oracular (8) oscap.8.gz

Provided by: openscap-scanner_1.3.10+dfsg-3_amd64 bug

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION

       oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It
       provides various functions for different SCAP specifications (modules).

       OpenSCAP tool claims to provide capabilities of Authenticated  Configuration  Scanner  and
       Authenticated  Vulnerability Scanner as defined by The National Institute of Standards and
       Technology.

GENERAL OPTIONS

       -V, --version
              Print supported SCAP specifications, location of schema  files,  schematron  files,
              CPE  files,  probes  and  supported  OVAL  objects.  Displays a list of inbuilt CPE
              names.

       -h, --help
              Help screen.

MODULES

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System

       cve    Common Vulnerabilities and Exposures

       cvrf   Common Vulnerability Reporting Framework

COMMON OPTIONS FOR ALL MODULES

       --verbose VERBOSITY_LEVEL
              Turn on verbose mode at specified  verbosity  level.  VERBOSITY_LEVEL  is  one  of:
              DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set filename to write additional information.

INFO OPERATIONS

       [options] any-scap-file.xml
              This  module prints information about SCAP content in a file specified on a command
              line. It determines SCAP content type, specification  version,  date  of  creation,
              date  of  import  and  so  on. Info module doesn't require any additional operation
              switch.

              For XCCDF or SCAP source data stream files, the  info  module  prints  out  IDs  of
              incorporated  profiles,  components,  and  data  streams.  These IDs can be used to
              specify the target for evaluation. Use options --profile,  --xccdf-id  (or  --oval-
              id), and --datastream-id respectively.

              --fetch-remote-resources
                     Allow download of remote components referenced from data stream.

              --local-files DIRECTORY
                     Instead  of  downloading remote data stream components from the network, use
                     data stream components stored locally as files in the  given  directory.  In
                     place  of  the  remote  data stream component OpenSCAP will attempt to use a
                     file whose file name is equal to @name attribute of the uri  element  within
                     the  catalog  element within the component-ref element in the data stream if
                     such file exists.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show profiles from the input file in the <id>:<title> format, one  line  per
                     profile.

              --references
                     Show list of references available in each benchmark.

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of XCCDF document file given as INPUT_FILE. Print result of each
              rule to standard output, including rule title, rule id and security identifier(CVE,
              CCE).  Optionally you can give an SCAP source data stream as the INPUT_FILE instead
              of an XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is  an  error  during  evaluation,  the
              return code is 1. If there is at least one rule with either fail or unknown result,
              oscap finishes with return code 2.

              Unless --skip-validation (--skip-valid) is used, the INPUT_FILE is validated  using
              XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.

              You  may specify OVAL Definition files as the last parameter, XCCDF evaluation will
              then proceed only with those specified  files.  Otherwise,  when  oval-definitions-
              files  parameter  is missing, oscap tool will try to load all OVAL Definition files
              referenced from XCCDF automatically (search in the same path as XCCDF).

              --profile PROFILE
                     Select a particular profile from XCCDF  document.  If  "(all)"  is  given  a
                     virtual profile that selects all groups and rules will be used.

              --rule RULE
                     Select  a  particular  rule  from  XCCDF  document.  Only  this rule will be
                     evaluated. Any other rules required by this rule won't  be  evaluated.  Rule
                     will  use  values  according  to  the  selected  profile.  If  no profile is
                     selected, default values are used. This option can be used multiple times to
                     specify multiple rules at once.

              --skip-rule RULE
                     Skip a particular rule from XCCDF document. This option can be used multiple
                     times to skip multiple rules at once.

              --reference NAME:IDENTIFIER
                     Evaluate rules matching the given reference. This  option  can  be  used  to
                     check  for evaluating compliance with a particular policy requirement. Rules
                     that match the reference will be evaluated, other rules will be skipped  and
                     a  result of notselected will be returned. The argument needs to be provided
                     in the form NAME:IDENTIFIER (colon  is  a  separator),  where  NAME  is  the
                     reference  name used as a text of xccdf:reference elements that are child of
                     xccdf:Benchmark element and IDENTIFIER is a text of xccdf:reference  element
                     that  is  child  of a particular xccdf:Rule element which has the same @href
                     value as the  xccdf:reference  element  of  the  NAME  value.  This  feature
                     requires  SCAP  content to be formed in the aforementioned way. For example:
                     --reference "cis:4.1.3.19", --reference "anssi:BP28(R29)" List of references
                     available  in  the given benchmark can be obtained by running the oscap info
                     --references command.

