| oscap.8 | oscap.8 | |||
|---|---|---|---|---|
| skipping to change at line 49 | skipping to change at line 49 | |||
| --id OBJECT-ID | --id OBJECT-ID | |||
| Collect system characteristics ONLY for specified O VAL | Collect system characteristics ONLY for specified O VAL | |||
| Object. | Object. | |||
| --variables FILE | --variables FILE | |||
| Provide external variables expected by OVAL Definition s. | Provide external variables expected by OVAL Definition s. | |||
| --syschar FILE | --syschar FILE | |||
| Write OVAL System Characteristic into file | Write OVAL System Characteristic into file | |||
| --skip-valid | ||||
| Do not validate input/output files. | ||||
| eval [options] definitions-file | eval [options] definitions-file | |||
| Probe the system and evaluate all definitions from OVAL Defi ni‐ | Probe the system and evaluate all definitions from OVAL Defi ni‐ | |||
| tion file. Print result of each definition to standard outp ut. | tion file. Print result of each definition to standard outp ut. | |||
| oscap returns 0 if all definitions pass. If there is an er ror | oscap returns 0 if all definitions pass. If there is an er ror | |||
| during evaluation, the return code is 1. If there is at le ast | during evaluation, the return code is 1. If there is at le ast | |||
| one failed result definition, oscap-scan finishes with ret urn | one failed result definition, oscap-scan finishes with ret urn | |||
| code 2. | code 2. | |||
| --id DEFINITION-ID | --id DEFINITION-ID | |||
| Evaluate ONLY specified OVAL Definition. | Evaluate ONLY specified OVAL Definition. | |||
| --variables FILE | --variables FILE | |||
| Provide external variables expected by OVAL Definition s. | Provide external variables expected by OVAL Definition s. | |||
| --directives FILE | ||||
| Use OVAL Directives content to specify desired resu | ||||
| lts | ||||
| content. | ||||
| --results FILE | --results FILE | |||
| Write OVAL Results into file. | Write OVAL Results into file. | |||
| --report FILE | --report FILE | |||
| Create human readable (HTML) report from OVAL Results. | Create human readable (HTML) report from OVAL Results. | |||
| --skip-valid | --skip-valid | |||
| Do not validate input files before evaluation. | Do not validate input/output files. | |||
| analyse [options] definitions-file syschar-file | analyse [options] --results FILE definitions-file syschar-file | |||
| In this mode, the oscap tool does not perform data collection on | In this mode, the oscap tool does not perform data collection on | |||
| the local system, but relies upon the input file, which may h ave | the local system, but relies upon the input file, which may h ave | |||
| been generated on another system. The output (OVAL Results) | been generated on another system. The output (OVAL Results) | |||
| is | is | |||
| printed to standard output. | printed to file specified by --results parameter | |||
| --variables FILE | --variables FILE | |||
| Provide external variables expected by OVAL Definition s. | Provide external variables expected by OVAL Definition s. | |||
| --directives FILE | ||||
| Use OVAL Directives content to specify desired resu | ||||
| lts | ||||
| content. | ||||
| --skip-valid | ||||
| Do not validate input/output files. | ||||
| validate-xml [options] definitions-file | validate-xml [options] definitions-file | |||
| Validate given OVAL file against a XML schema. Every found er ror | Validate given OVAL file against a XML schema. Every found er ror | |||
| is printed to the standard output. Return code is 0 if vali da‐ | is printed to the standard output. Return code is 0 if vali da‐ | |||
| tion succeeds, 1 if validation could not be performed due to | tion succeeds, 1 if validation could not be performed due to | |||
| some error, 2 if the OVAL document is not valid. | some error, 2 if the OVAL document is not valid. | |||
| --definitions, --variables, --syschar, --results | --definitions, --variables, --syschar, --results --directives | |||
| Specify whether the validated document is an OVAL defi | Specify whether the validated document is an OVAL Defi | |||
| ni‐ | ni‐ | |||
