LinuxCommandLibrary

oscap

Assess system security compliance

SYNOPSIS

oscap [global-options] module [module-specific-options] [arguments]

PARAMETERS

--help
    Displays help information for the command or a specific module.

--version
    Shows the oscap tool's version information.

--verbose
    Increases the verbosity of output messages to standard error.

--debug
    Enables debug output, providing more detailed internal information for troubleshooting.

--root <directory>
    Specifies an alternative root directory to scan instead of the live system's root (e.g., for scanning a chrooted environment).

--skip-valid
    Skips the validation of input XML files against their respective schemas. Use with caution as it may lead to unreliable results.

--local-files
    Restricts scanning operations to local files and directories, preventing network access for content retrieval.

DESCRIPTION

oscap is the command-line utility for OpenSCAP, an open-source project providing a standardized platform for security automation. It enables users to scan systems for security compliance, assess vulnerabilities, and enforce security policies based on various open security content standards.

OpenSCAP leverages standards like SCAP (Security Content Automation Protocol), which includes sub-specifications such as XCCDF (Extensible Configuration Checklist Description Format) for checklists, OVAL (Open Vulnerability and Assessment Language) for vulnerability definitions, and CPE (Common Platform Enumeration) for system identification. oscap acts as the primary interface to perform these operations, allowing system administrators and security auditors to automate security audits, generate detailed reports, and ensure systems adhere to specific security baselines, such as DISA STIGs or CIS Benchmarks. It supports scanning local systems as well as remote machines, and can be used for both compliance reporting and remediation tasks.

CAVEATS

Scanning with oscap often requires root privileges to access system configuration files and audit data for comprehensive and accurate assessments. The --remediate option (used with modules like xccdf eval) makes irreversible changes to the system; use it with extreme caution and ensure proper backups or a testing environment. oscap relies heavily on specific SCAP content files (e.g., XCCDF, OVAL) which must be installed and up-to-date for accurate and relevant security checks.

MODULES

The oscap command operates through various modules, each performing a specific task related to SCAP content and system assessment. This modular design makes oscap highly versatile. Common modules include:

  • info: Displays metadata and information about SCAP content files (e.g., XCCDF, OVAL).
  • eval: Evaluates a system against a security baseline defined in an XCCDF or OVAL file, producing a detailed assessment report.
  • scan: A general-purpose module often used as a wrapper for evaluations or combined scanning tasks.
  • fix: Applies remediations to a system based on rules defined in an XCCDF profile, attempting to bring the system into compliance.
  • cpe: Manages Common Platform Enumeration dictionaries and checks system CPE identity.
  • ds: Manages operations related to SCAP Data Streams, which bundle various SCAP content components.

Each module typically has its own set of specific options.
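The scan workflow the page describes, as an added example that is not oscap's own code or part of the original page: it builds an xccdf eval invocation, interprets the evaluation's exit status, and generates a remediation script to review rather than applying --remediate to the live system. The data stream path and profile id are assumed placeholders; substitute the ones oscap info lists for your content.

```shell
#!/bin/sh
# Added example of an oscap compliance-scan workflow (not part of the
# oscap project). Assumptions, labelled: DS and PROFILE below are
# placeholders for a scap-security-guide data stream and one of its
# profile ids; "oscap info DS" shows the real ids available.
set -u

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml}"   # assumed path
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_cis}"  # assumed id

# Build the "xccdf eval" command line as text so it can be logged or
# reviewed before anything runs. --results-arf writes the ARF results,
# --report writes the HTML report. Usage: scan_cmd DS PROFILE ARF REPORT
scan_cmd() {
  printf 'oscap xccdf eval --profile %s --results-arf %s --report %s %s\n' \
    "$2" "$3" "$4" "$1"
}

# Map the exit status of "oscap xccdf eval" to a verdict:
#   0 = every selected rule passed
#   2 = the scan completed but at least one rule failed
#   anything else = the scan itself did not complete (bad content,
#                   missing privileges, schema validation failure, ...)
scan_verdict() {
  case "$1" in
    0) echo compliant ;;
    2) echo noncompliant ;;
    *) echo error ;;
  esac
}

# Rather than --remediate (which changes the system in place), emit a
# bash remediation script for the same profile so it can be reviewed and
# tested first. Usage: fix_script_cmd DS PROFILE OUTPUT
fix_script_cmd() {
  printf 'oscap xccdf generate fix --fix-type bash --profile %s --output %s %s\n' \
    "$2" "$3" "$1"
}

# Full run; only meaningful on a host with oscap and the content installed.
main() {
  command -v oscap >/dev/null 2>&1 || { echo "oscap not installed" >&2; return 1; }
  oscap info "$DS"                                       # confirm the profile ids
  sh -c "$(scan_cmd "$DS" "$PROFILE" arf.xml report.html)"
  rc=$?
  echo "scan verdict: $(scan_verdict "$rc")"
  sh -c "$(fix_script_cmd "$DS" "$PROFILE" remediate.sh)"   # review before applying
  return "$rc"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh scan.sh run` (as root, per the CAVEATS above, so the checks can read system configuration). Because exit status 2 means "scan worked, system not compliant", a CI gate can treat 0 as pass, 2 as a policy failure, and anything else as a broken scan that needs investigation rather than a compliance verdict.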

SCAP CONTENT

oscap is a tool that processes security content; it does not contain the security rules itself. It requires SCAP content, which defines the security baselines (XCCDF profiles) and vulnerability definitions (OVAL definitions) that oscap uses to perform scans and assessments. This content is typically provided by separate packages like scap-security-guide (SSG), which offers comprehensive security policies for various operating systems and compliance frameworks (e.g., CIS Benchmarks, DISA STIGs). Without relevant and up-to-date content, oscap cannot perform meaningful security checks or generate compliance reports.

OUTPUT FORMATS

After an evaluation, oscap can generate results and reports in several standardized and human-readable formats. These outputs are crucial for auditing, compliance reporting, and identifying areas for remediation:

  • SCAP Results (ARF): The standardized Asset Reporting Format XML, which bundles every finding together with the evidence collected for it.
  • HTML Reports: Human-readable reports, often generated from the ARF, providing a user-friendly summary viewable in a web browser.
  • OVAL Results XML: Specific XML output containing the results of OVAL evaluations.
  • XCCDF Results XML: Specific XML output containing the results of XCCDF evaluations, detailing rule applicability and compliance status.
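As an added example (not oscap's own code or part of the original page), the following script summarizes the XCCDF Results XML format listed above: it counts rule results by status and lists the rule ids that failed, which is the list a remediation review starts from. The results document embedded in it is constructed for illustration with placeholder rule ids; the awk relies on oscap's layout of one <rule-result> start tag per line with its <result> child on a following line.

```shell
#!/bin/sh
# Added example: summarize an XCCDF results file with awk (not part of the
# oscap project). The sample document below is constructed for this demo;
# its rule ids are placeholders, not real scap-security-guide rules.
set -u

sample_results() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_demo">
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_package_audit_installed" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewalld_enabled" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_grub2_password" severity="high" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">33.333333</score>
</TestResult>
EOF
}

# Print "status<TAB>rule-id" for every rule-result in FILE. The rule id is
# remembered from the start tag and paired with the next <result> line.
rule_results() {
  awk '
    /<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
    /<result>/      { s = $0; sub(/.*<result>/, "", s); sub(/<\/result>.*/, "", s); print s "\t" id }
  ' "$1"
}

# Count rule results with the given status (pass, fail, notapplicable, ...).
count_result() {
  rule_results "$1" | awk -F'\t' -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}

# List the rule ids whose result is STATUS, one per line.
rules_with_result() {
  rule_results "$1" | awk -F'\t' -v want="$2" '$1 == want { print $2 }'
}

demo() {
  f=$(mktemp)
  sample_results > "$f"
  echo "failed: $(count_result "$f" fail)  passed: $(count_result "$f" pass)  n/a: $(count_result "$f" notapplicable)"
  echo "rules to remediate:"
  rules_with_result "$f" fail
  rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

For a real scan, point the functions at the file written by `--results` (or extract the XCCDF results from the ARF); the human-readable HTML version of the same data comes from `oscap xccdf generate report --output report.html results.xml`. Counting by status is also a quick sanity check on the scan itself: a results file full of `notchecked` or `error` usually means missing content or insufficient privileges, not a compliant system.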

HISTORY

OpenSCAP is an open-source project primarily initiated and developed by Red Hat. It grew out of the need for a standardized, automated approach to security configuration and compliance within Linux environments, and was designed to implement and facilitate the use of the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) standards. Over the years, OpenSCAP and its command-line interface oscap have evolved into a robust framework, widely adopted in enterprise Linux distributions and government systems for automated security auditing, vulnerability management, and policy enforcement, demonstrating a strong commitment to open security standards and automation.

SEE ALSO

ssg-tools(8), auditctl(8), dnf(8), yum(8)
