Provided by: libopenscap8_1.0.2-1_amd64 bug

NAME

       oscap - OpenSCAP command line tool

SYNOPSIS

       oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION

       oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It
       provides various functions for different SCAP specifications(modules).

       OpenSCAP tool claims to provide capabilities of Authenticated  Configuration  Scanner  and
       Authenticated  Vulnerability Scanner as defined by The National Institute of Standards and
       Technology.

GENERAL OPTIONS

       -V, --version
              Print supported SCAP specification, location of schema files, schematron files, CPE
              files, probes and supported OVAL objects.  Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.

MODULES

       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System

       cve    Common Vulnerabilities and Exposures

INFO OPERATIONS

       any-scap-file.xml
              This  module prints information about SCAP content in a file specified on a command
              line. It determines SCAP content type, specification  version,  date  of  creation,
              date  of  import  and  so on. Info module doesn't require any additional opperation
              switch.

              For XCCDF or Datastream files, info module prints out IDs of incorporated profiles,
              components,  and  datastreams.  These  IDs  can  be  used to specify the target for
              evaluation. Use options --profile, --xccdf-id (or --oval-id),  and  --datastream-id
              respectively.

XCCDF OPERATIONS

       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of XCCDF document file given as INPUT_FILE. Print result of each
              rule to standard output, including rule title, rule id and security identifier(CVE,
              CCE).  Optionally  you can give a source datastream as the INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is  an  error  during  evaluation,  the
              return code is 1. If there is at least one rule with either fail or unknown result,
              oscap-scan finishes with return code 2.

              Unless --skip-valid  is  used,  the  INPUT_FILE  is  validated  using  XSD  schemas
              (depending on document type of INPUT_FILE) and rejected if invalid.

              You  may specify OVAL Definition files as the last parameter, XCCDF evaluation will
              then proceed only with those specified  files.  Otherwise,  when  oval-definitions-
              files  parameter  is missing, oscap tool will try to load all OVAL Definition files
              referenced from XCCDF automatically (search in the same path as XCCDF).

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --tailoring-file TAILORING_FILE
                     Use  given  file  for  XCCDF  tailoring.  If   both   --tailoring-file   and
                     --tailoring-id are specified, --tailoring files takes priority!

              --tailoring-id COMPONENT_ID
                     Use  component of given ID (in input source datastream) for XCCDF tailoring.
                     If both --tailoring-file and --tailoring-id are specified, --tailoring files
                     takes priority!

              --cpe CPE_FILE
                     Use  given  CPE  dictionary  or  language  (auto-detected) for applicability
                     checks. (Some CPE names are provided by openscap, see  oscap  --version  for
                     Inbuilt CPE names)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes  results to a given FILE in Asset Reporting Format. It is recommended
                     to use this option instead of --results when dealing with datastreams.

              --report FILE
                     Write HTML report into FILE. You also have to  specify  --results  for  this
                     feature  to work. Please see --oval-results to enable additional information
                     in the report.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for  evaluation.  File
                     with  name 'original-oval-definitions-filename.result.xml' will be generated
                     for each referenced OVAL file in current working directory. This option  (in
                     conjunction  with  the --report option) also enables inclusion of additional
                     OVAL information in the XCCDF report. To change  the  directory  where  OVAL
                     files are generated change the CWD using the `cd` command.

              --check-engine-results
                     After  evaluation  is  finished, each loaded check engine plugin is asked to
                     export its results. The export itself is plugin specific,  please  refer  to
                     documentation of the plugin for more details.

              --export-variables
                     Generate  OVAL  Variables documents which contain external variables' values
                     that were provided to  the  OVAL  checking  engine  during  evaluation.  The
                     filename      format     is     'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

              --datastream-id ID
                     Uses a  datastream  with  that  particular  ID  from  the  given  datastream
                     collection.  If  not given the first datastream is used. Only applies if you
                     give source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This allows to  select  a
                     particular  XCCDF  component  even  in cases where there are 2 XCCDFs in one
                     datastream. If none is  given,  the  first  component  from  the  checklists
                     element is used.

              --benchmark-id ID
                     Selects a component ref from any datastream that references a component with
                     XCCDF Benchmark such that its @id attribute matches  given  string  exactly.
                     Please  note  that this is not the recommended way of selecting a component-
                     ref. You are advised to  use  --xccdf-id  AND/OR  --datastream-id  for  more
                     precision.   --benchmark-id   is   only   used   when  both  --xccdf-id  and
                     --datastream-id are not present on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from  XCCDF  by  check-
                     content-ref/@href.