| tions file, external OVAL Variables, OVAL system char | tions file, external OVAL Variables, OVAL System Char | |||
| ac‐ | ac‐ | |||
| teristics file, or OVAL results file. Default: defi | teristics file, OVAL Results file or OVAL Directi | |||
| ni‐ | ves | |||
| tions. | file. Default: definitions. | |||
| --schematron | --schematron | |||
| Turn on Schematron-based validation. It is able to f ind | Turn on Schematron-based validation. It is able to f ind | |||
| more errors and inconsistencies but is much slower. | more errors and inconsistencies but is much slower. | |||
| generate <submodule> [submodule-specific-options] | generate <submodule> [submodule-specific-options] | |||
| Generate another document form an OVAL file. | Generate another document form an OVAL file. | |||
| Available submodules: | Available submodules: | |||
| report [options] oval-results-file | report [options] oval-results-file | |||
| Generate a formatted HTML page containing visualisat ion | Generate a formatted HTML page containing visualisat ion | |||
| of an OVAL results file. Unless the --output option is | of an OVAL results file. Unless the --output option is | |||
| specified it will be written to the standard output. | specified it will be written to the standard output. | |||
| --output FILE | --output FILE | |||
| Write the report to this file instead of stand ard | Write the report to this file instead of stand ard | |||
| output. | output. | |||
| list-probes [options] | ||||
| List supported object types (i.e. probes) | ||||
| --static | ||||
| List all probes defined in the internal tables. | ||||
| --dynamic | ||||
| List all probes supported on the current system (this | ||||
| is | ||||
| default behavior). | ||||
| --verbose | ||||
| Be verbose. | ||||
| XCCDF OPERATIONS | XCCDF OPERATIONS | |||
| eval [options] xccdf-file [oval-definitions-files] | eval [options] xccdf-file [oval-definitions-files] | |||
| Perform evaluation driven by XCCDF file and use OVAL as check ing | Perform evaluation driven by XCCDF file and use OVAL as check ing | |||
| engine. Print result of each rule to standard output. os cap | engine. Print result of each rule to standard output. os cap | |||
| returns 0 if all rules pass. If there is an error during eval ua‐ | returns 0 if all rules pass. If there is an error during eval ua‐ | |||
| tion, the return code is 1. If there is at least one fai led | tion, the return code is 1. If there is at least one fai led | |||
| rule, oscap-scan finishes with return code 2. | rule, oscap-scan finishes with return code 2. | |||
| You may specify all required OVAL Definition files as l | You may specify all required OVAL Definition files as l | |||
| ast | ast | |||
| parameters. If you don't do that, oscap tool will try to l | parameters. If you don't do that, oscap tool will try to l | |||
| oad | oad | |||
| all OVAL Definition files referenced from XCCDF automa ti‐ | all OVAL Definition files referenced from XCCDF automa ti‐ | |||
| caly(search in the same path as XCCDF). | caly(search in the same path as XCCDF). | |||
| --profile PROFILE | --profile PROFILE | |||
| Select profile from XCCDF document, otherwise the fi | Select a particular profile from XCCDF document. | |||
| rst | ||||
| profile is used. | ||||
| --results FILE | --results FILE | |||
| Write XCCDF results into file. | Write XCCDF results into file. | |||
| --report FILE | --report FILE | |||
| Write HTML report into file. You also have to spec ify | Write HTML report into file. You also have to spec ify | |||
| --result for this feature to work. | --result for this feature to work. | |||
| --oval-results | --oval-results | |||
| Generate OVAL Result file for each OVAL session used for | Generate OVAL Result file for each OVAL session used for | |||
| skipping to change at line 151 | skipping to change at line 177 | |||
| OVAL information in the XCCDF report. | OVAL information in the XCCDF report. | |||
| --export-variables | --export-variables | |||
| Generate OVAL Variables documents which contain exter nal | Generate OVAL Variables documents which contain exter nal | |||
| variables' values that were provided to the OVAL check ing | variables' values that were provided to the OVAL check ing | |||
