403Webshell
Server IP : 178.212.43.201  /  Your IP : 10.100.0.33
Web Server : Apache/2.4.37 (Oracle Linux Server) OpenSSL/1.1.1k
System : Linux spa0007.srv.paxillus.pl 5.4.17-2136.355.3.1.el8uek.x86_64 #3 SMP Sat May 9 17:11:55 PDT 2026 x86_64
User : apache ( 48)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : OFF  |  Sudo : ON  |  Pkexec : ON
Directory :  /usr/share/doc/openscap/manual/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /usr/share/doc/openscap/manual/manual.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="generator" content="AsciiDoc 8.6.10">
<title>OpenSCAP User Manual</title>
<style type="text/css">
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

/* Default font. */
body {
  font-family: Georgia,serif;
}

/* Title font. */
h1, h2, h3, h4, h5, h6,
div.title, caption.title,
thead, p.table.header,
#toctitle,
#author, #revnumber, #revdate, #revremark,
#footer {
  font-family: Arial,Helvetica,sans-serif;
}

body {
  margin: 1em 5% 1em 5%;
}

a {
  color: blue;
  text-decoration: underline;
}
a:visited {
  color: fuchsia;
}

em {
  font-style: italic;
  color: navy;
}

strong {
  font-weight: bold;
  color: #083194;
}

h1, h2, h3, h4, h5, h6 {
  color: #527bbd;
  margin-top: 1.2em;
  margin-bottom: 0.5em;
  line-height: 1.3;
}

h1, h2, h3 {
  border-bottom: 2px solid silver;
}
h2 {
  padding-top: 0.5em;
}
h3 {
  float: left;
}
h3 + * {
  clear: left;
}
h5 {
  font-size: 1.0em;
}

div.sectionbody {
  margin-left: 0;
}

hr {
  border: 1px solid silver;
}

p {
  margin-top: 0.5em;
  margin-bottom: 0.5em;
}

ul, ol, li > p {
  margin-top: 0;
}
ul > li     { color: #aaa; }
ul > li > * { color: black; }

.monospaced, code, pre {
  font-family: "Courier New", Courier, monospace;
  font-size: inherit;
  color: navy;
  padding: 0;
  margin: 0;
}
pre {
  white-space: pre-wrap;
}

#author {
  color: #527bbd;
  font-weight: bold;
  font-size: 1.1em;
}
#email {
}
#revnumber, #revdate, #revremark {
}

#footer {
  font-size: small;
  border-top: 2px solid silver;
  padding-top: 0.5em;
  margin-top: 4.0em;
}
#footer-text {
  float: left;
  padding-bottom: 0.5em;
}
#footer-badges {
  float: right;
  padding-bottom: 0.5em;
}

#preamble {
  margin-top: 1.5em;
  margin-bottom: 1.5em;
}
div.imageblock, div.exampleblock, div.verseblock,
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
div.admonitionblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.admonitionblock {
  margin-top: 2.0em;
  margin-bottom: 2.0em;
  margin-right: 10%;
  color: #606060;
}

div.content { /* Block element content. */
  padding: 0;
}

/* Block element titles. */
div.title, caption.title {
  color: #527bbd;
  font-weight: bold;
  text-align: left;
  margin-top: 1.0em;
  margin-bottom: 0.5em;
}
div.title + * {
  margin-top: 0;
}

td div.title:first-child {
  margin-top: 0.0em;
}
div.content div.title:first-child {
  margin-top: 0.0em;
}
div.content + div.title {
  margin-top: 0.0em;
}

div.sidebarblock > div.content {
  background: #ffffee;
  border: 1px solid #dddddd;
  border-left: 4px solid #f0f0f0;
  padding: 0.5em;
}

div.listingblock > div.content {
  border: 1px solid #dddddd;
  border-left: 5px solid #f0f0f0;
  background: #f8f8f8;
  padding: 0.5em;
}

div.quoteblock, div.verseblock {
  padding-left: 1.0em;
  margin-left: 1.0em;
  margin-right: 10%;
  border-left: 5px solid #f0f0f0;
  color: #888;
}

div.quoteblock > div.attribution {
  padding-top: 0.5em;
  text-align: right;
}

div.verseblock > pre.content {
  font-family: inherit;
  font-size: inherit;
}
div.verseblock > div.attribution {
  padding-top: 0.75em;
  text-align: left;
}
/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
div.verseblock + div.attribution {
  text-align: left;
}

div.admonitionblock .icon {
  vertical-align: top;
  font-size: 1.1em;
  font-weight: bold;
  text-decoration: underline;
  color: #527bbd;
  padding-right: 0.5em;
}
div.admonitionblock td.content {
  padding-left: 0.5em;
  border-left: 3px solid #dddddd;
}

div.exampleblock > div.content {
  border-left: 3px solid #dddddd;
  padding-left: 0.5em;
}

div.imageblock div.content { padding-left: 0; }
span.image img { border-style: none; vertical-align: text-bottom; }
a.image:visited { color: white; }

dl {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
dt {
  margin-top: 0.5em;
  margin-bottom: 0;
  font-style: normal;
  color: navy;
}
dd > *:first-child {
  margin-top: 0.1em;
}

ul, ol {
    list-style-position: outside;
}
ol.arabic {
  list-style-type: decimal;
}
ol.loweralpha {
  list-style-type: lower-alpha;
}
ol.upperalpha {
  list-style-type: upper-alpha;
}
ol.lowerroman {
  list-style-type: lower-roman;
}
ol.upperroman {
  list-style-type: upper-roman;
}

div.compact ul, div.compact ol,
div.compact p, div.compact p,
div.compact div, div.compact div {
  margin-top: 0.1em;
  margin-bottom: 0.1em;
}

tfoot {
  font-weight: bold;
}
td > div.verse {
  white-space: pre;
}

div.hdlist {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
div.hdlist tr {
  padding-bottom: 15px;
}
dt.hdlist1.strong, td.hdlist1.strong {
  font-weight: bold;
}
td.hdlist1 {
  vertical-align: top;
  font-style: normal;
  padding-right: 0.8em;
  color: navy;
}
td.hdlist2 {
  vertical-align: top;
}
div.hdlist.compact tr {
  margin: 0;
  padding-bottom: 0;
}

.comment {
  background: yellow;
}

.footnote, .footnoteref {
  font-size: 0.8em;
}

span.footnote, span.footnoteref {
  vertical-align: super;
}

#footnotes {
  margin: 20px 0 20px 0;
  padding: 7px 0 0 0;
}

#footnotes div.footnote {
  margin: 0 0 5px 0;
}

#footnotes hr {
  border: none;
  border-top: 1px solid silver;
  height: 1px;
  text-align: left;
  margin-left: 0;
  width: 20%;
  min-width: 100px;
}

div.colist td {
  padding-right: 0.5em;
  padding-bottom: 0.3em;
  vertical-align: top;
}
div.colist td img {
  margin-top: 0.3em;
}

@media print {
  #footer-badges { display: none; }
}

#toc {
  margin-bottom: 2.5em;
}

#toctitle {
  color: #527bbd;
  font-size: 1.1em;
  font-weight: bold;
  margin-top: 1.0em;
  margin-bottom: 0.1em;
}

div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
  margin-top: 0;
  margin-bottom: 0;
}
div.toclevel2 {
  margin-left: 2em;
  font-size: 0.9em;
}
div.toclevel3 {
  margin-left: 4em;
  font-size: 0.9em;
}
div.toclevel4 {
  margin-left: 6em;
  font-size: 0.9em;
}

span.aqua { color: aqua; }
span.black { color: black; }
span.blue { color: blue; }
span.fuchsia { color: fuchsia; }
span.gray { color: gray; }
span.green { color: green; }
span.lime { color: lime; }
span.maroon { color: maroon; }
span.navy { color: navy; }
span.olive { color: olive; }
span.purple { color: purple; }
span.red { color: red; }
span.silver { color: silver; }
span.teal { color: teal; }
span.white { color: white; }
span.yellow { color: yellow; }

span.aqua-background { background: aqua; }
span.black-background { background: black; }
span.blue-background { background: blue; }
span.fuchsia-background { background: fuchsia; }
span.gray-background { background: gray; }
span.green-background { background: green; }
span.lime-background { background: lime; }
span.maroon-background { background: maroon; }
span.navy-background { background: navy; }
span.olive-background { background: olive; }
span.purple-background { background: purple; }
span.red-background { background: red; }
span.silver-background { background: silver; }
span.teal-background { background: teal; }
span.white-background { background: white; }
span.yellow-background { background: yellow; }

span.big { font-size: 2em; }
span.small { font-size: 0.6em; }

span.underline { text-decoration: underline; }
span.overline { text-decoration: overline; }
span.line-through { text-decoration: line-through; }

div.unbreakable { page-break-inside: avoid; }


/*
 * xhtml11 specific
 *
 * */

div.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.tableblock > table {
  border: 3px solid #527bbd;
}
thead, p.table.header {
  font-weight: bold;
  color: #527bbd;
}
p.table {
  margin-top: 0;
}
/* Because the table frame attribute is overriden by CSS in most browsers. */
div.tableblock > table[frame="void"] {
  border-style: none;
}
div.tableblock > table[frame="hsides"] {
  border-left-style: none;
  border-right-style: none;
}
div.tableblock > table[frame="vsides"] {
  border-top-style: none;
  border-bottom-style: none;
}


/*
 * html5 specific
 *
 * */

table.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
thead, p.tableblock.header {
  font-weight: bold;
  color: #527bbd;
}
p.tableblock {
  margin-top: 0;
}
table.tableblock {
  border-width: 3px;
  border-spacing: 0px;
  border-style: solid;
  border-color: #527bbd;
  border-collapse: collapse;
}
th.tableblock, td.tableblock {
  border-width: 1px;
  padding: 4px;
  border-style: solid;
  border-color: #527bbd;
}

table.tableblock.frame-topbot {
  border-left-style: hidden;
  border-right-style: hidden;
}
table.tableblock.frame-sides {
  border-top-style: hidden;
  border-bottom-style: hidden;
}
table.tableblock.frame-none {
  border-style: hidden;
}

th.tableblock.halign-left, td.tableblock.halign-left {
  text-align: left;
}
th.tableblock.halign-center, td.tableblock.halign-center {
  text-align: center;
}
th.tableblock.halign-right, td.tableblock.halign-right {
  text-align: right;
}

th.tableblock.valign-top, td.tableblock.valign-top {
  vertical-align: top;
}
th.tableblock.valign-middle, td.tableblock.valign-middle {
  vertical-align: middle;
}
th.tableblock.valign-bottom, td.tableblock.valign-bottom {
  vertical-align: bottom;
}


/*
 * manpage specific
 *
 * */

body.manpage h1 {
  padding-top: 0.5em;
  padding-bottom: 0.5em;
  border-top: 2px solid silver;
  border-bottom: 2px solid silver;
}
body.manpage h2 {
  border-style: none;
}
body.manpage div.sectionbody {
  margin-left: 3em;
}

@media print {
  body.manpage div#toc { display: none; }
}


</style>
<script type="text/javascript">
/*<![CDATA[*/
var asciidoc = {  // Namespace.

/////////////////////////////////////////////////////////////////////
// Table Of Contents generator
/////////////////////////////////////////////////////////////////////

/* Author: Mihai Bazon, September 2002
 * http://students.infoiasi.ro/~mishoo
 *
 * Table Of Content generator
 * Version: 0.4
 *
 * Feel free to use this script under the terms of the GNU General Public
 * License, as long as you do not remove or alter this notice.
 */

 /* modified by Troy D. Hanson, September 2006. License: GPL */
 /* modified by Stuart Rackham, 2006, 2009. License: GPL */

// toclevels = 1..4.
toc: function (toclevels) {

  function getText(el) {
    var text = "";
    for (var i = el.firstChild; i != null; i = i.nextSibling) {
      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
        text += i.data;
      else if (i.firstChild != null)
        text += getText(i);
    }
    return text;
  }

  function TocEntry(el, text, toclevel) {
    this.element = el;
    this.text = text;
    this.toclevel = toclevel;
  }

  function tocEntries(el, toclevels) {
    var result = new Array;
    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');
    // Function that scans the DOM tree for header elements (the DOM2
    // nodeIterator API would be a better technique but not supported by all
    // browsers).
    var iterate = function (el) {
      for (var i = el.firstChild; i != null; i = i.nextSibling) {
        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
          var mo = re.exec(i.tagName);
          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {
            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
          }
          iterate(i);
        }
      }
    }
    iterate(el);
    return result;
  }

  var toc = document.getElementById("toc");
  if (!toc) {
    return;
  }

  // Delete existing TOC entries in case we're reloading the TOC.
  var tocEntriesToRemove = [];
  var i;
  for (i = 0; i < toc.childNodes.length; i++) {
    var entry = toc.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div'
     && entry.getAttribute("class")
     && entry.getAttribute("class").match(/^toclevel/))
      tocEntriesToRemove.push(entry);
  }
  for (i = 0; i < tocEntriesToRemove.length; i++) {
    toc.removeChild(tocEntriesToRemove[i]);
  }

  // Rebuild TOC entries.
  var entries = tocEntries(document.getElementById("content"), toclevels);
  for (var i = 0; i < entries.length; ++i) {
    var entry = entries[i];
    if (entry.element.id == "")
      entry.element.id = "_toc_" + i;
    var a = document.createElement("a");
    a.href = "#" + entry.element.id;
    a.appendChild(document.createTextNode(entry.text));
    var div = document.createElement("div");
    div.appendChild(a);
    div.className = "toclevel" + entry.toclevel;
    toc.appendChild(div);
  }
  if (entries.length == 0)
    toc.parentNode.removeChild(toc);
},


/////////////////////////////////////////////////////////////////////
// Footnotes generator
/////////////////////////////////////////////////////////////////////

/* Based on footnote generation code from:
 * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html
 */

footnotes: function () {
  // Delete existing footnote entries in case we're reloading the footnodes.
  var i;
  var noteholder = document.getElementById("footnotes");
  if (!noteholder) {
    return;
  }
  var entriesToRemove = [];
  for (i = 0; i < noteholder.childNodes.length; i++) {
    var entry = noteholder.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")
      entriesToRemove.push(entry);
  }
  for (i = 0; i < entriesToRemove.length; i++) {
    noteholder.removeChild(entriesToRemove[i]);
  }

  // Rebuild footnote entries.
  var cont = document.getElementById("content");
  var spans = cont.getElementsByTagName("span");
  var refs = {};
  var n = 0;
  for (i=0; i<spans.length; i++) {
    if (spans[i].className == "footnote") {
      n++;
      var note = spans[i].getAttribute("data-note");
      if (!note) {
        // Use [\s\S] in place of . so multi-line matches work.
        // Because JavaScript has no s (dotall) regex flag.
        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
        spans[i].innerHTML =
          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
        spans[i].setAttribute("data-note", note);
      }
      noteholder.innerHTML +=
        "<div class='footnote' id='_footnote_" + n + "'>" +
        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +
        n + "</a>. " + note + "</div>";
      var id =spans[i].getAttribute("id");
      if (id != null) refs["#"+id] = n;
    }
  }
  if (n == 0)
    noteholder.parentNode.removeChild(noteholder);
  else {
    // Process footnoterefs.
    for (i=0; i<spans.length; i++) {
      if (spans[i].className == "footnoteref") {
        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");
        href = href.match(/#.*/)[0];  // Because IE return full URL.
        n = refs[href];
        spans[i].innerHTML =
          "[<a href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
      }
    }
  }
},

install: function(toclevels) {
  var timerId;

  function reinstall() {
    asciidoc.footnotes();
    if (toclevels) {
      asciidoc.toc(toclevels);
    }
  }

  function reinstallAndRemoveTimer() {
    clearInterval(timerId);
    reinstall();
  }

  timerId = setInterval(reinstall, 500);
  if (document.addEventListener)
    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);
  else
    window.onload = reinstallAndRemoveTimer;
}

