oscap - Man Page

oscap [general-options] module operation [operation-options-and-arguments]

oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP specifications (modules).

OpenSCAP tool claims to provide capabilities of Authenticated Configuration Scanner and Authenticated Vulnerability Scanner as defined by The National Institute of Standards and Technology.

-V,  --version

Print supported SCAP specifications, location of schema files, schematron files, CPE files, probes and supported OVAL objects. Displays a list of inbuilt CPE names.

-h,  --help

Help screen.

info

Determine type and print information about a file.

xccdf

The eXtensible Configuration Checklist Description Format.

oval

Open Vulnerability and Assessment Language.

ds

SCAP Data Stream

cpe

Common Platform Enumeration.

--verbose VERBOSITY_LEVEL

Turn on verbose mode at specified verbosity level. VERBOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

--verbose-log-file FILE

Set filename to write additional information.

[options] any-scap-file.xml

This module prints information about SCAP content in a file specified on a command line. It determines SCAP content type, specification version, date of creation, date of import and so on. Info module doesn't require any additional operation switch.

For XCCDF or SCAP source data stream files, the info module prints out IDs of incorporated profiles, components, and data streams. These IDs can be used to specify the target for evaluation. Use options --profile, --xccdf-id (or --oval-id), and --datastream-id respectively.

--fetch-remote-resources

Allow download of remote components referenced from data stream.

--local-files DIRECTORY

Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.

--profile PROFILE

Show info of the profile with the given ID.

--profiles

Show profiles from the input file in the <id>:<title> format, one line per profile.

--references

Show list of references available in each benchmark.

eval [options] INPUT_FILE [oval-definitions-files]

Perform evaluation of XCCDF document file given as INPUT_FILE. Print result of each rule to standard output, including rule title, rule id and security identifier(CCE). Optionally you can give an SCAP source data stream as the INPUT_FILE instead of an XCCDF file (see --datastream-id).

oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one rule with either fail or unknown result, oscap finishes with return code 2.

Unless --skip-validation is used, the INPUT_FILE is validated using XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.

You may specify OVAL Definition files as the last parameter, XCCDF evaluation will then proceed only with those specified files. Otherwise, when oval-definitions-files parameter is missing, oscap tool will try to load all OVAL Definition files referenced from XCCDF automatically (search in the same path as XCCDF).

--profile PROFILE

Select a particular profile from XCCDF document. If "(all)" is given a virtual profile that selects all groups and rules will be used.

--rule RULE

Select a particular rule from XCCDF document. Only this rule will be evaluated. Any other rules required by this rule won't be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once.

--skip-rule RULE

Skip a particular rule from XCCDF document. This option can be used multiple times to skip multiple rules at once.

--reference NAME:IDENTIFIER

Evaluate rules matching the given reference. This option can be used to check for evaluating compliance with a particular policy requirement. Rules that match the reference will be evaluated, other rules will be skipped and a result of notselected will be returned. The argument needs to be provided in the form NAME:IDENTIFIER (colon is a separator), where NAME is the reference name used as a text of xccdf:reference elements that are child of xccdf:Benchmark element and IDENTIFIER is a text of xccdf:reference element that is child of a particular xccdf:Rule element which has the same @href value as the xccdf:reference element of the NAME value. This feature requires SCAP content to be formed in the aforementioned way. For example: --reference "cis:4.1.3.19", --reference "anssi:BP28(R29)" List of references available in the given benchmark can be obtained by running the oscap info --references command.

--tailoring-file TAILORING_FILE

Use given file for XCCDF tailoring. Select profile from tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--tailoring-id COMPONENT_REF_ID

Use tailoring component in input source data stream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of component-ref/@id attribute in input source data stream). Select profile from tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--cpe CPE_FILE

Use given CPE dictionary or language (auto-detected) for applicability checks. (Some CPE names are provided by openscap, see oscap --version for inbuilt CPE names)

--results FILE

Write XCCDF results into FILE.

--results-arf FILE

Writes results to a given FILE in Asset Reporting Format. It is recommended to use this option instead of --results when dealing with data streams.

--stig-viewer FILE

Writes XCCDF results into FILE. The rule result IDs in FILE are modified according to STIG references in evaluated content. The FILE can be simply imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-tools/ for information about DISA STIG Viewer.

