This version of the product is in limited support. However, the documentation is available for your convenience.

Tools

The BMC Client Management SCAP implementation includes different components, either dynamic libraries or command line tools. Most of them are located in <agent_dir>/bin.

libMtxScap.dll (libMtxScap.so for Linux and Mac OS X)

This dynamic library actually implements the different SCAP standards except OVAL.

mtxscap.exe (mtxscap for Linux and Mac OS X)

This command line tool is a wrapper for the library above.

mtxoval.exe (mtxoval for Linux and Mac OS X)

This binary (which is a fork of the OVALDI open source software) actually implements the OVAL standard.

mtxscap.exe Options

This command line tool is a wrapper for the libMtxScap library. It makes it possible to parse, display or evaluate SCAP 1.0/1.1/1.2 content. BMC Client Management uses this binary for processing SCAP scans, but end users can also run it from a Windows console or Unix terminal. The tool accepts two groups of command line switches. The first group enables or disables features; these switches start with a single ‘-’ character (ex: -p). The second group expects a parameter directly following the switch keyword; these switches start with a double ‘--’ character (ex: --scap-file scap_gov.nist_USGCB-Windows-7.xml). Below is the list of command line switches:

Each entry below gives the command line switch, its purpose, and its default value where one applies.

--mtxoval-path
  Purpose: Path to the mtxoval.exe (mtxoval under Linux and Mac OS X systems).
  Default: mtxoval.exe (mtxoval under Linux and Mac OS X)

--temp-path
  Purpose: Temporary path where temporary files required by the underlying process will be created.
  Default: temp

--oval-directives
  Purpose: The desired OVAL results output. This switch accepts the following values:
    • full-with-system-characteristics
    • full-without-system-characteristics
    • thin
  Default: full-with-system-characteristics

--xml-path
  Purpose: Path to the various XML schemas. This parameter may be omitted, in which case the input SCAP files will not be validated.

--scap-file
  Purpose: Path to the SCAP file to process. With SCAP 1.0/1.1 content, multiple files can be supplied; in that case the switch must be repeated for each file (ex: --scap-file file1.xml --scap-file file2.xml).

--data-stream-id
  Purpose: Identifier of the data stream to process. This parameter is mainly required when processing SCAP content that has more than one data stream. If the SCAP content includes a single data stream, this parameter can be omitted.

--checklist-id
  Purpose: Identifier of the XCCDF checklist to process. This parameter is mainly required when processing a data stream that has more than one checklist. If the data stream includes a single checklist, this parameter can be omitted.

--profile-id
  Purpose: Identifier of the XCCDF profile to apply. This parameter is optional regardless of the number of profiles registered in the checklist being processed. If it is omitted, no profile is applied.

--xccdf-exceptions-file
  Purpose: Path to an optional file in which XCCDF rule identifiers are registered. These are exceptions and are taken into account to alter the scan results: the rules enumerated in this file always receive the status "pass", indicating an exception to the official results.

--arf-results-file
  Purpose: Path to the output ARF results file. This parameter is ignored unless the supplied SCAP content is version 1.2.

--xccdf-results-file
  Purpose: Path to the output XCCDF results file. This parameter is always available, whatever the processed SCAP version.

--error-path
  Purpose: Path to the output error file where a key error code may be written. This file is only emitted under certain conditions, for example when the supplied SCAP content is not applicable to the system.

--log
  Purpose: Path to the desired output log file. This parameter accepts the special value "stdout", in which case log lines are written directly to the console or terminal.

-parse
  Purpose: Request a SCAP content parsing operation. Depending on the --xml-path switch, this is either a validating or a non-validating parse.

-print
  Purpose: Request a SCAP content print operation. This parses the supplied SCAP content and displays a summary.

-eval
  Purpose: Request a SCAP content evaluation operation. Depending on the other switch values, ARF and/or XCCDF results files are generated.

-quiet
  Purpose: Reduces the amount of data written to the console or terminal.

-no-banner
  Purpose: Suppresses the banner on the console or terminal.
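As an added example (not BMC's own code and not part of this documentation), the following Python script assembles an mtxscap -eval command line from the switches listed above, runs it, and then summarises the XCCDF results file it produces, separating the passes that come from the exceptions file from real passes so they can be reported distinctly. Assumptions not taken from the page: the results file uses the standard XCCDF 1.1 or 1.2 namespace, the sample results document embedded below is constructed, and, because the page does not document the format of the exceptions file, the excepted rule identifiers are passed in as a Python set.

```python
"""Run an mtxscap -eval and summarise the resulting XCCDF results file.

Added example for this page; it is not BMC's own code. Only the switches
documented above are used. Assumptions not taken from the page: the results
file uses the standard XCCDF 1.1 or 1.2 namespace, and the excepted rule
identifiers are passed in as a set (the exceptions file format is undocumented).
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Standard XCCDF namespaces (assumption: mtxscap emits one of these).
XCCDF_NAMESPACES = {
    "http://checklists.nist.gov/xccdf/1.1",
    "http://checklists.nist.gov/xccdf/1.2",
}


def build_mtxscap_eval_command(scap_files, results_file, profile_id=None,
                               data_stream_id=None, checklist_id=None,
                               xml_path=None, exceptions_file=None,
                               log="stdout", executable="mtxscap.exe"):
    """Assemble the argument list for an evaluation run.

    Feature switches take a single dash, parameter switches a double dash, and
    --scap-file is repeated once per file when SCAP 1.0/1.1 content is split
    across several component files.
    """
    if not scap_files:
        raise ValueError("at least one SCAP file is required")
    cmd = [executable, "-eval", "-quiet", "-no-banner"]
    for scap_file in scap_files:
        cmd += ["--scap-file", str(scap_file)]
    cmd += ["--xccdf-results-file", str(results_file), "--log", log]
    # Optional parameters are emitted only when supplied; omitting --xml-path
    # means the input is not validated, as the switch description notes.
    for switch, value in (("--profile-id", profile_id),
                          ("--data-stream-id", data_stream_id),
                          ("--checklist-id", checklist_id),
                          ("--xml-path", xml_path),
                          ("--xccdf-exceptions-file", exceptions_file)):
        if value is not None:
            cmd += [switch, str(value)]
    return cmd


def summarize_xccdf_results(xml_text, exceptions=frozenset()):
    """Count rule results and flag passes that stem from the exceptions file.

    Returns (counts, excepted): counts maps each result string to its total,
    excepted lists rule ids whose "pass" is an exception rather than a real check.
    """
    root = ET.fromstring(xml_text)
    ns_uri = root.tag.partition("}")[0].lstrip("{")
    if ns_uri not in XCCDF_NAMESPACES:
        raise ValueError(f"not an XCCDF 1.1/1.2 document: {ns_uri}")
    result_tag = f"{{{ns_uri}}}result"
    counts = Counter()
    excepted = []
    for rule_result in root.iter(f"{{{ns_uri}}}rule-result"):
        result = rule_result.findtext(result_tag, default="unknown")
        counts[result] += 1
        if result == "pass" and rule_result.get("idref") in exceptions:
            excepted.append(rule_result.get("idref"))
    return dict(counts), excepted


# Constructed sample results document (not produced by mtxscap).
SAMPLE_XCCDF_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_lockout_threshold"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy_service"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_bitlocker"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # Offline demonstration on the constructed sample.
        print(summarize_xccdf_results(SAMPLE_XCCDF_RESULTS,
                                      {"xccdf_example_rule_legacy_service"}))
    else:
        # Usage: python mtxscap_eval.py <results.xml> <scap file> [more files...]
        results = Path(sys.argv[1])
        subprocess.run(build_mtxscap_eval_command(sys.argv[2:], results), check=True)
        counts, _ = summarize_xccdf_results(results.read_text(encoding="utf-8"))
        print(counts)
```

Run without arguments to see the summary of the constructed sample; with a results path and one or more SCAP files it invokes mtxscap.exe from the current directory (pass `executable=` to point at the agent's bin directory). Keeping the exception-driven passes in a separate list lets a report show how many rules are compliant only by policy exception.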

mtxoval.exe Options

This binary (a fork of the OVALDI open source software) implements the OVAL standard. It is either used internally by mtxscap or called by end users from a Windows console or Unix terminal. Depending on the target SCAP version, the tool is applied either to an OVAL definitions file or to a SCAP 1.2 data stream collection document; in the latter case, the component identifier of the underlying OVAL definitions should be supplied. Below is the list of command line switches:

Each entry below gives the command line switch, its purpose, and its default value where one applies.

-o <path>
  Purpose: Path to the oval-definitions XML file.
  Default: definitions.xml

-b <identifier>
  Purpose: Identifier of the OVAL definitions component to retrieve. This parameter is mandatory when processing SCAP 1.2 content and should be omitted otherwise.

-v <string>
  Purpose: Path to the file where OVAL variables are configured.
  Default: external-variables.xml

-f <path>
  Purpose: Path to the file containing a list of OVAL definitions to be evaluated.

-m
  Purpose: Do not verify the input file with an MD5 hash.

-c <path>
  Purpose: Path to the Schematron OVAL definitions file. If this parameter is omitted, no validation is performed on the input file.
  Default: xml\oval-definitions-schematron.xsl

-a <path>
  Purpose: Path to the various XML schemas.
  Default: xml

-i <path>
  Purpose: Path to the system characteristics file to be used. If this parameter is omitted, mtxoval creates new system characteristics content.

-d <path>
  Purpose: Path to the output file where system characteristics should be written.
  Default: system-characteristics.xml

-g <path>
  Purpose: Path to the OVAL directives to be used.
  Default: directives.xml

-r <path>
  Purpose: Path to the output file where OVAL definitions results should be written.
  Default: results.xml

-s
  Purpose: Do not apply the stylesheet to the results file.

-t <path>
  Purpose: Path to the stylesheet document to apply to the results.
  Default: xml\results_to_html.xsl

-x <path>
  Purpose: Path to the file where the transformed results must be written.
  Default: results.html

-j <path>
  Purpose: Path to the Schematron OVAL system characteristics file.
  Default: xml\oval-system-characteristics-schematron.xsl

-k <path>
  Purpose: Path to the Schematron OVAL results file.
  Default: xml\oval-results-schematron.xsl

-p
  Purpose: Provides verbose output.

-l <integer>
  Purpose: Activate the desired log level:
    • DEBUG = 1
    • INFO = 2
    • MESSAGE = 3
    • FATAL = 4

SCAP OVAL tests

The following OVAL tests are supported:

  • ind-def:environmentvariable_test
  • ind-def:environmentvariable58_test
  • ind-def:family_test
  • ind-def:filehash_test
  • ind-def:filehash58_test
  • ind-def:filemd5_test
  • ind-def:ldap_test
  • ind-def:textfilecontent_test
  • ind-def:textfilecontent54_test
  • ind-def:unknown_test
  • ind-def:variable_test
  • ind-def:xmlfilecontent_test
  • linux-def:dpkginfo_test
  • linux-def:iflisteners_test
  • linux-def:inetlisteningservers_test
  • linux-def:partition_test
  • linux-def:rpminfo_test
  • linux-def:rpmverify_test
  • linux-def:rpmverifyfile_test
  • linux-def:rpmverifypackage_test
  • linux-def:selinuxsecuritycontext_test
  • linux-def:selinuxboolean_test
  • unix-def:file_test
  • unix-def:inetd_test
  • unix-def:interface_test
  • unix-def:password_test
  • unix-def:process_test
  • unix-def:process58_test
  • unix-def:runlevel_test
  • unix-def:shadow_test
  • unix-def:sysctl_test
  • unix-def:uname_test
  • unix-def:xinetd_test
  • win-def:accesstoken_test
  • win-def:activedirectory_test
  • win-def:auditeventpolicy_test
  • win-def:auditeventpolicysubcategories_test
  • win-def:cmdlet_test (This test is not supported by the lightweight mtxoval_u.exe binary, which is used in place of mtxoval.exe when the Microsoft .NET Framework 4 is not installed.)
  • win-def:dnscache_test
  • win-def:file_test
  • win-def:fileauditedpermissions_test
  • win-def:fileauditedpermissions53_test
  • win-def:fileeffectiverights_test
  • win-def:fileeffectiverights53_test
  • win-def:group_test
  • win-def:group_sid_test
  • win-def:interface_test
  • win-def:lockoutpolicy_test
  • win-def:metabase_test
  • win-def:passwordpolicy_test
  • win-def:port_test
  • win-def:printereffectiverights_test
  • win-def:process_test
  • win-def:process58_test
  • win-def:registry_test
  • win-def:regkeyauditedpermissions_test
  • win-def:regkeyauditedpermissions53_test
  • win-def:regkeyeffectiverights_test
  • win-def:regkeyeffectiverights53_test
  • win-def:serviceeffectiverights_test
  • win-def:sharedresource_test
  • win-def:sid_sid_test
  • win-def:sid_test
  • win-def:user_test
  • win-def:user_sid_test
  • win-def:user_sid55_test
  • win-def:volume_test
  • win-def:wmi_test
  • win-def:wmi57_test
  • win-def:wuaupdatesearcher_test