Tools
The BMC Client Management SCAP implementation includes different components, either dynamic libraries or command line tools:
Component | Purpose |
---|---|
libMtxScap.dll (libMtxScap.so for Linux and MacOS) | This dynamic library implements the different SCAP standards except OVAL. |
libMtxOval.dll (libMtxOval.so for Linux and MacOS) | This dynamic library implements the OVAL standard. |
mtxscap.exe (mtxscap for Linux and MacOS) | This command line tool is built on the two libraries above and processes SCAP and OVAL content. |
mtxscap-cmdlet.dll | This dynamic library implements the win-def:cmdlet_test. |
mtxscap.exe/mtxscap
This command line tool parses, displays or evaluates SCAP 1.0/1.1/1.2/1.3 and OVAL content. BMC Client Management uses this binary to execute SCAP scans, but the binary can also be run externally from a Windows console or Unix terminal. The tool accepts the following command line parameters and switches:
Command line switches to set the operation | Purpose |
---|---|
-print | Extract and print information from a SCAP package (version 1.2 or 1.3) specified through the --scap-file parameter. The displayed information includes the data stream collection, data streams, XCCDF checklists and profiles. When combined with -json, the information is displayed using the JSON format. |
-parse | Parse the XML file specified through the --scap-file parameter. If more than one file must be parsed, use --scap-file once per file. By default, the parse operation does not validate the XML files. Use --xml-path to set the folder containing the schemas used to validate the files. |
-eval | Evaluate a SCAP or OVAL content. By default, SCAP is assumed unless the -oval switch is set. The eval operation expects multiple parameters to process the content. If multiple files must be set, use --scap-file for each file to load. |
-oval | Switch to OVAL mode. This mode can be used to evaluate OVAL definitions and supports different command line parameters. |
-help | Display help. |
Command line switches and parameters shared by the SCAP and OVAL modes | Purpose |
---|---|
--log <filepath> | Specify the log file path. Use the special value 'stdout' to write the log to the console output. Note that in this case, both the output and log will be written to the console, unless -quiet is also set to keep only the log. |
-quiet | Do not display output. Use with --log set to the special value 'stdout' in order to redirect the log to the output. |
Command line switches and parameters for the SCAP mode | Purpose |
---|---|
-json | Use this switch with the print operation to display SCAP 1.2/1.3 content information using a JSON format. If omitted, the print operation outputs a tree-based dataset. |
--scap-file <filepath> | Use this parameter to provide a content file. The parameter can be used more than once if multiple files must be supplied, such as for SCAP 1.0 and 1.1 contents, or when specifying external or XCCDF tailoring files. |
--xml-path <dir> | By default, the XML parser does not validate the documents. To activate the validation, specify the folder where the schemas can be found. Note that validation will be enabled even if the configured folder does not include all the required schemas. Use with caution: every file under the configured folder is listed recursively. |
--temp-path <dir> | Configure the folder where temporary files can be created. When not set, the current working directory is used instead. |
--data-stream-id <string> | Configure the data stream identifier to use in order to process the SCAP package. This identifier can be omitted if the package to evaluate has a single data stream, in which case it is automatically selected. The data stream identifiers can be extracted using the -print operation. |
--checklist-id <string> | Configure the checklist identifier to use for the selected data stream in order to process the SCAP package. This identifier can be omitted if the package to evaluate has a single checklist for the selected data stream, in which case it is automatically selected. The checklist identifiers can be extracted using the -print operation. |
--profile-id <string> | Configure the profile identifier to use in order to customize the selected checklist. Profiles are optional and the SCAP package is evaluated without customization when no profile is specified. The profile identifiers can be extracted using the -print operation. |
--tailoring-id <string> | Configure the profile identifier to use in order to customize the package to evaluate. The configured profile identifier must belong to a tailoring component. The tailoring components and their associated profiles can be extracted using the -print operation. |
--xccdf-exceptions-file <filepath> | Use this parameter to provide the engine with a list of XCCDF rules to be marked as exceptions. These rules will be evaluated but the final status can be overridden, having an impact on the final scores. This can be used to ignore one or more XCCDF rules. |
--oval-directives <string> | Configure the OVAL directives to apply (full-with-system-characteristics, full-without-system-characteristics or thin). When omitted, default value full-with-system-characteristics is used. |
--arf-results-file <filepath> | Configure the ARF report file path. Do not write the report when omitted. |
--xccdf-results-file <filepath> | Configure the XCCDF report file path. Do not write the report when omitted. |
--oval-results-file <filepath> | Configure the OVAL report file path. Do not write the report when omitted. |
--xccdf-summary-file <filepath> | Configure the XCCDF summary file path. Unlike the other reports, this one will not be generated in XML but in JSON instead. It contains information about the XCCDF rules and scores. Do not write the report when omitted. |
--error-file <filepath> | Configure the error file path. In case of evaluation error, this file can contain an error code. |
Command line switches and parameters for the OVAL mode | Purpose |
---|---|
--input <filepath> | Use this parameter to provide an OVAL definitions input file. By default, the system characteristics will be collected and analyzed to generate the OVAL results. |
-checksum | Do not evaluate the input file but compute the file checksum instead. The digest algorithm must be provided using either -md5 or -sha1. |
-md5 | Calculate the input file checksum using the MD5 digest algorithm. |
-sha1 | Calculate the input file checksum using the SHA1 digest algorithm. |
--md5 <string> | Calculate the input file checksum and compare the value with the expected string. If the two values do not match, abort the process. The calculated and provided checksums shall use the MD5 digest algorithm. |
--sha1 <string> | Calculate the input file checksum and compare the value with the expected string. If the two values do not match, abort the process. The calculated and provided checksums shall use the SHA1 digest algorithm. |
--schemas <filepath> | By default, the XML parser does not validate the documents. To activate the validation, specify the folder where the schemas can be found. Note that validation will be enabled even if the configured folder does not include all the required schemas. Use with caution: every file under the configured folder is listed recursively. |
--component <string> | It is possible to provide one SCAP 1.2/1.3 input file instead of an OVAL definitions file. In this case, the component identifier under which the OVAL definitions can be found is expected. Note that if no identifier is provided, then the first OVAL definitions document will be used. |
--sys <filepath> | Configure the OVAL system characteristics file path. If combined with the -no-collect switch, the system characteristics information will be loaded from the configured file and not collected. When combined with the -no-analyze switch, the system characteristics information will only be collected and no evaluation will be done. When -no-collect and -no-analyze are omitted, both the data collection and evaluation will be executed. |
-no-collect | Read the system characteristics from the file configured using the --sys command line parameter. In this case, no data collection will be done. |
-no-analyze | Collect the system characteristics and write the file configured using the --sys command line parameter. In this case, no evaluation will be done. |
--dir <filepath> | Configure the OVAL directives file path. The OVAL results will be guided by the directives loaded from this file. |
--def <filepath> | Configure the OVAL definitions file path. If defined, this file must list the OVAL definition identifiers to take into account. Notice that in this case, the system characteristics collection is restricted to the involved objects and the evaluation is limited to the configured OVAL definitions. When omitted, all the OVAL definition identifiers are taken into account. |
--var <filepath> | Configure the OVAL variables file path. If defined, this file must contain the list of external variables to be used for the evaluation operation. |
--res <filepath> | Configure the OVAL results file path. This file will be produced with the output of the evaluation operation, based on the OVAL directives. |
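The following Python wrapper is an added example and is not part of BMC Client Management or its documentation. It assembles mtxscap command lines from the switches in the tables above (SCAP -eval and OVAL modes), performs the same digest check locally that the --md5/--sha1 parameters describe so that a content file whose checksum does not match is never handed to the tool, and reads the --error-file after a run. The binary name, the output file names under the results folder, and the data stream and profile identifiers in the usage section at the bottom are assumptions; mtxscap itself must be installed for run_scan to do anything.

```python
"""Hypothetical wrapper around the mtxscap command line tool (not BMC's code)."""
import hashlib
import subprocess
from pathlib import Path
from typing import List, Optional

# Values accepted by --oval-directives, as listed in the documentation.
OVAL_DIRECTIVES = ("full-with-system-characteristics",
                   "full-without-system-characteristics", "thin")


def build_scap_eval_argv(binary: str, scap_files: List[str], results_dir: str,
                         data_stream_id: Optional[str] = None,
                         checklist_id: Optional[str] = None,
                         profile_id: Optional[str] = None,
                         tailoring_id: Optional[str] = None,
                         oval_directives: str = "full-with-system-characteristics",
                         xml_path: Optional[str] = None) -> List[str]:
    """Command line for '-eval' in SCAP mode; all reports go under results_dir
    (report file names are this wrapper's choice, not mandated by the tool)."""
    if not scap_files:
        raise ValueError("at least one --scap-file is required")
    if oval_directives not in OVAL_DIRECTIVES:
        raise ValueError(f"unknown --oval-directives value: {oval_directives}")
    out = Path(results_dir)
    argv = [binary, "-eval", "--log", str(out / "mtxscap.log")]
    for content in scap_files:            # --scap-file is repeated once per file
        argv += ["--scap-file", content]
    for flag, value in (("--data-stream-id", data_stream_id),
                        ("--checklist-id", checklist_id),
                        ("--profile-id", profile_id),
                        ("--tailoring-id", tailoring_id),
                        ("--xml-path", xml_path)):
        if value:                         # optional selectors only when given
            argv += [flag, value]
    argv += ["--oval-directives", oval_directives,
             "--arf-results-file", str(out / "arf.xml"),
             "--xccdf-results-file", str(out / "xccdf-results.xml"),
             "--oval-results-file", str(out / "oval-results.xml"),
             "--xccdf-summary-file", str(out / "xccdf-summary.json"),  # JSON, not XML
             "--error-file", str(out / "error.txt")]
    return argv


def build_oval_argv(binary: str, input_file: str, results_file: str,
                    sys_file: Optional[str] = None, collect_only: bool = False,
                    evaluate_only: bool = False,
                    definitions_file: Optional[str] = None,
                    variables_file: Optional[str] = None,
                    directives_file: Optional[str] = None,
                    sha1: Optional[str] = None) -> List[str]:
    """Command line for OVAL mode (-eval -oval). collect_only maps to -no-analyze
    (write --sys, skip evaluation); evaluate_only maps to -no-collect (read
    --sys, skip collection). Both together would do nothing, so it is rejected."""
    if collect_only and evaluate_only:
        raise ValueError("choose collect_only or evaluate_only, not both")
    if (collect_only or evaluate_only) and not sys_file:
        raise ValueError("-no-collect and -no-analyze need --sys <filepath>")
    argv = [binary, "-eval", "-oval", "--input", input_file, "--res", results_file]
    if sys_file:
        argv += ["--sys", sys_file]
    if collect_only:
        argv.append("-no-analyze")
    if evaluate_only:
        argv.append("-no-collect")
    for flag, value in (("--def", definitions_file), ("--var", variables_file),
                        ("--dir", directives_file), ("--sha1", sha1)):
        if value:
            argv += [flag, value]
    return argv


def digest_matches(path: str, algorithm: str, expected_hex: str) -> bool:
    """Local counterpart of --md5/--sha1 <string>: digest the file with the named
    algorithm ('md5' or 'sha1') and compare case-insensitively with the expected
    value, so the caller can abort before launching the tool."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("only md5 and sha1 are supported by the tool")
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected_hex.strip().lower()


def read_error_code(error_file: str) -> Optional[str]:
    """Return the text stored in --error-file, or None if the file is missing or
    empty (the tool only writes an error code when the evaluation failed)."""
    p = Path(error_file)
    if not p.is_file():
        return None
    return p.read_text(encoding="utf-8", errors="replace").strip() or None


def run_scan(argv: List[str], error_file: str) -> int:
    """Execute the assembled command line and return its exit status; an error
    code left in --error-file is reported even when the process exits with 0."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    code = read_error_code(error_file)
    if code:
        print(f"mtxscap reported error code {code}")
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample: identifiers would normally come from 'mtxscap -print -json'.
    cmd = build_scap_eval_argv("mtxscap", ["content/example-ds.xml"], "scap-out",
                               data_stream_id="scap_example_datastream",
                               profile_id="xccdf_example_profile")
    print(" ".join(cmd))
```

The two-step pattern the tables describe, running `-print -json` first to obtain the data stream, checklist and profile identifiers and then `-eval` with those identifiers, is what the usage section at the bottom mimics; for OVAL content collected on one host and evaluated elsewhere, call build_oval_argv with collect_only on the target and evaluate_only on the analysis host, both pointing at the same --sys file.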
SCAP OVAL tests
The following OVAL tests are supported:
- ind-def:environmentvariable_test
- ind-def:environmentvariable58_test
- ind-def:family_test
- ind-def:filehash_test
- ind-def:filehash58_test
- ind-def:filemd5_test
- ind-def:ldap_test
- ind-def:textfilecontent_test
- ind-def:textfilecontent54_test
- ind-def:unknown_test
- ind-def:variable_test
- ind-def:xmlfilecontent_test
- linux-def:dpkginfo_test
- linux-def:iflisteners_test
- linux-def:inetlisteningservers_test
- linux-def:partition_test
- linux-def:rpminfo_test
- linux-def:rpmverify_test
- linux-def:rpmverifyfile_test
- linux-def:rpmverifypackage_test
- linux-def:selinuxsecuritycontext_test
- linux-def:selinuxboolean_test
- unix-def:file_test
- unix-def:inetd_test
- unix-def:interface_test
- unix-def:password_test
- unix-def:process_test
- unix-def:process58_test
- unix-def:runlevel_test
- unix-def:shadow_test
- unix-def:sysctl_test
- unix-def:uname_test
- unix-def:xinetd_test
- macos-def:accountinfo_test
- macos-def:inetlisteningserver510_test
- macos-def:nvram_test
- macos-def:pwpolicy59_test
- win-def:accesstoken_test
- win-def:activedirectory_test
- win-def:auditeventpolicy_test
- win-def:auditeventpolicysubcategories_test
- win-def:dnscache_test
- win-def:fileauditedpermissions53_test
- win-def:fileauditedpermissions_test
- win-def:fileeffectiverights53_test
- win-def:fileeffectiverights_test
- win-def:file_test
- win-def:group_test
- win-def:group_sid_test
- win-def:interface_test
- win-def:license_test
- win-def:lockoutpolicy_test
- win-def:metabase_test
- win-def:ntuser_test
- win-def:passwordpolicy_test
- win-def:port_test
- win-def:printereffectiverights_test
- win-def:process58_test
- win-def:process_test
- win-def:registry_test
- win-def:regkeyauditedpermissions53_test
- win-def:regkeyauditedpermissions_test
- win-def:regkeyeffectiverights53_test
- win-def:regkeyeffectiverights_test
- win-def:serviceeffectiverights_test
- win-def:service_test
- win-def:sharedresource_test
- win-def:sid_test
- win-def:sid_sid_test
- win-def:user_test
- win-def:user_sid55_test
- win-def:user_sid_test
- win-def:volume_test
- win-def:wmi57_test
- win-def:wmi_test
- win-def:wuaupdatesearcher_test
- win-def:cmdlet_test (This test is implemented through the mtxscap-cmdlet.dll dynamic library. If the Microsoft .NET 4 Framework is not installed, the library fails to load and the test fails as well.)