}
asciidoc.install(4);
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>OpenSCAP User Manual</h1>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="imageblock" style="text-align:center;">
<div class="content">
<img src="./images/vertical-logo.png" alt="vertical-logo.png">
</div>
</div>
<div id="toc">
  <div id="toctitle">Table of Contents</div>
  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_introduction">1. Introduction</h2>
<div class="sectionbody">
<div class="paragraph"><p>This documentation provides information about OpenSCAP and its most common
operations. With OpenSCAP, you can check security configuration settings of a
system, and examine the system for signs of a compromise by using rules based on
standards and specifications.</p></div>
<div class="paragraph"><p>OpenSCAP uses <a href="http://scap.nist.gov/">SCAP</a> which is a line of specifications maintained by the
<a href="http://www.nist.gov/">NIST</a>. SCAP was created to provide a standardized approach for
maintaining system security. New specifications are governed by NIST&#8217;s SCAP
<a href="http://scap.nist.gov/timeline.html">Release cycle</a> in order to provide a
consistent and repeatable revision workflow. OpenSCAP mainly processes the
<a href="http://scap.nist.gov/specifications/xccdf/">XCCDF</a> which is a standard way of expressing a checklist content and
defines security checklists. It also combines with other specifications such as
<a href="https://cpe.mitre.org/">CPE</a>, <a href="https://cce.mitre.org/">CCE</a> and <a href="https://oval.mitre.org/">OVAL</a> to create a SCAP-expressed checklist
that can be processed by SCAP-validated products. For more information about the
SCAP please refer to <a href="http://open-scap.org/features/standards/">SCAP Standards</a>.</p></div>
<div class="paragraph"><p>OpenSCAP supports SCAP <a href="https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases/scap-1-3">1.3</a> and is backward compatible with SCAP
<a href="https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases/SCAP-1-2">1.2</a>, SCAP <a href="https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases/SCAP-1-1">1.1</a> and SCAP <a href="https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases/SCAP-1-0">1.0</a>. No special
treatment is required to import and process earlier versions of the SCAP
content.</p></div>
<div class="paragraph"><p>If you want to perform configuration or vulnerability scans of a local system
then the following must be available:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
A tool (<span class="monospaced">oscap</span> or SCAP Workbench)
</p>
</li>
<li>
<p>
SCAP content (SCAP source data stream, XCCDF, OVAL&#8230;)
</p>
</li>
</ol></div>
<div class="paragraph"><p>The <span class="monospaced">oscap</span> tool is a part of the <a href="https://open-scap.org/">OpenSCAP</a> project. If you&#8217;re
interested in a graphical alternative to this tool please visit
<a href="https://www.open-scap.org/tools/scap-workbench/">SCAP Workbench</a> page.</p></div>
<div class="paragraph"><p>We will use the <a href="http://open-scap.org/security-policies/scap-security-guide/">SCAP Security Guide</a> project to provide us the SCAP
content. It provides security policies written in a form of SCAP documents
covering many areas of security compliance, and it implements security guidances
recommended by respected authorities, namely <a href="https://www.pcisecuritystandards.org/security_standards/">PCI DSS</a>, <a href="http://iase.disa.mil/stigs/Pages/index.aspx">STIG</a>,
and <a href="http://usgcb.nist.gov/">USGCB</a>.</p></div>
<div class="paragraph"><p>You can also generate your own SCAP content if you have an understanding of at
least XCCDF or OVAL. XCCDF content is also frequently published online under
open source licenses, and you can customize this content to suit your needs
instead.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_installing_openscap">2. Installing OpenSCAP</h2>
<div class="sectionbody">
<div class="paragraph"><p>You can either build OpenSCAP from <a href="https://github.com/OpenSCAP/openscap">source code</a> or you can use an
existing build for your Linux distribution.</p></div>
<div class="paragraph"><p>For instructions about building from source code, please refer to
<a href="https://github.com/OpenSCAP/openscap/blob/maint-1.3/docs/developer/developer.adoc">OpenSCAP Developer Manual</a>.</p></div>
<div class="paragraph"><p>To install OpenSCAP on Red Hat Enterprise Linux 8 and newer, on CentOS 8 and
newer or on Fedora use the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># dnf install openscap-scanner</pre>
</div></div>
<div class="paragraph"><p>To install OpenSCAP on Red Hat Enterprise Linux 7 or CentOS 7 or older use the
following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># yum install openscap-scanner</pre>
</div></div>
<div class="paragraph"><p>To install OpenSCAP on Debian or Ubuntu use the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># apt install libopenscap8</pre>
</div></div>
<div class="paragraph"><p>After the installation is completed you can start using the <span class="monospaced">oscap</span> command line
tool.</p></div>
<div class="paragraph"><p>To display the version of OpenSCAP, supported specifications, built-in CPE
names, and supported OVAL objects, type the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap --version</pre>
</div></div>
<div class="sect2">
<h3 id="_getting_scap_content">2.1. Getting SCAP content</h3>
<div class="paragraph"><p>To perform any task with OpenSCAP you also need to have security policies in
SCAP format. We call them <strong>SCAP content</strong>. There are many providers of SCAP
content.</p></div>
<div class="paragraph"><p>In this document we will use SCAP content provided by <strong>SCAP Security Guide</strong>
(SSG). Many Linux distributions ship it in the <span class="monospaced">scap-security-guide</span> package.</p></div>
<div class="paragraph"><p>To install <span class="monospaced">scap-security-guide</span> on Red Hat Enterprise Linux 8 and newer, on
CentOS 8 and newer or on Fedora use the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># yum install scap-security-guide</pre>
</div></div>
<div class="paragraph"><p>To install <span class="monospaced">scap-security-guide</span>  on Red Hat Enterprise Linux 7 or CentOS 7 or
older use the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># yum install scap-security-guide</pre>
</div></div>
<div class="paragraph"><p>The SCAP content will be installed in the <span class="monospaced">/usr/share/xml/scap/ssg/content/</span>
directory.</p></div>
<div class="paragraph"><p>On other platforms, you can download the upstream release from
<a href="https://github.com/ComplianceAsCode/content/releases/">GitHub</a>.</p></div>
<div class="paragraph"><p>When the SCAP content is installed on your system, <span class="monospaced">oscap</span> can
process the content by specifying the file path to the content.</p></div>
<div class="paragraph"><p>You can also use any other SCAP content with OpenSCAP.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_displaying_information_about_scap_content">3. Displaying information about SCAP content</h2>
<div class="sectionbody">
<div class="paragraph"><p>Information about an SCAP file can be displayed using the <span class="monospaced">oscap info</span> command.</p></div>
<div class="sect2">
<h3 id="_displaying_information_about_scap_source_data_streams">3.1. Displaying information about SCAP source data streams</h3>
<div class="paragraph"><p>The most common SCAP file type is an SCAP source data stream. In the following
example, we will display information about SCAP source data stream
<span class="monospaced">/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</span> from the
<span class="monospaced">scap-security-guide</span> package.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Document type: Source Data Stream
Imported: 2021-01-12T04:50:11

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
                Status: draft
                Generated: 2021-01-12
                Resolved: true
                Profiles:
                        Title: CIS Red Hat Enterprise Linux 8 Benchmark
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                                Id: xccdf_org.ssgproject.content_profile_cui
                        Title: Australian Cyber Security Centre (ACSC) Essential Eight
                                Id: xccdf_org.ssgproject.content_profile_e8
                        Title: Health Insurance Portability and Accountability Act (HIPAA)
                                Id: xccdf_org.ssgproject.content_profile_hipaa
                        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                        Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: Protection Profile for General Purpose Operating Systems
                                Id: xccdf_org.ssgproject.content_profile_ospp
                Referenced check files:
                        ssg-rhel8-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel8-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-com.redhat.rhsa-RHEL8.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5</pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
<strong>Document type</strong> describes what format the file is in. Common types include
XCCDF, OVAL, source data stream and result data stream.
</p>
</li>
<li>
<p>
<strong>Imported</strong> is the date the file was imported for use with OpenSCAP. Since
OpenSCAP uses the local filesystem and has no proprietary database format
the imported date is the same as file modification date.
</p>
</li>
<li>
<p>
<strong>Stream</strong> is the data stream ID.
</p>
</li>
<li>
<p>
<strong>Version</strong> is the version of the SCAP standard.
</p>
</li>
<li>
<p>
<strong>Checklists</strong> lists available checklists incorporated in the data stream that
you can use for the <span class="monospaced">--benchmark-id</span> command line attribute with <span class="monospaced">oscap xccdf
eval</span>. Also each checklist has the detailed information printed.
</p>
</li>
<li>
<p>
<strong>Status</strong> is the XCCDF Benchmark status. Common values include "accepted",
"draft", "deprecated" and "incomplete". Please refer to the XCCDF specification
for details.
</p>
</li>
<li>
<p>
<strong>Generated</strong> date is the date the file was created or generated. This date is
shown for XCCDF files and Checklists and is sourced from the XCCDF <strong>Status</strong>
element.
</p>
</li>
<li>
<p>
<strong>Profiles</strong> lists available profiles, their titles and IDs that you can use for
the <span class="monospaced">--profile</span> command line attribute.
</p>
</li>
</ul></div>
<div class="paragraph"><p>To display more detailed information about a profile including the profile
description, use the <span class="monospaced">--profile</span> option followed by the profile ID.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_displaying_information_about_scap_result_data_streams">3.2. Displaying information about SCAP result data streams</h3>
<div class="paragraph"><p>The <span class="monospaced">oscap info</span> command is also helpful with other SCAP file types such as
SCAP result data stream (ARF) files.</p></div>
<div class="paragraph"><p>OpenSCAP can display the evaluation start and end dates when given ARF file.</p></div>
<div class="paragraph"><p>In this example, we will display information about the ARF file <span class="monospaced">arf.xml</span>.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info arf.xml
Document type: Result Data Stream
Imported: 2021-02-11T11:04:51

