Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022
 
 

oscap (8)

Name

oscap - OpenSCAP command line tool

Synopsis

oscap  [general-options]  module operation [operation-options-and-argu-
ments]

Description

System Administration Utilities                                       OSCAP(8)



NAME
       oscap - OpenSCAP command line tool


SYNOPSIS
       oscap  [general-options]  module operation [operation-options-and-argu-
       ments]


DESCRIPTION
       oscap is Security Content Automation Protocol (SCAP) toolkit  based  on
       OpenSCAP  library.  It  provides  various  functions for different SCAP
       specifications (modules).

       OpenSCAP tool claims to provide capabilities of Authenticated  Configu-
       ration  Scanner  and  Authenticated Vulnerability Scanner as defined by
       The National Institute of Standards and Technology.


GENERAL OPTIONS
       -V, --version
              Print supported SCAP specifications, location of  schema  files,
              schematron  files, CPE files, probes and supported OVAL objects.
              Displays a list of inbuilt CPE names.

       -h, --help
              Help screen.


MODULES
       info   Determine type and print information about a file.

       xccdf  The eXtensible Configuration Checklist Description Format.

       oval   Open Vulnerability and Assessment Language.

       ds     SCAP Data Stream

       cpe    Common Platform Enumeration.

       cvss   Common Vulnerability Scoring System

       cve    Common Vulnerabilities and Exposures


COMMON OPTIONS FOR ALL MODULES
       --verbose VERBOSITY_LEVEL
              Turn  on  verbose  mode  at  specified  verbosity  level.   VER-
              BOSITY_LEVEL is one of: DEVEL, INFO, WARNING, ERROR.

       --verbose-log-file FILE
              Set filename to write additional information.


INFO OPERATIONS
       [options] any-scap-file.xml
              This  module  prints  information  about  SCAP content in a file
              specified on a command line. It determines  SCAP  content  type,
              specification  version,  date of creation, date of import and so
              on. Info module doesn't require any additional operation switch.

              For XCCDF or Datastream files, info module  prints  out  IDs  of
              incorporated  profiles,  components,  and datastreams. These IDs
              can be used to specify the target for  evaluation.  Use  options
              --profile,   --xccdf-id   (or  --oval-id),  and  --datastream-id
              respectively.

              --fetch-remote-resources
                     Allow  download  of  remote  components  referenced  from
                     Datastream.

              --profile PROFILE
                     Show info of the profile with the given ID.

              --profiles
                     Show  profiles  from  the  input file in the <id>:<title>
                     format, one line per profile.


XCCDF OPERATIONS
       eval [options] INPUT_FILE [oval-definitions-files]
              Perform evaluation of XCCDF document file given  as  INPUT_FILE.
              Print  result  of  each  rule to standard output, including rule
              title, rule id and security identifier(CVE, CCE). Optionally you
              can  give  a  source  datastream as the INPUT_FILE instead of an
              XCCDF file (see --datastream-id).

              oscap returns 0 if all rules pass. If there is an  error  during
              evaluation,  the return code is 1. If there is at least one rule
              with either fail or unknown  result,  oscap-scan  finishes  with
              return code 2.

              Unless  --skip-valid  is used, the INPUT_FILE is validated using
              XSD schemas (depending  on  document  type  of  INPUT_FILE)  and
              rejected if invalid.

              You  may  specify  OVAL  Definition files as the last parameter,
              XCCDF evaluation will then proceed  only  with  those  specified
              files. Otherwise, when oval-definitions-files parameter is miss-
              ing, oscap tool will try to load all OVAL Definition files  ref-
              erenced  from  XCCDF  automatically  (search in the same path as
              XCCDF).

              --profile PROFILE
                     Select a  particular  profile  from  XCCDF  document.  If
                     "(all)"  is  given  a  virtual  profile  that selects all
                     groups and rules will be used.

              --rule RULE
                     Select a particular rule from XCCDF document.  Only  this
                     rule will be evaluated. Rule will use values according to
                     the selected profile. If no profile is selected,  default
                     values are used.

              --tailoring-file TAILORING_FILE
                     Use  given  file for XCCDF tailoring. Select profile from
                     tailoring file to apply using --profile. If  both  --tai-
                     loring-file  and  --tailoring-id are specified, --tailor-
                     ing-file takes priority.

