[Open-scap] Offline mode scanning

Steve Grubb sgrubb at redhat.com
Thu May 16 12:47:48 UTC 2013


On Thursday, May 16, 2013 10:37:25 AM Richard W.M. Jones wrote:
> On Mon, May 13, 2013 at 11:00:53AM -0400, Steve Grubb wrote:
> > On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
> > >   for some time now I've been working on a simple solution for scanning
> > > images of virtual hosts with the OpenSCAP library.
> > > We've been thinking about this for a time now, but the real work towards
> > > a solution came after a discussion with Richard W.M. Jones who came with
> > > two proposals. We've decided to try the simple-but-not-so-robust one
> > > first -- just use guestmount to mount the virtual host image somewhere
> > > and chroot() the OpenSCAP probes there.
> > 
> > Hmm...what if dependent libraries are missing? For example, suppose
> > you wanted to scan a rhel4 guest and librpm wasn't at the right
> > version?
> 
> In practice I can tell you that this works OK :-)
> 
> There is also another issue which currently affects guestmount (only):
> It doesn't pass through SELinux labels.  We will fix this upstream at
> some point, but it requires us to rework the way we use FUSE.

SELinux labels are just extended attributes. Is there a generic problem of
passing through xattrs which could affect other things like fs capabilities or
ACLs?

-Steve
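As an added example (not code from the thread or from guestmount/OpenSCAP): a Python check that compares the xattrs visible through a mounted guest image against a reference capture of the same tree, and lists which SELinux labels, file capabilities and POSIX ACLs did not come through the mount. The reference capture and the mount paths are assumptions; the walk needs Linux (os.listxattr).

```python
"""Check whether security-relevant xattrs survive a guest image mount.

Assumed usage: capture the tree once where labels are known to be correct
(inside the guest, or via a mount known to pass xattrs), capture it again
through the FUSE mount under test, and diff the two captures.
"""
import os
from typing import Dict, List

# xattr names whose loss or rewrite changes what a scanner will conclude
SECURITY_XATTRS = (
    "security.selinux",          # SELinux label
    "security.capability",       # file capabilities set with setcap
    "system.posix_acl_access",   # POSIX ACL
    "system.posix_acl_default",  # default ACL on directories
)


def collect_xattrs(root: str) -> Dict[str, Dict[str, bytes]]:
    """Map each path under root (relative) to its xattrs; symlinks not followed."""
    result: Dict[str, Dict[str, bytes]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                names = os.listxattr(path, follow_symlinks=False)
                result[rel] = {n: os.getxattr(path, n, follow_symlinks=False)
                               for n in names}
            except OSError:
                # some FUSE filesystems reject listxattr outright: record as empty
                result[rel] = {}
    return result


def missing_security_xattrs(reference: Dict[str, Dict[str, bytes]],
                            observed: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Return {relpath: [security xattrs present in reference but absent or
    different in observed]}. A rewritten label counts as lost, since a mount
    that relabels files misleads a scan just as a mount that drops labels does."""
    lost: Dict[str, List[str]] = {}
    for rel, ref_attrs in reference.items():
        obs_attrs = observed.get(rel, {})
        dropped = [n for n in SECURITY_XATTRS
                   if n in ref_attrs and obs_attrs.get(n) != ref_attrs[n]]
        if dropped:
            lost[rel] = dropped
    return lost


if __name__ == "__main__":
    # assumed paths: a reference mount and the guestmount under test
    report = missing_security_xattrs(collect_xattrs("/mnt/reference"),
                                     collect_xattrs("/mnt/guest"))
    for rel, names in sorted(report.items()):
        print(f"{rel}: lost {', '.join(names)}")
```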