              --tailoring-file TAILORING_FILE
                     Use given file for XCCDF tailoring. Select profile from  tailoring  file  to
                     apply  using  --profile.  If  both  --tailoring-file  and --tailoring-id are
                     specified, --tailoring-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use tailoring component in input source data stream for XCCDF tailoring. The
                     tailoring  component  must  be  specified by its Ref-ID (value of component-
                     ref/@id  attribute  in  input  source  data  stream).  Select  profile  from
                     tailoring  component  to apply using --profile. If both --tailoring-file and
                     --tailoring-id are specified, --tailoring-file takes priority.

              --cpe CPE_FILE
                     Use given CPE  dictionary  or  language  (auto-detected)  for  applicability
                     checks.  (Some  CPE  names are provided by openscap, see oscap --version for
                     inbuilt CPE names)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format. It is  recommended
                     to use this option instead of --results when dealing with data streams.

              --stig-viewer FILE
                     Writes  XCCDF  results  into  FILE. The rule result IDs in FILE are modified
                     according to STIG references in evaluated content. The FILE  can  be  simply
                     imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-
                     tools/ for information about DISA STIG Viewer.

              --thin-results
                     Thin Results  provides  only  minimal  amount  of  information  in  OVAL/ARF
                     results.  The option --without-syschar is automatically enabled when you use
                     Thin Results.

              --without-syschar
                     Don't provide system characteristics in OVAL/ARF result files.

              --report FILE
                     Write HTML report into FILE.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for  evaluation.  File
                     with  name 'original-oval-definitions-filename.result.xml' will be generated
                     for each referenced OVAL file in current working directory.  To  change  the
                     directory  where  OVAL  files  are  generated  change the CWD using the `cd`
                     command.

              --check-engine-results
                     After evaluation is finished, each loaded check engine plugin  is  asked  to
                     export  its  results.  The export itself is plugin specific, please refer to
                     documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain external  variables'  values
                     that  were  provided  to  the  OVAL  checking  engine during evaluation. The
                     filename     format     is      'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

              --datastream-id ID
                     Uses  a  data  stream  with  that  particular  ID from the given data stream
                     collection. If not given the first data stream is used. Only applies if  you
                     give source data stream in place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This allows one to select
                     a particular XCCDF component even in cases where there are  multiple  XCCDFs
                     in  a  single  data  stream.  If none is given, the first component from the
                     checklists element is used.

              --benchmark-id ID
                     Selects a component ref from any data stream  that  references  a  component
                     with  XCCDF  Benchmark  such  that  its  @id  attribute matches given string
                     exactly. Please note that this is not the recommended  way  of  selecting  a
                     component-ref.  You are advised to use --xccdf-id AND/OR --datastream-id for
                     more precision.  --benchmark-id  is  only  used  when  both  --xccdf-id  and
                     --datastream-id are not present on the command line!

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --skip-signature-validation
                     Do  not  validate  digital  signatures  in digitally signed SCAP source data
                     streams.

              --enforce-signature
                     Process only digitally signed SCAP source data streams. Data streams without
                     a signature would be rejected if this switch is used.

              --fetch-remote-resources
                     Allow  download  of  remote  OVAL  content  referenced  from XCCDF by check-
                     content-ref/@href.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components from the  network,  use
                     data  stream  components  stored locally as files in the given directory. In
                     place of the remote data stream component OpenSCAP will  attempt  to  use  a
                     file  whose  file name is equal to @name attribute of the uri element within
                     the catalog element within the component-ref element in the data  stream  if
                     such file exists.

              --remediate
                     Execute  XCCDF  remediation  in the process of XCCDF evaluation. This option
                     automatically executes content of XCCDF fix elements for failed  rules,  and
                     thus this shall be avoided unless for trusted content. Use of this option is
                     always at your own risk.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation.  It  assumes  that  the  INPUT_FILE  is
              result  of  `oscap  xccdf  eval`  operation. The input file must contain TestResult
              element. This module executes XCCDF fix elements for failed  rule-result  contained
              in the given TestResult. Use of this option is always at your own risk and it shall
              be avoided unless for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be remedied. If  this  option
                     is missing the last TestResult (in top-down processing) will be remedied.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow  download  of  remote  OVAL  content  referenced  from XCCDF by check-
                     content-ref/@href.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components from the  network,  use
                     data  stream  components  stored locally as files in the given directory. In
                     place of the remote data stream component OpenSCAP will  attempt  to  use  a
                     file  whose  file name is equal to @name attribute of the uri element within
                     the catalog element within the component-ref element in the data  stream  if
                     such file exists.