              --remediate
                     Execute  XCCDF remediatation in the process of XCCDF evaluation. This option
                     automatically executes content of XCCDF fix elements for failed  rules,  and
                     thus this shall be avoided unless for trusted content. Use of this option is
                     always at your own risk.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This module provides post-scan remediation.  It  assumes  that  the  INPUT_FILE  is
              result  of  `oscap  xccdf  eval`  operation. The input file must contain TestResult
              element. This module executes XCCDF fix elements for failed  rule-result  contained
              in the given TestResult. Use of this option is always at your own risk and it shall
              be avoided unless for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall be remediated. If this option
                     is missing the last TestResult (in top-down processing) will be remediated.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow  download  of  remote  OVAL  content  referenced  from XCCDF by check-
                     content-ref/@href.

              --cpe CPE_FILE
                     Use given CPE  dictionary  or  language  (auto-detected)  for  applicability
                     checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes  results to a given FILE in Asset Reporting Format. It is recommended
                     to use this option instead of --results when dealing with datastreams.

              --report FILE
                     Write HTML report into FILE. You also have to  specify  --results  for  this
                     feature to work.

              --oval-results
                     Generate  OVAL  Result  file for each OVAL session used for evaluation. File
                     with name 'original-oval-definitions-filename.result.xml' will be  generated
                     for  each  referenced  OVAL  file.  This  option  (with conjunction with the
                     --report option) also enables inclusion of additional  OVAL  information  in
                     the XCCDF report.

              --check-engine-results
                     After  evaluation  is  finished, each loaded check engine plugin is asked to
                     export its results. The export itself is plugin specific,  please  refer  to
                     documentation of the plugin for more details.

              --export-variables
                     Generate  OVAL  Variables documents which contain external variables' values
                     that were provided to  the  OVAL  checking  engine  during  evaluation.  The
                     filename      format     is     'original-oval-definitions-filename-session-
                     index.variables-variables-index.xml'.

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the  XCCDF  specification.  It  will  flatten
              inheritance  hierarchy  of  XCCDF  profiles,  groups,  rules, and values. Result is
              another XCCDF document, which will be written to output-file.

              --force
                     Force resolving XCCDF document even if it is already marked as resolved.

       validate [options] xccdf-file
              Validate given XCCDF file against a XML schema. Every found error is printed to the
              standard  error. Return code is 0 if validation succeeds, 1 if validation could not
              be performed due to some error, 2 if the XCCDF document is not valid.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect all the XCCDF values that would be used by  OVAL  during  evaluation  of  a
              certain  profile  and  export  them  as  OVAL  external-variables  document(s). The
              filename  format  is   'original-oval-definitions-filename-session-index.variables-
              variables-index.xml'.

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --fetch-remote-resources
                     Allow  download  of  remote  OVAL  content  referenced  from XCCDF by check-
                     content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Uses a  datastream  with  that  particular  ID  from  the  given  datastream
                     collection.  If  not given the first datastream is used. Only applies if you
                     give source datastream in place of an XCCDF file.

              --xccdf-id ID
                     Takes component ref with given ID from checklists. This allows to  select  a
                     particular  XCCDF  component  even  in cases where there are 2 XCCDFs in one
                     datastream.

              --cpe CPE_FILE
                     Use given CPE  dictionary  or  language  (auto-detected)  for  applicability
                     checks.  The  variables documents are created only for xccdf:Rules which are
                     applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate another document form an XCCDF file  such  as  security  guide  or  result
              report.

              --profile ID
                     Apply profile with given ID to the Benchmark before further processing takes
                     place.

              --format FMT
                     Specify output format. This option applies only on document generators (i.e.
                     guide, report). Available formats: html (default), docbook.

              Available submodules:

              guide [options] xccdf-file
                     Generate  a  formatted  document  containing  a  security guide from a XCCDF
                     Benchmark. Unless the --output option is specified it will be written to the
                     standard  output.  Without profile being set only groups (not rules) will be
                     included in the output.

                     --output FILE
                            Write the guide to this file instead of standard output.

                     --hide-profile-info
                            Information on chosen profile (e.g. rules selected  by  the  profile)
                            will be excluded from the document.

              report [options] xccdf-file
                     Generate  a  document  containing  results  of  a XCCDF Benchmark execution.
                     Unless the --output option is specified it will be written to  the  standard
                     output.  ID  of  the  TestResult  element  to visualise defaults to the most
                     recent result (according to the end-time attribute).

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            ID of the XCCDF TestResult from which the report will be generated.

                     --show what
                            Specify what result types shall be displayed in  the  result  report.
                            The  default  is  to  show  everything  except for rules with results
                            notselected and notapplicable. The what  part  is  a  comma-separated
                            list of result types to display in addition to the default. If result
                            type is prefixed by a dash '-', it will be excluded from the results.
                            If  what  is  prefixed  by  an  equality  sign  '=', a following list
                            specifies exactly what rule types to include in  the  report.  Result
                            types  are:  pass,  fixed,  notchecked,  notapplicable,  notselected,
                            informational, unknown, error, fail.