--thin-results

Thin Results provides only minimal amount of information in OVAL/ARF results. The option --without-syschar is automatically enabled when you use Thin Results.

--without-syschar

Don't provide system characteristics in OVAL/ARF result files.

--report FILE

Write HTML report into FILE.

--oval-results

Generate OVAL Result file for each OVAL session used for evaluation. File with name 'original-oval-definitions-filename.result.xml' will be generated for each referenced OVAL file in current working directory. To change the directory where OVAL files are generated change the CWD using the `cd` command.

--check-engine-results

After evaluation is finished, each loaded check engine plugin is asked to export its results. The export itself is plugin specific, please refer to documentation of the plugin for more details.

--export-variables

Generate OVAL Variables documents which contain external variables' values that were provided to the OVAL checking engine during evaluation. The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

--datastream-id ID

Uses a data stream with that particular ID from the given data stream collection. If not given the first data stream is used. Only applies if you give source data stream in place of an XCCDF file.

--xccdf-id ID

Takes component ref with given ID from checklists. This allows one to select a particular XCCDF component even in cases where there are multiple XCCDFs in a single data stream. If none is given, the first component from the checklists element is used.

--benchmark-id ID

Selects a component ref from any data stream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly. Please note that this is not the recommended way of selecting a component-ref. You are advised to use --xccdf-id AND/OR --datastream-id for more precision. --benchmark-id is only used when both --xccdf-id and --datastream-id are not present on the command line!

--skip-validation

Do not validate input/output files.

--skip-signature-validation

Do not validate digital signatures in digitally signed SCAP source data streams.

--enforce-signature

Process only digitally signed SCAP source data streams. Data streams without a signature would be rejected if this switch is used.

--fetch-remote-resources

Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.

--local-files DIRECTORY

Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.

--remediate

Execute XCCDF remediation in the process of XCCDF evaluation. This option automatically executes content of XCCDF fix elements for failed rules, and thus this shall be avoided unless for trusted content. Use of this option is always at your own risk.

remediate [options] INPUT_FILE [oval-definitions-files]

This module provides post-scan remediation. It assumes that the INPUT_FILE is result of `oscap xccdf eval` operation. The input file must contain TestResult element. This module executes XCCDF fix elements for failed rule-result contained in the given TestResult. Use of this option is always at your own risk and it shall be avoided unless for trusted content.

--result-id ID

ID of the XCCDF TestResult element which shall be remedied. If this option is missing the last TestResult (in top-down processing) will be remedied.

--skip-validation

Do not validate input/output files.

--fetch-remote-resources

Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.

--local-files DIRECTORY

Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.

--cpe CPE_FILE

Use given CPE dictionary or language (auto-detected) for applicability checks.

--results FILE

Write XCCDF results into FILE.

--results-arf FILE

Writes results to a given FILE in Asset Reporting Format. It is recommended to use this option instead of --results when dealing with data streams.

--stig-viewer FILE

Writes XCCDF results into FILE. The rule result IDs in FILE are modified according to STIG references in evaluated content. The FILE can be simply imported into DISA STIG Viewer. See https://public.cyber.mil/stigs/srg-stig-tools/ for information about DISA STIG Viewer.

--report FILE

Write HTML report into FILE.

--oval-results

Generate OVAL Result file for each OVAL session used for evaluation. File with name 'original-oval-definitions-filename.result.xml' will be generated for each referenced OVAL file.

--check-engine-results

After evaluation is finished, each loaded check engine plugin is asked to export its results. The export itself is plugin specific, please refer to documentation of the plugin for more details.

--export-variables

Generate OVAL Variables documents which contain external variables' values that were provided to the OVAL checking engine during evaluation. The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

--progress

Switch to sparse output suitable for progress reporting. Format of the output is "$rule_id:$result\n".

--progress-full

Switch to sparse but a bit more saturated output also suitable for progress reporting. Format of the output is "$rule_id|$rule_title|$result\n".

resolve -o output-file xccdf-file

Resolve an XCCDF file as described in the XCCDF specification. It will flatten inheritance hierarchy of XCCDF profiles, groups, rules, and values. Result is another XCCDF document, which will be written to output-file.

--force

Force resolving XCCDF document even if it is already marked as resolved.

validate [options] xccdf-file

Validate given XCCDF file against a XML schema. Every found error is printed to the standard error. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the XCCDF document is not valid.