              --tailoring-id COMPONENT_REF_ID
                     Use tailoring component in input  source  datastream  for
                     XCCDF  tailoring.  The tailoring component must be speci-
                     fied by its Ref-ID (value of component-ref/@id  attribute
                     in  input source datastream). Select profile from tailor-
                     ing component to apply using --profile. If both --tailor-
                     ing-file  and  --tailoring-id are specified, --tailoring-
                     file takes priority.

              --cpe CPE_FILE
                     Use given CPE dictionary or language (auto-detected)  for
                     applicability  checks.  (Some  CPE  names are provided by
                     openscap, see oscap --version for Inbuilt CPE names)

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Writes XCCDF results into FILE in a  format  readable  by
                     DISA             STIG             Viewer.             See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guid-
                     ance.aspx.   This  option  should  be  used  to  generate
                     results for DISA STIG Viewer older than 2.6. To use  DISA
                     STIG Viewer 2.6 or newer, use --results instead.

              --thin-results
                     Thin  Results provides only minimal amount of information
                     in OVAL/ARF  results.  The  option  --without-syschar  is
                     automatically enabled when you use Thin Results.

              --without-syschar
                     Don't  provide  system characteristics in OVAL/ARF result
                     files.

              --report FILE
                     Write HTML report into FILE.

              --oval-results
                     Generate OVAL Result file for each OVAL session used  for
                     evaluation.  File  with  name 'original-oval-definitions-
                     filename.result.xml' will be generated  for  each  refer-
                     enced  OVAL  file in current working directory. To change
                     the directory where OVAL files are generated  change  the
                     CWD using the `cd` command.

              --check-engine-results
                     After  evaluation  is  finished, each loaded check engine
                     plugin is asked to export its results. The export  itself
                     is  plugin specific, please refer to documentation of the
                     plugin for more details.

              --export-variables
                     Generate OVAL Variables documents which contain  external
                     variables' values that were provided to the OVAL checking
                     engine during evaluation. The filename format is  'origi-
                     nal-oval-definitions-filename-session-index.variables-
                     variables-index.xml'.

              --datastream-id ID
                     Uses a datastream with that particular ID from the  given
                     datastream  collection. If not given the first datastream
                     is used. Only applies if you give  source  datastream  in
                     place of an XCCDF file.

              --xccdf-id ID
                     Takes  component  ref with given ID from checklists. This
                     allows to select a particular  XCCDF  component  even  in
                     cases where there are 2 XCCDFs in one datastream. If none
                     is given, the first component from the checklists element
                     is used.

              --benchmark-id ID
                     Selects  a  component ref from any datastream that refer-
                     ences a component with XCCDF Benchmark such that its  @id
                     attribute  matches given string exactly. Please note that
                     this is not the recommended way of selecting a component-
                     ref.  You  are  advised to use --xccdf-id AND/OR --datas-
                     tream-id for more precision. --benchmark-id is only  used
                     when  both --xccdf-id and --datastream-id are not present
                     on the command line!

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from
                     XCCDF by check-content-ref/@href.

              --remediate
                     Execute XCCDF remediation in the process of XCCDF evalua-
                     tion. This option automatically executes content of XCCDF
                     fix  elements  for  failed  rules, and thus this shall be
                     avoided unless for trusted content. Use of this option is
                     always at your own risk.

       remediate [options] INPUT_FILE [oval-definitions-files]
              This  module provides post-scan remediation. It assumes that the
              INPUT_FILE is result of `oscap xccdf eval` operation. The  input
              file must contain TestResult element. This module executes XCCDF
              fix elements for  failed  rule-result  contained  in  the  given
              TestResult. Use of this option is always at your own risk and it
              shall be avoided unless for trusted content.

              --result-id ID
                     ID of the XCCDF TestResult element which shall  be  reme-
                     died.  If  this option is missing the last TestResult (in
                     top-down processing) will be remedied.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow download of remote  OVAL  content  referenced  from
                     XCCDF by check-content-ref/@href.

              --cpe CPE_FILE
                     Use  given CPE dictionary or language (auto-detected) for
                     applicability checks.

              --results FILE
                     Write XCCDF results into FILE.