Asset: asset0
        ARF report: xccdf1
                Report request: collection1
                Result ID: xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp
                Source benchmark: /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
                Source profile: xccdf_org.ssgproject.content_profile_ospp
                Evaluation started: 2021-02-11T11:03:06+01:00
                Evaluation finished: 2021-02-11T11:04:51+01:00
                Platform CPEs:
                        cpe:/o:fedoraproject:fedora:25
                        cpe:/o:fedoraproject:fedora:26
                        cpe:/o:fedoraproject:fedora:27</pre>
</div></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_scanning">4. Scanning</h2>
<div class="sectionbody">
<div class="paragraph"><p>The main goal of OpenSCAP is to perform configuration and vulnerability scans of
a local system. OpenSCAP is able to evaluate SCAP source data streams, XCCDF
benchmarks and OVAL definitions and generate the appropriate results.</p></div>
<div class="paragraph"><p>SCAP content can be provided either in a single file (as an SCAP source data
stream), or as multiple separate XML files.</p></div>
<div class="sect2">
<h3 id="_scanning_using_scap_source_data_streams">4.1. Scanning using SCAP source data streams</h3>
<div class="paragraph"><p>Commonly, all required input files are bundled together in an SCAP source data
stream. Scanning using an SCAP source data stream can be performed by the
<span class="monospaced">oscap xccdf eval</span> command, with some additional parameters available.
The basic syntax of the <span class="monospaced">oscap xccdf eval</span> command is the following:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval --profile PROFILE_ID --results-arf ARF_FILE --report REPORT_FILE SOURCE_DATA_STREAM_FILE</pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">PROFILE_ID</span> is the ID of an XCCDF profile
</p>
</li>
<li>
<p>
<span class="monospaced">ARF_FILE</span> is the file path where the results in SCAP results data stream
format (ARF) will be generated
</p>
</li>
<li>
<p>
<span class="monospaced">REPORT_FILE</span> is the file path where a report in HTML format will be generated
</p>
</li>
<li>
<p>
<span class="monospaced">SOURCE_DATA_STREAM_FILE</span> is the file path of the evaluated SCAP source data
stream
</p>
</li>
</ul></div>
<div class="paragraph"><p>For example, to evaluate the <span class="monospaced">xccdf_org.ssgproject.content_profile_ospp</span> profile
from the <span class="monospaced">/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</span> SCAP source
data stream run this command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results-arf results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
<div class="paragraph"><p>The progress and results will be shown in the terminal. Full results are
generated in <span class="monospaced">results.xml</span> as an SCAP result data stream. Detailed results can
be found in the HTML report <span class="monospaced">report.html</span>.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ firefox report.html</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Tip</div>
</td>
<td class="content">Instead of the complete profile ID you can provide only a suffix of the
profile ID. For example, instead of <span class="monospaced">--profile
xccdf_org.ssgproject.content_profile_ospp</span> you can use just <span class="monospaced">--profile ospp</span>.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_selecting_scap_source_data_stream_components">4.2. Selecting SCAP source data stream components</h3>
<div class="paragraph"><p>To evaluate a specific XCCDF benchmark that is part of a specific SCAP source
data stream, use the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --datastream-id DS_ID --xccdf-id CREF --results-arf ARF_FILE SOURCE_DATA_STREAM_FILE</pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">DS_ID</span> is the ID of <span class="monospaced">&lt;ds:data-stream&gt;</span> element to be evaluated
</p>
</li>
<li>
<p>
<span class="monospaced">XCCDF_ID</span> is ID of the <span class="monospaced">&lt;ds:component-ref&gt;</span> element pointing to the
desired XCCDF document
</p>
</li>
<li>
<p>
<span class="monospaced">ARF_FILE</span> is a file containing the scan results in a form of an SCAP
result data stream
</p>
</li>
<li>
<p>
<span class="monospaced">SOURCE_DATA_STREAM_FILE</span> is the SCAP source data stream file
</p>
</li>
</ul></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">If you omit <span class="monospaced">--datastream-id</span> on the command line, the first data
stream from the collection will be used. If you omit <span class="monospaced">--xccdf-id</span>, the
first component from the checklists element will be used. If you omit
both, the first data stream that has a component in the checklists
element will be used - the first component in its checklists element
will be used.</td>
</tr></table>
</div>
<div class="paragraph"><p>To evaluate a specific XCCDF benchmark that is part of an SCAP source data
stream use the following options:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --benchmark-id BENCHMARK_ID --results-arf ARF_XML SOURCE_DATA_STREAM_FILE</pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">SOURCE_DATA_STREAM_FILE</span> is a file representing the SCAP source data stream
</p>
</li>
<li>
<p>
<span class="monospaced">BENCHMARK_ID</span> is the value of the "id" attribute of <span class="monospaced">&lt;xccdf:Benchmark&gt;</span>
containing component
</p>
</li>
<li>
<p>
<span class="monospaced">ARF_FILE</span> is a file containing the scan results in a form of an SCAP
result data stream
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_evaluating_standalone_oval_definitions">4.3. Evaluating Standalone OVAL Definitions</h3>
<div class="paragraph"><p>The SCAP document can have a form of a single OVAL file (an OVAL Definition
file). The <span class="monospaced">oscap</span> tool processes the OVAL Definition file during evaluation of
OVAL definitions. It collects system information, evaluates it and generates an
OVAL Result file. The result of evaluation of each OVAL definition is printed to
standard output stream. The following examples describe the most common
scenarios involving an OVAL Definition file.</p></div>
<div class="paragraph"><p>To evaluate OVAL definitions within the given OVAL Definition file the
<span class="monospaced">oscap oval eval</span> command can be used. Its basic form is the following:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --results RESULTS_FILE OVAL_FILE</pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">OVAL_FILE</span> is the OVAL Definition file
</p>
</li>
<li>
<p>
<span class="monospaced">RESULTS_FILE</span> is the path where OVAL Results file will be stored
</p>
</li>
</ul></div>
<div class="paragraph"><p>It&#8217;s possible to select and evaluate one particular definition
within the given OVAL Definition file using <span class="monospaced">--id</span> option:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --id oval:rhel:def:1000 --results oval-results.xml oval.xml</pre>
</div></div>
<div class="paragraph"><p>Where the OVAL definition being evaluated has ID <span class="monospaced">oval:rhel:def:1000</span>,
<span class="monospaced">oval.xml</span> is the OVAL Definition file and <span class="monospaced">oval-results.xml</span> is the
OVAL Result file.</p></div>
<div class="paragraph"><p>To evaluate all definitions from the OVAL component that are part of a
particular data stream component within a SCAP source data stream, run the
following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --datastream-id ds.xml --oval-id xccdf.xml --results oval-results.xml scap-ds.xml</pre>
</div></div>
<div class="paragraph"><p>Where <span class="monospaced">ds.xml</span> is the ID of a specific data stream, <span class="monospaced">xccdf.xml</span> is an XCCDF file
specifying the OVAL component, <span class="monospaced">oval-results.xml</span> is the OVAL Result file, and
<span class="monospaced">scap-ds.xml</span> is the SCAP source data stream collection.</p></div>
<div class="paragraph"><p>When the SCAP content is represented by multiple XML files, the OVAL
Definition file can be distributed along with the XCCDF file. In such a
situation, OVAL Definitions may depend on variables that are exported
from the XCCDF file during the scan, and separate evaluation of the OVAL
definition(s) would produce misleading results. Therefore, any external
variables has to be exported to a special file that is used during the
OVAL definitions evaluation. The following commands are examples of this
scenario:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf export-oval-variables \
--profile united_states_government_configuration_baseline \
usgcb-rhel5desktop-xccdf.xml</pre>
</div></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval \
--variables usgcb-rhel5desktop-oval.xml-0.variables-0.xml \
--results usgcb-results-oval.xml
usgcb-rhel5desktop-oval.xml</pre>
</div></div>
<div class="paragraph"><p>Where <strong>united_states_government_configuration_baseline</strong> represents a
profile in the XCCDF document, <strong>usgcb-rhel5desktop-xccdf.xml</strong> is a file
specifying the XCCDF document, <strong>usgcb-rhel5desktop-oval.xml</strong> is the OVAL
Definition file, <strong>usgcb-rhel5desktop-oval.xml-0.variables-0.xml</strong> is the
file containing exported variables from the XCCDF file, and
<strong>usgcb-results-oval.xml</strong> is the the OVAL Result file.</p></div>
<div class="paragraph"><p>An OVAL directives file can be used to control whether results should be "thin" or "full".
This file can be loaded by OpenSCAP using <strong>--directives &lt;file&gt;</strong> option.</p></div>
<div class="paragraph"><p>Example of an OVAL directive file which enables thin results instead of
full results:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;oval_directives
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
  xmlns:oval-res="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns="http://oval.mitre.org/XMLSchema/oval-directives-5"
  xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-results-5
    oval-results-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5
    oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-directives-5
    oval-directives-schema.xsd"&gt;
  &lt;generator&gt;
    &lt;oval:product_name&gt;OpenSCAP&lt;/oval:product_name&gt;
    &lt;!-- make sure the OVAL version matches your input --&gt;
    &lt;oval:schema_version&gt;5.8&lt;/oval:schema_version&gt;
    &lt;oval:timestamp&gt;2017-02-04T00:00:00&lt;/oval:timestamp&gt;
  &lt;/generator&gt;
  &lt;directives include_source_definitions="true"&gt;
    &lt;oval-res:definition_true reported="true" content="thin"/&gt;
    &lt;oval-res:definition_false reported="true" content="thin"/&gt;
    &lt;oval-res:definition_unknown reported="true" content="thin"/&gt;
    &lt;oval-res:definition_error reported="true" content="thin"/&gt;
    &lt;oval-res:definition_not_evaluated reported="true" content="thin"/&gt;
    &lt;oval-res:definition_not_applicable reported="true" content="thin"/&gt;
  &lt;/directives&gt;
&lt;/oval_directives&gt;</pre>
</div></div>
<div class="paragraph"><p>If your use-case requires thin OVAL results you most likely also want
to omit system characteristics. You can use the <span class="monospaced">--without-syschar</span>
option to that effect.</p></div>
<div class="paragraph"><p>Usage of OVAL directives file when scanning a plain OVAL file:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --directives directives.xml --without-syschar --results oval-results.xml oval.xml</pre>
</div></div>
<div class="paragraph"><p>Usage of OVAL directives file when scanning OVAL component from a source data stream:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --directives directives.xml --without-syschar --datastream-id ds.xml --oval-id oval.xml --results oval-results.xml scap-ds.xml</pre>
</div></div>
<div class="paragraph"><p>It is not always clear which OVAL file will be used when multiple files
are distributed. In case you are evaluating an XCCDF file you can use:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info ssg-rhel7-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2017-01-20T14:20:43
Status: draft
Generated: 2017-01-19
Resolved: true
Profiles:
        standard
        pci-dss
        C2S
        rht-ccp
        common
        stig-rhel7-workstation-upstream
        stig-rhel7-server-gui-upstream
        stig-rhel7-server-upstream
        stig-rhevh-upstream
        ospp-rhel7-server
        nist-cl-il-al
        cjis-rhel7-server
        docker-host
        nist-800-171-cui
Referenced check files:
        ssg-rhel7-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        ssg-rhel7-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
        https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5</pre>
</div></div>
<div class="paragraph"><p>In the output you can see all referenced check files. In this case we see
that <span class="monospaced">ssg-rhel7-oval.xml</span> is referenced. To see contents of this file you
can open it in a text editor.</p></div>
<div class="paragraph"><p>You can use <span class="monospaced">oscap info</span> with source data stream files as well. Source
data stream will often reference OVAL files that are bundled in it.
It is also possible to extract OVAL files from source data stream using
<span class="monospaced">oscap ds sds-split</span>.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap ds sds-split ssg-rhel7-ds.xml extracted/
$ ls -1 extracted/
scap_org.open-scap_cref_output--ssg-rhel7-cpe-dictionary.xml
scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
ssg-rhel7-cpe-oval.xml
ssg-rhel7-ocil.xml
ssg-rhel7-oval.xml</pre>
</div></div>
<div class="paragraph"><p>After splitting the source data stream you can inspect OVAL and XCCDF files
individually using a text editor. Keep in mind that this is only an example and
file names depend on contents of the source data stream you are splitting and
that you can also inspect XCCDF and OVAL content directly in a source data
stream or a result data stream.</p></div>
</div>
<div class="sect2">
<h3 id="_evaluating_xccdf">4.4. Evaluating XCCDF</h3>
<div class="paragraph"><p>When evaluating an XCCDF benchmark, <span class="monospaced">oscap</span> usually processes an XCCDF
file, an OVAL file and the CPE dictionary. It performs system
analysis and produces XCCDF results based on this analysis. The results
of the scan do not have to be saved in a separate file but can be
attached to the XCCDF file. The evaluation result of each XCCDF rule
within an XCCDF checklist is printed to standard output stream. The CVE
and CCE identifiers associated with the rules are printed as well. The
following is a sample output for a single XCCDF rule:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>Title   Verify permissions on 'group' file
Rule    usgcb-rhel5desktop-rule-2.2.3.1.j
Ident   CCE-3967-7
Result  pass</pre>
</div></div>
<div class="paragraph"><p>The meaning of results is defined by <a href="https://csrc.nist.gov/CSRC/media/Publications/nistir/7275/rev-4/final/documents/nistir-7275r4_updated-march-2012_clean.pdf">XCCDF Specification</a>.
This table lists the possible results of a single rule:</p></div>
<table class="tableblock frame-all grid-all"
style="
width:100%;
">
<caption class="title">Table 1. XCCDF results</caption>
<col style="width:33%;">
<col style="width:33%;">
<col style="width:33%;">
<tbody>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">Result</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">Description</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">Example Situation</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">pass</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The target system or system component satisfied all the conditions of the rule.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock"></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">fail</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The target system or system component did not satisfy all the conditions of the rule.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock"></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">error</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The checking engine could not complete the evaluation, therefore the status of the target’s compliance with the rule is not certain.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">OpenSCAP was run with insufficient privileges and could not gather all of the necessary information.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The testing tool encountered some problem and the result is unknown.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">OpenSCAP was unable to interpret the output of the checking engine (the output has no meaning to OpenSCAP).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">notapplicable</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule was not applicable to the target of the test.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">notchecked</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule was not evaluated by the checking engine. This status is designed for rules that have no &lt;xccdf:check&gt; elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule does not reference any OVAL check.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">notselected</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule was not selected in the benchmark. OpenSCAP does not display rules that were not selected.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule exists in the benchmark, but is not a part of selected profile.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">informational</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for rules whose main purpose is to extract information from the target rather than test the target.</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock"></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top" ><p class="tableblock">fixed</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock">The rule had initially evaluated to "fail", but was then fixed by automated remediation and therefore it now evaluates as "pass".</p></td>
<td class="tableblock halign-left valign-top" ><p class="tableblock"></p></td>
</tr>
</tbody>
</table>
<div class="paragraph"><p>The CPE dictionary is used to determine whether the content is
applicable on the target platform or not. Any content that is not
applicable will result in each relevant XCCDF rule being evaluated to
"notapplicable".</p></div>
<div class="paragraph"><p>The following examples show the most common scenarios of XCCDF benchmark
evaluation:</p></div>
<div class="ulist"><ul>
<li>
<p>
To evaluate a specific profile in an XCCDF file run this command:
</p>
</li>
</ul></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --profile Desktop --results xccdf-results.xml --cpe cpe-dictionary.xml scap-xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>Where <span class="monospaced">scap-xccdf.xml</span> is the XCCDF document, <span class="monospaced">Desktop</span> is the selected
profile from the XCCDF document, <span class="monospaced">xccdf-results.xml</span> is a file storing
the scan results, and <span class="monospaced">cpe-dictionary.xml</span> is the CPE dictionary.</p></div>
<div class="ulist"><ul>
<li>
<p>
You can additionally add <span class="monospaced">--rule</span> option to the above command to evaluate
a specific rule:
</p>
</li>
</ul></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --profile Desktop --rule ensure_gpgcheck_globally_activated  --results xccdf-results.xml --cpe cpe-dictionary.xml scap-xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>Where <span class="monospaced">ensure_gpgcheck_globally_activated</span> is the only rule from the <span class="monospaced">Desktop</span>
profile which will be evaluated.</p></div>
<div class="paragraph"><p>The <span class="monospaced">--rule</span> option can be used multiple times to evaluate multiple rules at once.</p></div>
<div class="ulist"><ul>
<li>
<p>
You can skip some rules by using the <span class="monospaced">--skip-rule</span> option.
</p>
</li>
</ul></div>
<div class="paragraph"><p>In the examples above we are generating XCCDF result files using the <span class="monospaced">--results</span>
command-line argument. You can use <span class="monospaced">--results-arf</span> to generate an SCAP result
data stream (also called ARF - Asset Reporting Format) XML instead.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --benchmark-id benchmark_id --results-arf arf-results.xml scap-ds.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_generating_results_compatible_with_stig_viewer">4.5. Generating results compatible with STIG Viewer</h3>
<div class="paragraph"><p>DISA STIG Viewer is a graphical user interface (GUI) application that enables
easy viewing of SCAP-formatted Security Technical Implementation Guides
(STIGs). For more information on DISA STIG Viewer see the
<a href="https://public.cyber.mil/stigs/srg-stig-tools/">SRG / STIG Tools</a> website.</p></div>
<div class="paragraph"><p>OpenSCAP can generate results compatible with STIG Viewer even when evaluating
SCAP content that uses different rule IDs than the official DISA STIG format,
for example, content from the <span class="monospaced">scap-security-guide</span> package or third-party
content.</p></div>
<div class="paragraph"><p>To produce results compatible with STIG Viewer, each rule in an SCAP source data
stream must contain a reference to a STIG Rule ID, and the value of the <span class="monospaced">href</span>
attribute must be either
<span class="monospaced">http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx</span> or
<span class="monospaced">https://public.cyber.mil/stigs/srg-stig-tools/</span>.</p></div>
<div class="paragraph"><p>For example:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;Rule id="rpm_verify_permissions"&gt;
  ...
  &lt;reference href="https://public.cyber.mil/stigs/srg-stig-tools/"&gt;SV-86473r2_rule&lt;/reference&gt;
  ...
&lt;/Rule&gt;</pre>
</div></div>
<div class="paragraph"><p>In the following example, we use the
<span class="monospaced">/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml</span> file provided by the
<span class="monospaced">scap-security-guide</span> RPM package. This data stream file meets both
prerequisites for rules.</p></div>
<div class="paragraph"><p>1) Scan your system using the <span class="monospaced">oscap</span> command with the <span class="monospaced">--stig-viewer</span> option.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer results-stig.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml</pre>
</div></div>
<div class="paragraph"><p>2) Download a STIG file of your choice, for example, from the
<a href="https://public.cyber.mil/stigs/downloads/">STIGs Document Library</a>, and extract
it. The version of the STIG must conform to the version of the
<span class="monospaced">xccdf_org.ssgproject.content_profile_stig</span> profile.</p></div>
<div class="paragraph"><p>3) In STIG Viewer, click on <span class="monospaced">File</span> and then on <span class="monospaced">Import STIG</span>. Then, select the
STIG in <span class="monospaced">STIGs</span> panel on the left side. Click on <span class="monospaced">Checklists</span> and then on
<span class="monospaced">Create Checklists - Check Marked STIG(s)</span>.</p></div>
<div class="paragraph"><p>4) Import the OpenSCAP scan results by clicking on <span class="monospaced">Import</span> and then on <span class="monospaced">XCCDF
Results File</span>. Locate the <span class="monospaced">results-stig.xml</span> file obtained in step 1. STIG
Viewer shows the results subsequently.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">The <span class="monospaced">--stig-viewer</span> option serves for evaluating an SCAP source data stream
other than a STIG provided by DISA, for example, <span class="monospaced">scap-security-guide</span> content
and loading the generated file in STIG Viewer into a checklist created from a
STIG by DISA. When evaluating a STIG provided by DISA using <span class="monospaced">oscap</span>, use the
<span class="monospaced">--results</span> option instead. Similarly, when creating checklists based on
<span class="monospaced">scap-security-guide</span> content in STIG Viewer and evaluating
<span class="monospaced">scap-security-guide</span> by oscap, use <span class="monospaced">--results</span> instead of <span class="monospaced">--stig-viewer</span>.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_checking_for_compliance_with_a_particular_requirement_coverage">4.6. Checking for compliance with a particular requirement coverage</h3>
<div class="paragraph"><p>A common theme is to check system status based on requirements of a particular policy.
OpenSCAP can select rules that are related to a specific requirement based on the references in the rules.</p></div>
<div class="paragraph"><p>1) List references that are supported in your scap content using the <span class="monospaced">oscap info --references</span> command.
This will list of available reference names and their URIs.
For example:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info --references /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
... snip ...
                References:
                        anssi: http://www.ssi.gouv.fr/administration/bonnes-pratiques/
                        cis: https://www.cisecurity.org/benchmark/red_hat_linux/
                        disa: https://public.cyber.mil/stigs/cci/
... snip ...</pre>
</div></div>
<div class="paragraph"><p>2) Run the evaluation with the <span class="monospaced">--reference</span> option, using the name obtained in the previous step and the requirement ID, separated by a colon.
That will filter the list of rules so that only rules that have the given reference ID assigned would be evaluated.
For example:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --profile cis --reference cis:3.3.2 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">If the <span class="monospaced">oscap info --references</span> command doesn&#8217;t list any reference names in the <span class="monospaced">References</span> section of its output, it means that the provided SCAP content doesn&#8217;t support this feature.</td>
</tr></table>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_remediating_system">5. Remediating system</h2>
<div class="sectionbody">
<div class="paragraph"><p>OpenSCAP allows one to automatically remediate systems that have been found in a
non-compliant state. For system remediation the rules in SCAP content need to
have a remediation script attached. For example, the SCAP source data streams in
the <span class="monospaced">scap-security-guide</span> package contain rules with remediation fix scripts.</p></div>
<div class="paragraph"><p>System remediation consists of the following steps:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
The <span class="monospaced">oscap</span> command performs a regular XCCDF evaluation.
</p>
</li>
<li>
<p>
An assessment of the results is performed by evaluating the OVAL definitions.
 Each rule that has failed is marked as a candidate for remediation.
</p>
</li>
<li>
<p>
The <span class="monospaced">oscap</span> program searches for an appropriate <span class="monospaced">&lt;xccdf:fix&gt;</span> element,
 resolves it, prepares the environment, and executes the fix script.
</p>
</li>
<li>
<p>
Any output of the fix script is captured by <span class="monospaced">oscap</span> and stored within the
 <span class="monospaced">&lt;xccdf:rule-result&gt;</span> element. The return value of the fix script is stored as
 well.
</p>
</li>
<li>
<p>
Whenever <span class="monospaced">oscap</span> executes a fix script, it immediately evaluates the OVAL
 definition again (to verify that the fix script has been applied correctly).
 During this second run, if the OVAL evaluation returns success, the result of
 the rule is <strong>fixed</strong>, otherwise it is an <strong>error</strong>.
</p>
</li>
<li>
<p>
Detailed results of the remediation are stored in an output XCCDF file. It
 contains two <span class="monospaced">&lt;xccdf:TestResult&gt;</span> elements. The first <span class="monospaced">&lt;xccdf:TestResult&gt;</span>
 element represents the scan prior to the remediation. The second
 <span class="monospaced">&lt;xccdf:TestResult&gt;</span> is derived from the first one and contains remediation
 results.
</p>
</li>
</ol></div>
<div class="paragraph"><p>There are three modes of operation of <span class="monospaced">oscap</span> with regard to remediation:
online, offline, and review.</p></div>
<div class="sect2">
<h3 id="_remediation_during_scanning">5.1. Remediation during scanning</h3>
<div class="paragraph"><p>The remediation scripts can be executed at the time of scanning. Evaluation and
remediation are performed as a part of a single command.</p></div>
<div class="paragraph"><p>To enable remediation during scanning, use the <span class="monospaced">oscap xccdf eval</span> command with
the <span class="monospaced">--remediate</span> command-line option.</p></div>
<div class="paragraph"><p>In this example we will execute remediation during evaluation of the OSPP profile:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --results-arf results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
<div class="paragraph"><p>The output of this command consists of two sections. The first section shows the
result of the scan prior to the remediation, and the second section shows the
result of the scan after applying the remediation. The second part can contain
only <strong>fixed</strong> and <strong>error</strong> results. The <strong>fixed</strong> result indicates that the scan performed
after the remediation passed. The <strong>error</strong> result indicates that even after
applying the remediation, the evaluation still does not pass.</p></div>
</div>
<div class="sect2">
<h3 id="_remediation_after_scanning">5.2. Remediation after scanning</h3>
<div class="paragraph"><p>This feature allows you to postpone fix execution.</p></div>
<div class="paragraph"><p>In first step, the system is only evaluated, and the results are stored in the
<span class="monospaced">&lt;xccdf:TestResult&gt;</span> element in an XCCDF results file.</p></div>
<div class="paragraph"><p>In the second step, <span class="monospaced">oscap</span> executes the fix scripts and verifies the result. It
is safe to store the results into the input file, no data will be lost. During
offline remediation, a new <span class="monospaced">&lt;xccdf:TestResult&gt;</span> element is created that is based
on the input one and inherits all the data. The newly created
<span class="monospaced">&lt;xccdf:TestResult&gt;</span> differs only in the <span class="monospaced">&lt;xccdf:rule-result&gt;</span> elements that
have failed. For those, remediation is executed.</p></div>
<div class="paragraph"><p>For example:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf remediate --results remediation-results.xml results.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_reviewing_remediations">5.3. Reviewing remediations</h3>
<div class="paragraph"><p>The review mode allows users to store remediation instructions to a file for
further review. The remediation content is not executed during this operation.
To generate remediation instructions in the form of a shell script, run:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Run a scan and generate XCCDF results file using the <span class="monospaced">--results</span> option.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
</li>
<li>
<p>
Obtain the results ID.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info results.xml</pre>
</div></div>
</li>
<li>
<p>
Generate the fix based on the scan results.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf generate fix --fix-type bash --output my-remediation-script.sh --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp results.xml</pre>
</div></div>
</li>
</ol></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_tailoring">6. Tailoring</h2>
<div class="sectionbody">
<div class="paragraph"><p>This section describes tailoring of content using a tailoring file.
Tailoring allows you to change behavior of SCAP content without its direct modification.</p></div>
<div class="sect2">
<h3 id="_creating_tailoring_files">6.1. Creating Tailoring files</h3>
<div class="paragraph"><p>Tailoring files can be easily created using <a href="https://www.open-scap.org/tools/scap-workbench/">SCAP Workbench</a> which is a GUI application.</p></div>
<div class="paragraph"><p>On the command line, tailoring files can be created using the <span class="monospaced">autotailor</span> tool.
This tool is a part of the <span class="monospaced">openscap-utils</span> package.</p></div>
<div class="paragraph"><p>The basic syntax is:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ autotailor \
--select RULE_ID --unselect RULE_ID --var-value VAR=VALUE \
--output TAILORING_FILE --new_profile_id NEW_PROFILE_ID
DS_FILENAME BASE_PROFILE_ID</pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">--select RULE_ID</span> adds a rule with <span class="monospaced">RULE_ID</span>. This argument can be
added multiple times if needed.
</p>
</li>
<li>
<p>
<span class="monospaced">--unselect RULE_ID</span> adds a rule with <span class="monospaced">RULE_ID</span>. This argument can be
added multiple times if needed.
</p>
</li>
<li>
<p>
<span class="monospaced">--var-value VAR=VALUE</span> specifies modification of the XCCDF value in the
form <span class="monospaced">&lt;varname&gt;=&lt;value&gt;</span>
</p>
</li>
<li>
<p>
<span class="monospaced">TAILORING_FILE</span> is a path to the file that will be created
</p>
</li>
<li>
<p>
<span class="monospaced">NEW_PROFILE_ID</span> is the ID of the customized profile
</p>
</li>
<li>
<p>
<span class="monospaced">DS_FILENAME</span> is the path to SCAP source data stream that is tailored
</p>
</li>
<li>
<p>
<span class="monospaced">BASE_PROFILE_ID</span> is the original profile that we want to customize
</p>
</li>
</ul></div>
<div class="paragraph"><p>The script creates a new file with a new profile with ID in a form <span class="monospaced">BASE_PROFILE_ID_customized</span>.</p></div>
<div class="paragraph"><p>In the following example, we will create a customized profile with ID <span class="monospaced">custom</span> based on the OSPP profile from the SCAP Security Guide for Red Hat Enterprise Linux 8 (located in <span class="monospaced">/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</span> which is provided by the <span class="monospaced">scap-security-guide</span> RPM package) which will remove the rule <span class="monospaced">service_usbguard_enabled</span> and save it as a XCCDF Tailoring file into <span class="monospaced">/tmp/tailoring.xml</span>.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ autotailor --unselect service_usbguard_enabled --output /tmp/tailoring.xml \
--new-profile-id custom /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml ospp</pre>
</div></div>
<div class="paragraph"><p>The <span class="monospaced">autotailor</span> tool can also consume <a href="https://github.com/ComplianceAsCode/schemas/tree/main/tailoring">JSON tailoring</a> files and convert them into XCCDF Tailoring.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ autotailor --json-tailoring custom.json /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
<div class="paragraph"><p>For more details about other options of the <span class="monospaced">autotailor</span> program please read the <span class="monospaced">autotailor(8)</span> man page or run <span class="monospaced">autotailor --help</span>.</p></div>
</div>
<div class="sect2">
<h3 id="_using_tailoring_files">6.2. Using Tailoring files</h3>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
List profiles in the tailoring file
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info ssg-rhel8-ds-tailoring.xml
Document type: XCCDF Tailoring
Imported: 2016-08-31T11:08:16
Benchmark Hint: /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Profiles:
        xccdf_org.ssgproject.content_profile_C2S_customized</pre>
</div></div>
</li>
<li>
<p>
Run a scan. The command evaluates tailored data stream by
<span class="monospaced">ssg-rhel8-ds-tailoring.xml</span> tailoring file. XCCDF results can be found in
<span class="monospaced">results.xml</span> file.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_C2S_customized \
--tailoring-file ssg-rhel8-ds-tailoring.xml \
--results results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
</li>
</ol></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">Use the ID of the customized profile (from the tailoring file), do not
use the ID of the original profile.</td>
</tr></table>
</div>
<div class="paragraph"><p>Instead of external tailoring file, you can also use tailoring component
integrated to data stream.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info simple-ds.xml

