3 OSCAP Information and Reference

You can obtain information about your installation of OSCAP that can help you understand how the tool is configured and what it can support. This information may be helpful when debugging issues within OSCAP.

The oscap command includes several subcommands that control different behaviors and that enable the tool to interact with several different file types.

Displaying Information About OSCAP

Use oscap -V to display the following information about the OSCAP tool:

  • Supported SCAP specifications

  • Any loaded plug-in capabilities

  • Locations of schema, CPE, and probe files

  • Inbuilt CPE names

  • Supported OVAL objects and associated SCAP probes

Sample output:

OpenSCAP command line tool (oscap) 1.3.6
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe

==== Inbuilt CPE names ====
...

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe              
----------    ----------                   ----------                  
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
...

Note:

Inbuilt Common Platform Enumeration (CPE) dictionaries are deprecated and will be removed in a future release. CPE dictionaries provide standard naming schemes for hardware, software, and packages so that they can be easily referenced within code. CPE dictionaries can be included as part of a data stream, and the dictionaries used for Oracle Linux platforms are included in the data stream files shipped within the scap-security-guide package.
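
One way to use this output when debugging is to check from a script which specification versions and OVAL probes the installed build reports. The following script is an added example, not part of OpenSCAP or of this guide; the function names sample_oscap_V, spec_version, and probe_for are hypothetical, and the input is a trimmed copy of the sample output shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of oscap.

# Constructed input: trimmed copy of the sample `oscap -V` output above.
sample_oscap_V() {
cat <<'EOF'
OpenSCAP command line tool (oscap) 1.3.6

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1

==== Paths ====
Schema files: /usr/share/openscap/schemas

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe
----------    ----------                   ----------
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
EOF
}

# Print the supported version of one specification (stdin: oscap -V output).
# Exit status 1 if the specification is not listed.
spec_version() {
    awk -v spec="$1" -F': ' '
        $1 == (spec " Version") { print $2; found = 1 }
        END { exit !found }'
}

# Print the probe that backs an OVAL object; exit status 1 if none is listed.
# NF == 3 skips the six-word header row, whose second word is "family" and
# would otherwise match a query for the "family" object.
probe_for() {
    awk -v obj="$1" '
        /^==== / { in_table = ($0 ~ /Supported OVAL objects/); next }
        in_table && NF == 3 && $2 == obj { print $3; found = 1 }
        END { exit !found }'
}

# On a live system, pipe `oscap -V` into the functions instead of the sample.
sample_oscap_V | spec_version XCCDF
sample_oscap_V | probe_for family
sample_oscap_V | probe_for rpminfo || echo "no probe listed for rpminfo in this sample"
```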

oscap Command Reference

The general command syntax of oscap is:

oscap [options] module operation [operation_options_and_arguments]

oscap supports the following module types:

  • cpe - Performs operations using a Common Platform Enumeration (CPE) file.
  • cve - Performs operations using a Common Vulnerabilities and Exposures (CVE) file.
  • cvss - Performs operations using a Common Vulnerability Scoring System (CVSS) file.
  • ds - Performs operations using a SCAP Data Stream (DS).
  • info - Determines a file's type and prints information about the file.
  • oval - Performs operations using an Open Vulnerability and Assessment Language (OVAL) file.
  • xccdf - Performs operations using a file in eXtensible Configuration Checklist Description Format (XCCDF).

For scanning Oracle Linux systems, the most useful modules are generally info, oval, and xccdf. When using the oval and xccdf modules, the most useful operations are:

  • eval

    For an OVAL file, oscap probes the system, evaluates each definition in the file, and then prints the results to the standard output.

    For a specified profile in an XCCDF file, oscap tests the system against each rule in the file and prints the results to the standard output.

  • generate

    For an OVAL XML results file, generate report converts the specified file to an HTML report.

    For an XCCDF file, generate guide outputs a full security guide for a specified profile.

  • validate

    Validates an OVAL or XCCDF file against an XML schema to check for errors.

You can use the -h command option to view help for each available subcommand. For example:

oscap -h
oscap xccdf -h
oscap xccdf generate -h

For more information, see the oscap(8) manual page.