              --results-arf FILE
                     Writes results to a given FILE in Asset Reporting Format.
                     It is recommended to use this option instead of --results
                     when dealing with datastreams.

              --stig-viewer FILE
                     Writes XCCDF results into FILE in a  format  readable  by
                     DISA             STIG             Viewer.             See
                     http://iase.disa.mil/stigs/Pages/stig-viewing-guid-
                     ance.aspx.   This  option  should  be  used  to  generate
                     results for DISA STIG Viewer older than 2.6. To use  DISA
                     STIG Viewer 2.6 or newer, use --results instead.

              --report FILE
                     Write HTML report into FILE.

              --oval-results
                     Generate  OVAL Result file for each OVAL session used for
                     evaluation. File  with  name  'original-oval-definitions-
                     filename.result.xml'  will  be  generated for each refer-
                     enced OVAL file.

              --check-engine-results
                     After evaluation is finished, each  loaded  check  engine
                     plugin  is asked to export its results. The export itself
                     is plugin specific, please refer to documentation of  the
                     plugin for more details.

              --export-variables
                     Generate  OVAL Variables documents which contain external
                     variables' values that were provided to the OVAL checking
                     engine  during evaluation. The filename format is 'origi-
                     nal-oval-definitions-filename-session-index.variables-
                     variables-index.xml'.

              --progress
                     Switch  to sparse output suitable for progress reporting.
                     Format of the output is "$rule_id:$result\n".

       resolve -o output-file xccdf-file
              Resolve an XCCDF file as described in the  XCCDF  specification.
              It will flatten inheritance hierarchy of XCCDF profiles, groups,
              rules, and values. Result is another XCCDF document, which  will
              be written to output-file.

              --force
                     Force  resolving  XCCDF  document  even  if it is already
                     marked as resolved.

       validate [options] xccdf-file
              Validate given XCCDF file against  a  XML  schema.  Every  found
              error is printed to the standard error. Return code is 0 if val-
              idation succeeds, 1 if validation could not be performed due  to
              some error, 2 if the XCCDF document is not valid.

              --schematron
                     Turn  on  Schematron-based validation. It is able to find
                     more errors  and  inconsistencies  but  is  much  slower.
                     Schematron is available only for XCCDF version 1.2.

       export-oval-variables [options] xccdf-file [oval-definitions-files]
              Collect  all  the XCCDF values that would be used by OVAL during
              evaluation of a certain profile and export them as  OVAL  exter-
              nal-variables  document(s).  The  filename  format is 'original-
              oval-definitions-filename-session-index.variables-variables-
              index.xml'.

              --profile PROFILE
                     Select a particular profile from XCCDF document.

              --fetch-remote-resources
                     Allow  download  of  remote  OVAL content referenced from
                     XCCDF by check-content-ref/@href.

              --skip-valid
                     Do not validate input/output files.

              --datastream-id ID
                     Uses a datastream with that particular ID from the  given
                     datastream  collection. If not given the first datastream
                     is used. Only applies if you give  source  datastream  in
                     place of an XCCDF file.

              --xccdf-id ID
                     Takes  component  ref with given ID from checklists. This
                     allows to select a particular  XCCDF  component  even  in
                     cases where there are 2 XCCDFs in one datastream.

              --cpe CPE_FILE
                     Use  given CPE dictionary or language (auto-detected) for
                     applicability checks. The variables documents are created
                     only for xccdf:Rules which are applicable.

       generate [options] <submodule> [submodule-specific-options]
              Generate  another  document  from an XCCDF file such as security
              guide or result report.

              --profile ID
                     Apply profile with given ID to the Benchmark before  fur-
                     ther processing takes place.

              Available submodules:

              guide [options] xccdf-file
                     Generate a HTML document containing a security guide from
                     an XCCDF Benchmark. Unless the --output option is  speci-
                     fied  it  will be written to the standard output. Without
                     profile  being  set  only  groups  (not  rules)  will  be
                     included in the output.

                     --output FILE
                            Write  the  guide to this file instead of standard
                            output.

                     --hide-profile-info
                            This option has no effect and  is  kept  only  for
                            backward compatibility purposes.

