPONENT_REF_ID
Use tailoring component in input source data stream for XCCDF
tailoring. The tailoring component must be specified by its Ref-ID
(value of component-ref/@id attribute in input source data stream).
Select profile from tailoring component to apply using --profile. If
both --tailoring-file and --tailoring-id are specified, --tailoring-
file takes priority.
--skip-signature-validation
Do not validate digital signatures in digitally signed SCAP source
data streams.
--enforce-signature
Process only digitally signed SCAP source data streams. Data streams
without a signature would be rejected if this switch is used.
report [options] xccdf-file
Generate a HTML document containing results of an XCCDF Benchmark execution.
Unless the --output option is specified it will be written to the standard
output.
--output FILE
Write the report to this file instead of standard output.
--result-id ID
ID of the XCCDF TestResult from which the report will be generated.
--oval-template template-string
To use the ability to include additional information from OVAL in
xccdf result file, a template which will be used to obtain OVAL
result file names has to be specified. The template can be either a
filename or a string containing wildcard character (percent sign
'%'). Wildcard will be replaced by the original OVAL definition file
name as referenced from the XCCDF file. This way it is possible to
obtain OVAL information even from XCCDF documents referencing several
OVAL files. To use this option with results from an XCCDF evaluation,
specify %.result.xml as a OVAL file name template.
--sce-template template-string
To use the ability to include additional information from SCE in
XCCDF result file, a template which will be used to obtain SCE result
file names has to be specified. The template can be either a filename
or a string containing wildcard character (percent sign '%').
Wildcard will be replaced by the original SCE script file name as
referenced from the XCCDF file. This way it is possible to obtain SCE
information even from XCCDF documents referencing several SCE files.
To use this option with results from an XCCDF evaluation, specify
%.result.xml as a SCE file name template.
fix [options] xccdf-file
Generate a script that shall bring the system to a state of compliance with
given XCCDF Benchmark. There are 2 possibilities when generating fixes:
Result-oriented fixes (--result-id) or Profile-oriented fixes (--profile).
Result-oriented takes precedences over Profile-oriented, if result-id is
given, oscap will ignore any profile provided.
Result-oriented fixes are generated using result-id provided to select only
the failing rules from results in xccdf-file, it skips all other rules.
Profile-oriented fixes are generated using all rules within the provided
profile. If no result-id/profile are provided, (default) profile will be
used to generate fixes.
--fix-type TYPE
Specify fix type. There are multiple programming languages in which
the fix script can be generated. TYPE should be one of: bash,
ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default
is bash. This option is mutually exclusive with --template, because
fix type already determines the template URN.
--output FILE
Write the report to this file instead of standard output.
--result-id ID
Fixes will be generated for failed rule-results of the specified
TestResult.
--template ID|FILE
Template to be used to generate the script. If it contains a dot '.'
it is interpreted as a location of a file with the template
definition. Otherwise it identifies a template from standard set
which currently includes: bash (default if no --template switch
present). Brief explanation of the process of writing your own
templates is in the XSL file xsl/legacy-fix.xsl in the openscap data
directory. You can also take a look at the default template
xsl/legacy-fixtpl-bash.xml.
--xccdf-id ID
Takes component ref with given ID from checklists. This allows one to
select a particular XCCDF component even in cases where there are
multiple XCCDFs in a single data stream. If none is given, the first
component from the checklists element is used.
--benchmark-id ID
Selects a component ref from any data stream that references a
component with XCCDF Benchmark such that its @id attribute matches
given string exactly.
--tailoring-file TAILORING_FILE
Use given file for XCCDF tailoring. Select profile from tailoring
file to apply using --profile. If both --tailoring-file and
--tailoring-id are specified, --tailoring-file takes priority.
--tailoring-id COMPONENT_REF_ID
Use tailoring component in input source data stream for XCCDF
tailoring. The tailoring component must be specified by its Ref-ID
(value of component-ref/@id attribute in input source data stream).
Select profile from tailoring component to apply using --profile. If
both --tailoring-file and --tailoring-id are specified, --tailoring-
file takes priority.
--skip-signature-validation
Do not validate digital signatures in digitally signed SCAP source
data streams.
--enforce-signature
Process only digitally signed SCAP source data streams. Data streams
without a signature would be rejected if this switch is used.
custom --stylesheet xslt-file [options] xccdf-file
Generate a custom output (depending on given XSLT file) from an XCCDF file.
--stylesheet FILE
Specify an absolute path to a custom stylesheet to format the output.
--output FILE
Write the document into file.