                     --oval-template template-string
                            To use the ability to include additional  information  from  OVAL  in
                            xccdf  result  file,  a  template  which  will be used to obtain OVAL
                            result file names has to be specified. The template can be  either  a
                            filename  or  a  string  containing  wildcard character (percent sign
                            '%'). Wildcard will be replaced by the original OVAL definition  file
                            name  as  referenced  from the XCCDF file. This way it is possible to
                            obtain OVAL information even from XCCDF documents referencing several
                            OVAL files. To use this option with results from an XCCDF evaluation,
                            specify %.result.xml as a OVAL file name template.

              fix [options] xccdf-file
                     Generate a script that shall bring the system to a state of compliance  with
                     given XCCDF Benchmark.

                     --output FILE
                            Write the report to this file instead of standard output.

                     --result-id ID
                            Fixes  will  be  generated  for  failed rule-results of the specified
                            TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If it contains a dot  '.'
                            it  is  interpreted  as  a  location  of  a  file  with  the template
                            definition. Otherwise it identifies  a  template  from  standard  set
                            which  currently  includes:  bash  (default  if  no --template switch
                            present). Brief explanation  of  the  process  of  writing  your  own
                            templates  is  in  the  XSL  file  xsl/fix.xsl  in  the openscap data
                            directory.  You  can  also  take  a  look  at  the  default  template
                            xsl/fixtpl-bash.xml.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on given XSLT file) from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to format the output.

                     --output FILE
                             Write the document into file.

OVAL OPERATIONS

       eval [options] INPUT_FILE
              Probe  the  system  and  evaluate  all definitions from OVAL Definition file. Print
              result of each definition to  standard  output.  The  return  code  is  0  after  a
              successful evaluation. On error, value 1 is returned.

              INPUT_FILE can be either OVAL Definition File or SCAP Source Datastream, it depends
              on used options.

              Unless --skip-valid  is  used,  the  INPUT_FILE  is  validated  using  XSD  schemas
              (depending on document type of INPUT_FILE) and rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY specified OVAL Definition from OVAL Definition File.

              --variables FILE
                     Provide external variables expected by OVAL Definition File.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Uses  a  datastream  with  that  particular  ID  from  the  given datastream
                     collection. If not given the first datastream is used. Only applies  if  you
                     give source datastream in place of an OVAL file.

              --oval-id ID
                     Takes  component  ref  with  given  ID  from checks. This allows to select a
                     particular OVAL component even in cases where  there  are  2  OVALs  in  one
                     datastream.

              --skip-valid
                     Do not validate input/output files.

       collect [options] definitions-file
              Probe  the  system  and  gather  system  characteristics  for  all  objects in OVAL
              Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY for specified OVAL Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristic into file.

              --skip-valid
                     Do not validate input/output files.

       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on the local  system,
              but  relies  upon  the input file, which may have been generated on another system.
              The output (OVAL Results) is printed to file specified by --results parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to specify desired results content.

              --skip-valid
                     Do not validate input/output files.

       validate [options] oval-file
              Validate given OVAL file against a XML schema. Every found error is printed to  the
              standard  error. Return code is 0 if validation succeeds, 1 if validation could not
              be performed due to some error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results --directives
                     Type of the OVAL document is automatically detected by default. If you  want
                     enforce certain document type, you can use one of these options.

              --schematron
                     Turn  on  Schematron-based  validation.  It  is able to find more errors and
                     inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document form an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate a formatted HTML page containing visualisation of an  OVAL  results
                     file.  Unless  the  --output  option  is specified it will be written to the
                     standard output.

                     --output FILE
                            Write the report to this file instead of standard output.

       list-probes [options]
              List supported object types (i.e. probes)

              --static
                     List all probes defined in the internal tables.

              --dynamic
                     List all probes supported on the current system (this is default behavior).

              --verbose
                     Be verbose.

CPE OPERATIONS

       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of CPE name in the dictionary.

       validate cpe-dict-file
              Validate given CPE dictionary file against a  XML  schema.  Every  found  error  is
              printed  to  the  standard  error.  Return  code  is 0 if validation succeeds, 1 if
              validation could not be performed due to some error, 2 if the XCCDF document is not
              valid.

CVSS OPERATIONS

       score cvss_vector
              Calculate  score  from  a CVSS vector. Prints base score for base CVSS vector, base
              and temporal score for temporal CVSS vector, base and  temporal  and  environmental
              score for environmental CVSS vector.

       describe cvss_vector
              Describe  individual  components  of  a  CVSS vector in a human-readable format and
              print partial scores.