                     --benchmark-id ID
                            Selects  a  component ref from any datastream that
                            references a component with XCCDF  Benchmark  such
                            that   its  @id  attribute  matches  given  string
                            exactly.

                     --xccdf-id ID
                            Takes component ref with given ID from checklists.
                            This allows to select a particular XCCDF component
                            even in cases where there  are  2  XCCDFs  in  one
                            datastream.  If none is given, the first component
                            from the checklists element is used.

                     --tailoring-file TAILORING_FILE
                            Use given file for XCCDF tailoring. Select profile
                            from  tailoring  file to apply using --profile. If
                            both --tailoring-file and --tailoring-id are spec-
                            ified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use tailoring component in input source datastream
                            for XCCDF tailoring. The tailoring component  must
                            be  specified  by  its Ref-ID (value of component-
                            ref/@id attribute  in  input  source  datastream).
                            Select  profile  from tailoring component to apply
                            using  --profile.  If  both  --tailoring-file  and
                            --tailoring-id   are  specified,  --tailoring-file
                            takes priority.

              report [options] xccdf-file
                     Generate a HTML document containing results of  an  XCCDF
                     Benchmark execution. Unless the --output option is speci-
                     fied it will be written to the standard output.

                     --output FILE
                            Write the report to this file instead of  standard
                            output.

                     --result-id ID
                            ID  of  the XCCDF TestResult from which the report
                            will be generated.

                     --oval-template template-string
                            To use the ability to include additional  informa-
                            tion  from  OVAL  in xccdf result file, a template
                            which will be used  to  obtain  OVAL  result  file
                            names  has  to  be  specified. The template can be
                            either a filename or a string containing  wildcard
                            character  (percent  sign  '%').  Wildcard will be
                            replaced by the original OVAL definition file name
                            as  referenced from the XCCDF file. This way it is
                            possible to  obtain  OVAL  information  even  from
                            XCCDF documents referencing several OVAL files. To
                            use this option with results from an XCCDF evalua-
                            tion,  specify  %.result.xml  as  a OVAL file name
                            template.

                     --sce-template template-string
                            To use the ability to include additional  informa-
                            tion  from  SCE  in  XCCDF result file, a template
                            which will be used to obtain SCE result file names
                            has  to be specified. The template can be either a
                            filename or a string containing wildcard character
                            (percent  sign  '%'). Wildcard will be replaced by
                            the original SCE script file  name  as  referenced
                            from  the  XCCDF  file. This way it is possible to
                            obtain SCE information even from  XCCDF  documents
                            referencing  several SCE files. To use this option
                            with results from  an  XCCDF  evaluation,  specify
                            %.result.xml as a SCE file name template.

              fix [options] xccdf-file
                     Generate  a script that shall bring the system to a state
                     of compliance with given XCCDF  Benchmark.  There  are  2
                     possibilities   when  generating  fixes:  Result-oriented
                     fixes (--result-id)  or  Profile-oriented  fixes  (--pro-
                     file).  Result-oriented  takes  precedences over Profile-
                     oriented, if result-id is given, oscap  will  ignore  any
                     profile provided.

                     Result-oriented  fixes are generated using result-id pro-
                     vided to select only the failing rules  from  results  in
                     xccdf-file, it skips all other rules.

                     Profile-oriented  fixes  are  generated  using  all rules
                     within the provided profile. If no result-id/profile  are
                     provided,  (default)  profile  will  be  used to generate
                     fixes.

                     --fix-type TYPE
                            Specify fix type. There are  multiple  programming
                            languages  in  which  the fix script can be gener-
                            ated. TYPE should be one of: bash,  ansible,  pup-
                            pet,  anaconda,  ignition,  kubernetes. Default is
                            bash.  This  option  is  mutually  exclusive  with
                            --template,  because  fix  type already determines
                            the template URN.

                     --output FILE
                            Write the report to this file instead of  standard
                            output.

                     --result-id ID
                            Fixes will be generated for failed rule-results of
                            the specified TestResult.

                     --template ID|FILE
                            Template to be used to generate the script. If  it
                            contains a dot '.' it is interpreted as a location
                            of a file with the template definition.  Otherwise
                            it  identifies  a template from standard set which
                            currently includes: bash (default if no --template
                            switch  present). Brief explanation of the process
                            of writing your own templates is in the  XSL  file
                            xsl/legacy-fix.xsl in the openscap data directory.
                            You can also take a look at the  default  template
                            xsl/legacy-fixtpl-bash.xml.

