[Open-scap] Evaluating your OVAL definitions against an RPM database (was: Offline mode scanning)

Daniel Kopecek dkopecek at redhat.com
Wed Jul 3 13:05:27 UTC 2013


Hello,
 I've extended the offline mode scanning a bit. There was an interest in
using openscap to evaluate OVAL definitions using only a list of
packages that are installed on a system. I've implemented a solution for
RPM-based systems, i.e. OVAL definitions that use only the rpminfo object.

Since there are the same problems with the system_info probe, which are
described in the first post in this thread, I've just modified the
offline mode scanning to support sub-modes; currently there are two
of them:

	- chroot ... see the first post, nothing has changed here
	- rpmdb  ... new sub-mode triggered by defining the
	             OSCAP_PROBE_RPMDB_PATH environment variable

The OSCAP_PROBE_RPMDB_PATH has the same meaning as the _dbpath macro in
RPM. The path should point to a directory where the RPM database files
are located.

Assuming that you have copied the RPM db files from a system you'd like
to check into the directory /tmp/rpmdb-el5-guest on your local system,
the steps to evaluate your content are as follows:

	1. Set the path to the RPM database files

	 # export OSCAP_PROBE_RPMDB_PATH="/tmp/rpmdb-el5-guest"
 
	2. Set the required environment variables recognized by
	   the system_info probe:

	 # export OSCAP_PROBE_OS_NAME="Linux"
	 # export OSCAP_PROBE_OS_VERSION="2.6.18"
	 # export OSCAP_PROBE_ARCHITECTURE="x86_64"
	 # export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"

	 Note that you may use any values you want here. These will be
	 stored in the system_info section of the OVAL result document.
 
	3. Run a scan as usual:
 
	 # oscap xccdf eval ... ...

Note that the chroot and rpmdb sub-modes may be combined. Since oscap
will use the rpm library from the host system in the chroot offline
mode, it'll use default values for various RPM settings from the host
system when scanning an image of a different system. Setting the rpmdb
path explicitly will ensure that the rpminfo object will return correct
results in case the scanned system has the RPM database at a different
location than the host system.

I had to change the probe API a bit also. The example from the first
post:

	probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, true);

has changed to:

	probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED,
	                PROBE_OFFLINE_CHROOT);

	The second argument is a mask of supported modes. There are four
	possible values for this argument:
	
	PROBE_OFFLINE_CHROOT ... should be set if the probe is able to
	         run in a different root directory

	PROBE_OFFLINE_RPMDB  ... should be set if the probe is
	         accessing the RPM database and should be enabled in
	         this mode

	PROBE_OFFLINE_ALL    ... special value to enable the probe in
	         all possible offline sub-modes

	PROBE_OFFLINE_NONE   ... set if you don't want the probe to be
	         run in case any offline mode is active

	If you want to enable the probe in the chroot and rpmdb
	sub-modes but not in any other (which makes sense only if we add
	yet another sub-mode in the future) then you can OR those
	together, i.e.:

	probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED,
	                PROBE_OFFLINE_CHROOT|PROBE_OFFLINE_RPMDB);


Dan K.
	

On Mon, 13 May 2013 16:34:20 +0200
Daniel Kopecek <dkopecek at redhat.com> wrote:

> Hello,
>   for some time now I've been working on a simple solution for
> scanning images of virtual hosts with the OpenSCAP library.
> We've been thinking about this for a time now, but the real work
> towards a solution came after a discussion with
> Richard W.M. Jones who came with two proposals. We've decided to try
> the simple-but-not-so-robust one first -- just use
> guestmount to mount the virtual host image somewhere and chroot() the 
> OpenSCAP probes there.
> 
> The implementation is now ready to be tested. It's available in our
> git repository in the offline-mode branch. If the testing
> doesn't reveal any serious issues or regressions, I'll merge it into
> the master branch. Please read the "how to test" section
> below if you want to try out the feature. Please report bugs if you
> find some or write your suggestions if you have some.
> 
> We are aware of some problems already:
>      1. The system_info probe calls uname() to get to the desired information.
>          - As a solution to this, a set of environment variables is expected
>            to be set and the values of these variables are used instead of
>            calling uname(). The variable names are as follows:
> 
>              OSCAP_PROBE_OS_NAME
>              OSCAP_PROBE_OS_VERSION
>              OSCAP_PROBE_ARCHITECTURE
>              OSCAP_PROBE_PRIMARY_HOST_NAME
> 
>            Their names are based on the names of the required system
>            information elements documented here:
> 
> http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/oval-system-characteristics-schema.html#SystemInfoType
> 
>      2. The rpm* related probes emit warnings to stderr because the /proc
>         filesystem is not present
>      3. The family probe has compile-time hard-coded results
>      4. Some probes are implemented so that they are of no use in offline
>         mode and fail or return unreliable results
>          - As a solution to this, I've implemented a new probe option to
>            enable/disable the probe in offline mode. All probes are disabled
>            by default and return a "not applicable" result. Probes which are
>            safe to be run in offline mode were enabled by adding the
>            following call to the probe_init() function:
> 
>                probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, true);
> 
> How to test
> ===========
> 
>      1. Checkout the offline-mode branch from our git repository,
>         compile and install.
>      2. Set the probe root directory and mount a virtual host image
>         using guestmount in that directory:
> 
>          # export OSCAP_PROBE_ROOT="/mnt/guest"
>          # guestmount -a rhel-5-usgcb.img -i --ro "$OSCAP_PROBE_ROOT"
> 
>      3. Set the required environment variables recognized by the
>         system_info probe:
> 
>          # export OSCAP_PROBE_OS_NAME="Linux"
>          # export OSCAP_PROBE_OS_VERSION="2.6.18"
>          # export OSCAP_PROBE_ARCHITECTURE="x86_64"
>          # export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"
> 
>         Note that you may use any values you want here. These will be
>         stored in the system_info section of the OVAL result document.
> 
>      4. Run a scan as usual:
> 
>          # oscap xccdf eval --profile united_states_government_configuration_baseline \
>              --cpe usgcb-rhel5desktop-cpe-dictionary.xml --fetch-remote-resources \
>              --results results.xml usgcb-rhel5desktop-xccdf.xml
> 
> 
> Dan K.
> 
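Assuming the guest image is mounted as in the first post, the script below (added here, not code from the post or from OpenSCAP) copies the guest's RPM database out of the image and derives the system_info values from the image instead of the host, which is exactly the mismatch the note about combining the chroot and rpmdb sub-modes warns about. The function names (copy_guest_rpmdb, guest_os_version, guest_hostname, rpmdb_scan_env) and the RHEL5-style file locations it reads are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenSCAP. Assumes the guest
# image is already mounted read-only at <root> (e.g. with guestmount), that
# its RPM database lives at <root>/var/lib/rpm (the "Packages" file is the
# main Berkeley DB file), and a RHEL5-style /etc/sysconfig/network.

# Copy the guest's RPM database into a local directory and check it is usable.
# Prints the directory to export as OSCAP_PROBE_RPMDB_PATH.
copy_guest_rpmdb() {
    root="$1"; dest="$2"; src="$root/var/lib/rpm"
    if [ ! -f "$src/Packages" ]; then
        echo "no RPM database (Packages) under $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp -p "$src"/* "$dest"/
    echo "$dest"
}

# Take the system_info values from the guest image instead of the host:
# kernel version from the directory name under /lib/modules, host name from
# the HOSTNAME= line of /etc/sysconfig/network (fallbacks if absent).
guest_os_version() {
    v=$(ls "$1/lib/modules" 2>/dev/null | head -n 1)
    echo "${v:-unknown}"
}
guest_hostname() {
    h=$(sed -n 's/^HOSTNAME=//p' "$1/etc/sysconfig/network" 2>/dev/null | head -n 1)
    echo "${h:-localhost}"
}

# Emit the export lines that an rpmdb sub-mode scan needs.
rpmdb_scan_env() {
    root="$1"; dbdir="$2"; arch="${3:-x86_64}"
    printf 'export OSCAP_PROBE_RPMDB_PATH="%s"\n' "$dbdir"
    printf 'export OSCAP_PROBE_OS_NAME="Linux"\n'
    printf 'export OSCAP_PROBE_OS_VERSION="%s"\n' "$(guest_os_version "$root")"
    printf 'export OSCAP_PROBE_ARCHITECTURE="%s"\n' "$arch"
    printf 'export OSCAP_PROBE_PRIMARY_HOST_NAME="%s"\n' "$(guest_hostname "$root")"
}

# Usage: sh prepare-rpmdb-scan.sh /mnt/guest /tmp/rpmdb-el5-guest > env.sh
#        . ./env.sh && oscap xccdf eval --results results.xml <xccdf file>
if [ $# -ge 2 ]; then
    db=$(copy_guest_rpmdb "$1" "$2") && rpmdb_scan_env "$1" "$db"
fi
```

The script refuses to proceed when the copied directory has no Packages file, so a scan never silently falls back to the host's own RPM database.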