OVAL OPERATIONS
eval [options] INPUT_FILE
Probe the system and evaluate all definitions from OVAL Definition file. Print
result of each definition to standard output. The return code is 0 after a
successful evaluation. On error, value 1 is returned.
INPUT_FILE can be either OVAL Definition File or SCAP source data stream, it
depends on used options.
Unless --skip-validation (--skip-valid) is used, the INPUT_FILE is validated using
XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.
--id DEFINITION-ID
Evaluate ONLY specified OVAL Definition from OVAL Definition File.
--variables FILE
Provide external variables expected by OVAL Definition File.
--directives FILE
Use OVAL Directives content to specify desired results content.
--without-syschar
Don't provide system characteristics in result file.
--results FILE
Write OVAL Results into file.
--report FILE
Create human readable (HTML) report from OVAL Results.
--datastream-id ID
Uses a data stream with that particular ID from the given data stream
collection. If not given the first data stream is used. Only applies if you
give source data stream in place of an OVAL file.
--oval-id ID
Takes component ref with given ID from checks. This allows one to select a
particular OVAL component even in cases where there are multiple OVALs in a
single data stream.
--skip-valid, --skip-validation
Do not validate input/output files.
--fetch-remote-resources
Allow download of remote components referenced from data stream.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
collect [options] definitions-file
Probe the system and gather system characteristics for all objects in OVAL
Definition file.
--id OBJECT-ID
Collect system characteristics ONLY for specified OVAL Object.
--variables FILE
Provide external variables expected by OVAL Definitions.
--syschar FILE
Write OVAL System Characteristic into file.
--skip-valid, --skip-validation
Do not validate input/output files.
analyse [options] --results FILE definitions-file syschar-file
In this mode, the oscap tool does not perform data collection on the local system,
but relies upon the input file, which may have been generated on another system.
The output (OVAL Results) is printed to file specified by --results parameter.
--variables FILE
Provide external variables expected by OVAL Definitions.
--directives FILE
Use OVAL Directives content to specify desired results content.
--skip-valid, --skip-validation
Do not validate input/output files.
validate [options] oval-file
Validate given OVAL file against a XML schema. Every found error is printed to the
standard error. Return code is 0 if validation succeeds, 1 if validation could not
be performed due to some error, 2 if the OVAL document is not valid.
--definitions, --variables, --syschar, --results --directives
Type of the OVAL document is automatically detected by default. If you want
enforce certain document type, you can use one of these options.
--skip-schematron
Turn off Schematron-based validation. It is able to find more errors and
inconsistencies but is much slower.
generate <submodule> [submodule-specific-options]
Generate another document from an OVAL file.
Available submodules:
report [options] oval-results-file
Generate a formatted HTML page containing visualisation of an OVAL results
file. Unless the --output option is specified it will be written to the
standard output.
--output FILE
Write the report to this file instead of standard output.
CPE OPERATIONS
check name
Check whether name is in correct CPE format.
match name dictionary.xml
Find an exact match of CPE name in the dictionary.
validate cpe-dict-file
Validate given CPE dictionary file against a XML schema. Every found error is
printed to the standard error. Return code is 0 if validation succeeds, 1 if
validation could not be performed due to some error, 2 if the XCCDF document is not
valid.
CVSS OPERATIONS
score cvss_vector
Calculate score from a CVSS vector. Prints base score for base CVSS vector, base
and temporal score for temporal CVSS vector, base and temporal and environmental
score for environmental CVSS vector.
describe cvss_vector
Describe individual components of a CVSS vector in a human-readable format and
print partial scores.
CVSS vector consists of several slash-separated components specified as key-value pairs.
Each key can be specified at most once. Valid CVSS vector has to contain at least base
CVSS metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components and
possible values (second column is metric category: B for base, T for temporal, E for
environmental):
AV:[L|A|N] B Access vector: Local, Adjacent network, Network
AC:[H|M|L] B Access complexity: High, Medium, Low
AU:[M|S|N] B Required authentication: Multiple instances, Single
instance, None
C:[N|P|C] B Confidentiality impact: None, Partial, Complete
I:[N|P|C] B Integrity impact: None, Partial, Complete
A:[N|P|C] B Availability impact: None, Partial, Complete
E:[ND|U|POC|F|H] T Exploitability: Not Defined, Unproven, Proof of Concept,
Functional, High
RL:[ND|OF|TF|W|U] T Remediation Level: Not Defined, Official Fix, Temporary
Fix, Workaround, Unavailable
RC:[ND|UC|UR|C] T Report Confidence: Not Defined, Unconfirmed,
Uncorroborated, Confirmed
CDP:[ND|N|L|LM|MH|H] E Collateral Damage Potential: Not Defined, None, Low, Low-
Medium, Medium-High, High
TD:[ND|N|L|M|H] E Target Distribution: Not Defined, None, Low, Medium, High
CR:[ND|L|M|H] E Confidentiality requirement: Not Defined, Low, Medium,
High
IR:[ND|L|M|H] E Integrity requirement: Not Defined, Low, Medium, High
AR:[ND|L|M|H] E Availability requirement: Not Defined, Low, Medium, High
DS OPERATIONS
sds-compose [options] SOURCE_XCCDF TARGET_SDS
Creates an SCAP source data stream from the XCCDF file given in SOURCE_XCCDF and
stores the result in TARGET_SDS. Dependencies like OVAL files are automatically
detected and bundled in the created source data stream.