                     --xccdf-id ID
                            Takes component ref with given ID from checklists.
                            This allows to select a particular XCCDF component
                            even  in  cases  where  there  are 2 XCCDFs in one
                            datastream. If none is given, the first  component
                            from the checklists element is used.

                     --benchmark-id ID
                            Selects  a  component ref from any datastream that
                            references a component with XCCDF  Benchmark  such
                            that   its  @id  attribute  matches  given  string
                            exactly.

                     --tailoring-file TAILORING_FILE
                            Use given file for XCCDF tailoring. Select profile
                            from  tailoring  file to apply using --profile. If
                            both --tailoring-file and --tailoring-id are spec-
                            ified, --tailoring-file takes priority.

                     --tailoring-id COMPONENT_REF_ID
                            Use tailoring component in input source datastream
                            for XCCDF tailoring. The tailoring component  must
                            be  specified  by  its Ref-ID (value of component-
                            ref/@id attribute  in  input  source  datastream).
                            Select  profile  from tailoring component to apply
                            using  --profile.  If  both  --tailoring-file  and
                            --tailoring-id   are  specified,  --tailoring-file
                            takes priority.

              custom --stylesheet xslt-file [options] xccdf-file
                     Generate a custom output (depending on given  XSLT  file)
                     from an XCCDF file.

                     --stylesheet FILE
                            Specify an absolute path to a custom stylesheet to
                            format the output.

                     --output FILE
                             Write the document into file.


OVAL OPERATIONS
       eval [options] INPUT_FILE
              Probe the system and evaluate all definitions from OVAL  Defini-
              tion  file.  Print result of each definition to standard output.
              The return code is 0 after a  successful evaluation.  On  error,
              value 1 is returned.

              INPUT_FILE  can  be  either  OVAL Definition File or SCAP Source
              Datastream, it depends on used options.

              Unless --skip-valid is used, the INPUT_FILE is  validated  using
              XSD  schemas  (depending  on  document  type  of INPUT_FILE) and
              rejected if invalid.

              --id DEFINITION-ID
                     Evaluate ONLY specified OVAL Definition from OVAL Defini-
                     tion File.

              --variables FILE
                     Provide  external  variables  expected by OVAL Definition
                     File.

              --directives FILE
                     Use OVAL Directives content to  specify  desired  results
                     content.

              --without-syschar
                     Don't provide system characteristics in result file.

              --results FILE
                     Write OVAL Results into file.

              --report FILE
                     Create human readable (HTML) report from OVAL Results.

              --datastream-id ID
                     Uses  a datastream with that particular ID from the given
                     datastream collection. If not given the first  datastream
                     is  used.  Only  applies if you give source datastream in
                     place of an OVAL file.

              --oval-id ID
                     Takes component ref  with  given  ID  from  checks.  This
                     allows  to  select  a  particular  OVAL component even in
                     cases where there are 2 OVALs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow  download  of  remote  components  referenced  from
                     Datastream.


       collect [options] definitions-file
              Probe  the  system  and  gather  system  characteristics for all
              objects in OVAL Definition file.

              --id OBJECT-ID
                     Collect system characteristics ONLY  for  specified  OVAL
                     Object.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --syschar FILE
                     Write OVAL System Characteristic into file.

              --skip-valid
                     Do not validate input/output files.



       analyse [options] --results FILE definitions-file syschar-file
              In this mode, the oscap tool does not perform data collection on
              the local system, but relies upon the input file, which may have
              been  generated  on another system. The output (OVAL Results) is
              printed to file specified by --results parameter.

              --variables FILE
                     Provide external variables expected by OVAL Definitions.

              --directives FILE
                     Use OVAL Directives content to  specify  desired  results
                     content.

              --skip-valid
                     Do not validate input/output files.


       validate [options] oval-file
              Validate given OVAL file against a XML schema. Every found error
              is printed to the standard error. Return code is 0 if validation
              succeeds,  1  if  validation  could not be performed due to some
              error, 2 if the OVAL document is not valid.