| engine during evaluation. The filename format is 'ori gi‐ | engine during evaluation. The filename format is 'ori gi‐ | |||
| nal-oval-definitions-filename-session-index.variables- | nal-oval-definitions-filename-session-index.variables- | |||
| variables-index.xml'. | variables-index.xml'. | |||
| --skip-valid | --skip-valid | |||
| Do not validate input files before evaluation. | Do not validate input/output files. | |||
| resolve -o output-file xccdf-file | resolve -o output-file xccdf-file | |||
| Resolve an XCCDF file as described in the XCCDF specificati on. | Resolve an XCCDF file as described in the XCCDF specificati on. | |||
| It will flatten inheritance hierarchy of XCCDF profiles, grou ps, | It will flatten inheritance hierarchy of XCCDF profiles, grou ps, | |||
| rules, and values. Result is another XCCDF document, which w ill | rules, and values. Result is another XCCDF document, which w ill | |||
| be written to output-file. | be written to output-file. | |||
| --force | --force | |||
| Force resolving XCCDF document even if it is alre ady | Force resolving XCCDF document even if it is alre ady | |||
| marked as resolved. | marked as resolved. | |||
| validate-xml [options] xccdf-file | validate-xml [options] xccdf-file | |||
| Validate given XCCDF file against a XML schema. Every fo und | Validate given XCCDF file against a XML schema. Every fo und | |||
| error is printed to the standard output. Return code is 0 if | error is printed to the standard output. Return code is 0 if | |||
| validation succeeds, 1 if validation could not be performed due | validation succeeds, 1 if validation could not be performed due | |||
| to some error, 2 if the XCCDF document is not valid. | to some error, 2 if the XCCDF document is not valid. | |||
| export-oval-variables [options] xccdf-file [oval-definitions-files] | ||||
| Collect all the XCCDF values that would be used by OVAL dur | ||||
| ing | ||||
| evaluation of a certain profile and export them as OVAL ext | ||||
| er‐ | ||||
| nal-variables document(s). The filename format is 'origin | ||||
| al- | ||||
| oval-definitions-filename-session-index.variables-variables- | ||||
| index.xml'. | ||||
| --profile PROFILE | ||||
| Select a particular profile from XCCDF document. | ||||
| generate [options] <submodule> [submodule-specific-options] | generate [options] <submodule> [submodule-specific-options] | |||
| Generate another document form an XCCDF file such as secur ity | Generate another document form an XCCDF file such as secur ity | |||
| guide or result report. | guide or result report. | |||
| --profile ID | --profile ID | |||
| Apply profile with given ID to the Benchmark before f ur‐ | Apply profile with given ID to the Benchmark before f ur‐ | |||
| ther processing takes place. | ther processing takes place. | |||
| --format FMT | --format FMT | |||
| Specify output format. This option applies only on do cu‐ | Specify output format. This option applies only on do cu‐ | |||
| skipping to change at line 277 | skipping to change at line 313 | |||
| xsl/fixtpl-bash.xml. | xsl/fixtpl-bash.xml. | |||
| CPE OPERATIONS | CPE OPERATIONS | |||
| check name | check name | |||
| Check whether name is in correct CPE format. | Check whether name is in correct CPE format. | |||
| match name dictionary.xml | match name dictionary.xml | |||
| Find an exact match of CPE name in the dictionary. | Find an exact match of CPE name in the dictionary. | |||
| CVSS OPERATIONS | CVSS OPERATIONS | |||
| base metrics | score cvss_vector | |||
| Calculate base score from Access Vector (AV), Access Complex | Calculate score from a CVSS vector. Prints base score for b | |||
| ity | ase | |||
| (AC), Authentication(AU), Confidentiality Impact(CI), Integr | CVSS vector, base and temporal score for temporal CVSS vect | |||
| ity | or, | |||
| Impact(II) and Availability Impact(AI) metric. | base and temporal and environmental score for environmental C | |||
| VSS | ||||
| temporal --base <num> [metrics] | vector. | |||
| Calculate temporal score from base score, Exploitability(E | ||||
| X), | ||||
| Remediation Level(RL) and Report Confidence(RC) metric. | ||||
