[Open-scap] Offline mode scanning
dkopecek at redhat.com
Mon May 13 14:34:20 UTC 2013
For some time now I've been working on a simple solution for scanning
images of virtual hosts with the OpenSCAP library.
We've been thinking about this for a time now, but the real work towards
a solution came after a discussion with
Richard W.M. Jones who came with two proposals. We've decided to try the
simple-but-not-so-robust one first -- just use
guestmount to mount the virtual host image somewhere and chroot() the
OpenSCAP probes there.
The implementation is now ready to be tested. It's available in our git
repository in the offline-mode branch. If the testing
doesn't reveal any serious issues or regressions, I'll merge it into the
master branch. Please read the "how to test" section
below if you want to try out the feature. Please report bugs if you
find some, or write your suggestions if you have some.
We are aware of some problems already:
1. The system_info probe calls uname() to get to the desired
- As a solution to this, a set of environment variables is
expected to be set and the values
of these variables are used instead of calling uname(). The
variable names are as follows:
Their names are based on the names of the required system
information elements documented here:
2. The rpm* related probes emit warnings to stderr because the
/proc filesystem is not present
3. The family probe has compile-time hard-coded results
4. Some probes are implemented so that they are of no use in
offline mode and fail or return unreliable results
- As a solution to this, I've implemented a new probe option to
enable/disable the probe in offline mode. All probes
are disabled by default and return a "not applicable" result.
Probes which are safe to be run in offline mode were
enabled by adding the following call to the probe_init()
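To make the two fixes above concrete, here is a small C model of the behaviour described in points 1 and 4. It is an added example written for this post, not code from the offline-mode branch; all names (collect_system_info, run_probe, probe_desc, PROBE_OFFLINE_OK) are hypothetical and are not OpenSCAP's API. It shows the system_info probe taking its values from the OSCAP_PROBE_* variables when OSCAP_PROBE_ROOT is set (and refusing to fall back to uname(), which would otherwise describe the scanning host instead of the image), and probes that are not flagged as offline-safe returning "not applicable" instead of running.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Hypothetical model of offline mode (names are this example's, not OpenSCAP's). */

struct sysinfo_result {
    char os_name[65];
    char os_version[65];
    char architecture[65];
    char primary_host_name[65];
    int from_env;   /* 1 when values came from OSCAP_PROBE_* variables */
};

/* Offline mode is active when OSCAP_PROBE_ROOT is set and non-empty. */
int offline_mode_active(void) {
    const char *root = getenv("OSCAP_PROBE_ROOT");
    return root != NULL && root[0] != '\0';
}

static void copy_field(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src ? src : "");
}

/* Returns 0 on success, -1 on error. In offline mode every OSCAP_PROBE_*
 * variable must be present; a missing one is an error rather than a silent
 * fallback to uname(), because uname() describes the host, not the image. */
int collect_system_info(struct sysinfo_result *out) {
    memset(out, 0, sizeof *out);
    if (offline_mode_active()) {
        const char *name = getenv("OSCAP_PROBE_OS_NAME");
        const char *ver  = getenv("OSCAP_PROBE_OS_VERSION");
        const char *arch = getenv("OSCAP_PROBE_ARCHITECTURE");
        const char *host = getenv("OSCAP_PROBE_PRIMARY_HOST_NAME");
        if (!name || !ver || !arch || !host)
            return -1;
        copy_field(out->os_name, sizeof out->os_name, name);
        copy_field(out->os_version, sizeof out->os_version, ver);
        copy_field(out->architecture, sizeof out->architecture, arch);
        copy_field(out->primary_host_name, sizeof out->primary_host_name, host);
        out->from_env = 1;
        return 0;
    }
    /* Online mode: the usual uname() path. */
    struct utsname u;
    if (uname(&u) != 0)
        return -1;
    copy_field(out->os_name, sizeof out->os_name, u.sysname);
    copy_field(out->os_version, sizeof out->os_version, u.release);
    copy_field(out->architecture, sizeof out->architecture, u.machine);
    copy_field(out->primary_host_name, sizeof out->primary_host_name, u.nodename);
    return 0;
}

/* Point 4: probes are disabled in offline mode unless explicitly flagged. */
#define PROBE_OFFLINE_OK 0x1u

struct probe_desc {
    const char *name;
    unsigned flags;
};

enum probe_status { PROBE_RAN, PROBE_NOT_APPLICABLE };

enum probe_status run_probe(const struct probe_desc *p) {
    if (offline_mode_active() && !(p->flags & PROBE_OFFLINE_OK))
        return PROBE_NOT_APPLICABLE;   /* emitted as "not applicable" */
    return PROBE_RAN;
}

int main(void) {
    /* Constructed environment mirroring the "how to test" section. */
    setenv("OSCAP_PROBE_ROOT", "/mnt/guest", 1);
    setenv("OSCAP_PROBE_OS_NAME", "Linux", 1);
    setenv("OSCAP_PROBE_OS_VERSION", "2.6.18", 1);
    setenv("OSCAP_PROBE_ARCHITECTURE", "x86_64", 1);
    setenv("OSCAP_PROBE_PRIMARY_HOST_NAME", "virt-rhel5-usgcb", 1);

    struct sysinfo_result r;
    if (collect_system_info(&r) == 0)
        printf("%s %s %s %s (from_env=%d)\n", r.os_name, r.os_version,
               r.architecture, r.primary_host_name, r.from_env);

    struct probe_desc file_probe  = { "file", PROBE_OFFLINE_OK };
    struct probe_desc uname_probe = { "uname", 0 };
    printf("file: %s\n", run_probe(&file_probe) == PROBE_RAN ? "ran" : "not applicable");
    printf("uname: %s\n", run_probe(&uname_probe) == PROBE_RAN ? "ran" : "not applicable");
    return 0;
}
```

The check in collect_system_info is the part worth keeping in mind when testing: if any of the four variables is missing while OSCAP_PROBE_ROOT is set, the result document would otherwise quietly describe the scanning host, which is exactly the wrong system.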
How to test
1. Checkout the offline-mode branch from our git repository,
compile and install.
2. Set the probe root directory and mount a virtual host image
using guestmount in that directory:
# export OSCAP_PROBE_ROOT="/mnt/guest"
# guestmount -a rhel-5-usgcb.img -i --ro "$OSCAP_PROBE_ROOT"
3. Set the required environment variables recognized by the
# export OSCAP_PROBE_OS_NAME="Linux"
# export OSCAP_PROBE_OS_VERSION="2.6.18"
# export OSCAP_PROBE_ARCHITECTURE="x86_64"
# export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"
Note that you may use any values you want here. These will be
stored in the system_info section of the OVAL result document.
4. Run a scan as usual:
# oscap xccdf eval --profile
--results results.xml usgcb-rhel5desktop-xccdf.xml