[Open-scap] Offline mode scanning

Steve Grubb sgrubb at redhat.com
Mon May 13 15:00:53 UTC 2013


On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
>   for some time now I've been working on a simple solution for scanning
> images of virtual hosts with the OpenSCAP library.
> We've been thinking about this for a time now, but the real work towards
> a solution came after a discussion with
> Richard W.M. Jones who came with two proposals. We've decided to try the
> simple-but-not-so-robust one first -- just use
> guestmount to mount the virtual host image somewhere and chroot() the
> OpenSCAP probes there.

Hmm...what if dependent libraries are missing? For example, suppose you wanted 
to scan a rhel4 guest and librpm wasn't at the right version?

Also, I was thinking that for this to really be successful, it might need some 
standards work. For example, if you run content that has a "check for daemons 
that are running without selinux policy", what would the expected result be 
since no daemon could possibly be running?

Also, is there a list of probes that have a dependency on /proc, /sys, or 
/selinux? Which ones cannot be used in this kind of content?

My guess is this should be run through the OVAL Board to at least come up with 
some kind of expectation of results when content isn't specifically tuned for 
offline scanning.

But this would be a really cool feature. I know that there are standards 
bodies that are wanting some kind of security check before booting a guest. It 
might be accomplished using offline scans, it might also be done via TNC. But 
this is very interesting work.

Thanks,
-Steve

 
> The implementation is now ready to be tested. It's available in our git
> repository in the offline-mode branch. If the testing
> doesn't reveal any serious issues or regressions, I'll merge it into the
> master branch. Please read the "how to test" section
> below if you want to try out the feature. Please report bugs if you
> find some or write your suggestions if you have some.
> 
> We are aware of some problems already:
>      1. The system_info probe calls uname() to get to the desired
> information.
>          - As a solution to this, a set of environment variables is
> expected to be set and the values
>            of these variables are used instead of calling uname(). The
> variable names are as follows:
> 
>              OSCAP_PROBE_OS_NAME
>              OSCAP_PROBE_OS_VERSION
>              OSCAP_PROBE_ARCHITECTURE
>              OSCAP_PROBE_PRIMARY_HOST_NAME
> 
>            Their names are based on the names of the required system
> information elements documented here:
> 
> http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/oval-system-characteristics-schema.html#SystemInfoType
> 
>      2. The rpm* related probes emit warnings to stderr because the
> /proc filesystem is not present
>      3. The family probe has compile-time hard-coded results
>      4. Some probes are implemented so that they are of no use in
> offline mode and fail or return unreliable results
>          - As a solution to this, I've implemented a new probe option to
> enable/disable the probe in offline mode. All probes
>            are disabled by default and return a "not applicable" result.
> Probes which are safe to be run in offline mode were
>            enabled by adding the following call to the probe_init()
> function:
> 
>                probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, true);
> 
> How to test
> ===========
> 
>      1. Checkout the offline-mode branch from our git repository,
> compile and install.
>      2. Set the probe root directory and mount a virtual host image
> using guestmount in that directory:
> 
>          # export OSCAP_PROBE_ROOT="/mnt/guest"
>          # guestmount -a rhel-5-usgcb.img -i --ro "$OSCAP_PROBE_ROOT"
> 
>      3. Set the required environment variables recognized by the
> system_info probe:
> 
>          # export OSCAP_PROBE_OS_NAME="Linux"
>          # export OSCAP_PROBE_OS_VERSION="2.6.18"
>          # export OSCAP_PROBE_ARCHITECTURE="x86_64"
>          # export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"
> 
>         Note that you may use any values you want here. These will be
> stored in the system_info section of the OVAL result document.
> 
>      4. Run a scan as usual:
> 
>          # oscap xccdf eval --profile united_states_government_configuration_baseline \
>              --cpe usgcb-rhel5desktop-cpe-dictionary.xml --fetch-remote-resources \
>              --results results.xml usgcb-rhel5desktop-xccdf.xml
> 
> 
> Dan K.
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
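
The "how to test" procedure quoted above sets the four OSCAP_PROBE_* variables by hand and notes that any values will do. The following script is an added example, not code from the OpenSCAP project or from either poster: it derives those values from the mounted guest tree itself, so the system_info section of the result document describes the image that was actually scanned rather than whatever the operator typed. It assumes a RHEL-like guest layout (kernel version from the directory name under /lib/modules, host name from /etc/hostname or from HOSTNAME= in /etc/sysconfig/network, architecture from the e_machine field of the ELF header of /bin/ls); the function names, the sample tree and the 20-byte ELF stub are all constructed for the example. The block does not run guestmount or oscap; the real invocation is shown in a comment at the end.

```sh
#!/bin/sh
# Added example, not part of OpenSCAP or of the original post: derive the
# OSCAP_PROBE_* values for offline-mode scanning from a mounted guest tree.
# Assumptions (mine, not the project's): RHEL-like layout with
# /lib/modules/<kernel-version>, /etc/hostname or /etc/sysconfig/network,
# and an ELF binary at /bin/ls.
set -eu

# Kernel version: name of the first directory under /lib/modules.
guest_os_version() {
    root=$1
    for d in "$root"/lib/modules/*/; do
        [ -d "$d" ] || continue
        basename "$d"
        return 0
    done
    echo "unknown"
}

# Host name: /etc/hostname if present, else HOSTNAME= in /etc/sysconfig/network (RHEL 5/6 style).
guest_hostname() {
    root=$1
    if [ -s "$root/etc/hostname" ]; then
        sed -n '1p' "$root/etc/hostname"
    elif [ -f "$root/etc/sysconfig/network" ]; then
        sed -n 's/^HOSTNAME=//p' "$root/etc/sysconfig/network" | head -n 1
    else
        echo "localhost"
    fi
}

# Architecture: e_machine is bytes 18-19 of the ELF header (little-endian on these targets).
guest_arch() {
    root=$1
    bin="$root/bin/ls"
    [ -f "$bin" ] || { echo "unknown"; return 0; }
    machine=$(od -An -tx1 -j18 -N2 "$bin" | tr -d ' \n')
    case "$machine" in
        3e00) echo "x86_64" ;;
        0300) echo "i686" ;;
        b700) echo "aarch64" ;;
        *)    echo "unknown" ;;
    esac
}

# Emit the export lines the offline-mode probes expect; the caller evals them.
oscap_offline_env() {
    root=$1
    printf 'export OSCAP_PROBE_ROOT="%s"\n' "$root"
    printf 'export OSCAP_PROBE_OS_NAME="Linux"\n'
    printf 'export OSCAP_PROBE_OS_VERSION="%s"\n' "$(guest_os_version "$root")"
    printf 'export OSCAP_PROBE_ARCHITECTURE="%s"\n' "$(guest_arch "$root")"
    printf 'export OSCAP_PROBE_PRIMARY_HOST_NAME="%s"\n' "$(guest_hostname "$root")"
}

# Constructed sample guest tree standing in for a guestmount'ed image.
make_sample_guest() {
    root=$1
    mkdir -p "$root/lib/modules/2.6.18-308.el5" "$root/etc/sysconfig" "$root/bin"
    printf 'NETWORKING=yes\nHOSTNAME=virt-rhel5-usgcb\n' > "$root/etc/sysconfig/network"
    # Minimal 20-byte ELF64 header stub: magic, class=64-bit, data=LSB, version=1,
    # nine zero bytes (OSABI, ABI version, padding), e_type=EXEC, e_machine=0x3e (x86_64).
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$root/bin/ls"
}

SAMPLE_ROOT=$(mktemp -d)
make_sample_guest "$SAMPLE_ROOT"
oscap_offline_env "$SAMPLE_ROOT"

# Against a real image (not executed here):
#   guestmount -a rhel-5-usgcb.img -i --ro /mnt/guest
#   eval "$(oscap_offline_env /mnt/guest)"
#   oscap xccdf eval --profile united_states_government_configuration_baseline \
#       --cpe usgcb-rhel5desktop-cpe-dictionary.xml --results results.xml usgcb-rhel5desktop-xccdf.xml
```

Because the values are read from the guest tree, the result document can be tied back to the image it describes, which matters if these reports are to be consumed by something deciding whether a guest may boot. The e_machine mapping covers only the three architectures listed; anything else is reported as "unknown" rather than guessed.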