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format. It is  recommended
                     to use this option instead of --results when dealing with data streams.

              --stig-viewer FILE
                     Writes  XCCDF  results  into  FILE. The rule result IDs in FILE are modified
                     according to STIG references in evaluated content. The FILE  can  be  simply
                     imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-
                     tools/ for information about DISA STIG Viewer.

              --report FILE
                     Write HTML report into FILE.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for  evaluation.  File
                     with  name 'original-oval-definitions-filename.result.xml' will be generated
                     for each referenced OVAL file.

              --check-engine-results
                     After evaluation is finished, each loaded check engine plugin  is  asked  to
                     export  its  results.  The export itself is plugin specific, please refer to
                     documentation of the plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain external  variables'  values
                     that  were  provided  to  the  OVAL  checking  engine during evaluation. The
                     filename     format     is      'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

              --progress
                     Switch  to  sparse  output  suitable  for  progress reporting. Format of the
                     output is "$rule_id:$result\n".

              --progress-full
                     Switch to sparse but a bit more saturated output also suitable for  progress
                     reporting. Format of the output is "$rule_id|$rule_title|$result\n".

       resolve -o output-file xccdf-file
              Resolve  an  XCCDF  file  as  described in the XCCDF specification. It will flatten
              inheritance hierarchy of XCCDF profiles,  groups,  rules,  and  values.  Result  is
              another XCCDF document, which will be written to output-file.

              --force
                     Force resolving XCCDF document even if it is already marked as resolved.

       validate [options] xccdf-file
              Validate given XCCDF file against a XML schema. Every found error is printed to the
              standard error. Return code is 0 if validation succeeds, 1 if validation could  not
              be performed due to some error, 2 if the XCCDF document is not valid.

              --skip-schematron
                     Turn  off  Schematron-based  validation.  It is able to find more errors and
                     inconsistencies but is much slower. Schematron is available only  for  XCCDF
                     version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect  all  the  XCCDF  values  that would be used by OVAL during evaluation of a
              certain profile  and  export  them  as  OVAL  external-variables  document(s).  The
              filename   format  is  'original-oval-definitions-filename-session-index.variables-
              variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from  XCCDF  by  check-
                     content-ref/@href.

              --local-files DIRECTORY
                     Instead  of  downloading remote data stream components from the network, use
                     data stream components stored locally as files in the  given  directory.  In
                     place  of  the  remote  data stream component OpenSCAP will attempt to use a
                     file whose file name is equal to @name attribute of the uri  element  within
                     the  catalog  element within the component-ref element in the data stream if
                     such file exists.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --datastream-id ID
                     Uses a data stream with that  particular  ID  from  the  given  data  stream
                     collection.  If not given the first data stream is used. Only applies if you
                     give an SCAP source data stream in place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This allows one to select
                     a  particular  XCCDF component even in cases where there are 2 XCCDFs in one
                     data stream.

              --benchmark-id ID
                     Selects a component ref from any data stream  that  references  a  component
                     with  XCCDF  Benchmark  such  that  its  @id  attribute matches given string
                     exactly. Please note that this is not the recommended  way  of  selecting  a
                     component-ref.  You are advised to use --xccdf-id AND/OR --datastream-id for
                     more precision.  --benchmark-id  is  only  used  when  both  --xccdf-id  and
                     --datastream-id are not present on the command line!

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks. The variables documents are created only for xccdf:Rules  which  are
                     applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate  another  document  from  an  XCCDF  file such as security guide or result
              report.

              --profile ID
                     Apply profile with given ID to the Benchmark before further processing takes
                     place.

              Available submodules:

              guide [options] xccdf-file
                     Generate  a  HTML  document  containing  a  security  guide  from  an  XCCDF
                     Benchmark. Unless the --output option is specified it will be written to the
                     standard  output.  Without profile being set only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard output.

