[Open-scap] Offline mode scanning

Daniel Kopecek dkopecek at redhat.com
Mon May 13 14:34:20 UTC 2013


Hello,
  for some time now I've been working on a simple solution for scanning 
images of virtual hosts with the OpenSCAP library.
We've been thinking about this for a time now, but the real work towards 
a solution came after a discussion with
Richard W.M. Jones who came with two proposals. We've decided to try the 
simple-but-not-so-robust one first -- just use
guestmount to mount the virtual host image somewhere and chroot() the 
OpenSCAP probes there.

The implementation is now ready to be tested. It's available in our git 
repository in the offline-mode branch. If the testing
doesn't reveal any serious issues or regressions, I'll merge it into the 
master branch. Please read the "how to test" section
below if you want to try out the feature. Please report bugs if you 
find some or write your suggestions if you have some.

We are aware of some problems already:
     1. The system_info probe calls uname() to get to the desired 
information.
         - As a solution to this, a set of environment variables is 
expected to be set and the values
           of these variables are used instead of calling uname(). The 
variable names are as follows:

             OSCAP_PROBE_OS_NAME
             OSCAP_PROBE_OS_VERSION
             OSCAP_PROBE_ARCHITECTURE
             OSCAP_PROBE_PRIMARY_HOST_NAME

           Their names are based on the names of the required system 
information elements documented here:

http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/oval-system-characteristics-schema.html#SystemInfoType

     2. The rpm*-related probes emit warnings to stderr because the 
/proc filesystem is not present
     3. The family probe has compile-time hard-coded results
     4. Some probes are implemented so that they are of no use in 
offline mode and fail or return unreliable results
         - As a solution to this, I've implemented a new probe option to 
enable/disable the probe in offline mode. All probes
           are disabled by default and return a "not applicable" result. 
Probes which are safe to be run in offline mode are
           enabled by adding the following call to the probe_init() 
function:

               probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, true);

How to test
===========

     1. Check out the offline-mode branch from our git repository, 
compile and install.
     2. Set the probe root directory and mount a virtual host image 
using guestmount in that directory:

         # export OSCAP_PROBE_ROOT="/mnt/guest"
         # guestmount -a rhel-5-usgcb.img -i --ro "$OSCAP_PROBE_ROOT"

     3. Set the required environment variables recognized by the 
system_info probe:

         # export OSCAP_PROBE_OS_NAME="Linux"
         # export OSCAP_PROBE_OS_VERSION="2.6.18"
         # export OSCAP_PROBE_ARCHITECTURE="x86_64"
         # export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"

        Note that you may use any values you want here. These will be 
stored in the system_info section of the OVAL result document.

     4. Run a scan as usual:

         # oscap xccdf eval \
             --profile united_states_government_configuration_baseline \
             --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
             --fetch-remote-resources \
             --results results.xml usgcb-rhel5desktop-xccdf.xml


Dan K.
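The four steps of the "how to test" section above, gathered into a small POSIX shell wrapper. This is an added example, not code from the offline-mode branch or from OpenSCAP; it assumes only the variable names given in the post (OSCAP_PROBE_ROOT and the four OSCAP_PROBE_* system_info variables), the guestmount/oscap invocations shown in steps 2 and 4, and the `mountpoint` (util-linux) and `fusermount` (FUSE) tools for checking and detaching the mount. The image, profile and file names are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example wrapper for the offline-mode test procedure (not part of
# OpenSCAP). Variable names come from the announcement; the mount and scan
# commands are the ones from steps 2 and 4; everything else is an assumption.

# Variables the system_info probe reads instead of calling uname() in offline mode.
OFFLINE_VARS="OSCAP_PROBE_OS_NAME OSCAP_PROBE_OS_VERSION OSCAP_PROBE_ARCHITECTURE OSCAP_PROBE_PRIMARY_HOST_NAME"

# check_offline_env: return 0 when OSCAP_PROBE_ROOT and all system_info
# variables are set and non-empty; otherwise print the missing names on
# stdout and return 1. Catches the most likely mistake: forgetting step 3,
# which would make the system_info probe report garbage about the guest.
check_offline_env() {
    missing=""
    for name in OSCAP_PROBE_ROOT $OFFLINE_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# check_probe_root [DIR]: the probe root must be an existing directory that
# is an actual mount point, i.e. guestmount really attached the image there.
# Scanning an empty placeholder directory would produce a result document
# that says nothing about the guest while looking like a successful scan.
check_probe_root() {
    root="${1:-${OSCAP_PROBE_ROOT:-}}"
    [ -d "$root" ] || { echo "not a directory: $root"; return 1; }
    mountpoint -q "$root" || { echo "not mounted: $root"; return 1; }
    return 0
}

# run_offline_scan IMAGE PROFILE CPE_DICT XCCDF RESULTS
# Mount the image read-only (step 2), verify the environment (step 3 must
# already have exported the OSCAP_PROBE_* values), run the scan (step 4) and
# detach the image again. Requires permission to use FUSE. Nothing here runs
# until you call the function yourself.
run_offline_scan() {
    image="$1"; profile="$2"; cpe="$3"; xccdf="$4"; results="$5"
    : "${OSCAP_PROBE_ROOT:=/mnt/guest}"
    export OSCAP_PROBE_ROOT
    mkdir -p "$OSCAP_PROBE_ROOT" || return 1
    guestmount -a "$image" -i --ro "$OSCAP_PROBE_ROOT" || return 1
    # Always detach the image, even when a check or the scan fails.
    trap 'fusermount -u "$OSCAP_PROBE_ROOT"' EXIT
    check_offline_env || return 1
    check_probe_root || return 1
    oscap xccdf eval --profile "$profile" --cpe "$cpe" \
        --fetch-remote-resources --results "$results" "$xccdf"
}

# Example call (placeholder file names, as in the post):
#   export OSCAP_PROBE_OS_NAME="Linux" OSCAP_PROBE_OS_VERSION="2.6.18"
#   export OSCAP_PROBE_ARCHITECTURE="x86_64" OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"
#   run_offline_scan rhel-5-usgcb.img united_states_government_configuration_baseline \
#       usgcb-rhel5desktop-cpe-dictionary.xml usgcb-rhel5desktop-xccdf.xml results.xml
```

`check_probe_root` deliberately tests for a mount point rather than just a directory: an `export OSCAP_PROBE_ROOT` that survived from an earlier session while the guestmount did not is exactly the case where a scan would silently run against the empty host-side directory.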