oscap

Langue: en

Version: 385865 (fedora - 01/12/10)

Section: 8 (Commandes administrateur)

NAME

oscap - OpenSCAP command line tool

SYNOPSIS

oscap [general-options] module operation [operation-options-and-arguments]

DESCRIPTION

oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP specifications(modules).

GENERAL OPTIONS

-V, --version
SCAP specification supported by the module.
-q, --quiet
No output for certain operations, only return code.
-h, --help
Help screen.

MODULES

oval
Open Vulnerability and Assessment Language.
xccdf
The eXtensible Configuration Checklist Description Format.
cvss
Common Vulnerability Scoring System

OVAL OPERATIONS

collect oval-definitions-file
Probe the system and gather system characteristics for objects in OVAL Definition file. Print output (OVAL System Characteristic) to standart output.

eval [options] oval-definitions-file

Probe the system and evaluate all definitions from OVAL Definition file. Print result of each definition to standard output. oscap returns 0 if all definitions pass. If there is an error during evaluation, the return code is 1. If there is at least one failed result definition, oscap-scan finishes with return code 2.
--result-file FILE
Write OVAL Results into file.
--report-file FILE
Write HTML results report into file.
eval-id [--result-file FILE] --id definition-id oval-definitions-file
Probe the system and evaluate specified definition from OVAL Definition file. Print results of evaluation to standard output.
validate-xml [options] oval-file
Validate given OVAL file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the OVAL document is not valid.
--version VER
Specify version of the specification the document shall conform to.
--definitions, --syschar, --results
Specify whether the validated document is an OVAL definitions file, OVAL system characteristics file, or OVAL results file. Default: definitions.
generate <submodule> [submodule-specific-options]
Generate another document form an OVAL file.
Available submodules:
report [options] oval-results-file
Generate a formatted HTML page containing visualisation of an OVAL results file. Unless the --output option is specified it will be written to the standard output.
--output FILE
Write the report to this file instead of standard output.

XCCDF OPERATIONS

eval [options] xccdf-file [oval-definitions-files]
Perform evaluation driven by XCCDF file and use OVAL as checking engine. Print result of each rule to standard output. oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one failed rule, oscap-scan finishes with return code 2.
You may specify all required OVAL Definition files as last parameters. If you don't do that, oscap tool will try to load all OVAL Definition files referenced from XCCDF automaticaly(search in the same path as XCCDF).
--profile PROFILE
Select profile from XCCDF document, otherwise the first profile is used.
--result-file FILE
Write XCCDF results into file.
--report-file FILE
Write HTML report into file. You also have to specify --result-file for this feature to work.
--oval-results
Generate OVAL Result file for each OVAL session used for evaluation.
resolve -o output-file xccdf-file
Resolve an XCCDF file as described in the XCCDF specification. It will flatten inheritance hierarchy of XCCDF profiles, groups, rules, and values. Result is another XCCDF document, which will be written to output-file.
--force
Force resolving XCCDF document even if it is already marked as resolved.
validate-xml [options] xccdf-file
Validate given XCCDF file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the XCCDF document is not valid.
--version VER
Specify version of the specification the document shall conform to.
generate [options] <submodule> [submodule-specific-options]
Generate another document form an XCCDF file such as security guide or result report.
--profile ID
Apply profile with given ID to the Benchmark before further processing takes place.
Available submodules:
guide [options] xccdf-file
Generate a formatted HTML page containing a security guide from a XCCDF Benchmark. Unless the --output option is specified it will be written to the standard output.
--output FILE
Write the guide to this file instead of standard output.
--hide-profile-info
Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
report [options] xccdf-file
Generate a formatted HTML page containing results of a XCCDF Benchmark execution. Unless the --output option is specified it will be written to the standard output. ID of the TestResult element to visualise defaults to the most recent result (according to the end-time attribute).
--output FILE
Write the report to this file instead of standard output.
--result-id ID
ID of the XCCDF TestResult from which the report will be generated.
--show what
Specify what result types shall be displayed in the result report. The default is to show everything except for rules with results notselected and notapplicable. The what part is a comma-separated list of result types to display in addition to the default. If result type is prefixed by a dash '-', it will be excluded from the results. If what is prefixed by an equality sign '=', a following list specifies exactly what rule types to include in the report. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail.
fix [options] xccdf-file
Generate a script that shall bring the system to a state of compliance with given XCCDF Benchmark.
--output FILE
Write the report to this file instead of standard output.
--result-id ID
With this option the script generating engine will pick rules that failed for given test and generate fixes only for them.
--template ID|FILE
Template to be used to generate the script. If it contains a dot '.' it is interpreted as a location of a file with the template definition. Otherwise it identifies a template from standard set which currently includes: bash (default if no --template switch present). Brief explanation of the process of writing your own templates is in the XSL file xsl/fix.xsl in the openscap data directory. You can also take a look at the default template xsl/fixtpl-bash.xml.

CVSS OPERATIONS

base metrics
Calculate base score from Access Vector (AV), Access Complexity (AC), Authentication(AU), Confidentiality Impact(CI), Integrity Impact(II) and Availability Impact(AI) metric.

temporal --base <num> [metrics]

Calculate temporal score from base score, Exploitability(EX), Remediation Level(RL) and Report Confidence(RC) metric.

environmental metrics

Calculate environmental score from Collateral Damage Potential(CD), Target Distribution(TD), Confidentiality Requirement (CR), Integrity Requirement(IR), Availability Requirement(AR), Access Vector (AV), Access Complexity (AC), Authentication(AU), Confidentiality Impact(CI), Integrity Impact(II), Availability Impact(AI), Exploitability(EX), Remediation Level(RL) and Report Confidence(RC) metric.

metrics:

--AV=[local|adjacent-network|network] - Access Vector (required)
--AC=[low|medium|high] - Access Complexity (required)
--AU=[none|single|multiple] - Authentication (required)
--CI=[none|partial|complete] - Confidentiality Impact (required)
--II=[none|partial|complete] - Integrity Impact (required)
--AI=[none|partial|complete] - Availability Impact (required)
--EX=[unproven|proof-of-concept|functional|high|not-defined] - Exploitability
--RL=[official-fix|temporary-fix|workaround|unavailable|not-defined] - Remediation Level
--RC=[unconfirmed|uncorrporated|confirmed|not-defined] - Report Confidence
--CD=[none|low|low-medium|medium-high|high|not-defined] - Collateral Damage Potential
--TD=[none|low|medium|high|not-defined] - Target Distribution
--CR=[low|medium|high|not-defined] - Confidentiality Requirement
--IR=[low|medium|high|not-defined] - Integrity Requirement
--AR=[low|medium|high|not-defined] - Availability Requirement

CONTENT

National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository
Red Hat content repository - http://www.redhat.com/security/data/oval/

AUTHOR

Peter Vrabec <pvrabec@redhat.com>