OSCAP(8) | System Administration Utilities | OSCAP(8) |
NAME
oscap - OpenSCAP command line tool
SYNOPSIS
oscap [general-options] module operation [operation-options-and-arguments]
DESCRIPTION
oscap is a Security Content Automation Protocol (SCAP) toolkit based on the OpenSCAP library. It provides various functions for the different SCAP specifications (modules).
The OpenSCAP tool claims to provide the capabilities of an Authenticated Configuration Scanner and an Authenticated Vulnerability Scanner as defined by the National Institute of Standards and Technology.
GENERAL OPTIONS
- -V, --version
- Print the supported SCAP specifications, the location of schema files, schematron files, CPE files, probes and the supported OVAL objects. Also displays a list of built-in CPE names.
- -h, --help
- Help screen.
MODULES
- info
- Determine type and print information about a file.
- xccdf
- The eXtensible Configuration Checklist Description Format.
- oval
- Open Vulnerability and Assessment Language.
- ds
- SCAP Data Stream
- cpe
- Common Platform Enumeration.
- cvss
- Common Vulnerability Scoring System
- cve
- Common Vulnerabilities and Exposures
INFO OPERATIONS
- [options] any-scap-file.xml
For XCCDF or Datastream files, the info module prints the IDs of incorporated profiles, components and datastreams. These IDs can be used to specify the target for evaluation with the options --profile, --xccdf-id (or --oval-id) and --datastream-id respectively.
- --fetch-remote-resources
- Allow download of remote components referenced from Datastream.
XCCDF OPERATIONS
oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one rule with either a fail or an unknown result, oscap finishes with return code 2.
Unless --skip-valid is used, the INPUT_FILE is validated using XSD schemas (depending on the document type of INPUT_FILE) and rejected if invalid.
You may specify OVAL Definition files as the last parameter; XCCDF evaluation will then proceed only with those files. Otherwise, when the oval-definitions-files parameter is missing, oscap will try to load all OVAL Definition files referenced from the XCCDF automatically (searching in the same path as the XCCDF).
- --skip-valid
- Do not validate input/output files.
- --force
- Force resolving XCCDF document even if it is already marked as resolved.
- --schematron
- Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower. Schematron is available only for XCCDF version 1.2.
- --skip-valid
- Do not validate input/output files.
- --profile ID
- Apply profile with given ID to the Benchmark before further processing takes place.
- Available submodules:
- guide [options] xccdf-file
- --output FILE
- Write the guide to this file instead of standard output.
- --hide-profile-info
- Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- ID of the XCCDF TestResult from which the report will be generated.
- --show what
- Specify which result types are displayed in the result report. The default is to show everything except rules with the results notselected and notapplicable. The what part is a comma-separated list of result types to display in addition to the default. If a result type is prefixed by a dash '-', it is excluded from the results. If what is prefixed by an equals sign '=', the following list specifies exactly which result types to include in the report. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail.
- --oval-template template-string
- To include additional information from OVAL in the XCCDF result file, a template used to obtain the OVAL result file names has to be specified. The template can be either a file name or a string containing the wildcard character (percent sign '%'). The wildcard is replaced by the original OVAL definition file name as referenced from the XCCDF file. This makes it possible to obtain OVAL information even from XCCDF documents referencing several OVAL files. To use this option with results from an XCCDF evaluation, specify %.result.xml as the OVAL file name template.
- --sce-template template-string
- To include additional information from SCE in the XCCDF result file, a template used to obtain the SCE result file names has to be specified. The template can be either a file name or a string containing the wildcard character (percent sign '%'). The wildcard is replaced by the original SCE script file name as referenced from the XCCDF file. This makes it possible to obtain SCE information even from XCCDF documents referencing several SCE files. To use this option with results from an XCCDF evaluation, specify %.result.xml as the SCE file name template.
- Result-oriented fixes are generated using the provided result-id to select only the failing rules from the results in xccdf-file; all other rules are skipped.
- Profile-oriented fixes are generated using all rules within the provided profile. If neither result-id nor profile is provided, the (default) profile is used to generate fixes.
- --fix-type TYPE
- Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- Fixes will be generated for failed rule-results of the specified TestResult.
- --template ID|FILE
- Template to be used to generate the script. If it contains a dot '.', it is interpreted as the location of a file with the template definition. Otherwise it identifies a template from the standard set, which currently includes: bash (the default if no --template switch is present). A brief explanation of how to write your own templates is in the XSL file xsl/legacy-fix.xsl in the openscap data directory. You can also look at the default template xsl/legacy-fixtpl-bash.xml.
- --xccdf-id ID
- Takes the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream. If none is given, the first component from the checklists element is used.
- --benchmark-id ID
- Selects a component ref from any datastream that references a component with an XCCDF Benchmark whose @id attribute matches the given string exactly.
- --tailoring-file TAILORING_FILE
- Use given file for XCCDF tailoring. Select profile from tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.
- --tailoring-id COMPONENT_REF_ID
- Use tailoring component in input source datastream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of component-ref/@id attribute in input source datastream). Select profile from tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.
- --stylesheet FILE
- Specify an absolute path to a custom stylesheet to format the output.
- --output FILE
- Write the document into file.
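A Python model of two of the report-option formats described above, the --show syntax and the '%' wildcard of --oval-template/--sce-template, added here as an example (not OpenSCAP's own code; the function names and the sample file names are assumptions):

```python
"""Models of two oscap xccdf report option formats, following the documented semantics."""

RESULT_TYPES = ("pass", "fixed", "notchecked", "notapplicable", "notselected",
                "informational", "unknown", "error", "fail")
# Hidden by default; --show must name them explicitly to display them.
DEFAULT_HIDDEN = frozenset({"notselected", "notapplicable"})


def shown_result_types(what=None):
    """Return the set of XCCDF result types a report displays for --show WHAT.

    No WHAT: the default set. 'a,b' adds types to the default, '-a' removes one,
    and a leading '=' replaces the default with exactly the listed types.
    """
    shown = set(RESULT_TYPES) - DEFAULT_HIDDEN
    if not what:
        return shown
    if what.startswith("="):
        shown, what = set(), what[1:]
    for item in (s.strip() for s in what.split(",") if s.strip()):
        name = item[1:] if item.startswith("-") else item
        if name not in RESULT_TYPES:
            raise ValueError(f"unknown XCCDF result type: {name!r}")
        if item.startswith("-"):
            shown.discard(name)
        else:
            shown.add(name)
    return shown


def expand_result_template(template, referenced_file):
    """Map an OVAL/SCE file referenced from the XCCDF to its result file name.

    A template containing '%' has the wildcard replaced by the referenced file
    name as written in the XCCDF; a template without '%' is one fixed file name.
    """
    if "%" not in template:
        return template
    return template.replace("%", referenced_file)


if __name__ == "__main__":
    # Constructed sample values, not taken from real content.
    print(sorted(shown_result_types("-pass,notselected")))
    print(expand_result_template("%.result.xml", "example-oval.xml"))
```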
OVAL OPERATIONS
INPUT_FILE can be either an OVAL Definition File or a SCAP Source Datastream, depending on the options used.
Unless --skip-valid is used, the INPUT_FILE is validated using XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.
- --id DEFINITION-ID
- Evaluate ONLY the specified OVAL Definition from the OVAL Definition File.
- --variables FILE
- Provide external variables expected by OVAL Definition File.
- --directives FILE
- Use OVAL Directives content to specify desired results content.
- --without-syschar
- Don't provide system characteristics in result file.
- --results FILE
- Write OVAL Results into file.
- --report FILE
- Create human readable (HTML) report from OVAL Results.
- --datastream-id ID
- Uses a datastream with that particular ID from the given datastream collection. If not given, the first datastream is used.
- --skip-valid
- Do not validate input/output files.
- --fetch-remote-resources
- Allow download of remote components referenced from Datastream.
- --verbose VERBOSITY_LEVEL
- Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.
- --verbose-log-file FILE
- Set filename to write additional information.
- --id OBJECT-ID
- Collect system characteristics ONLY for specified OVAL Object.
- --variables FILE
- Provide external variables expected by OVAL Definitions.
- --syschar FILE
- Write OVAL System Characteristic into file.
- --skip-valid
- Do not validate input/output files.
- --verbose VERBOSITY_LEVEL
- Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.
- --verbose-log-file FILE
- Set filename to write additional information.
- --variables FILE
- Provide external variables expected by OVAL Definitions.
- --directives FILE
- Use OVAL Directives content to specify desired results content.
- --skip-valid
- Do not validate input/output files.
- --verbose VERBOSITY_LEVEL
- Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.
- --verbose-log-file FILE
- Set filename to write additional information.
- --definitions, --variables, --syschar, --results, --directives
- The type of the OVAL document is detected automatically by default. If you want to enforce a certain document type, you can use one of these options.
- --schematron
- Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower.
- --output FILE
- Write the report to this file instead of standard output.
CPE OPERATIONS
match name dictionary.xml
validate cpe-dict-file
CVSS OPERATIONS
Metric                 Group  Meaning and values (Group: B = base, T = temporal, E = environmental)
AV:[L|A|N]             B      Access vector: Local, Adjacent network, Network
AC:[H|M|L]             B      Access complexity: High, Medium, Low
AU:[M|S|N]             B      Required authentication: Multiple instances, Single instance, None
C:[N|P|C]              B      Confidentiality impact: None, Partial, Complete
I:[N|P|C]              B      Integrity impact: None, Partial, Complete
A:[N|P|C]              B      Availability impact: None, Partial, Complete
E:[ND|U|POC|F|H]       T      Exploitability: Not Defined, Unproven, Proof of Concept, Functional, High
RL:[ND|OF|TF|W|U]      T      Remediation Level: Not Defined, Official Fix, Temporary Fix, Workaround, Unavailable
RC:[ND|UC|UR|C]        T      Report Confidence: Not Defined, Unconfirmed, Uncorroborated, Confirmed
CDP:[ND|N|L|LM|MH|H]   E      Collateral Damage Potential: Not Defined, None, Low, Low-Medium, Medium-High, High
TD:[ND|N|L|M|H]        E      Target Distribution: Not Defined, None, Low, Medium, High
CR:[ND|L|M|H]          E      Confidentiality requirement: Not Defined, Low, Medium, High
IR:[ND|L|M|H]          E      Integrity requirement: Not Defined, Low, Medium, High
AR:[ND|L|M|H]          E      Availability requirement: Not Defined, Low, Medium, High
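The vector syntax in the table above, worked through as an added Python example that computes CVSS v2 base and temporal scores from such a vector (not OpenSCAP's code; the weights and formulas are those of the CVSS v2 specification, and the function names are assumptions). It accepts both the table's 'AU:' spelling and the standard 'Au:'; the environmental metrics are parsed but not scored here.

```python
"""CVSS v2 base and temporal scores from a vector written as METRIC:VALUE/METRIC:VALUE/..."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (assumed to match what oscap cvss uses).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"ND": 1.0, "U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0},
    "RL": {"ND": 1.0, "OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},
    "RC": {"ND": 1.0, "UC": 0.90, "UR": 0.95, "C": 1.0},
}
BASE_METRICS = ("AV", "AC", "AU", "C", "I", "A")  # all six are mandatory


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {metric: value}; keys and values are upper-cased."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        key, value = key.strip().upper(), value.strip().upper()
        if key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"base metrics missing: {missing}")
    return metrics


def _round1(x):
    """CVSS v2 rounds to one decimal place, half up (Python's round() is half-even)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(metrics):
    w = lambda m: WEIGHTS[m][metrics[m]]
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("AU")
    if impact == 0:  # f(Impact) = 0 when no impact at all, 1.176 otherwise
        return 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(metrics):
    """Temporal metrics default to Not Defined (weight 1.0) when absent from the vector."""
    w = lambda m: WEIGHTS[m][metrics.get(m, "ND")]
    return _round1(base_score(metrics) * w("E") * w("RL") * w("RC"))
```

For example, AV:N/AC:L/AU:N/C:N/I:N/A:C scores 7.8 as a base score, and adding E:F/RL:OF/RC:C lowers the temporal score to 6.4.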
DS OPERATIONS
- --skip-valid
- Do not validate input/output files.
- --datastream-id DATASTREAM_ID
- Uses a datastream with that particular ID from the given datastream collection. If not given, the first datastream is used.
- --skip-valid
- Do not validate input/output files.
- --datastream-id DATASTREAM_ID
- Uses a datastream with that particular ID from the given datastream collection. If not given, the first datastream is used.
- --xccdf-id XCCDF_ID
- Takes the component ref with the given ID from checklists. This allows selecting a particular XCCDF component even in cases where there are 2 XCCDFs in one datastream.
- --skip-valid
- Do not validate input/output files.
- --fetch-remote-resources
- Allow download of remote components referenced from Datastream.
- --skip-valid
- Do not validate input/output files.
CVE OPERATIONS
EXIT STATUS
EXAMPLES
Evaluate XCCDF content using a CPE dictionary and produce an HTML report. In this case we use the United States Government Configuration Baseline (USGCB) for Red Hat Enterprise Linux 5 Desktop.
oscap xccdf eval --fetch-remote-resources --oval-results \
    --profile united_states_government_configuration_baseline \
    --report usgcb-rhel5desktop.report.html \
    --results usgcb-rhel5desktop-xccdf.xml.result.xml \
    --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
    usgcb-rhel5desktop-xccdf.xml
CONTENT
SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/
REPORTING BUGS
Please report bugs using https://github.com/OpenSCAP/openscap/issues. Make sure you include the full output of `oscap --v` in the bug report.
AUTHORS
Peter Vrabec <pvrabec@redhat.com> Šimon Lukašík Martin Preisler <mpreisle@redhat.com>
March 2017 | Red Hat |