Rechercher une page de manuel
oscap
Langue: en
Version: 385865 (fedora - 01/12/10)
Section: 8 (Commandes administrateur)
Sommaire
NAME
oscap - OpenSCAP command line toolSYNOPSIS
oscap [general-options] module operation [operation-options-and-arguments]DESCRIPTION
oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP specifications(modules).GENERAL OPTIONS
- -V, --version
- SCAP specification supported by the module.
- -q, --quiet
- No output for certain operations, only return code.
- -h, --help
- Help screen.
MODULES
- oval
- Open Vulnerability and Assessment Language.
- xccdf
- The eXtensible Configuration Checklist Description Format.
- cvss
- Common Vulnerability Scoring System
OVAL OPERATIONS
- collect oval-definitions-file
-
- Probe the system and gather system characteristics for objects in OVAL Definition file. Print output (OVAL System Characteristic) to standart output.
eval [options] oval-definitions-file
- Probe the system and evaluate all definitions from OVAL Definition file. Print result of each definition to standard output. oscap returns 0 if all definitions pass. If there is an error during evaluation, the return code is 1. If there is at least one failed result definition, oscap-scan finishes with return code 2.
-
- --result-file FILE
- Write OVAL Results into file.
- --report-file FILE
- Write HTML results report into file.
- eval-id [--result-file FILE] --id definition-id oval-definitions-file
-
- Probe the system and evaluate specified definition from OVAL Definition file. Print results of evaluation to standard output.
- validate-xml [options] oval-file
-
- Validate given OVAL file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the OVAL document is not valid.
-
- --version VER
- Specify version of the specification the document shall conform to.
- --definitions, --syschar, --results
- Specify whether the validated document is an OVAL definitions file, OVAL system characteristics file, or OVAL results file. Default: definitions.
- generate <submodule> [submodule-specific-options]
-
- Generate another document form an OVAL file.
-
- Available submodules:
- report [options] oval-results-file
-
- Generate a formatted HTML page containing visualisation of an OVAL results file. Unless the --output option is specified it will be written to the standard output.
-
- --output FILE
- Write the report to this file instead of standard output.
XCCDF OPERATIONS
- eval [options] xccdf-file [oval-definitions-files]
-
- Perform evaluation driven by XCCDF file and use OVAL as checking engine. Print result of each rule to standard output. oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one failed rule, oscap-scan finishes with return code 2.
You may specify all required OVAL Definition files as last parameters. If you don't do that, oscap tool will try to load all OVAL Definition files referenced from XCCDF automaticaly(search in the same path as XCCDF). -
- --profile PROFILE
-
- Select profile from XCCDF document, otherwise the first profile is used.
- --result-file FILE
-
- Write XCCDF results into file.
- --report-file FILE
-
- Write HTML report into file. You also have to specify --result-file for this feature to work.
- --oval-results
- Generate OVAL Result file for each OVAL session used for evaluation.
- Perform evaluation driven by XCCDF file and use OVAL as checking engine. Print result of each rule to standard output. oscap returns 0 if all rules pass. If there is an error during evaluation, the return code is 1. If there is at least one failed rule, oscap-scan finishes with return code 2.
- resolve -o output-file xccdf-file
-
- Resolve an XCCDF file as described in the XCCDF specification. It will flatten inheritance hierarchy of XCCDF profiles, groups, rules, and values. Result is another XCCDF document, which will be written to output-file.
-
- --force
- Force resolving XCCDF document even if it is already marked as resolved.
- validate-xml [options] xccdf-file
-
- Validate given XCCDF file against a XML schema. Every found error is printed to the standard output. Return code is 0 if validation succeeds, 1 if validation could not be performed due to some error, 2 if the XCCDF document is not valid.
-
- --version VER
- Specify version of the specification the document shall conform to.
- generate [options] <submodule> [submodule-specific-options]
-
- Generate another document form an XCCDF file such as security guide or result report.
-
- --profile ID
- Apply profile with given ID to the Benchmark before further processing takes place.
- Available submodules:
- guide [options] xccdf-file
-
- Generate a formatted HTML page containing a security guide from a XCCDF Benchmark. Unless the --output option is specified it will be written to the standard output.
-
- --output FILE
- Write the guide to this file instead of standard output.
- --hide-profile-info
- Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
- report [options] xccdf-file
-
- Generate a formatted HTML page containing results of a XCCDF Benchmark execution. Unless the --output option is specified it will be written to the standard output. ID of the TestResult element to visualise defaults to the most recent result (according to the end-time attribute).
-
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- ID of the XCCDF TestResult from which the report will be generated.
- --show what
- Specify what result types shall be displayed in the result report. The default is to show everything except for rules with results notselected and notapplicable. The what part is a comma-separated list of result types to display in addition to the default. If result type is prefixed by a dash '-', it will be excluded from the results. If what is prefixed by an equality sign '=', a following list specifies exactly what rule types to include in the report. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail.
- fix [options] xccdf-file
-
- Generate a script that shall bring the system to a state of compliance with given XCCDF Benchmark.
-
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- With this option the script generating engine will pick rules that failed for given test and generate fixes only for them.
- --template ID|FILE
- Template to be used to generate the script. If it contains a dot '.' it is interpreted as a location of a file with the template definition. Otherwise it identifies a template from standard set which currently includes: bash (default if no --template switch present). Brief explanation of the process of writing your own templates is in the XSL file xsl/fix.xsl in the openscap data directory. You can also take a look at the default template xsl/fixtpl-bash.xml.
CVSS OPERATIONS
- base metrics
-
- Calculate base score from Access Vector (AV), Access Complexity (AC), Authentication(AU), Confidentiality Impact(CI), Integrity Impact(II) and Availability Impact(AI) metric.
temporal --base <num> [metrics]
- Calculate temporal score from base score, Exploitability(EX), Remediation Level(RL) and Report Confidence(RC) metric.
environmental metrics
- Calculate environmental score from Collateral Damage Potential(CD), Target Distribution(TD), Confidentiality Requirement (CR), Integrity Requirement(IR), Availability Requirement(AR), Access Vector (AV), Access Complexity (AC), Authentication(AU), Confidentiality Impact(CI), Integrity Impact(II), Availability Impact(AI), Exploitability(EX), Remediation Level(RL) and Report Confidence(RC) metric.
metrics:
- --AV=[local|adjacent-network|network] - Access Vector (required)
- --AC=[low|medium|high] - Access Complexity (required)
- --AU=[none|single|multiple] - Authentication (required)
- --CI=[none|partial|complete] - Confidentiality Impact (required)
- --II=[none|partial|complete] - Integrity Impact (required)
- --AI=[none|partial|complete] - Availability Impact (required)
- --EX=[unproven|proof-of-concept|functional|high|not-defined] - Exploitability
- --RL=[official-fix|temporary-fix|workaround|unavailable|not-defined] - Remediation Level
- --RC=[unconfirmed|uncorrporated|confirmed|not-defined] - Report Confidence
- --CD=[none|low|low-medium|medium-high|high|not-defined] - Collateral Damage Potential
- --TD=[none|low|medium|high|not-defined] - Target Distribution
- --CR=[low|medium|high|not-defined] - Confidentiality Requirement
- --IR=[low|medium|high|not-defined] - Integrity Requirement
- --AR=[low|medium|high|not-defined] - Availability Requirement
CONTENT
- National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository
- Red Hat content repository - http://www.redhat.com/security/data/oval/
AUTHOR
Peter Vrabec <pvrabec@redhat.com>Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre