[Open-scap] Offline scanning - SCE, probes
Zbynek Moravec
zmoravec at redhat.com
Wed Apr 13 21:47:51 UTC 2016
Hi
We plan to implement offline scan support for SCE scripts. I would like to ask
for your opinion.
We have two? options for how to deal with SCE offline scan support:
- 1] pass the new root path to the script (env variable)
  - The script will decide how to scan the new root; it can use a path prefix, chroot, ...
- 2] oscap will do chroot before executing the script
  - The script doesn't need to know that it is in a different root
Pros/Cons:
1]
  + easy to implement in oscap
  + the script can use the best way to perform the offline scan
  - old SCE scripts are not compatible
  - a lot of work to deal with offline scan in every script
  - no easy way to detect offline scan support in a script
2]
  + we can use old SCE scripts, and easily write new ones
  - potentially executes evil code (grep/... called from the script) with root rights (but in chroot)
  - offline scan of an incompatible architecture will not work (but the majority use x86_64)
  - complicated way to execute the script in the new root if the FS is read-only and the script cannot be copied there
Which of these two methods is better? Or do you have any better idea?
I have a similar question about probes which support offline scan.
Simplified phases of the rpm probe's life:
1] begin
2] chroot
3] init - rpmReadConfigFiles
4] collect
5] end
During phase 3, some of the dynamic libraries are loaded from the new root.
The question is: when to load the libraries?
- before chroot
  - We can try to force the libraries to load their dynamic parts before chroot,
    but it requires some effort.
- after chroot
  - again, we will run container code with root rights in chroot
Thank you for your opinion!
Zbynek Moravec
OpenSCAP
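To make option 1] concrete, here is an added example (not code from the post or from OpenSCAP) of an SCE-style check that honours a root prefix handed to it in an environment variable; the variable name SCE_OFFLINE_ROOT is hypothetical, and the XCCDF_RESULT_* exit-code values are defaulted so the script runs stand-alone. The constructed offline root is a temporary directory containing only an sshd_config.

```shell
#!/bin/sh
# XCCDF result codes are normally exported by oscap for SCE scripts; the
# defaults below are an assumption so the functions work stand-alone.
: "${XCCDF_RESULT_PASS:=1}"
: "${XCCDF_RESULT_FAIL:=2}"
: "${XCCDF_RESULT_ERROR:=3}"

# Option 1] from the thread: oscap passes the new root in an env variable
# (SCE_OFFLINE_ROOT is a hypothetical name) and the script applies it as a
# path prefix. Unset, empty or "/" means "scan the live system".
resolve_path() {
    root="${SCE_OFFLINE_ROOT:-/}"
    root="${root%/}"            # "/" becomes "", so the path is unchanged
    printf '%s\n' "${root}$1"
}

# Checks that the last effective PermitRootLogin directive is "no".
# Prints the XCCDF result code (instead of returning it) so callers can
# capture it; an SCE wrapper would then exit with that value.
check_permit_root_login() {
    cfg="$(resolve_path /etc/ssh/sshd_config)"
    if [ ! -r "$cfg" ]; then
        printf '%s\n' "$XCCDF_RESULT_ERROR"   # missing file in the offline root
        return 0
    fi
    # ignore commented lines; sshd uses the first match, demo takes the last
    # uncommented whitespace-separated form for simplicity
    val="$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
           | tail -n 1 | awk '{print tolower($2)}')"
    if [ "$val" = "no" ]; then
        printf '%s\n' "$XCCDF_RESULT_PASS"
    else
        printf '%s\n' "$XCCDF_RESULT_FAIL"
    fi
}

# Constructed offline root for the demo: a temp dir with one config file.
make_demo_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc/ssh"
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
    printf '%s\n' "$d"
}

# Entry point when shipped as an SCE check: exit status is the XCCDF result.
main() {
    exit "$(check_permit_root_login)"
}
```

Note that the same script run under option 2] (oscap chroots first) would work without the prefix logic, which is exactly the compatibility advantage the post lists for that option.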