XSLT C Shell M4 Makefile C++ Other
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
.github Added GitHub issue template Jun 15, 2018
ac_probes Bump version after release May 29, 2018
config/snippet Test driver must not be part of openscap repo. Sep 26, 2014
cpe Add Fedora 30 CPE Aug 17, 2018
dist Updated bash completion. Dec 1, 2017
docs Added guide for writing and running tests for OpenSCAP Jun 26, 2018
lib lib/sys/types.h is product, it should not be in repo. Sep 3, 2014
m4 Made the configure macros work with old versions of autoconf. Mar 21, 2018
release_tools Update release tools README Jun 25, 2018
schemas CVE: IDs are now 4-7 digits long Jan 15, 2018
src Fix misleading identation inside macros Aug 10, 2018
swig Refactored the Python handling in build scripts. Mar 20, 2018
tests Use dollar syntax instead of backticks Aug 10, 2018
utils Remove '\r' characters from help output Apr 27, 2018
xsl Merge pull request #1082 from mpreisler/show_benchmark_version_html_r… Jun 27, 2018
.gitignore Hide Makefiles, /Testing in gitignore Jun 6, 2018
.pep8speaks.yml Added 99-width PEP8 config. Apr 20, 2018
.travis.yml Merge pull request #1046 from matejak/tests_fixes Jun 20, 2018
AUTHORS Add V. Batts into Authors. Jan 15, 2018
COPYING * create fedora specfile Jan 16, 2009
INSTALL cvss library Jan 11, 2009
Makefile.am Remove basic Python implementation of oval_probes.c May 10, 2018
NEWS openscap-1.2.17 May 29, 2018
README.md Updated contribution guide Jun 26, 2018
acinclude.m4 [buildsys] configure: added option to enable building with SSP Aug 4, 2010
autogen.sh remove AC_CONFIG_MACRO_DIR(m4) Mar 30, 2010
confgen.sh confgen.sh: don't overwrite configure.ac in case of a failure Dec 6, 2012
configure.ac Bump version after release May 29, 2018
libopenscap.pc.in Use the TLS version of the openscap website in pkgconfig file Aug 15, 2017
run.in Enable common openscap_api.py build for python2 and python3 Aug 30, 2017
sonar-project.properties Added CI stuff. May 10, 2018



Open Source Security Compliance Solution


The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.


Choose 1a or 1b depending on whether you want sources from a release tarball or the git repository.

  1. a) Use a release tarball:
# replace ${version} with the desired version
wget https://github.com/OpenSCAP/openscap/releases/download/${version}/openscap-${version}.tar.gz
tar -xzpf openscap-${version}.tar.gz
cd openscap-${version}


  1. b) Use fresh sources from git repository. You will also need the following packages to be installed on your system:
autoconf automake libtool

Now get sources from git repository and run ./autogen.sh:

git clone https://github.com/OpenSCAP/openscap.git
cd openscap
  1. To build the library you will need the following build dependencies (some of these are optional, if they are not detected, openscap will be compiled without respective optional features):
dbus-devel GConf2-devel libacl-devel libblkid-devel libcap-devel libcurl-devel \
libgcrypt-devel libselinux-devel libxml2-devel libxslt-devel make openldap-devel \
pcre-devel perl-XML-Parser perl-XML-XPath perl-devel python-devel rpm-devel swig \

On Ubuntu 16.04 the command to install these package is

sudo apt-get install -y autoconf automake libtool make libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python-dev swig libxml-parser-perl libxml-xpath-perl libperl5.22 python-dev libbz2-dev librpm-dev swig

When you have all the build dependencies installed you can run the following commands to build the library:

  1. After building the library you might want to run library self-checks. To do that you need to have these additional packages installed:
wget lua which procps-ng initscripts chkconfig sendmail

and it is also required to have sendmail service running on the system:

systemctl start sendmail.service

Now you can execute the following command to run library self-checks:

make check

Note: If you want to run make distcheck you will also need to install asciidoctor. You can either install rubygem-asciidoctor package (available on Fedora), or you can install rubygems package and then run gem install asciidoctor.

It's also possible to use the make check to test any other oscap binary present in the system. You just have to set the path of the binary to the CUSTOM_OSCAP variable:

export CUSTOM_OSCAP=/usr/bin/oscap; make check

Not every check tests the oscap tool, however, when the CUSTOM_OSCAP variable is set, only the checks which do are executed.

  1. Run the installation procedure by executing the following command:
make install


We welcome all contributions to the OpenSCAP project. If you would like to contribute, either by fixing existing issues or adding new features, please check out our contribution guide to get started. If you would like to discuss anything, ask questions, or if you need additional help getting started, you can either send a message to our FreeNode IRC channel, #openscap, or to our mailing list.

Use cases

SCAP Content Validation

  • The following example shows how to validate a given source data stream; all components within the data stream are validated (XCCDF, OVAL, OCIL, CPE, and possibly other components):
oscap ds sds-validate scap-ds.xml


  • To evaluate all definitions within the given OVAL Definition file, run the following command:
oscap oval eval --results oval-results.xml scap-oval.xml

where scap-oval.xml is the OVAL Definition file and oval-results.xml is the OVAL Result file.

  • To evaluate all definitions from the OVAL component that are part of a particular data stream within a SCAP data stream collection, run the following command:
oscap oval eval --datastream-id ds.xml --oval-id xccdf.xml --results oval-results.xml scap-ds.xml

where ds.xml is the given data stream, xccdf.xml is an XCCDF file specifying the OVAL component, oval-results.xml is the OVAL Result file, and scap-ds.xml is a file representing the SCAP data stream collection.

  • To evaluate a specific profile in an XCCDF file run this command:
oscap xccdf eval --profile Desktop --results xccdf-results.xml --cpe cpe-dictionary.xml scap-xccdf.xml

where scap-xccdf.xml is the XCCDF document, Desktop is the selected profile from the XCCDF document, xccdf-results.xml is a file storing the scan results, and cpe-dictionary.xml is the CPE dictionary.

  • To evaluate a specific XCCDF benchmark that is part of a data stream within a SCAP data stream collection run the following command:
oscap xccdf eval --datastream-id ds.xml --xccdf-id xccdf.xml --results xccdf-results.xml scap-ds.xml

where scap-ds.xml is a file representing the SCAP data stream collection, ds.xml is the particular data stream, xccdf.xml is ID of the component-ref pointing to the desired XCCDF document, and xccdf-results.xml is a file containing the scan results.

Document generation

  • without XCCDF rules
oscap xccdf generate guide XCCDF-FILE > XCCDF-GUIDE-FILE
  • with XCCDF rules
oscap xccdf generate guide --profile PROFILE XCCDF-FILE > XCCDF-GUIDE-FILE
  • generate report from scanning
oscap xccdf generate report XCCDF-RESULT-FILE > XCCDF-REPORT-FILE