                     --hide-profile-info
                            This option has no effect and is kept only for backward compatibility
                            purposes.

                     --benchmark-id ID
                            Selects  a  component  ref  from  any  datastream  that  references a
                            component with XCCDF Benchmark such that its  @id  attribute  matches
                            given string exactly.

                     --xccdf-id ID
                            Takes component ref with given ID from checklists. This allows one to
                            select a particular XCCDF component even in  cases  where  there  are
                            multiple  XCCDFs in a single data stream. If none is given, the first
                            component from the checklists element is used.

                     --tailoring-file TAILORING_FILE
                            Use given file for XCCDF tailoring.  Select  profile  from  tailoring
                            file   to   apply  using  --profile.  If  both  --tailoring-file  and
                            --tailoring-id are specified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use tailoring  component  in  input  source  data  stream  for  XCCDF
                            tailoring.  The  tailoring  component must be specified by its Ref-ID
                            (value of component-ref/@id attribute in input source  data  stream).
                            Select  profile from tailoring component to apply using --profile. If
                            both --tailoring-file and --tailoring-id are specified,  --tailoring-
                            file takes priority.

                     --skip-signature-validation
                            Do  not  validate  digital signatures in digitally signed SCAP source
                            data streams.

                     --enforce-signature
                            Process only digitally signed SCAP source data streams. Data  streams
                            without a signature would be rejected if this switch is used.

              report [options] xccdf-file
                     Generate a HTML document containing results of an XCCDF Benchmark execution.
                     Unless the --output option is specified it will be written to  the  standard
                     output.

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report will be generated.

                     --oval-template template-string
                            To  use  the  ability  to include additional information from OVAL in
                            xccdf result file, a template which  will  be  used  to  obtain  OVAL
                            result  file  names has to be specified. The template can be either a
                            filename or a string  containing  wildcard  character  (percent  sign
                            '%').  Wildcard will be replaced by the original OVAL definition file
                            name as referenced from the XCCDF file. This way it  is  possible  to
                            obtain OVAL information even from XCCDF documents referencing several
                            OVAL files. To use this option with results from an XCCDF evaluation,
                            specify %.result.xml as a OVAL file name template.

                     --sce-template template-string
                            To  use  the  ability  to  include additional information from SCE in
                            XCCDF result file, a template which will be used to obtain SCE result
                            file names has to be specified. The template can be either a filename
                            or  a  string  containing  wildcard  character  (percent  sign  '%').
                            Wildcard  will  be  replaced  by the original SCE script file name as
                            referenced from the XCCDF file. This way it is possible to obtain SCE
                            information  even from XCCDF documents referencing several SCE files.
                            To use this option with results from  an  XCCDF  evaluation,  specify
                            %.result.xml as a SCE file name template.

              fix [options] xccdf-file
                     Generate  a script that shall bring the system to a state of compliance with
                     given XCCDF Benchmark. There are  2  possibilities  when  generating  fixes:
                     Result-oriented  fixes  (--result-id) or Profile-oriented fixes (--profile).
                     Result-oriented takes precedences over  Profile-oriented,  if  result-id  is
                     given, oscap will ignore any profile provided.

                     Result-oriented  fixes are generated using result-id provided to select only
                     the failing rules from results in xccdf-file, it skips all other rules.

                     Profile-oriented fixes are generated using all  rules  within  the  provided
                     profile.  If  no  result-id/profile  are provided, (default) profile will be
                     used to generate fixes.

                     --fix-type TYPE
                            Specify fix type. There are multiple programming languages  in  which
                            the  fix  script  can  be  generated.  TYPE  should  be one of: bash,
                            ansible, puppet, anaconda, ignition, kubernetes,  blueprint.  Default
                            is  bash.  This option is mutually exclusive with --template, because
                            fix type already determines the template URN.

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            Fixes will be generated for  failed  rule-results  of  the  specified
                            TestResult.

                     --template ID|FILE
                            Template  to be used to generate the script. If it contains a dot '.'
                            it is  interpreted  as  a  location  of  a  file  with  the  template
                            definition.  Otherwise  it  identifies  a  template from standard set
                            which currently includes:  bash  (default  if  no  --template  switch
                            present).  Brief  explanation  of  the  process  of  writing your own
                            templates is in the XSL file xsl/legacy-fix.xsl in the openscap  data
                            directory.  You  can  also  take  a  look  at  the  default  template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Takes component ref with given ID from checklists. This allows one to
                            select  a  particular  XCCDF  component even in cases where there are
                            multiple XCCDFs in a single data stream. If none is given, the  first
                            component from the checklists element is used.