Document type: Source Data Stream
Imported: 2016-02-02T14:06:14

Stream: scap_org.open-scap_datastream_from_xccdf_simple-xccdf.xml
Generated: (null)
Version: 1.2
Checklists:
        Ref-Id: scap_org.open-scap_cref_simple-xccdf.xml
                Status: incomplete
                Resolved: false
                Profiles:
                        xccdf_org.open-scap_profile_override
                Referenced check files:
                        simple-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Ref-Id: scap_org.open-scap_cref_simple-tailoring.xml
                Benchmark Hint: (null)
                Profiles:
                        xccdf_org.open-scap_profile_default
                        xccdf_org.open-scap_profile_unselecting
                        xccdf_org.open-scap_profile_override
Checks:
        Ref-Id: scap_org.open-scap_cref_simple-oval.xml
No dictionaries.</pre>
</div></div>
<div class="paragraph"><p>To choose tailoring component <span class="monospaced">scap_org.open-scap_cref_simple-tailoring.xml</span>,
the command below can be used.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--tailoring-id scap_org.open-scap_cref_simple-tailoring.xml \
--profile xccdf_org.open-scap_profile_default \
--results results.xml simple-ds.xml</pre>
</div></div>
<div class="paragraph"><p>The command above evaluates content using tailoring component
<span class="monospaced">scap_org.open-scap_cref_simple-tailoring.xml</span> from source data stream. Scan
results are stored in <span class="monospaced">results.xml</span> file.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_scanning_with_script_check_engine_sce">7. Scanning with Script Check Engine (SCE)</h2>
<div class="sectionbody">
<div class="paragraph"><p>The Script Check Engine (SCE) is an alternative check engine for XCCDF checklist
evaluation.  SCE allows you to call shell scripts out of the XCCDF document.
This approach might be suitable for various use cases, mostly when OVAL checks
are not required. More information about SCE usage is available on this page:
<a href="https://www.open-scap.org/features/other-standards/sce/">Using SCE</a>.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">SCE is not part of any SCAP specification.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_validating_scap_content">8. Validating SCAP Content</h2>
<div class="sectionbody">
<div class="paragraph"><p>The <span class="monospaced">oscap</span> tool can be used to validate the security content
against standard SCAP XML schemas. The validation results are printed to the
standard error stream (stderr). The general syntax of the validation command
is the following:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap module validate [module_options_and_arguments] FILE</pre>
</div></div>
<div class="paragraph"><p>where <span class="monospaced">FILE</span> is the full path to the file being validated. As a <span class="monospaced">module</span> you
can use:</p></div>
<div class="ulist"><ul>
<li>
<p>
xccdf,
</p>
</li>
<li>
<p>
oval,
</p>
</li>
<li>
<p>
cpe or
</p>
</li>
<li>
<p>
cve.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The only exception is the data stream module (ds), which uses the sds-validate
operation instead of validate. So for example, it would be like:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap ds sds-validate scap-ds.xml</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">Note that all SCAP components within the given data stream are validated
automatically and none of the components is specified separately.</td>
</tr></table>
</div>
<div class="paragraph"><p>There is an extra Schematron-based validation enabled when you validate OVAL or
XCCDF specification. This validation method is slower but it provides deeper analysis.</p></div>
<div class="paragraph"><p>Run one of the following commands to validate an OVAL or XCCDF document without
Schematron checks:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf validate --skip-schematron xccdf-file.xml</pre>
</div></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval validate --skip-schematron oval-file.xml</pre>
</div></div>
<div class="paragraph"><p>The results of validation are printed to standard error stream (stderr).</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">Please note that for the rest of <span class="monospaced">oscap</span> functionality, unless you specify
--skip-validation (--skip-valid), validation will automatically occur before
files are used. Therefore, you do not need to explicitly validate a data stream
before use. Though it will not include the Schematron-based validation step.</td>
</tr></table>
</div>
<div class="sect2">
<h3 id="_validating_digital_signature_in_scap_source_data_stream">8.1. Validating digital signature in SCAP source data stream</h3>
<div class="paragraph"><p>When evaluating a digitally signed SCAP source data stream OpenSCAP validates
the digital signature of the data stream. The signature validation is performed
automatically while loading the file. Data streams with invalid signatures would
be rejected and would not be evaluated. OpenSCAP uses
<a href="https://www.aleksey.com/xmlsec/">XML Security Library</a> with OpenSSL backend to
validate the digital signature.</p></div>
<div class="paragraph"><p>The signature validation only checks that the datastream hasn&#8217;t been altered
since its latest signature. OpenSCAP doesn&#8217;t address trustworthiness of
certificates or public keys that are part of the <span class="monospaced">KeyInfo</span> signature element and
that are used to verify the signature. You should verify those keys yourself to
prevent evaluation of datastreams that have been modified and signed by bad
actors.</p></div>
<div class="paragraph"><p>The signature validation can be skipped by adding the
<span class="monospaced">--skip-signature-validation</span> option to the <span class="monospaced">oscap xccdf eval</span> command.</p></div>
<div class="paragraph"><p>Also, signature validation can be enforced (effectively rendering all unsigned
data streams invalid) with the <span class="monospaced">--enforce-signature</span> option to the <span class="monospaced">oscap xccdf eval</span> command.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_generating_reports_guides_and_scripts">9. Generating reports, guides and scripts</h2>
<div class="sectionbody">
<div class="paragraph"><p>Another useful features of <span class="monospaced">oscap</span> is the ability to generate documents in a
human-readable HTML format. This feature is used to generate security guides and
checklists, which serve as a source of information, as well as guidance for
secure system configuration. The results of system scans can also be transformed
to well-readable result reports. Moreover, remediation scripts and Ansible
playbooks can be generated if the SCAP content contains these data.</p></div>
<div class="paragraph"><p>The general command syntax is the following:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>oscap module generate sub-module [specific_module/sub-module_options_and_arguments] file</pre>
</div></div>
<div class="paragraph"><p>Where module is either <span class="monospaced">xccdf</span> or <span class="monospaced">oval</span>, <span class="monospaced">sub-module</span> is a type of
the generated document, and file represents an XCCDF or OVAL file. A sub-module
can be either <span class="monospaced">report</span>, <span class="monospaced">guide</span>, <span class="monospaced">custom</span> or <span class="monospaced">fix</span>. Please see
 <span class="monospaced">man oscap</span> for more details.</p></div>
<div class="sect2">
<h3 id="_generating_html_guides">9.1. Generating HTML guides</h3>
<div class="paragraph"><p>To generate a HTML guide from an SCAP source data stream or an XCCDF file use the <span class="monospaced">oscap xccdf generate guide</span> command.</p></div>
<div class="paragraph"><p>Generating a guide with profile checklist (see an
<a href="https://static.open-scap.org/examples/guide-checklist.html">example</a>):</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml &gt; guide.html</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_generating_html_reports">9.2. Generating HTML reports</h3>
<div class="paragraph"><p>To generate HTML scan reports after scan from the scan results in ARF or XCCDF
format the <span class="monospaced">oscap xccdf generate report</span> command can be used.</p></div>
<div class="paragraph"><p>Generating the HTML report with information about checks (see an
<a href="https://static.open-scap.org/examples/report-xccdf-oval.html">example</a>):</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate report arf.xml &gt; report.html</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Tip</div>
</td>
<td class="content">The HTML report can be generated also during scan by adding the <span class="monospaced">--report</span>
option to the <span class="monospaced">oscap xccdf eval</span> command.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_generating_bash_scripts">9.3. Generating bash scripts</h3>
<div class="paragraph"><p>To generate a bash remediation script from an XCCDF profile, use the <span class="monospaced">oscap
xccdf generate fix</span> command. OpenSCAP will extract remediation scripts for all
rules in the given profile to a file.</p></div>
<div class="paragraph"><p>For example, to generate a bash remediation script for RHEL 8 OSPP profile, run:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate fix --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml &gt; fix.sh</pre>
</div></div>
<div class="paragraph"><p>The output contains fixes for all rules in the given profile including those
rules that would pass. It&#8217;s because system isn&#8217;t scanned during this command. If
you want to generate remediation only for the failed rules based on scan
results, refer to <a href="#_reviewing_remediations">Reviewing remediations</a>.</p></div>
</div>
<div class="sect2">
<h3 id="_generating_ansible_playbooks">9.4. Generating Ansible Playbooks</h3>
<div class="paragraph"><p>Similar to generating bash scripts, OpenSCAP is able to extract Ansible tasks
associated with XCCDF rules and generate an Ansible Playbook that can be used to
configure the operating system according to the given profile. To generate
Anisble Playbook use the <span class="monospaced">oscap xccdf generate fix</span> command with <span class="monospaced">--fix-type
ansible</span> option.</p></div>
<div class="paragraph"><p>For example, to generate Ansible Playbook from RHEL 8 OSPP profile, run:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate fix --profile ospp --fix-type ansible /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml &gt; playbook.yml</pre>
</div></div>
<div class="paragraph"><p>The generated Ansible Playbook is generated from an OpenSCAP profile without
preliminary evaluation. It attempts to fix every selected rule, even if the
system is already compliant. The output contains fixes for all rules in the
given profile including those rules that would pass. It&#8217;s because system isn&#8217;t
scanned during this command. If you want to generate remediation only for the
failed rules based on scan results, refer to <a href="#_reviewing_remediations">Reviewing remediations</a>.</p></div>
</div>
<div class="sect2">
<h3 id="_generating_image_builder_blueprints">9.5. Generating Image Builder Blueprints</h3>
<div class="paragraph"><p>OpenSCAP can also create a remediation in form of Image Builder (OSBuild) Blueprint. This remeditaion
is intendeded to be used as a bootstrap for image creation and usually it will contain only essential
elements of the configuration, elements that would be hard or impossible to change after the image
is created, like partitioning or set of installed packages.</p></div>
<div class="paragraph"><p>It is recommended to combine this type of remediation with other types, executed on the running system.</p></div>
<div class="paragraph"><p>For example, to generate a blueprint remediation for RHEL 8 OSPP profile, run:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate fix --profile ospp --fix-type blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml &gt; blueprint.toml</pre>
</div></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_details_on_scap_conformance">10. Details on SCAP conformance</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_check_engines">10.1. Check Engines</h3>
<div class="paragraph"><p>Most XCCDF content uses the OVAL check engine. This is when OVAL
Definitions are being evaluated in order to assess a system. Complete
information of an evaluation is recorded in OVAL Results files, as
defined by the OVAL specification. By examining these files it&#8217;s
possible check what definitions were used for the evaluation and why the
results are as they are. Please note these files are not generated
unless <span class="monospaced">--oval-results</span> is used.</p></div>
<div class="paragraph"><p>Some content may use alternative check engines, for example the
<a href="https://www.open-scap.org/features/other-standards/sce/">SCE</a> check engine.</p></div>
<div class="paragraph"><p>Results of rules with a check that requires a check engine not supported
by OpenSCAP will be reported as <strong>notchecked</strong>. Check contents are not
read or interpreted in any way unless the check system is known and
supported. Following is an evaluation output of an XCCDF with unknown
check system:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval sds-datastream.xml