              --definitions, --variables, --syschar, --results --directives
                     Type of the OVAL document is  automatically  detected  by
                     default.  If  you want enforce certain document type, you
                     can use one of these options.

              --schematron
                     Turn on Schematron-based validation. It is able  to  find
                     more errors and inconsistencies but is much slower.

       generate <submodule> [submodule-specific-options]
              Generate another document from an OVAL file.

              Available submodules:

              report [options] oval-results-file
                     Generate  a  formatted HTML page containing visualisation
                     of an OVAL results file. Unless the  --output  option  is
                     specified it will be written to the standard output.

                     --output FILE
                            Write  the report to this file instead of standard
                            output.


CPE OPERATIONS
       check name
              Check whether name is in correct CPE format.

       match name dictionary.xml
              Find an exact match of CPE name in the dictionary.

       validate cpe-dict-file
              Validate given CPE dictionary file against a XML  schema.  Every
              found  error  is printed to the standard error. Return code is 0
              if validation succeeds, 1 if validation could not  be  performed
              due to some error, 2 if the XCCDF document is not valid.


CVSS OPERATIONS
       score cvss_vector
              Calculate  score  from a CVSS vector. Prints base score for base
              CVSS vector, base and temporal score for temporal  CVSS  vector,
              base and temporal and environmental score for environmental CVSS
              vector.

       describe cvss_vector
              Describe individual components of a CVSS vector in a human-read-
              able format and print partial scores.

       CVSS vector consists of several slash-separated components specified as
       key-value pairs. Each key can be specified at  most  once.  Valid  CVSS
       vector  has  to contain at least base CVSS metrics, i.e. AV, AC, AU, C,
       I, and A. Following table summarizes the components and possible values
       (second  column  is  metric category: B for base, T for temporal, E for
       environmental):

              AV:[L|A|N]            B   Access vector:  Local,  Adjacent  net-
              work, Network

              AC:[H|M|L]            B   Access complexity: High, Medium, Low

              AU:[M|S|N]              B    Required  authentication:  Multiple
              instances, Single instance, None

              C:[N|P|C]             B   Confidentiality impact: None, Partial,
              Complete

              I:[N|P|C]              B   Integrity impact: None, Partial, Com-
              plete

              A:[N|P|C]             B   Availability  impact:  None,  Partial,
              Complete

              E:[ND|U|POC|F|H]      T   Exploitability: Not Defined, Unproven,
              Proof of Concept, Functional, High

              RL:[ND|OF|TF|W|U]     T   Remediation Level: Not Defined,  Offi-
              cial Fix, Temporary Fix, Workaround, Unavailable

              RC:[ND|UC|UR|C]       T   Report Confidence: Not Defined, Uncon-
              firmed, Uncorroborated, Confirmed

              CDP:[ND|N|L|LM|MH|H]   E    Collateral  Damage  Potential:   Not
              Defined, None, Low, Low-Medium, Medium-High, High

              TD:[ND|N|L|M|H]        E    Target  Distribution:  Not  Defined,
              None, Low, Medium, High

              CR:[ND|L|M|H]          E    Confidentiality   requirement:   Not
              Defined, Low, Medium, High

              IR:[ND|L|M|H]          E    Integrity  requirement: Not Defined,
              Low, Medium, High

              AR:[ND|L|M|H]         E   Availability requirement: Not Defined,
              Low, Medium, High

DS OPERATIONS
       sds-compose [options] SOURCE_XCCDF TARGET_SDS
              Creates  a  source  datastream  from  the  XCCDF  file  given in
              SOURCE_XCCDF and stores the result in  TARGET_SDS.  Dependencies
              like OVAL files are automatically detected and bundled in target
              source datastream.

              --skip-valid
                     Do not validate input/output files.

       sds-add [options] NEW_COMPONENT EXISTING_SDS
              Adds given NEW_COMPONENT file to the existing source  datastream
              (EXISTING_SDS).  Component file might be OVAL, XCCDF or CPE Dic-
              tionary file. Dependencies like  OVAL  files  are  automatically
              detected and bundled in target source datastream.

              --datastream-id DATASTREAM_ID
                     Uses  a datastream with that particular ID from the given
                     datastream collection. If not given the first  datastream
                     is used.