--skip-schematron

Turn off Schematron-based validation. It is able to find more errors and inconsistencies but is much slower. Schematron is available only for XCCDF version 1.2.

export-oval-variables [options] xccdf-file [oval-definitions-files]

Collect all the XCCDF values that would be used by OVAL during evaluation of a certain profile and export them as OVAL external-variables document(s). The filename format is 'original-oval-definitions-filename-session-index.variables-variables-index.xml'.

--profile PROFILE

Select a particular profile from XCCDF document.

--fetch-remote-resources

Allow download of remote OVAL content referenced from XCCDF by check-content-ref/@href.

--local-files DIRECTORY

Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.

--skip-validation

Do not validate input/output files.

--datastream-id ID

Uses a data stream with that particular ID from the given data stream collection. If not given the first data stream is used. Only applies if you give an SCAP source data stream in place of an XCCDF file.

--xccdf-id ID

Takes component ref with given ID from checklists. This allows one to select a particular XCCDF component even in cases where there are 2 XCCDFs in one data stream.

--benchmark-id ID

Selects a component ref from any data stream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly. Please note that this is not the recommended way of selecting a component-ref. You are advised to use --xccdf-id AND/OR --datastream-id for more precision. --benchmark-id is only used when both --xccdf-id and --datastream-id are not present on the command line!

--cpe CPE_FILE

Use given CPE dictionary or language (auto-detected) for applicability checks. The variables documents are created only for xccdf:Rules which are applicable.

generate [options] <submodule> [submodule-specific-options]

Generate another document from an XCCDF file such as security guide or result report.

--profile ID

Apply profile with given ID to the Benchmark before further processing takes place.

Available submodules:

guide [options] xccdf-file

Generate a HTML document containing a security guide from an XCCDF Benchmark. Unless the --output option is specified it will be written to the standard output. Without profile being set only groups (not rules) will be included in the output.

--output FILE

Write the guide to this file instead of standard output.

--hide-profile-info

This option has no effect and is kept only for backward compatibility purposes.

--benchmark-id ID

Selects a component ref from any datastream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly.

--xccdf-id ID

Takes component ref with given ID from checklists. This allows one to select a particular XCCDF component even in cases where there are multiple XCCDFs in a single data stream. If none is given, the first component from the checklists element is used.

--tailoring-file TAILORING_FILE

Use given file for XCCDF tailoring. Select profile from tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--tailoring-id COMPONENT_REF_ID

Use tailoring component in input source data stream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of component-ref/@id attribute in input source data stream). Select profile from tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--skip-signature-validation

Do not validate digital signatures in digitally signed SCAP source data streams.

--enforce-signature

Process only digitally signed SCAP source data streams. Data streams without a signature would be rejected if this switch is used.

report [options] xccdf-file

Generate a HTML document containing results of an XCCDF Benchmark execution. Unless the --output option is specified it will be written to the standard output.

--output FILE

Write the report to this file instead of standard output.

--result-id ID

ID of the XCCDF TestResult from which the report will be generated.

fix [options] xccdf-file

Generate a script that shall bring the system to a state of compliance with given XCCDF Benchmark. There are 2 possibilities when generating fixes: Result-oriented fixes (--result-id) or Profile-oriented fixes (--profile). Result-oriented takes precedences over Profile-oriented, if result-id is given, oscap will ignore any profile provided.

Result-oriented fixes are generated using result-id provided to select only the failing rules from results in xccdf-file, it skips all other rules.

It isn't possible to generate result-oriented fixes for the kickstart fix type.

Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.

--fix-type TYPE

Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint, kickstart. Default is bash.

--output FILE

Write the report to this file instead of standard output.

--result-id ID

Fixes will be generated for failed rule-results of the specified TestResult.

--xccdf-id ID

Takes component ref with given ID from checklists. This allows one to select a particular XCCDF component even in cases where there are multiple XCCDFs in a single data stream. If none is given, the first component from the checklists element is used.

--benchmark-id ID

Selects a component ref from any data stream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly.

--tailoring-file TAILORING_FILE

Use given file for XCCDF tailoring. Select profile from tailoring file to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--tailoring-id COMPONENT_REF_ID

Use tailoring component in input source data stream for XCCDF tailoring. The tailoring component must be specified by its Ref-ID (value of component-ref/@id attribute in input source data stream). Select profile from tailoring component to apply using --profile. If both --tailoring-file and --tailoring-id are specified, --tailoring-file takes priority.