Title   Check group file contents
Rule    xccdf_org.example_rule_system_authcontent-group
Result  notchecked

Title   Check password file contents
Rule    xccdf_org.example_rule_system_authcontent-passwd
Result  notchecked

Title   Check shadow file contents
Rule    xccdf_org.example_rule_system_authcontent-shadow
Result  notchecked

...</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">The <strong>notchecked</strong> result is also reported for rules that have no
check implemented. <strong>notchecked</strong> means that there was no check in that
particular rule that could be evaluated.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_cve_cce_cpe_and_other_identifiers">10.2. CVE, CCE, CPE and other identifiers</h3>
<div class="paragraph"><p>Each XCCDF Rule can have <span class="monospaced">&lt;xccdf:ident&gt;</span> elements inside. These elements
allow the content creator to reference various external identifiers like
CVE, CCE, CPE and others.</p></div>
<div class="paragraph"><p>When scanning, <span class="monospaced">oscap</span> outputs identifiers of scanned rules regardless of
their results. For example:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>Title   Ensure Repodata Signature Checking is Not Disabled For Any Repos
Rule    rule-2.1.2.3.6.a
Result  pass

Title   Verify user who owns 'shadow' file
Rule    rule-2.2.3.1.a
Ident   CCE-3918-0
Result  pass