                     --benchmark-id ID
                            Selects  a  component  ref  from  any  data  stream that references a
                            component with XCCDF Benchmark such that its  @id  attribute  matches
                            given string exactly.

                     --tailoring-file TAILORING_FILE
                            Use  given  file  for  XCCDF tailoring. Select profile from tailoring
                            file  to  apply  using  --profile.  If  both   --tailoring-file   and
                            --tailoring-id are specified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use  tailoring  component  in  input  source  data  stream  for XCCDF
                            tailoring. The tailoring component must be specified  by  its  Ref-ID
                            (value  of  component-ref/@id attribute in input source data stream).
                            Select profile from tailoring component to apply using --profile.  If
                            both  --tailoring-file and --tailoring-id are specified, --tailoring-
                            file takes priority.

                     --skip-signature-validation
                            Do not validate digital signatures in digitally  signed  SCAP  source
                            data streams.

                     --enforce-signature
                            Process  only digitally signed SCAP source data streams. Data streams
                            without a signature would be rejected if this switch is used.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on given XSLT file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to format the output.

                     --output FILE
                             Write the document into file.

OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions  from  OVAL  Definition  file.  Print
              result  of  each  definition  to  standard  output.  The  return  code is 0 after a
              successful evaluation. On error, value 1 is returned.

              INPUT_FILE can be either OVAL Definition  File  or  SCAP  source  data  stream,  it
              depends on used options.

              Unless  --skip-validation (--skip-valid) is used, the INPUT_FILE is validated using
              XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY specified OVAL Definition from OVAL Definition File.

              --variables FILE
                     Provide external variables expected by OVAL Definition File.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --without-syschar
                     Don't provide system characteristics in result file.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Uses a data stream with that  particular  ID  from  the  given  data  stream
                     collection.  If not given the first data stream is used. Only applies if you
                     give source data stream in place of an OVAL file.

              --oval-id ID
                     Takes component ref with given ID from checks. This allows one to  select  a
                     particular  OVAL component even in cases where there are multiple OVALs in a
                     single data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from data stream.

              --local-files DIRECTORY
                     Instead of downloading remote data stream components from the  network,  use
                     data  stream  components  stored locally as files in the given directory. In
                     place of the remote data stream component OpenSCAP will  attempt  to  use  a
                     file  whose  file name is equal to @name attribute of the uri element within
                     the catalog element within the component-ref element in the data  stream  if
                     such file exists.

       collect [options] definitions-file
              Probe  the  system  and  gather  system  characteristics  for  all  objects in OVAL
              Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for specified OVAL Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristic into file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on the local  system,
              but  relies  upon  the input file, which may have been generated on another system.
              The output (OVAL Results) is printed to file specified by --results parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       validate [options] oval-file
              Validate given OVAL file against a XML schema. Every found error is printed to  the
              standard  error. Return code is 0 if validation succeeds, 1 if validation could not
              be performed due to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results --directives
                     Type of the OVAL document is automatically detected by default. If you  want
                     enforce certain document type, you can use one of these options.

              --skip-schematron
                     Turn  off  Schematron-based  validation.  It is able to find more errors and
                     inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing visualisation of an  OVAL  results
                     file.  Unless  the  --output  option  is specified it will be written to the
                     standard output.

                     --output FILE
                            Write the report to this file instead of standard output.

CPE OPERATIONS

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of CPE name in the dictionary.

       validate cpe-dict-file
              Validate given CPE dictionary file against a  XML  schema.  Every  found  error  is
              printed  to  the  standard  error.  Return  code  is 0 if validation succeeds, 1 if
              validation could not be performed due to some error, 2 if the XCCDF document is not
              valid.

CVSS OPERATIONS

       score cvss_vector
              Calculate  score  from  a CVSS vector. Prints base score for base CVSS vector, base
              and temporal score for temporal CVSS vector, base and  temporal  and  environmental
              score for environmental CVSS vector.

       describe cvss_vector
              Describe  individual  components  of  a  CVSS vector in a human-readable format and
              print partial scores.