--skip-valid, --skip-validation
Do not validate input/output files.
sds-add [options] NEW_COMPONENT EXISTING_SDS
Adds given NEW_COMPONENT file to the existing source data stream (EXISTING_SDS).
Component file might be OVAL, XCCDF or CPE Dictionary file. Dependencies like OVAL
files are automatically detected and bundled in target source data stream.
--datastream-id DATASTREAM_ID
Uses a data stream with that particular ID from the given data stream
collection. If not given the first data stream is used.
--skip-valid, --skip-validation
Do not validate input/output files.
sds-split [options] SOURCE_DS TARGET_DIR
Splits given source data stream into multiple files and stores all the files in
TARGET_DIR.
--datastream-id DATASTREAM_ID
Uses a data stream with that particular ID from the given data stream
collection. If not given the first data stream is used.
--xccdf-id XCCDF_ID
Takes component ref with given ID from checklists. This allows one to select
a particular XCCDF component even in cases where there are multiple XCCDFs
in a single data stream.
--skip-valid, --skip-validation
Do not validate input/output files.
--fetch-remote-resources
Allow download of remote components referenced from data stream.
--local-files DIRECTORY
Instead of downloading remote data stream components from the network, use
data stream components stored locally as files in the given directory. In
place of the remote data stream component OpenSCAP will attempt to use a
file whose file name is equal to @name attribute of the uri element within
the catalog element within the component-ref element in the data stream if
such file exists.
sds-validate SOURCE_DS
Validate given source data stream file against a XML schema. Every found error is
printed to the standard error. Return code is 0 if validation succeeds, 1 if
validation could not be performed due to some error, 2 if the source data stream is
not valid.
rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
Takes given source data stream, XCCDF and OVAL results and creates a result data
stream (in Asset Reporting Format) and saves it to file given in TARGET_ARF.
--skip-valid, --skip-validation
Do not validate input/output files.
rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
Takes given result data stream (also called ARF = asset reporting format) and
splits given report and its respective report-request to given target directory. If
no report-id is given, we assume user wants the first applicable report in top-down
order in the file.
--skip-valid, --skip-validation
Do not validate input/output files.
rds-validate SOURCE_RDS
Validate given result data stream file against a XML schema. Every found error is
printed to the standard error. Return code is 0 if validation succeeds, 1 if
validation could not be performed due to some error, 2 if the result data stream is
not valid.
CVE OPERATIONS
validate cve-nvd-feed.xml
Validate given CVE data feed.
find CVE cve-nvd-feed.xml
Find given CVE in data feed and report base score, vector string and vulnerable
software list.
EXIT STATUS
Normally, the exit status is 0 when operation finished successfully and 1 otherwise. In
cases when oscap performs evaluation of the system it may return 2 indicating success of
the operation but incompliance of the assessed system.
EXAMPLES
Evaluate XCCDF content using CPE dictionary and produce HTML report. In this case we use
United States Government Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5
Desktop.
oscap xccdf eval --fetch-remote-resources --oval-results \
--profile united_states_government_configuration_baseline \
--report usgcb-rhel5desktop.report.html \
--results usgcb-rhel5desktop-xccdf.xml.result.xml \
--cpe usgcb-rhel5desktop-cpe-dictionary.xml \
usgcb-rhel5desktop-xccdf.xml
CONTENT
SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/
National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository
Red Hat CVE content repository - https://www.redhat.com/security/data/metrics/ds/v2/
REPORTING BUGS
Please report bugs using https://github.com/OpenSCAP/openscap/issues
Make sure you include the full output of `oscap --v` in the bug report.
AUTHORS
Peter Vrabec <pvrabec@redhat.com>
Šimon Lukašík
Martin Preisler <mpreisle@redhat.com>