Title   Verify group who owns 'shadow' file
Rule    rule-2.2.3.1.b
Ident   CCE-3988-3
Result  pass</pre>
</div></div>
<div class="paragraph"><p>All identifiers (if any) are printed to stdout for each rule. Since
standard output doesn&#8217;t allow for compact identifier metadata to be
displayed, only the identifiers themselves are displayed there.</p></div>
<div class="paragraph"><p>Identifiers are also part of the HTML report output. If the identifier
is a CVE you can click it to display its metadata from the official NVD
database (requires internet connection). OpenSCAP doesn&#8217;t provide
metadata for other types of identifiers.</p></div>
<div class="paragraph"><p>Another place where these identifiers can be found are machine-readable SCAP
result data stream (ARF) files. This file can be generated during the scan by
adding <span class="monospaced">--results-arf</span> option.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_common \
--fetch-remote-resources --results-arf results.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml</pre>
</div></div>
<div class="paragraph"><p>Result data stream file <span class="monospaced">results.xml</span> contains these identifiers in <span class="monospaced">&lt;xccdf:rule-result&gt;</span>
elements.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;rule-result
  idref="xccdf_org.ssgproject.content_rule_partition_for_tmp"
  time="2017-01-20T14:30:18" severity="low" weight="1.000000"&gt;
  &lt;result&gt;pass&lt;/result&gt;
  &lt;ident system="https://nvd.nist.gov/cce/index.cfm"&gt;CCE-27173-4&lt;/ident&gt;
  &lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"&gt;
    &lt;check-content-ref name="oval:ssg-partition_for_tmp:def:1" href="#oval0"/&gt;
  &lt;/check&gt;
&lt;/rule-result&gt;</pre>
</div></div>
<div class="paragraph"><p>Since OpenSCAP 1.2.9 you can use the Group-By feature of HTML report
to get an overview of results based on their identifiers and references.</p></div>
<div class="paragraph"><p>The HTML report can also be used to look-up Rules by their identifiers.
You can type the identifier (e.g.: CCE-27173-4) in the search box in
the HTML report and only rules with this identifier will be shown.
This can be used for any type of XCCDF identifier or reference.
You can also click on the rule title to show more details and see all
its identifiers, including the identifier you looked for.
This relies heavily on SCAP content quality, if the identifiers are
not present in the source content they will not be available in the
HTML report.</p></div>
<div class="paragraph"><p>If you want to map two identifiers&#8201;&#8212;&#8201;e.g.: map CCE identifier to
NIST 800-53 identifier&#8201;&#8212;&#8201;you need to look-up the CCE ID in the
HTML report through the search box using the first identifier. And then,
by grouping by NIST SP 800-53 ID, you can see all NIST 800-53 IDs
related to the searched CCE ID.</p></div>
</div>
<div class="sect2">
<h3 id="_bundled_cce_data">10.3. Bundled CCE data</h3>
<div class="paragraph"><p>OpenSCAP does not provide any static or product bundled CCE data. Thus
it has no way of displaying the last generated, updated and officially
published dates of static or product bundled CCE data because the dates
are not defined.</p></div>
</div>
<div class="sect2">
<h3 id="_cpe_applicability">10.4. CPE applicability</h3>
<div class="paragraph"><p>XCCDF rules in the content may target only specific platforms and hold
no meaning on other platforms. Such an XCCDF rule contains an
<span class="monospaced">&lt;xccdf:platform&gt;`</span> element in its body. This element references a CPE
name or CPE2 platform (defined using <span class="monospaced">&lt;cpe2:platform-specification&gt;</span>)
that could be defined in a CPE dictionary file or a CPE language file
or it can also be embedded directly in the XCCDF document.</p></div>
<div class="paragraph"><p>An XCCDF rule can contain multiple <span class="monospaced">&lt;xccdf:platform&gt;</span> elements. It is
deemed applicable if at least one of the listed platforms is applicable.
If an XCCDF rule contains no <span class="monospaced">&lt;xccdf:platform&gt;</span> elements it is considered
always applicable.</p></div>
<div class="paragraph"><p>If the CPE name or CPE2 platform is defined in an external file, use the
 <span class="monospaced">--cpe</span> option and <span class="monospaced">oscap</span> auto-detects format of the file. The following
command is an example of the XCCDF content evaluation using CPE name
from an external file:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --results xccdf-results.xml --cpe external-cpe-file.xml xccdf-file.xml</pre>
</div></div>
<div class="paragraph"><p>Where <span class="monospaced">xccdf-file.xml</span> is the XCCDF document, <span class="monospaced">xccdf-results.xml</span> is a file
containing the scan results, and <span class="monospaced">external-cpe-file.xml</span> is the CPE
dictionary or a language file.</p></div>
<div class="paragraph"><p>If you are evaluating a source data stream, <span class="monospaced">oscap</span> automatically
registers all CPEs contained within the data stream. No extra steps have
to be taken. You can also register an additional external CPE file, as
shown by the command below:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --datastream-id ds.xml --xccdf-id xccdf.xml --results xccdf-results.xml --cpe additional-external-cpe.xml scap-ds.xml</pre>
</div></div>
<div class="paragraph"><p>Where <span class="monospaced">scap-ds.xml</span> is a file representing the SCAP data stream
collection, <span class="monospaced">ds.xml</span> is the particular data stream, <span class="monospaced">xccdf.xml</span> is the
XCCDF document, <span class="monospaced">xccdf-results.xml</span> is a file containing the scan
results, and <span class="monospaced">additional-external-cpe.xml</span> is the additional CPE
dictionary or language file.</p></div>
<div class="paragraph"><p>The <span class="monospaced">oscap</span> tool will use an OVAL file attached to the CPE dictionary to
determine applicability of any CPE name in the dictionary.</p></div>
<div class="paragraph"><p>Apart from the instructions above, no extra steps have to be taken for
content using <span class="monospaced">&lt;cpe:fact-ref&gt;</span> or <span class="monospaced">&lt;cpe2:fact-ref&gt;</span>. See the following
sections for details on resolving.</p></div>
<div class="sect3">
<h4 id="_xccdf_platform_applicability_resolution">10.4.1. xccdf:platform applicability resolution</h4>
<div class="paragraph"><p>When a CPE name or language model platform is referenced via
<span class="monospaced">&lt;xccdf:platform&gt;</span> elements, resolution happens in the following order:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Look into embedded CPE2 language model if name is found and applicable deem
 it applicable
</p>
</li>
<li>
<p>
If not found or not applicable, look into external CPE2 language models
 (order of registration)
</p>
</li>
<li>
<p>
If not found or not applicable, look into embedded CPE dictionary
</p>
</li>
<li>
<p>
If not found or not applicable, look into external CPE dictionaries (order of
 registration)
</p>
</li>
</ol></div>
<div class="paragraph"><p>If the CPE name is not found in any of the sources, it is deemed not
applicable. If it is found in any of the sources but not applicable, we
look for it elsewhere.</p></div>
</div>
<div class="sect3">
<h4 id="_cpe_fact_ref_and_cpe2_fact_ref_resolution">10.4.2. cpe:fact-ref and cpe2:fact-ref resolution</h4>
<div class="paragraph"><p>CPE name referenced from within <span class="monospaced">fact-ref</span> is resolved in the following
order:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Look into embedded CPE dictionary, if name is found and applicable
deem it applicable
</p>
</li>
<li>
<p>
If not found or not applicable, look into external CPE dictionaries
(order of registration)
</p>
</li>
</ol></div>
</div>
<div class="sect3">
<h4 id="_built_in_cpe_naming_dictionary">10.4.3. Built-in CPE Naming Dictionary</h4>
<div class="paragraph"><p>Apart from the external CPE Dictionaries, <span class="monospaced">oscap</span> comes with an inbuilt
CPE Dictionary. The built-in CPE Dictionary contains only a few products
(sub-set of <a href="http://nvd.nist.gov/cpe.cfm">Official CPE Dictionary</a>) and it
is used as a fall-back option when there is no other CPE source found.</p></div>
<div class="paragraph"><p>The list of inbuilt CPE names can be found in the output of</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap --version</pre>
</div></div>
<div class="paragraph"><p>The built-in CPE dictionary will be deprecated in OpenSCAP 1.4.0.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_notes_on_the_concept_of_multiple_oval_values">10.5. Notes on the Concept of Multiple OVAL Values</h3>
<div class="paragraph"><p>This section describes advanced concepts of OVAL Variables and their
implementation in <span class="monospaced">oscap</span>. The SCAP specification allows for an OVAL
variable to have multiple values during a single assessment run. There
are two variable modes which can be combined:</p></div>
<div class="ulist"><ul>
<li>
<p>
Multival&#8201;&#8212;&#8201;A variable is assigned with multiple values at the same
time. As an example, consider a variable which refers to preferred
permission of a given file, that may take multiple values like: <em>600</em>,
<em>400</em>. The evaluation tries to match each (or all) and then outputs a
single OVAL Definition result.
</p>
</li>
<li>
<p>
Multiset&#8201;&#8212;&#8201;A variable is assigned with a different value (or
multival) for different evaluations. This is known as a
<strong>variable_instance</strong>. As an example consider an OVAL definition which
checks that a package given by a variable is not installed. For the first
evaluation of the definition, the variable can be assigned with
<em>telnet-server</em> value, for second time the variable can be assigned with
<em>tftp-server</em> value. Therefore both evaluations may output different
results. Thus, the OVAL Results file may contain multiple results for
the same definition, these are distinguished by <strong>variable_instance</strong>
attribute.
</p>
</li>
</ul></div>
<div class="paragraph"><p>These two concepts are a source of confusion for both the content
authors and the result consumers. On one hand, the first concept is well
supported by the standard and the OVAL Variable file format. It allows
multiple <strong>&lt;value&gt;</strong> elements for each <strong>&lt;variable&gt;</strong> element. On the other
hand, the second concept is not supported by an OVAL Variable schema
which prevents fully automated evaluation of the multisets (unless you
use XCCDF to bridge that gap).</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Tip</div>
</td>
<td class="content"><span class="monospaced">oscap</span> supports both variable modes as described below.</td>
</tr></table>
</div>
<div class="sect3">
<h4 id="_sources_of_variable_values">10.5.1. Sources of Variable Values</h4>
<div class="paragraph"><p>First we need to understand how a single value can be bound to a
variable in the OVAL checking engine. There are three ways to do this:</p></div>
<div class="paragraph"><p>1)  OVAL Variables File&#8201;&#8212;&#8201;The values of external variables can be
defined in an external file. Such a file is called an OVAL Variable File
and can be recognized by using the following command: <span class="monospaced">oscap info
file.xml</span>. The OVAL Variables file can be passed to the evaluation by
 <span class="monospaced">--variables</span> argument such as:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval \
--variables usgcb-rhel5desktop-oval.xml-0.variables-0.xml \
--results usgcb-results-oval.xml \
usgcb-rhel5desktop-oval.xml</pre>
</div></div>
<div class="paragraph"><p>2)  XCCDF Bindings&#8201;&#8212;&#8201;The values of external variables can be given from
an XCCDF file. In the XCCDF file within each <span class="monospaced">&lt;xccdf:check&gt;</span> element,
there might be <span class="monospaced">&lt;xccdf:check-export&gt;</span> elements. These elements allow
transition of <span class="monospaced">&lt;xccdf:value&gt;</span> elements to <span class="monospaced">&lt;oval:variables&gt;</span> elements. The
following command allows users to export variable bindings from XCCDF to
an OVAL Variables file:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf export-oval-variables --profile united_states_government_configuration_baseline usgcb-rhel5desktop-xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>3)  Values within an OVAL Definition File&#8201;&#8212;&#8201;Variables' values defined
directly in the OVAL definitions file <span class="monospaced">&lt;constant_variable&gt;</span> and
<span class="monospaced">&lt;local_variable&gt;</span> elements.</p></div>
</div>
<div class="sect3">
<h4 id="_evaluation_of_multiple_oval_values">10.5.2. Evaluation of Multiple OVAL Values</h4>
<div class="paragraph"><p>With <span class="monospaced">oscap</span>, there are two possible ways how two or more values can be
specified for a variable used by one OVAL definition. The approach you choose
depends on what mode you want to use, multival or multiset.</p></div>
<div class="paragraph"><p>The <span class="monospaced">oscap</span> handles multiple OVAL values seamlessly. Users don&#8217;t need to do
anything differently than for a normal scan.
The command below demonstrates evaluation of an SCAP source data stream, which
may include multiset, multival, or both concepts combined, or none of them.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --profile my_baseline --results-arf scap-arf.xml --cpe additional-external-cpe.xml scap-ds.xml</pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_multival">10.5.3. Multival</h4>
<div class="paragraph"><p>Multival can pass multiple values to a single OVAL definition
evaluation. This can be accomplished by all three ways as described in
previous section.</p></div>
<div class="paragraph"><p>1)  OVAL Variables file&#8201;&#8212;&#8201;This option is straight forward. The file
format (XSD schema) allows for multiple <span class="monospaced">&lt;value&gt;</span> elements within each
<span class="monospaced">&lt;variable&gt;</span> element.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;variable id="oval:com.example.www:var:1" datatype="string" comment="Unknown"&gt;
  &lt;value&gt;600&lt;/value&gt;
  &lt;value&gt;400&lt;/value&gt;
&lt;/variable&gt;</pre>
</div></div>
<div class="paragraph"><p>2)  XCCDF Bindings&#8201;&#8212;&#8201;Use multiple <span class="monospaced">&lt;xccdf:check-export&gt;</span> referring to the
very same OVAL variable binding with multiple different XCCDF values.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"&gt;
  &lt;check-export value-id="xccdf_com.example.www_value_1"
    export-name="oval:com.example.www:var:1"/&gt;
  &lt;check-export value-id="xccdf_com.example.www_value_2"
    export-name="oval:com.example.www:var:1"/&gt;
  &lt;check-content-ref href="my-test-oval.xml" name="oval:com.example.www:def:1"/&gt;
&lt;/check&gt;</pre>
</div></div>
<div class="paragraph"><p>3)  Values within OVAL Definitions file&#8201;&#8212;&#8201;This is similar to using a
Variables file, there are multiple <span class="monospaced">&lt;value&gt;</span> elements allowed within
<span class="monospaced">&lt;constant_variable&gt;</span> or <span class="monospaced">&lt;local_variable&gt;</span> elements.</p></div>
</div>
<div class="sect3">
<h4 id="_multiset">10.5.4. Multiset</h4>
<div class="paragraph"><p>Multiset allows for the very same OVAL definition to be evaluated
multiple times using different values assigned to the variables for each
evaluation. In OpenSCAP, this is only possible by option (2) XCCDF
Bindings. The following XCCDF snippet evaluates twice the very same OVAL
Definition, each time it binds a different value to the OVAL variable.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;Rule id="xccdf_moc.elpmaxe.www_rule_1" selected="true"&gt;
  &lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"&gt;
    &lt;check-export value-id="xccdf_moc.elpmaxe.www_value_1" export-name="oval:com.example.www:var:1"/&gt;
    &lt;check-content-ref href="my-test-oval.xml" name="oval:com.example.www:def:1"/&gt;
  &lt;/check&gt;
&lt;/Rule&gt;
&lt;Rule id="xccdf_moc.elpmaxe.www_rule_2" selected="true"&gt;
  &lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"&gt;
    &lt;check-export value-id="xccdf_moc.elpmaxe.www_value_2" export-name="oval:com.example.www:var:1"/&gt;
    &lt;check-content-ref href="my-test-oval.xml" name="oval:com.example.www:def:1"/&gt;
  &lt;/check&gt;
&lt;/Rule&gt;</pre>
</div></div>
<div class="paragraph"><p>After the evaluation, the OVAL results file will contain multiple
result-definitions and multiple result-tests and multiple
collected-objects. The elements of the same id will be differentiated by
the value of the <strong>variable_instance</strong> attribute. Each of the
definitions/tests/object might have a different result of evaluation.
The following snippet of OVAL results file illustrates output of a
multiset evaluation.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;tests&gt;
  &lt;test test_id="oval:com.example.www:tst:1" version="1"
    check="at least one" result="true" variable_instance="1"&gt;
    &lt;tested_item item_id="1117551" result="true"/&gt;
    &lt;tested_variable variable_id="oval:com.example.www:var:1"&gt;600&lt;/tested_variable&gt;
  &lt;/test&gt;
  &lt;test test_id="oval:com.example.www:tst:1" version="1"
    check="at least one" result="false" variable_instance="2"&gt;
    &lt;tested_item item_id="1117551" result="false"/&gt;
    &lt;tested_variable variable_id="oval:com.example.www:var:1"&gt;400&lt;/tested_variable&gt;
  &lt;/test&gt;
&lt;/tests&gt;</pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_evaluating_xccdf_rules_with_multiple_checks">10.6. Evaluating XCCDF rules with multiple checks</h3>
<div class="paragraph"><p>Normally, each XCCDF rule references to a single check with a specified name.
However, if <span class="monospaced">@name</span> attribute of <span class="monospaced">xccdf:check-content-ref</span> of a given rule is omitted,
multiple checks can be executed to evaluate the rule.
This is common for <span class="monospaced">security_patches_up_to_date</span> check.
By default, only a single result is produced for an XCCDF rule in such case, and the
result is computed from all results of checks in the referenced location.
In case user wants to see separate results for each check (one <span class="monospaced">xccdf:check-result</span> element
in results document for each check evaluated), then <span class="monospaced">multi-check</span> attribute
of <span class="monospaced">xccdf:check</span> element must be set to <strong>true</strong>.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>&lt;Rule
  id="xccdf_org.nist-testsuite.content_rule_security_patches_up_to_date"
  selected="false" weight="10.0"&gt;
  &lt;title xml:lang="en-US"&gt;Security Patches Up-To-Date&lt;/title&gt;
  &lt;description xml:lang="en-US"&gt;All known security patches have been installed.&lt;/description&gt;
  &lt;requires idref="xccdf_org.nist-testsuite.content_group_CM-6"/&gt;
  &lt;requires idref="xccdf_org.nist-testsuite.content_group_SI-2"/&gt;
  &lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" multi-check="true"&gt;
    &lt;check-content-ref href="r1100-scap11-win_rhel-patches.xml"/&gt;
  &lt;/check&gt;
&lt;/Rule&gt;</pre>
</div></div>
<div class="paragraph"><p>In XCCDF specification older than 1.2, the <span class="monospaced">multi-check</span> element is not defined,
which means that only a single result is always produced.
To produce separate results for each check from the content older than XCCDF version 1.2,
you need to convert it first into XCCDF 1.2 using the following command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ xsltproc --stringparam reverse_DNS com.example.www /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl xccdf.xml &gt; xccdf-1.2.xml</pre>
</div></div>
<div class="paragraph"><p>And then patch the content using a text editor, adding <span class="monospaced">multi-check</span> as
shown in the example Rule snippet above.</p></div>
<div class="paragraph"><p>To create a source data stream from the patched content, the following command can be used:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap ds sds-compose xccdf-1.2.xml source_ds.xml</pre>
</div></div>
<div class="paragraph"><p>If the original XCCDF file referenced a custom CPE dictionary, you also have to inject
the CPE dictionary into the source data stream in order to create a valid source data stream.
To add a CPE dictionary component into your data stream in place, use this command:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap ds sds-add cpe_dictionary.xml source_ds.xml</pre>
</div></div>
<div class="paragraph"><p>Now the <span class="monospaced">source_ds.xml</span> data stream can be evaluated as usual.</p></div>
</div>
<div class="sect2">
<h3 id="_identifying_swid_tags">10.7. Identifying SWID tags</h3>
<div class="paragraph"><p>OpenSCAP identifies SWID tags using OVAL inventory class definitions that are
part of an SCAP source data stream or a standalone OVAL Definition file.</p></div>
<div class="paragraph"><p>It supports the following 3 methods of SWID tags detection:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
One or more <span class="monospaced">cpe2-dict:check</span> elements that reference an OVAL inventory
class definition that searches for the presence of a matching SWID tag.
</p>
</li>
<li>
<p>
A <span class="monospaced">cpe:check-fact-ref</span> element that references an OVAL inventory class
definition that searches for the presence of a matching SWID tag.
</p>
</li>
<li>
<p>
An OVAL definition that references another OVAL inventory class definition
using the <span class="monospaced">oval-def:extend_definition</span> element where the extended definition
searches for the presence of a matching SWID tag.
</p>
</li>
</ol></div>
<div class="paragraph"><p>The <span class="monospaced">oscap</span> command handles the SWID tag detection transparently. The detection
algorithm is using OVAL&#8217;s <span class="monospaced">xmlfilecontent</span> test. The OVAL inventory class definitions can be
evaluated in a standard way, i.e. by using the <span class="monospaced">oscap oval eval</span> for a
standalone OVAL Definition file or <span class="monospaced">oscap xccdf eval</span> for definitions that are
part of an SCAP source data stream.</p></div>
<div class="paragraph"><p>For example, the following command can be used to evaluate an SCAP source data
stream that contains OVAL inventory class definitions that search for the
presence of a matching SWID tag (referenced XML files can be obtained from the
<a href="https://csrc.nist.gov/CSRC/media/Projects/scap-validation-program/documents/SCAP1.3ValidationTestContent_1-3.0.0.0.zip">SCAP 1.3 validation test suite</a>).</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --results-arf arf.xml --profile xccdf_gov.nist.validation_profile_r2850-rhel r2850-rhel-datastream.xml</pre>
</div></div>
<div class="paragraph"><p>As another example, the following command can be used to evaluate a standalone OVAL
Definition file that contains OVAL inventory class definitions that search for
the presence of a matching SWID tag:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --results results.xml r2860-rhel-oval.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_notes_on_specifics_of_oval_implementation">10.8. Notes on specifics of OVAL implementation</h3>
<div class="sect3">
<h4 id="_excluding_non_local_filesystems_using_the_recurse_file_system_local_attribute_of_a_filebehaviors_entity">10.8.1. Excluding non-local filesystems using the recurse_file_system="local" attribute of a FileBehaviors entity</h4>
<div class="paragraph"><p>The scanner loosely follows the OVAL&#8217;s idea behind this attribute to behave like
the coreutils utility <strong>df</strong> (<span class="monospaced">df -l</span>). This is the list of filesystems, that are
not considered local by the scanner:</p></div>
<div class="ulist"><ul>
<li>
<p>
proc, sysfs
</p>
</li>
<li>
<p>
afs
</p>
</li>
<li>
<p>
ceph
</p>
</li>
<li>
<p>
cifs
</p>
</li>
<li>
<p>
smb3, smbfs
</p>
</li>
<li>
<p>
sshfs
</p>
</li>
<li>
<p>
ncpfs, ncp
</p>
</li>
<li>
<p>
nfs, nfs4
</p>
</li>
<li>
<p>
gfs, gfs2
</p>
</li>
<li>
<p>
glusterfs
</p>
</li>
<li>
<p>
gpfs
</p>
</li>
<li>
<p>
pvfs2
</p>
</li>
<li>
<p>
ocfs2
</p>
</li>
<li>
<p>
lustre
</p>
</li>
<li>
<p>
davfs
</p>
</li>
</ul></div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_list_of_accepted_environment_variables">11. List of accepted environment variables</h2>
<div class="sectionbody">
<div class="paragraph"><p>OpenSCAP accepts the following environment variables.
If OpenSCAP is executed with verbosity level INFO or DEVEL their runtime values will be listed at the beginning of the log.</p></div>
<div class="ulist"><ul>
<li>
<p>
<span class="monospaced">OSCAP_CHECK_ENGINE_PLUGIN_DIR</span> - Defines path to a directory that contains plug-in libraries implementing additional check engines, eg. SCE.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_CONTAINER_VARS</span> - Additional environment variables read by environmentvariable58_probe. The variables are separated by <span class="monospaced">\n</span>. It is used by <span class="monospaced">oscap-podman</span> and <span class="monospaced">oscap-docker</span> scripts during container scanning.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_EVALUATION_TARGET</span> - Change value of target facts <span class="monospaced">urn:xccdf:fact:identifier</span> and <span class="monospaced">urn:xccdf:fact:asset:identifier:ein</span> in XCCDF results. Used during offline scanning to pass the name of the target system.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_FULL_VALIDATION</span> - If set, XML schema validation will be performed in every step of SCAP content processing.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_OVAL_COMMAND_OPTIONS</span> - Additional command line options for <span class="monospaced">oscap oval</span> module. The value of this environment variable is appended to the actual command line options of <span class="monospaced">oscap</span> command.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PCRE_EXEC_RECURSION_LIMIT</span> - Set recursion limit of regular expression matching using <span class="monospaced">pcre_exec</span>/<span class="monospaced">pcre2_match</span> functions.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PROBE_ROOT</span> - Path to a directory which contains mounted filesystem to be evaluated. Used for offline scanning.
</p>
</li>
<li>
<p>
<span class="monospaced">SEXP_VALIDATE_DISABLE</span> - If set, <span class="monospaced">oscap</span> will not validate SEXP expressions during its execution.
</p>
</li>
<li>
<p>
<span class="monospaced">SOURCE_DATE_EPOCH</span> - Timestamp in seconds since epoch. This timestamp will be used instead of the current time to populate <span class="monospaced">timestamp</span> attributes in SCAP source data streams created by <span class="monospaced">oscap ds sds-compose</span> sub-module. This is used for reproducible builds of data streams.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PROBE_MEMORY_USAGE_RATIO</span> - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PROBE_MAX_COLLECTED_ITEMS</span> - maximal count of collected items by OpenSCAP probe for a single OVAL object evaluation