       CVSS vector consists of several slash-separated components specified as  key-value  pairs.
       Each  key  can  be  specified at most once. Valid CVSS vector has to contain at least base
       CVSS metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components  and
       possible  values  (second  column  is  metric  category: B for base, T for temporal, E for
       environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent network, Network

              AC:[H|M|L]            B   Access complexity: High, Medium, Low

              AU:[M|S|N]             B    Required  authentication:  Multiple  instances,  Single
              instance, None

              C:[N|P|C]             B   Confidentiality impact: None, Partial, Complete

              I:[N|P|C]             B   Integrity impact: None, Partial, Complete

              A:[N|P|C]             B   Availability impact: None, Partial, Complete

              E:[ND|U|POC|F|H]       T   Exploitability: Not Defined, Unproven, Proof of Concept,
              Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined, Official  Fix,  Temporary
              Fix, Workaround, Unavailable

              RC:[ND|UC|UR|C]          T     Report   Confidence:   Not   Defined,   Unconfirmed,
              Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not Defined, None, Low, Low-
              Medium, Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined, None, Low, Medium, High

              CR:[ND|L|M|H]          E    Confidentiality  requirement: Not Defined, Low, Medium,
              High

              IR:[ND|L|M|H]         E   Integrity requirement: Not Defined, Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not Defined, Low, Medium, High

DS OPERATIONS

       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates an SCAP source data stream from the XCCDF file given  in  SOURCE_XCCDF  and
              stores  the  result  in  TARGET_SDS. Dependencies like OVAL files are automatically
              detected and bundled in the created source data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds given NEW_COMPONENT file to the existing source  data  stream  (EXISTING_SDS).
              Component  file might be OVAL, XCCDF or CPE Dictionary file. Dependencies like OVAL
              files are automatically detected and bundled in target source data stream.

              --datastream-id DATASTREAM_ID
                     Uses a data stream with that  particular  ID  from  the  given  data  stream
                     collection. If not given the first data stream is used.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits  given  source  data  stream into multiple files and stores all the files in
              TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses a data stream with that  particular  ID  from  the  given  data  stream
                     collection. If not given the first data stream is used.

              --xccdf-id XCCDF_ID
                     Takes component ref with given ID from checklists. This allows one to select
                     a particular XCCDF component even in cases where there are  multiple  XCCDFs
                     in a single data stream.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote components referenced from data stream.

              --local-files DIRECTORY
                     Instead  of  downloading remote data stream components from the network, use
                     data stream components stored locally as files in the  given  directory.  In
                     place  of  the  remote  data stream component OpenSCAP will attempt to use a
                     file whose file name is equal to @name attribute of the uri  element  within
                     the  catalog  element within the component-ref element in the data stream if
                     such file exists.

       sds-validate SOURCE_DS
              Validate given source data stream file against a XML schema. Every found  error  is
              printed  to  the  standard  error.  Return  code  is 0 if validation succeeds, 1 if
              validation could not be performed due to some error, 2 if the source data stream is
              not valid.

       rds-create [options] SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes  given  source  data stream, XCCDF and OVAL results and creates a result data
              stream (in Asset Reporting Format) and saves it to file given in TARGET_ARF.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes given result data stream (also called  ARF  =  asset  reporting  format)  and
              splits given report and its respective report-request to given target directory. If
              no report-id is given, we assume user wants the first applicable report in top-down
              order in the file.

              --skip-valid, --skip-validation
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate  given  result data stream file against a XML schema. Every found error is
              printed to the standard error. Return code  is  0  if  validation  succeeds,  1  if
              validation could not be performed due to some error, 2 if the result data stream is
              not valid.

CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find given CVE in data feed and report base score,  vector  string  and  vulnerable
              software list.

EXIT STATUS

       Normally,  the  exit  status is 0 when operation finished successfully and 1 otherwise. In
       cases when oscap performs evaluation of the system it may return 2 indicating  success  of
       the operation but incompliance of the assessed system.

EXAMPLES

       Evaluate  XCCDF  content using CPE dictionary and produce HTML report. In this case we use
       United States Government Configuration Baseline (USGCB) for Red  Hat  Enterprise  Linux  5
       Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml

CONTENT

        SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

        National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

        Red Hat CVE content repository - https://www.redhat.com/security/data/metrics/ds/v2/

REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug report.

AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>