       CVSS vector consists of several slash-separated components specified as  key-value  pairs.
       Each  key  can  be  specified at most once. Valid CVSS vector has to contain at least base
       CVSS metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components  and
       possible  values  (second  column  is  metric  category: B for base, T for temporal, E for
       environmental):

              AV:[L|A|N]            B   Access vector: Local, Adjacent network, Network

              AC:[H|M|L]            B   Access complexity: High, Medium, Low

              AU:[M|S|N]             B    Required  authentication:  Multiple  instances,  Single
              instance, None

              C:[N|P|C]             B   Confidentiality impact: None, Partial, Complete

              I:[N|P|C]             B   Integrity impact: None, Partial, Complete

              A:[N|P|C]             B   Availability impact: None, Partial, Complete

              E:[ND|U|POC|F|H]       T   Exploitability: Not Defined, Unproven, Proof of Concept,
              Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined, Official  Fix,  Temporary
              Fix, Workaround, Unavailable

              RC:[ND|UC|UR|C]          T     Report   Confidence:   Not   Defined,   Unconfirmed,
              Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]  E   Collateral Damage Potential: Not Defined, None, Low, Low-
              Medium, Medium-High, High

              TD:[ND|N|L|M|H]       E   Target Distribution: Not Defined, None, Low, Medium, High

              CR:[ND|L|M|H]          E    Confidentiality  requirement: Not Defined, Low, Medium,
              High

              IR:[ND|L|M|H]         E   Integrity requirement: Not Defined, Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not Defined, Low, Medium, High

DS OPERATIONS

       sds-compose SOURCE_XCCDF TARGET_SDS
              Creates a source datastream from the XCCDF file given in  SOURCE_XCCDF  and  stores
              the  result  in TARGET_SDS. Dependencies like OVAL files are automatically detected
              and bundled in target source datastream.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds given NEW_COMPONENT file to the  existing  source  datastream  (EXISTING_SDS).
              Component  file might be OVAL, XCCDF or CPE Dictionary file. Dependencies like OVAL
              files are automatically detected  an bundled in target source datastream.

              --datastream-id DATASTREAM_ID
                     Uses a  datastream  with  that  particular  ID  from  the  given  datastream
                     collection. If not given the first datastream is used.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits  given  source  datastream  into  multiple files and stores all the files in
              TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses a  datastream  with  that  particular  ID  from  the  given  datastream
                     collection. If not given the first datastream is used.

              --xccdf-id XCCDF_ID
                     Takes  component  ref with given ID from checklists. This allows to select a
                     particular XCCDF component even in cases where there are  2  XCCDFs  in  one
                     datastream.

       sds-validate SOURCE_DS
              Validate  given  source  datastream file against a XML schema. Every found error is
              printed to the standard error. Return code  is  0  if  validation  succeeds,  1  if
              validation  could not be performed due to some error, 2 if the source datastream is
              not valid.

       rds-create SDS TARGET_ARF XCCDF_RESULTS [OVAL_RESULTS [OVAL_RESULTS ..]]
              Takes given source  datastream,  XCCDF  and  OVAL  results  and  creates  a  result
              datastream (in Asset Reporting Format) and saves it to file given in TARGET_ARF.

       rds-split [--report-id REPORT_ID] RDS TARGET_DIR
              Takes given result datastream (also called ARF = asset reporting format) and splits
              given report and its respective report-request to given  target  directory.  If  no
              report-id  is  given,  we assume user wants the first applicable report in top-down
              order in the file.

       rds-validate SOURCE_RDS
              Validate given result datastream file against a XML schema. Every  found  error  is
              printed  to  the  standard  error.  Return  code  is 0 if validation succeeds, 1 if
              validation could not be performed due to some error, 2 if the result datastream  is
              not valid.

CVE OPERATIONS

       validate cve-nvd-feed.xml
              Validate given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find  given  CVE  in  data feed and report base score, vector string and vulnerable
              software list.

EXIT STATUS

       Normally, the exit status is 0 when operation finished successfully and  1  otherwise.  In
       cases  when  oscap performs evaluation of the system it may return 2 indicating success of
       the operation but incompliance of the assessed system.

EXAMPLES

       Evaluate XCCDF content using CPE dictionary and produce html report. In this case  we  use
       United  States  Government  Configuration  Baseline (USGCB) for Red Hat Enterprise Linux 5
       Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml

CONTENT

        National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository

        Red Hat content repository - http://www.redhat.com/security/data/oval/

REPORTING BUGS

       Please report bugs using https://fedorahosted.org/openscap/
       Make sure you include the full output of `oscap --v` in the bug report.

AUTHORS

       Peter Vrabec <pvrabec@redhat.com>
       Šimon Lukašík
       Martin Preisler <mpreisle@redhat.com>