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PROBE_IGNORE_PATHS</span> - Skip given paths during evaluation. If multiple paths should be skipped they need to be separated by a colon. The paths should be absolute canonical paths.
</p>
</li>
<li>
<p>
<span class="monospaced">OSCAP_PREFERRED_ENGINE</span> - Set a preffered check engine for XCCDF rules. If a rule has multiple checks, the checks for the preffered check engine will be used. Allowed values: <span class="monospaced">SCE</span>, <span class="monospaced">OVAL</span>. If this variable is set to <span class="monospaced">SCE</span> and a rule has both SCE and OVAL checks the SCE check will be used. If this variable is set to <span class="monospaced">OVAL</span> and a rule has both SCE and OVAL checks the OVAL check will be used. If this environment variable isn&#8217;t set, the standard XCCDF mechanism will be used for check selection.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Also, OpenSCAP uses <span class="monospaced">libcurl</span> library which also can be configured using environment variables. See <a href="https://curl.se/libcurl/c/libcurl-env.html">the list of libcurl environment variables</a>.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_using_external_or_remote_resources">12. Using external or remote resources</h2>
<div class="sectionbody">
<div class="paragraph"><p>Some SCAP content references external resources. For example, older versions of SCAP Security Guide (prior to version 0.1.73)
used external OVAL file to check that the system is up to date and has no known
security vulnerabilities. However, other content can use external resources for
other purposes.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">Starting with version 0.1.73, SCAP Security Guide content doesn&#8217;t use external resources anymore.</td>
</tr></table>
</div>
<div class="paragraph"><p>When you are evaluating SCAP content with external resources the <span class="monospaced">oscap</span> tool
will warn you:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_common \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content</pre>
</div></div>
<div class="paragraph"><p>By default the <span class="monospaced">oscap</span> tool will not blindly download and execute remote content.
If you trust your local content and the remote content it references, you can use
the <span class="monospaced">--fetch-remote-resources</span> option to automatically download it using the
<span class="monospaced">oscap</span> tool.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--fetch-remote-resources \
--profile xccdf_org.ssgproject.content_profile_common \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
Title   Ensure /var/log Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log
...</pre>
</div></div>
<div class="paragraph"><p>On systems that don&#8217;t have a direct internet access or if the user doesn&#8217;t want OpenSCAP to connect to the network it&#8217;s possible to download the remote content using other tools, save it to a directory and then pass it to OpenSCAP as a file.
To do that, use <span class="monospaced">--local-files</span> instead of <span class="monospaced">--fetch-remote-resources</span> as argument of the <span class="monospaced">oscap</span> command.</p></div>
<div class="paragraph"><p>In place of the remote data stream component OpenSCAP  will attempt to use a file whose file name is equal to <span class="monospaced">name</span> attribute of the <span class="monospaced">uri</span> element within the <span class="monospaced">catalog</span> element within the <span class="monospaced">component-ref</span> element representing a checklist in the data stream if such file exists.</p></div>
<div class="paragraph"><p>In the following example, the <span class="monospaced">ssg-rhel8-ds.xml</span> is an SCAP source datastream.
It needs some checks from a remote component. The remote component&#8217;s <span class="monospaced">component-ref</span> ID is <span class="monospaced">scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml</span>  and the <span class="monospaced">component-ref</span> is pointing to <span class="monospaced">https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml</span>.
The checks from the remote component are used in the only checklist in the data stream.
The <span class="monospaced">component-ref</span> of the checklist component contains a <span class="monospaced">catalog</span> where one of the <span class="monospaced">uri</span> elements maps the remote component&#8217;s <span class="monospaced">component-ref</span> ID in the <span class="monospaced">uri</span> attribute to the actual name <span class="monospaced">security-data-oval-com.redhat.rhsa-RHEL8.xml</span> which is the value of the <span class="monospaced">name</span> attribute.
Therefore, we can download the remote data from <span class="monospaced">https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml</span> and save it as <span class="monospaced">security-data-oval-com.redhat.rhsa-RHEL8.xml</span> to some directory.
Then, we execute <span class="monospaced">oscap</span> with <span class="monospaced">--local-files</span> and provide a path to the directory where it&#8217;s located.
It will pick the file and use it instead of the remote data and it won&#8217;t connect to the network.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ mkdir ~/scap-files
$ wget -O ~/scap-files/security-data-oval-com.redhat.rhsa-RHEL8.xml https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
...
$ oscap xccdf eval --local-files ~/scap-files --profile ospp ssg-rhel8-ds.xml</pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">The <span class="monospaced">--local-files</span> option works only with SCAP 1.3 source data streams. It can&#8217;t be used with SCAP 1.2 source data streams.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_practical_examples">13. Practical Examples</h2>
<div class="sectionbody">
<div class="paragraph"><p>This section demonstrates practical usage of certain security content provided
for Red Hat products.</p></div>
<div class="paragraph"><p>These practical examples show usage of industry standard checklists that
were validated by NIST.</p></div>
<div class="sect2">
<h3 id="_auditing_system_settings_with_scap_security_guide">13.1. Auditing System Settings with SCAP Security Guide</h3>
<div class="paragraph"><p>The SSG project contains guidance for settings of Red Hat Enterprise Linux 7.</p></div>
<div class="paragraph"><p>1) Install the SSG</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ sudo yum install -y scap-security-guide</pre>
</div></div>
<div class="paragraph"><p>2) To inspect the security content use the <span class="monospaced">oscap info</span> module:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info /usr/share/xml/scap/ssg/rhel7/ssg-rhel7-ds.xml</pre>
</div></div>
<div class="paragraph"><p>The output of this command contains available configuration profiles. To audit
your system settings choose the
 <span class="monospaced">xccdf_org.ssgproject.content_profile_rht-ccp</span> profile and run the
evaluation command . For example, the The following command is used to assess
the given system against a draft SCAP profile for Red Hat Certified Cloud
Providers:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_rht-ccp \
--results ssg-rhel7-xccdf-result.xml \
--report ssg-rhel7-report.html \
/usr/share/xml/scap/ssg/rhel7/ssg-rhel7-ds.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_auditing_security_vulnerabilities_of_red_hat_products">13.2. Auditing Security Vulnerabilities of Red Hat Products</h3>
<div class="paragraph"><p>The Red Hat Security Response Team provides OVAL definitions for all
vulnerabilities (identified by CVE name) that affect Red Hat Enterprise
Linux 3, 4, 5, 6, 7 and 8. This enable users to perform a vulnerability scan
and diagnose whether system is vulnerable or not. The data is provided in
three ways&#8201;&#8212;&#8201;OVAL file, OVAL + XCCDF and an SCAP source data stream.</p></div>
<div class="sect3">
<h4 id="_oval_xccdf">13.2.1. OVAL + XCCDF</h4>
<div class="paragraph"><p>1)  Download the content</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget https://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
$ wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml</pre>
</div></div>
<div class="paragraph"><p>2)  Run the scan</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --results results.xml --report report.html com.redhat.rhsa-all.xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>This is the sample output. It reports that Red Hat Security
Advisory (RHSA-2013:0911) was issued but update was not applied so a
system is affected by multiple CVEs (CVE-2013-1935, CVE-2013-1943,
CVE-2013-2017)</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>Title   RHSA-2013:0911: kernel security, bug fix, and enhancement update (Important)
Rule    oval-com.redhat.rhsa-def-20130911
Ident   CVE-2013-1935
Ident   CVE-2013-1943
Ident   CVE-2013-2017
Result  fail</pre>
</div></div>
<div class="paragraph"><p>Human readable report <strong>report.html</strong> is generated, as well as "machine"
readable report <strong>results.xml</strong>. Both files hold information about
vulnerability status of scanned system. They map RHSA to CVEs and report
what security advisories are not applied to the scanned system. CVE identifiers
are linked with National Vulnerability Databases where additional information
like CVE description, CVSS score, CVSS vector, etc. are stored.</p></div>
</div>
<div class="sect3">
<h4 id="_oval_only">13.2.2. OVAL only</h4>
<div class="paragraph"><p>1)  Download the content</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml</pre>
</div></div>
<div class="paragraph"><p>2)  Run the scan</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval eval --results results.xml --report report.html com.redhat.rhsa-all.xml</pre>
</div></div>
<div class="paragraph"><p>This is the sample output. It reports that Red Hat Security
Advisory (RHSA-2013:0911) was issued but update was not applied.
Notice that the standard output is different from the XCCDF + OVAL output.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>Definition oval:com.redhat.rhsa:def:20130911: true</pre>
</div></div>
<div class="paragraph"><p>As in case of XCCDF+OVAL, human readable report <strong>report.html</strong>, and "machine"
readable report <strong>results.xml</strong> are generated. Look of <strong>report.html</strong> is different
to the one generated when XCCDF checklist is used as a basis for the scan, the
information in it again holds information about vulnerability status of scanned
system, and mapping of RHSA to CVEs. CVE identifiers are linked with Red Hat
database where additional information like CVE description, CVSS score, CVSS
vector etc. are stored.</p></div>
</div>
<div class="sect3">
<h4 id="_source_data_stream">13.2.3. Source data stream</h4>
<div class="paragraph"><p>The Source data stream use-case is very similar to OVAL+XCCDF. The only
difference is that you don&#8217;t have to download two separate files.</p></div>
<div class="paragraph"><p>1)  Download the content</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-all.ds.xml</pre>
</div></div>
<div class="paragraph"><p>2)  Run the scan</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval --results results.xml --report report.html com.redhat.rhsa-all.ds.xml</pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_more_specialized_files">13.2.4. More Specialized Files</h4>
<div class="paragraph"><p>The files we used above cover multiple Red Hat products. If you only want to
scan one product - for example a specific version of Red Hat Enterprise Linux -
we advise to download a smaller specialized file covering just this one version.
Using a smaller file will utilize less bandwidth and make the evaluation
quicker.</p></div>
<div class="paragraph"><p>For example for Red Hat Enterprise Linux 7 the plain OVAL file is located at:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml</pre>
</div></div>
<div class="paragraph"><p>You can get a list of all the plain OVAL files by visiting
<a href="https://www.redhat.com/security/data/oval/v2/">https://www.redhat.com/security/data/oval/v2/</a></p></div>
<div class="paragraph"><p>The list of available data stream files is available at
<a href="https://www.redhat.com/security/data/metrics/ds/v2/">https://www.redhat.com/security/data/metrics/ds/v2/</a></p></div>
</div>
<div class="sect3">
<h4 id="_disclaimer">13.2.5. Disclaimer</h4>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">Note that these OVAL definitions are designed to only cover software and
updates released by Red Hat. You need to provide additional definitions in order
to detect the patch status of third-party software.</td>
</tr></table>
</div>
<div class="paragraph"><p>To find out more information about this project, see
<a href="https://www.redhat.com/security/data/metrics/">https://www.redhat.com/security/data/metrics/</a>.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_how_to_evaluate_pci_dss_on_rhel7">13.3. How to Evaluate PCI-DSS on RHEL7</h3>
<div class="paragraph"><p>This section describes how to evaluate the Payment Card Industry Data Security
Standard (PCI-DSS) on Red Hat Enterprise Linux 7.</p></div>
<div class="paragraph"><p>1) Install SSG which provides the PCI-DSS SCAP content</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ sudo yum install -y scap-security-guide</pre>
</div></div>
<div class="paragraph"><p>2) Verify that the PCI-DSS profile is present</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml</pre>
</div></div>
<div class="paragraph"><p>3) Evaluate the PCI-DSS content</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--results results.xml \
--profile xccdf_org.ssgproject.content_profile_pci-dss \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml</pre>
</div></div>
<div class="paragraph"><p>4) Generate report readable in a web browser.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate report --output report.html results.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_how_to_evaluate_disa_stig">13.4. How to Evaluate DISA STIG</h3>
<div class="paragraph"><p>This section describes how to evaluate the Defense Information Systems Agency
(DISA) Security Technical Implementation Guide (STIG) on Red Hat Eneterprise
Linux 7.</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Download the DISA STIG content.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R2_STIG_SCAP_1-2_Benchmark.zip</pre>
</div></div>
</li>
<li>
<p>
Unpack the content.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ unzip U_RHEL_7_V3R2_STIG_SCAP_1-2_Benchmark.zip</pre>
</div></div>
</li>
<li>
<p>
Display a list of available profiles.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap info U_RHEL_7_V3R2_STIG_SCAP_1-2_Benchmark.xml</pre>
</div></div>
</li>
<li>
<p>
Evaluate your favorite profile, for example <strong>MAC-1_Public</strong>, and write
ARF results into the results.xml file.
</p>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap xccdf eval \
--profile xccdf_mil.disa.stig_profile_MAC-1_Public \
--results-arf results.xml \
--report report.html \
U_RHEL_7_V3R2_STIG_SCAP_1-2_Benchmark.xml</pre>
</div></div>
</li>
</ol></div>
<div class="paragraph"><p>If you are interested in DISA STIG content for other systems please refer to
<a href="https://public.cyber.mil/stigs/downloads/">DoD Cyber Exchange</a>.</p></div>
</div>
<div class="sect2">
<h3 id="_how_to_evaluate_united_states_government_configuration_baseline_usgcb">13.5. How to Evaluate United States Government Configuration Baseline (USGCB)</h3>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">NIST offers no official USGCB for RHEL6 as of September 2014 but you can
acquire the content from the <a href="https://github.com/OpenSCAP/scap-security-guide">SSG</a> project.</td>
</tr></table>
</div>
<div class="paragraph"><p>The USGCB content for represents Tier IV Checklist for Red Hat
Enterprise Linux 5 (as defined by NIST Special Publication 800-70).</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">Proper evaluation of the USGCB document requires OpenSCAP version 0.9.1
or later.</td>
</tr></table>
</div>
<div class="paragraph"><p>After ensuring that version of OpenSCAP on your system is
sufficient, perform the following tasks:</p></div>
<div class="paragraph"><p>1)  Download the USGCB content.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget http://usgcb.nist.gov/usgcb/content/scap/USGCB-rhel5desktop-1.2.5.0.zip</pre>
</div></div>
<div class="paragraph"><p>2)  Unpack the USGCB content.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ unzip USGCB-rhel5desktop-1.2.5.0.zip</pre>
</div></div>
<div class="paragraph"><p>3)  Run evaluation of the USGCB content.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile united_states_government_configuration_baseline \
--cpe usgcb-rhel5desktop-cpe-dictionary.xml \
--oval-results \
--fetch-remote-resources \
--results results.xml \
usgcb-rhel5desktop-xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>4) Generate a scan report that is readable in a web browser.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf generate report --output report.html results.xml</pre>
</div></div>
<div class="paragraph"><p>Additional reports can be generated from detailed OVAL result files.
Scanner outputs OVAL results files in the current directory, for each
OVAL file on input there is one output. In case of USGCB, there is
one OVAL file distributed along the XCCDF, another one which is
downloaded from Red Hat Repository. The latter contains CVE information
for each evaluated definition.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap oval generate report --output oval-report-1.html usgcb-rhel5desktop-oval.xml.result.xml
$ oscap oval generate report --output oval-report-2.html http%3A%2F%2Fwww.redhat.com%2Fsecurity%2Fdata%2Foval%2Fcom.redhat.rhsa-all.xml.result.xml</pre>
</div></div>
<div class="paragraph"><p>If you&#8217;re interested in running evaluation of the USGCB on a remote machine using
a GUI please see:
<a href="https://open-scap.org/resources/documentation/evaluate-remote-machine-for-usgcb-compliance-with-scap-workbench/">Evaluate
Remote Machine for USGCB Compliance with SCAP Workbench</a> tutorial.</p></div>
</div>
<div class="sect2">
<h3 id="_how_to_evaluate_third_party_guidances">13.6. How to Evaluate Third-Party Guidances</h3>
<div class="paragraph"><p>The SCAP content repository hosted at <a href="https://web.nvd.nist.gov/view/ncp/repository">National Vulnerability Database</a>
(NVD) can be searched for publicly available guidances for a given
product. For example, as per 2013/05/11 there are
<a href="http://web.nvd.nist.gov/view/ncp/repository?tier=3&amp;product=Red+Hat+Enterprise+Linux+5">two</a>
Tier III checklists for Red Hat Enterprise Linux 5. Analogously, the
MITRE Corp. hosts <a href="http://oval.mitre.org/rep-data/">repository</a> of OVAL
content for various platforms, sorted by versions and classes.</p></div>
<div class="paragraph"><p>Likewise the USGCB, any downloaded guidance can be evaluated by
OpenSCAP.</p></div>
<div class="ulist"><ul>
<li>
<p>
Examplary evaluation of DoD Consensus Security Configuration Checklist
for Red Hat Enterprise Linux 5 (2.0)
</p>
</li>
</ul></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget http://nvd.nist.gov/ncp/DoD-RHEL5-desktop.zip
$ unzip DoD-RHEL5-desktop.zip
$ oscap xccdf eval \
--profile DOD_baseline_1.0.0.1 \
--cpe dcb-rhel5_cpe-dictionary.xml \
--results result.xml \
--oval-results \
dcb-rhel5_xccdf.xml</pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
Examplary evaluation of Red Hat 5 STIG Benchmark (Version 1, Release 12)
</p>
</li>
</ul></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ wget http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark.zip
$ unzip U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark.zip
$ oscap xccdf eval \
--profile MAC-2_Public \
--cpe U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml \
--results result.xml \
--oval-results \
U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark-xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>Furthermore, any individual file from the archive can be inspected using
the <span class="monospaced">oscap info</span> command line option. The oscap program does not have
the concept of importing SCAP files, therefore it can process any SCAP
files available on the filesystem. That is possible because the SCAP
standard files are native file formats of the OpenSCAP.</p></div>
</div>
<div class="sect2">
<h3 id="_how_to_check_that_patches_are_up_to_date_on_red_hat_enterprise_linux_6_or_7">13.7. How to check that patches are up-to-date on Red Hat Enterprise Linux 6 or 7</h3>
<div class="paragraph"><p>This section describes how to check that software patches are up-to-date using
external OVAL content.</p></div>
<div class="paragraph"><p>1) Install the SSG</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ sudo yum install -y scap-security-guide</pre>
</div></div>
<div class="paragraph"><p>2a) Evaluate common profile for RHEL 6</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_common \
--fetch-remote-resources \
--results-arf results.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml</pre>
</div></div>
<div class="paragraph"><p>2b) Evaluate common profile for RHEL 7</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_common \
--fetch-remote-resources \
--results-arf results.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml</pre>
</div></div>
<div class="paragraph"><p>This command evaluates common profile for Red Hat Enterprise Linux 6 or 7. Part of
the profile is a rule to check that patches are up-to-date. To evaluate the rule
correctly, oscap tool needs to download an up-to-date OVAL file from Red Hat servers. This can be
allowed using <span class="monospaced">--fetch-remote-resources</span> option. Result of this scan will be saved
in <span class="monospaced">results.xml</span> using ARF format.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_scanning_remote_and_virtual_machines_or_containers">14. Scanning remote and virtual machines or containers</h2>
<div class="sectionbody">
<div class="paragraph"><p>Apart from the <span class="monospaced">oscap</span> command, OpenSCAP provides also other utilities for
special purposes. Those utilities use <span class="monospaced">oscap</span> under the hood, but they
enable users to perform advanced tasks in a single command.
This manual gives a quick overview of and shows basic usage of these tools.
Each of the tools have its own manual page that gives more detailed information.</p></div>
<div class="paragraph"><p>To install these tools install the <span class="monospaced">openscap-utils</span> package.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># dnf install openscap-utils</pre>
</div></div>
<div class="sect2">
<h3 id="_scanning_remote_machines">14.1. Scanning remote machines</h3>
<div class="paragraph"><p>The <span class="monospaced">oscap-ssh</span> command is a simple tool for scanning remote machines with
OpenSCAP over network and collecting results.</p></div>
<div class="paragraph"><p>The tool uses SSH connection to copy the SCAP content to a remote machine, then
it runs an evaluation of the target system and downloads the results back.
The remote machine needs to have OpenSCAP installed.</p></div>
<div class="paragraph"><p>The tool can evaluate source data streams and OVAL files.
Usage of the tool mimics usage and options of <span class="monospaced">oscap</span> tool.</p></div>
<div class="paragraph"><p>In the following example, we will scan a remote Fedora server located on IP address
<strong>192.168.1.13</strong> that listens for SSH connections on port <strong>22</strong>.
The server will be scanned for compliance with the <strong>Common Profile for General-Purpose
Fedora Systems</strong> provided by SCAP Security Guide.
HTML report is written out as <strong>report.html</strong> on the local machine.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap-ssh [email protected] 22 xccdf eval \
--profile xccdf_org.ssgproject.content_profile_common \
--report report.html \
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml</pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_scanning_containers_and_container_images_using_oscap_podman">14.2. Scanning containers and container images using oscap-podman</h3>
<div class="paragraph"><p>The <span class="monospaced">oscap-podman</span> tool can be used to scan Linux containers and container images.
Usage of the tool mimics usage and options of <span class="monospaced">oscap</span> tool.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content"><span class="monospaced">oscap-podman</span> is available only on Fedora and Red Hat Enterprise Linux 8
or newer. On other systems use <span class="monospaced">oscap-docker</span> instead.</td>
</tr></table>
</div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Get the ID of a container or a container image, for example:
</p>
<div class="listingblock">
<div class="content monospaced">
<pre># podman images
REPOSITORY                       TAG     IMAGE ID      CREATED       SIZE
registry.access.redhat.com/ubi8  latest  3269c37eae33  2 months ago  208 MB</pre>
</div></div>
</li>
<li>
<p>
Evaluate the SCAP content, for example:
</p>
<div class="listingblock">
<div class="content monospaced">
<pre># oscap-podman 3269c37eae33 xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</pre>
</div></div>
</li>
</ol></div>
<div class="paragraph"><p>Note that the <span class="monospaced">oscap-podman</span> command requires root privileges.</p></div>
</div>
<div class="sect2">
<h3 id="_building_hardened_bootable_container_images_using_oscap_im">14.3. Building hardened bootable container images using oscap-im</h3>
<div class="paragraph"><p>The <span class="monospaced">oscap-im</span> tool is a convenience script that makes building hardened bootable container images easier.
This tool is designed to be used during the build of the bootable container image.</p></div>
<div class="paragraph"><p>Include <span class="monospaced">oscap-im</span> in your <span class="monospaced">Containerfile</span> that will be used to build your bootable container image.
The <span class="monospaced">Containerfile</span> first needs to install the <span class="monospaced">openscap-utils</span> package which ships the <span class="monospaced">oscap-im</span> tool.</p></div>
<div class="paragraph"><p>Also, SCAP content needs to be installed to the image before <span class="monospaced">oscap-im</span> will be run.
Although any SCAP content can be consumed by the tool, the SCAP source data streams shipped in <span class="monospaced">scap-security-guide</span> are specially cared to be compatible with bootable containers.</p></div>
<div class="paragraph"><p>Example <span class="monospaced">Containerfile</span>:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>FROM quay.io/centos-bootc/centos-bootc:stream9