--skip-signature-validation

Do not validate digital signatures in digitally signed SCAP source data streams.

--enforce-signature

Process only digitally signed SCAP source data streams. Data streams without a signature would be rejected if this switch is used.

custom --stylesheet xslt-file [options] xccdf-file

Generate a custom output (depending on given XSLT file) from an XCCDF file.

--stylesheet FILE

Specify an absolute path to a custom stylesheet to format the output.

--output FILE

Write the document into file.

eval [options] INPUT_FILE

Probe the system and evaluate all definitions from OVAL Definition file. Print result of each definition to standard output. The return code is 0 after a  successful evaluation. On error, value 1 is returned.

INPUT_FILE can be either OVAL Definition File or SCAP source data stream, it depends on used options.

Unless --skip-validation is used, the INPUT_FILE is validated using XSD schemas (depending on document type of INPUT_FILE) and rejected if invalid.

--id DEFINITION-ID

Evaluate ONLY specified OVAL Definition from OVAL Definition File.

--variables FILE

Provide external variables expected by OVAL Definition File.

--directives FILE

Use OVAL Directives content to specify desired results content.

--without-syschar

Don't provide system characteristics in result file.

--results FILE

Write OVAL Results into file.

--report FILE

Create human readable (HTML) report from OVAL Results.

--datastream-id ID

Uses a data stream with that particular ID from the given data stream collection. If not given the first data stream is used. Only applies if you give source data stream in place of an OVAL file.

--oval-id ID

Takes component ref with given ID from checks. This allows one to select a particular OVAL component even in cases where there are multiple OVALs in a single data stream.

--skip-validation

Do not validate input/output files.

--fetch-remote-resources

Allow download of remote components referenced from data stream.

--local-files DIRECTORY

Instead of downloading remote data stream components from the network, use data stream components stored locally as files in the given directory. In place of the remote data stream component OpenSCAP will attempt to use a file whose file name is equal to @name attribute of the uri element within the catalog element within the component-ref element in the data stream if such file exists.

collect [options] definitions-file

Probe the system and gather system characteristics for all objects in OVAL Definition file.

--id OBJECT-ID

Collect system characteristics ONLY for specified OVAL Object.

--variables FILE

Provide external variables expected by OVAL Definitions.

--syschar FILE

Write OVAL System Characteristic into file.

--skip-validation

Do not validate input/output files.

analyse [options] --results FILE definitions-file syschar-file

In this mode, the oscap tool does not perform data collection on the local system, but relies upon the input file, which may have been generated on another system. The output (OVAL Results) is printed to file specified by --results parameter.

--variables FILE

Provide external variables expected by OVAL Definitions.

--directives FILE

Use OVAL Directives content to specify desired results content.

--skip-validation

Do not validate input/output files.

validate [options] oval-file

Validate given OVAL file against a XML schema. Every found error is printed to the standard error. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the OVAL document is not valid.

--definitions, --variables, --syschar, --results --directives

Type of the OVAL document is automatically detected by default. If you want enforce certain document type, you can use one of these options.

--skip-schematron

Turn off Schematron-based validation. It is able to find more errors and inconsistencies but is much slower.

generate <submodule> [submodule-specific-options]

Generate another document from an OVAL file.

Available submodules:

report [options] oval-results-file

Generate a formatted HTML page containing visualisation of an OVAL results file. Unless the --output option is specified it will be written to the standard output.

--output FILE

Write the report to this file instead of standard output.

check name

Check whether name is in correct CPE format.

match name dictionary.xml

validate cpe-dict-file

sds-validate SOURCE_DS

Validate given source data stream file against a XML schema. Every found error is printed to the standard error. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the source data stream is not valid.

rds-validate SOURCE_RDS

Validate given result data stream file against a XML schema. Every found error is printed to the standard error. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the result data stream is not valid.

Please report bugs using https://github.com/OpenSCAP/openscap/issues
Make sure you include the full output of `oscap --v` in the bug report.

Peter Vrabec <pvrabec@redhat.com>
Šimon Lukašík
Martin Preisler <mpreisle@redhat.com>

oscap-chroot(8), oscap-docker(8), oscap-podman(8), oscap-ssh(8), oscap-vm(8), scap-security-guide(8).