| environmental metrics | describe cvss_vector | |||
| Calculate environmental score from Collateral Damage Pot | Describe individual components of a CVSS vector in a human-re | |||
| en‐ | ad‐ | |||
| tial(CD), Target Distribution(TD), Confidentiality Requirem | able format and print partial scores. | |||
| ent | ||||
| (CR), Integrity Requirement(IR), Availability Requirement(A | ||||
| R), | ||||
| Access Vector (AV), Access Complexity (AC), Authentication(A | ||||
| U), | ||||
| Confidentiality Impact(CI), Integrity Impact(II), Availabil | ||||
| ity | ||||
| Impact(AI), Exploitability(EX), Remediation Level(RL) and Rep | ||||
| ort | ||||
| Confidence(RC) metric. | ||||
| metrics: | CVSS vector consists of several slash-separated components specified | |||
| as | ||||
| key-value pairs. Each key can be specified at most once. Valid C | ||||
| VSS | ||||
| vector has to contain at least base CVSS metrics, i.e. AV, AC, AU, | ||||
| C, | ||||
| I, and A. Following table summarizes the components and possible val | ||||
| ues | ||||
| (second column is metric category: B for base, T for temporal, E | ||||
| for | ||||
| environmental): | ||||
| --AV=[local|adjacent-network|network] - Access Vector (required) | AV:[L|A|N] B Access vector: Local, Adjacent n | |||
| et‐ | ||||
| work, Network | ||||
| --AC=[low|medium|high] - Access Complexity (required) | AC:[H|M|L] B Access complexity: High, Medium, Lo w | |||
| --AU=[none|single|multiple] - Authentication (required) | AU:[M|S|N] B Required authentication: Multi | |||
| ple | ||||
| instances, Single instance, None | ||||
| --CI=[none|partial|complete] - Confidentiality Impact (required) | C:[N|P|C] B Confidentiality impact: None, Parti | |||
| al, | ||||
| Complete | ||||
| --II=[none|partial|complete] - Integrity Impact (required) | I:[N|P|C] B Integrity impact: None, Partial, C | |||
| om‐ | ||||
| plete | ||||
| --AI=[none|partial|complete] - Availability Impact (required) | A:[N|P|C] B Availability impact: None, Parti | |||
| al, | ||||
| Complete | ||||
| --EX=[unproven|proof-of-concept|functional|high|not-defined] | E:[ND|U|POC|F|H] T Exploitability: Not Defined, Unprov | |||
| - | en, | |||
| Exploitability | Proof of Concept, Functional, High | |||
| --RL=[official-fix|temporary-fix|workaround|unavailable|not-defined] | RL:[ND|OF|TF|W|U] T Remediation Level: Not Defined, Of | |||
| - | fi‐ | |||
| Remediation Level | cial Fix, Temporary Fix, Workaround, Unavailable | |||
| --RC=[unconfirmed|uncorrporated|confirmed|not-defined] - Report Con | RC:[ND|UC|UR|C] T Report Confidence: Not Defined, Unc | |||
| fi‐ | on‐ | |||
| dence | firmed, Uncorroborated, Confirmed | |||
| --CD=[none|low|low-medium|medium-high|high|not-defined] - Collate | CDP:[ND|N|L|LM|MH|H] E Collateral Damage Potential: | |||
| ral | Not | |||
| Damage Potential | Defined, None, Low, Low-Medium, Medium-High, High | |||
| --TD=[none|low|medium|high|not-defined] - Target Distribution | TD:[ND|N|L|M|H] E Target Distribution: Not Defin | |||
| ed, | ||||
| None, Low, Medium, High | ||||
| --CR=[low|medium|high|not-defined] - Confidentiality Requirement | CR:[ND|L|M|H] E Confidentiality requirement: | |||
| Not | ||||
| Defined, Low, Medium, High | ||||
| --IR=[low|medium|high|not-defined] - Integrity Requirement | IR:[ND|L|M|H] E Integrity requirement: Not Defin | |||
| ed, | ||||
| Low, Medium, High | ||||
| --AR=[low|medium|high|not-defined] - Availability Requirement | AR:[ND|L|M|H] E Availability requirement: Not Defin | |||
| ed, | ||||
| Low, Medium, High | ||||
| CONTENT | CONTENT | |||
| National Vulnerability Database - | National Vulnerability Database - | |||
| http://web.nvd.nist.gov/view/ncp/repository | http://web.nvd.nist.gov/view/ncp/repository | |||
| Red Hat content repository - http://www.redhat.com/security/data/ov al/ | Red Hat content repository - http://www.redhat.com/security/data/ov al/ | |||
| AUTHOR | AUTHOR | |||
| Peter Vrabec <pvrabec@redhat.com> | Peter Vrabec <pvrabec@redhat.com> | |||
| Red Hat Jun 2010 OSCAP (8) | Red Hat Jun 2010 OSCAP (8) | |||
| End of changes. 32 change blocks. | ||||
| 72 lines changed or deleted | 128 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||