              --skip-valid
                     Do not validate input/output files.

       sds-split [options] SOURCE_DS TARGET_DIR
              Splits  given  source  datastream into multiple files and stores
              all the files in TARGET_DIR.

              --datastream-id DATASTREAM_ID
                     Uses a datastream with that particular ID from the  given
                     datastream  collection. If not given the first datastream
                     is used.

              --xccdf-id XCCDF_ID
                     Takes component ref with given ID from  checklists.  This
                     allows  to  select  a  particular XCCDF component even in
                     cases where there are 2 XCCDFs in one datastream.

              --skip-valid
                     Do not validate input/output files.

              --fetch-remote-resources
                     Allow  download  of  remote  components  referenced  from
                     Datastream.

       sds-validate SOURCE_DS
              Validate  given  source  datastream  file  against a XML schema.
              Every found error is printed to the standard error. Return  code
              is  0  if validation succeeds, 1 if validation could not be per-
              formed due to some error, 2 if  the  source  datastream  is  not
              valid.

       rds-create   [options]   SDS   TARGET_ARF  XCCDF_RESULTS  [OVAL_RESULTS
       [OVAL_RESULTS ..]]
              Takes given source datastream, XCCDF and OVAL results  and  cre-
              ates  a  result datastream (in Asset Reporting Format) and saves
              it to file given in TARGET_ARF.

              --skip-valid
                     Do not validate input/output files.

       rds-split [options] [--report-id REPORT_ID] RDS TARGET_DIR
              Takes given result datastream (also called ARF = asset reporting
              format)  and  splits  given  report  and  its respective report-
              request to given target directory. If no report-id is given,  we
              assume  user wants the first applicable report in top-down order
              in the file.

              --skip-valid
                     Do not validate input/output files.

       rds-validate SOURCE_RDS
              Validate given result datastream  file  against  a  XML  schema.
              Every  found error is printed to the standard error. Return code
              is 0 if validation succeeds, 1 if validation could not  be  per-
              formed  due  to  some  error,  2 if the result datastream is not
              valid.


CVE OPERATIONS
       validate cve-nvd-feed.xml
              Validate given CVE data feed.

       find CVE cve-nvd-feed.xml
              Find given CVE in data feed and report base score, vector string
              and vulnerable software list.


EXIT STATUS
       Normally, the exit status is 0 when operation finished successfully and
       1 otherwise. In cases when oscap performs evaluation of the  system  it
       may  return  2  indicating success of the operation but incompliance of
       the assessed system.


EXAMPLES
       Evaluate XCCDF content using CPE dictionary and produce html report. In
       this  case  we  use  United  States  Government  Configuration Baseline
       (USGCB) for Red Hat Enterprise Linux 5 Desktop.

               oscap xccdf eval --fetch-remote-resources --oval-results \
                       --profile united_states_government_configuration_baseline \
                       --report usgcb-rhel5desktop.report.html \
                       --results usgcb-rhel5desktop-xccdf.xml.result.xml \
                       --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
                       usgcb-rhel5desktop-xccdf.xml

CONTENT
        SCAP Security Guide - https://github.com/OpenSCAP/scap-security-guide/

        National             Vulnerability             Database              -
       http://web.nvd.nist.gov/view/ncp/repository

        Red Hat content repository - http://www.redhat.com/security/data/oval/



REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues
       Make sure you include the full output of `oscap --v` in the bug report.


AUTHORS
       Peter Vrabec <pvrabec@redhat.com>
       imon Lukak
       Martin Preisler <mpreisle@redhat.com>



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------------------+
       |ATTRIBUTE TYPE |       ATTRIBUTE VALUE        |
       +---------------+------------------------------+
       |Availability   | security/compliance/openscap |
       +---------------+------------------------------+
       |Stability      | Uncommitted                  |
       +---------------+------------------------------+

NOTES
       Source  code  for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-
       code-downloads.html.

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source    was    downloaded   from    https://github.com/OpenSCAP/open-
       scap/releases/download/1.3.4/openscap-1.3.4.tar.gz.

       Further information about this software can be found on the open source
       community website at http://www.open-scap.org.



Red Hat                          October 2018                         OSCAP(8)