RUN dnf install -y openscap-utils scap-security-guide

RUN oscap-im --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml</pre>
</div></div>
<div class="paragraph"><p>Once you have your <span class="monospaced">Containerfile</span>, execute the image build:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>podman build -t hardened_image .</pre>
</div></div>
<div class="paragraph"><p>The <span class="monospaced">oscap-im</span> tool installs and removes all packages required by the selected profile to or from the image.
Then, it runs a scan and remediation with the selected profile.
It doesn&#8217;t use offline scanning.
The configuration files and other content in the image are modified by this process, depending on the used SCAP content.</p></div>
<div class="paragraph"><p>The built bootable container image can be then deployed and booted.
After booting the image, the state of the resulting system will be in line with the selected security profile.</p></div>
<div class="paragraph"><p>The <span class="monospaced">oscap-im</span> tool can&#8217;t be used anywhere else than in a <span class="monospaced">Containerfile</span>.</p></div>
</div>
<div class="sect2">
<h3 id="_scanning_of_docker_containers_and_images_using_oscap_docker">14.4. Scanning of Docker containers and images using oscap-docker</h3>
<div class="paragraph"><p>The <span class="monospaced">oscap-docker</span> is used to scan Docker containers and images. It can
assess vulnerabilities in the container or image and check their compliance
with security policies. Usage of the tool mimics usage and options
of <span class="monospaced">oscap</span> tool.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content"><span class="monospaced">oscap-docker</span> isn&#8217;t available on Fedora and on Red Hat Enterprise Linux 8
or newer. On other systems use <span class="monospaced">oscap-podman</span> instead.</td>
</tr></table>
</div>
<div class="paragraph"><p>The <span class="monospaced">oscap-docker</span> tool uses a technique called offline scanning.
That means that the filesystem of the container is mounted to a directory
on the host. The mounted filesystem is read-only. OpenSCAP then assess
the container from the host. Therefore no agent is installed
in the container and container is not touched or changed in any way.</p></div>
<div class="paragraph"><p>In the first example, we will perform a vulnerability assessment
of an Docker image of Red Hat Enterprise Linux 7 (named <strong>rhel7</strong>). The command
will attach docker image, determine OS variant/version, download CVE stream
applicable to the given image and finally it will evaluate the image
for vulnerabilities. CVE stream is a list of vulnerabilities in SCAP format
and is downloaded directly from Red Hat.
HTML report is written out as <strong>report.html</strong> on the local machine.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap-docker image-cve rhel7 --report report.html</pre>
</div></div>
<div class="paragraph"><p>In the second example, we will check the same <strong>rhel7</strong> image for
compliance with a security policy specified in an XCCDF checklist.</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre>$ oscap-docker image rhel7 xccdf eval --report report.html xccdf.xml</pre>
</div></div>
<div class="paragraph"><p>To scan running containers, commands are very similar, just replace
"image-cve" with "container-cve" and "image" with "container".</p></div>
</div>
<div class="sect2">
<h3 id="_scanning_of_virtual_machines_using_oscap_vm">14.5. Scanning of virtual machines using oscap-vm</h3>
<div class="paragraph"><p>OpenSCAP provides a simple tool to evaluate virtual machines called <span class="monospaced">oscap-vm</span>.</p></div>
<div class="paragraph"><p>The tool can scan given virtual machine directly from the virtualisation host.
Usage of the tool mimics usage and options of <span class="monospaced">oscap</span> tool.</p></div>
<div class="paragraph"><p>Similarly to <span class="monospaced">oscap-docker</span>, this utility also uses offline scanning,
so it doesn&#8217;t install anything in the guest, doesn&#8217;t require OpenSCAP
installed in the guest and it doesn&#8217;t create or change anything in the
guest&#8217;s filesystem.</p></div>
</div>
<div class="sect2">
<h3 id="_scanning_arbitrary_filesystems_using_oscap_chroot">14.6. Scanning arbitrary filesystems using oscap-chroot</h3>
<div class="paragraph"><p>A very simple script <span class="monospaced">oscap-chroot</span> can be used to perform
an offline scan of a filesystem that is mounted at arbitrary path.
It can be used for scanning of custom objects that are not supported
by <span class="monospaced">oscap-docker</span> or <span class="monospaced">oscap-vm</span>, like containers in other
formats than Docker.
Again, usage of the tool mimics usage and options of <span class="monospaced">oscap</span> tool.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_scanning_and_remediating_the_system_at_boot_time">15. Scanning and remediating the system at boot time</h2>
<div class="sectionbody">
<div class="paragraph"><p>OpenSCAP can scan and remediate the system at boot time using systemd&#8217;s <span class="monospaced">system-update.target</span>.
The <span class="monospaced">oscap-remediate.service</span> is expecting the <span class="monospaced">/system-update</span> symlink (universal trigger for all services in system-update&#8217;s requires list) which points to a file with base name <span class="monospaced">oscap-remediate-offline.conf.sh</span>.
The file itself could be located anywhere, but it should be accessible at boot time. This configuration file is essentially a Bash script with a set of environment variables, loaded with <span class="monospaced">source</span> by the service.
Upon the start the service will immediately remove the symlink to prevent invocation loop but it won&#8217;t touch the configuration file itself. A helper tool, <span class="monospaced">oscap-remediate-offline</span>, can be used to bootstrap the configuration and prime the <span class="monospaced">/system-update</span> symlink, but its flexibility is limited and in general it should only be used for debugging.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">The <span class="monospaced">oscap-remediate-offline</span> tool should not be considered as a stable API for priming the service. The <strong>only</strong> API of the service is the configuration file and the <span class="monospaced">/system-update</span> symlink pointing to it.</td>
</tr></table>
</div>
<div class="paragraph"><p>Configuration variables:</p></div>
<div class="listingblock">
<div class="content monospaced">
<pre># Mandatory -----------------------------

# The path to the data stream file
OSCAP_REMEDIATE_DS=/some/data_stream.xml

# The ID of the profile to use
OSCAP_REMEDIATE_PROFILE_ID=some_profile

# Optional ------------------------------

# Data stream, XCCDF or Benchmark IDs
# Benchmark ID and DS + XCCDF IDs pair are mutually
# exclusive. DS + XCCDF IDs will take precedence
OSCAP_REMEDIATE_DATASTREAM_ID=some_ds_id
OSCAP_REMEDIATE_XCCDF_ID=some_xccdf_id
OSCAP_REMEDIATE_BENCHMARK_ID=some_bench_id

# Tailoring file and tailoring component ID
OSCAP_REMEDIATE_TAILORING=/some/tailoring.xml
OSCAP_REMEDIATE_TAILORING_ID=tailoring_id

# Where to write ARF result and HTML report
# No defaults, they won't be generated if
# they are not requested explicitly
OSCAP_REMEDIATE_ARF_RESULT=/some/arf_res.xml
OSCAP_REMEDIATE_HTML_REPORT=/some/report.html

# Log file name and verbosity
OSCAP_REMEDIATE_VERBOSE_LOG=/var/some_verbose.log
# Optional even if OSCAP_REMEDIATE_VERBOSE_LOG is provided (default: INFO)
OSCAP_REMEDIATE_VERBOSE_LEVEL=INFO</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_frequently_asked_questions_faqs">16. Frequently Asked Questions (FAQs)</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>Why do I get "notchecked" results when I use e.g. <a href="https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R3_STIG.zip">STIG checklist</a>?</strong></p></div>
<div class="paragraph"><p>The downloaded guidance contains rule descriptions, but it doesn&#8217;t contain OVAL checks which could be used for evaluation by OpenSCAP. You can find guidances with implemented OVAL checks and also with remediations at <a href="https://github.com/ComplianceAsCode/content">ComplianceAsCode</a> project, which contains wide range of profiles.</p></div>
<div class="paragraph"><p><strong>How can I create a tailoring file if I can&#8217;t install SCAP Workbench?</strong></p></div>
<div class="paragraph"><p>Use the <span class="monospaced">autotailor</span> tool which allows you to create tailoring files using command line options.
For more information, please refer to section <a href="#_tailoring">Tailoring</a>.</p></div>
<div class="paragraph"><p><strong>I try to apply a tailoring file, but OpenSCAP still evaluates rules that I have unselected. How can I enforce my changes of the profile?</strong></p></div>
<div class="paragraph"><p>Make sure that you provide the ID of the customized profile in <span class="monospaced">--profile</span> option instead of the ID of the original profile.
If you created the tailoring file using <span class="monospaced">autotailor</span> and you haven&#8217;t used the <span class="monospaced">-p</span> or <span class="monospaced">--new-profile-id</span> option, the ID of the customized profile is the original profile ID with <span class="monospaced">_customized</span> suffix appended.
If you created the tailoring file using SCAP Workbench, you were prompted to choose the ID of the customized profile. By default, the ID of the customized profile is the original profile ID with <span class="monospaced">_customized</span> suffix appended.
You can find the ID of the customized profile with <span class="monospaced">oscap info &lt;your_tailoring_file&gt;</span> command.</p></div>
<div class="paragraph"><p><strong>My SCAP source data stream contains rule <span class="monospaced">security_patches_up_to_date</span> which needs to download some data from the internet to work.</strong>
<strong>But I&#8217;m in an air gapped environment so it can&#8217;t download it.</strong>
<strong>Can I download it separately and pass it to oscap?</strong></p></div>
<div class="paragraph"><p>Yes, it&#8217;s possible, you can download the file on other computer that is connected to the internet and then copy the file to the system where you run <span class="monospaced">oscap</span>.
Instead of the <span class="monospaced">--fetch-remote-resources</span> option you will use the <span class="monospaced">--local-files</span> option.
This option works only with SCAP 1.3 source data streams. It can&#8217;t be used with SCAP 1.2 source data streams.
For more information, please refer to section <a href="#_using_external_or_remote_resources">Using external or remote resources</a>.</p></div>
</div>
</div>
</div>
<div id="footnotes"><hr></div>
<div id="footer">
</div>
</body>
</html>

Youez - 2016 - github.com/yon3zu
LinuXploit