oscap-vm - scan virtual machines and their images #175

Merged: 9 commits, Oct 12, 2015

Conversation

mpreisler (Member)

Offline SCAP scanning for VMs that are shut down or running. Uses guestfs tools. My aim was to be as consistent as possible; the tool is similar to oscap-ssh and oscap-docker.

Example usage:

# ./oscap-vm image /var/lib/libvirt/images/rhel7.2.qcow2 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
Mounting guestfs image '/var/lib/libvirt/images/rhel7.2.qcow2' to '/tmp/tmp.PgfWcB0R4g'...
Title   Encrypt Partitions
Rule    xccdf_org.ssgproject.content_rule_encrypt_partitions
Ident   CCE-27128-8
Result  notchecked

[snip]

Title   Enable SSH Warning Banner
Rule    xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident   CCE-27314-4
Result  fail

Title   Create Warning Banners for All FTP Users
Rule    xccdf_org.ssgproject.content_rule_ftp_present_banner
Ident   CCE-RHEL7-CCE-TBD
Result  pass

Unmounting '/tmp/tmp.PgfWcB0R4g'...
# ./oscap-vm domain rhel7.2 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
Mounting guestfs domain 'rhel7.2' to '/tmp/tmp.c69yOdlBNZ'...
Title   Encrypt Partitions
Rule    xccdf_org.ssgproject.content_rule_encrypt_partitions
Ident   CCE-27128-8
Result  notchecked

[snip]

Title   Create Warning Banners for All FTP Users
Rule    xccdf_org.ssgproject.content_rule_ftp_present_banner
Ident   CCE-RHEL7-CCE-TBD
Result  pass

Unmounting '/tmp/tmp.c69yOdlBNZ'...

I will let the documentation speak for itself:

$ ./oscap-vm 
No arguments provided.
oscap-vm -- Tool for offline SCAP evaluation of virtual machines.

Your VM must use /dev/sda1 as the root partition for this script to
work. We think that other configurations are rare enough to limit
the script like that.

Usage:

$ oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

supported oscap xccdf eval options are:
  --profile
  --tailoring-file
  --tailoring-id
  --cpe (external OVAL dependencies are not supported yet!)
  --oval-results
  --sce-results
  --check-engine-results
  --results
  --results-arf
  --report
  --skip-valid
  --fetch-remote-resources
  --progress
  --datastream-id
  --xccdf-id
  --benchmark-id
  --remediate

$ oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

supported oscap oval eval options are:
  --id
  --variables
  --directives
  --results
  --report
  --skip-valid
  --datastream-id
  --oval-id
  --probe-root

$ oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

supported oscap oval collect options are:
  --id
  --syschar
  --variables
  --skip-valid

See `man oscap` to learn more about semantics of these options.
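The usage text above fixes the shape of the wrapper: pick a target (image file or libvirt domain), mount its /dev/sda1 with guestfs, point oscap at the mount point through OSCAP_PROBE_ROOT, evaluate, unmount. As an added example (my sketch, not the oscap-vm script from this pull request), the POSIX sh below shows the front half of such a wrapper: an allow-list of offline-safe `xccdf eval` options, the argument check, and the mount/eval/unmount plan. guestmount, guestunmount and oscap are the real libguestfs and OpenSCAP tools; the function names, the read-only mount and the rejection of --remediate are my choices. The plan is printed rather than executed so it can be exercised without a VM image.

```shell
#!/bin/sh
# Added example: argument handling for an oscap-vm style wrapper, written
# here for illustration. Not the script from the pull request.
# guestmount, guestunmount and oscap are the real tools; the functions,
# the read-only mount and the option allow-list are my own.

# Options accepted for 'xccdf eval' when scanning a mounted guest offline.
# --remediate is deliberately absent: as noted in the discussion, remediation
# does not run under OSCAP_PROBE_ROOT, so it would act on the host, not the guest.
XCCDF_EVAL_OPTS="--profile --tailoring-file --tailoring-id --cpe \
--oval-results --sce-results --check-engine-results --results --results-arf \
--report --skip-valid --fetch-remote-resources --progress --datastream-id \
--xccdf-id --benchmark-id"

# check_option OPT: return 0 if OPT is in the allow-list, 1 otherwise.
check_option() {
    for allowed in $XCCDF_EVAL_OPTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# build_scan_plan MODE TARGET [OSCAP_OPTIONS...] INPUT_CONTENT
# MODE is 'image' (disk image path) or 'domain' (libvirt domain name).
# Validates every --option against the allow-list, then prints the commands
# the scan would run, one per line. Nothing is executed.
build_scan_plan() {
    [ $# -ge 3 ] || {
        echo "usage: build_scan_plan MODE TARGET [OPTIONS...] INPUT_CONTENT" >&2
        return 1
    }
    mode=$1; target=$2; shift 2
    case "$mode" in
        image)  src="-a '$target'" ;;
        domain) src="-d '$target'" ;;
        *) echo "error: mode must be 'image' or 'domain', got '$mode'" >&2; return 1 ;;
    esac
    for arg in "$@"; do
        case "$arg" in
            --*) check_option "$arg" || {
                     echo "error: $arg is not supported for offline evaluation" >&2
                     return 1
                 } ;;
        esac
    done
    # The guest root is assumed to be /dev/sda1 (the same limitation the
    # usage text states). Mount read-only: a compliance scan must never be
    # able to change the VM it inspects.
    echo 'MOUNTPOINT=$(mktemp -d)'
    echo "guestmount $src -m /dev/sda1 --ro \"\$MOUNTPOINT\""
    echo "OSCAP_PROBE_ROOT=\"\$MOUNTPOINT\" oscap xccdf eval $*"
    echo 'guestunmount "$MOUNTPOINT"'
}

# Usage: print the plan for the STIG profile example from the pull request.
build_scan_plan image /var/lib/libvirt/images/rhel7.2.qcow2 \
    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
```

Checking options against an explicit allow-list (rather than forwarding whatever the caller typed) is what keeps --remediate from ever reaching oscap; the --ro mount is the second line of defence, since a read-only guest cannot be modified even if a remediation script did run.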

@mpreisler (Member Author)

I just realized that I should have banned the remediation options. If I recall correctly remediation doesn't chroot and doesn't respect the OSCAP_PROBE_ROOT environment variable.

echo "$ oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT"
echo "$ oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT"
echo
echo "supported oscap xccdf eval options are:"
Contributor

Maybe using the output of oscap xccdf eval --help would be better.
When oscap adds/removes any new parameter, nobody will update this script.

Member Author

I thought about that when implementing oscap-ssh, but the problem is that this doesn't support all the options. I didn't like the idea of filtering the output of oscap xccdf eval and removing the options this doesn't support. I'd much rather provide a list of options that are for sure supported and wait for a request to add more.

Remediation doesn't work in offline mode, oscap will tell that to the
user if it's attempted.

# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
export OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)"
export OSCAP_PROBE_OS_NAME="Linux" # TODO: This may be wrong!
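Review bot: the supported-options list in the usage text still advertises --remediate for xccdf eval, while the comment at the top of this hunk says remediation does not work in offline mode and the author's follow-up says it does not respect OSCAP_PROBE_ROOT; drop --remediate from the list and reject it before the `export OSCAP_PROBE_ROOT=...` line, so a caller cannot trigger remediation against the host while believing it targets the mounted guest. The fixed `OSCAP_PROBE_OS_NAME="Linux"` is already flagged by the TODO and the review thread.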
Member

Shouldn't these values be collected from the VM image, not from the host system?

Member Author

Yup, see the TODO comments :-)

If you have suggestions how to do that in a robust way I am all for it. I don't think this is critical for the first version though.

Member

We have a similar deficiency in oscap-docker. I think we can merge this and fix it when we know how to correct it. I like that we have PRIMARY_HOST_NAME filled in oscap-docker and oscap-vm similarly.
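The thread above asks how OSCAP_PROBE_OS_NAME and friends could be taken from the guest rather than the host. As an added example (my sketch, not code from this pull request or from oscap-docker), the POSIX sh function below derives the offline-probe variables from files under the mount point. OSCAP_PROBE_ROOT, OSCAP_PROBE_OS_NAME and PRIMARY_HOST_NAME are named on this page; OSCAP_PROBE_OS_VERSION and OSCAP_PROBE_ARCHITECTURE are the other offline-mode variables as I recall them from `man oscap`, so treat those two names as an assumption. The heuristics for picking the kernel version (last directory under lib/modules in sort order) and the architecture (final dot-separated field of that version) are mine; make_fake_guest builds a constructed guest tree so the function can be tried without a real image.

```shell
#!/bin/sh
# Added example: derive the oscap offline-probe environment from the mounted
# guest instead of the host. My sketch, not code from the pull request or
# from oscap-docker. OSCAP_PROBE_OS_VERSION and OSCAP_PROBE_ARCHITECTURE are
# assumed names (from memory of 'man oscap'); the rest appear on this page.

# guest_probe_env MOUNTPOINT
# Prints 'export' lines for the OSCAP_PROBE_* variables, reading every value
# from files under MOUNTPOINT. Heuristics (mine): the hostname is the first
# line of etc/hostname; the installed kernel is the last directory under
# lib/modules in sort order; the architecture is the final dot-separated
# field of that kernel version (e.g. 3.10.0-327.el7.x86_64 -> x86_64).
guest_probe_env() {
    root=$1
    [ -d "$root" ] || { echo "error: '$root' is not a directory" >&2; return 1; }
    host=""
    if [ -r "$root/etc/hostname" ]; then
        host=$(sed -n '1p' "$root/etc/hostname")
    fi
    kver=$(for d in "$root"/lib/modules/*/; do
               [ -d "$d" ] || continue
               d=${d%/}; echo "${d##*/}"
           done | sort | tail -n 1)
    if [ -z "$kver" ]; then
        echo "error: no kernel found under $root/lib/modules" >&2
        return 1
    fi
    arch=${kver##*.}
    echo "export OSCAP_PROBE_ROOT='$root'"
    echo "export OSCAP_PROBE_OS_NAME='Linux'"   # fixed, as in the PR script; revisit for non-Linux guests
    echo "export OSCAP_PROBE_OS_VERSION='$kver'"
    echo "export OSCAP_PROBE_ARCHITECTURE='$arch'"
    echo "export OSCAP_PROBE_PRIMARY_HOST_NAME='${host:-localhost}'"
}

# make_fake_guest: constructed guest tree (not a real image) for trying the
# function offline; prints the directory so the caller can remove it.
make_fake_guest() {
    g=$(mktemp -d)
    mkdir -p "$g/etc" "$g/lib/modules/3.10.0-327.el7.x86_64"
    echo "rhel7-vm.example.test" > "$g/etc/hostname"
    echo "$g"
}

# Usage: evaluate the output to set the variables before running oscap, e.g.
#   eval "$(guest_probe_env "$MOUNTPOINT")" && oscap xccdf eval ...
fake=$(make_fake_guest)
guest_probe_env "$fake"
rm -rf "$fake"
```

Reading these values from the guest matters because OVAL checks keyed on kernel version, architecture or hostname would otherwise be evaluated against the scanning host, and a rule can then pass or fail for the wrong machine. The values are single-quoted in the export lines, so a hostname containing shell metacharacters from an untrusted image cannot inject commands when the output is eval'd.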

@isimluk (Member) commented Oct 12, 2015

LGTM.

Special thanks for writing the man page!

isimluk added a commit that referenced this pull request Oct 12, 2015
oscap-vm - scan virtual machines and their images
@isimluk isimluk merged commit fdd96b0 into OpenSCAP:maint-1.2 Oct 12, 2015
@mpreisler mpreisler deleted the oscap_vm branch October 12, 2015 10:12
@mpreisler (Member Author)

Thanks for the review!

4 participants