oscap-vm - scan virtual machines and their images #175

Merged
merged 9 commits into from Oct 12, 2015

mpreisler commented Oct 8, 2015

Offline SCAP scanning for VMs that are shut down or running. Uses guestfs tools. My aim was to be as consistent as possible; the tool is similar to oscap-ssh and oscap-docker.

Example usage:

# ./oscap-vm image /var/lib/libvirt/images/rhel7.2.qcow2 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
Mounting guestfs image '/var/lib/libvirt/images/rhel7.2.qcow2' to '/tmp/tmp.PgfWcB0R4g'...
Title   Encrypt Partitions
Rule    xccdf_org.ssgproject.content_rule_encrypt_partitions
Ident   CCE-27128-8
Result  notchecked

[snip]

Title   Enable SSH Warning Banner
Rule    xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Ident   CCE-27314-4
Result  fail

Title   Create Warning Banners for All FTP Users
Rule    xccdf_org.ssgproject.content_rule_ftp_present_banner
Ident   CCE-RHEL7-CCE-TBD
Result  pass

Unmounting '/tmp/tmp.PgfWcB0R4g'...
# ./oscap-vm domain rhel7.2 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
Mounting guestfs domain 'rhel7.2' to '/tmp/tmp.c69yOdlBNZ'...
Title   Encrypt Partitions
Rule    xccdf_org.ssgproject.content_rule_encrypt_partitions
Ident   CCE-27128-8
Result  notchecked

[snip]

Title   Create Warning Banners for All FTP Users
Rule    xccdf_org.ssgproject.content_rule_ftp_present_banner
Ident   CCE-RHEL7-CCE-TBD
Result  pass

Unmounting '/tmp/tmp.c69yOdlBNZ'...

I will let the documentation speak for itself:

$ ./oscap-vm 
No arguments provided.
oscap-vm -- Tool for offline SCAP evaluation of virtual machines.

Your VM must use /dev/sda1 as the root partition for this script to
work. We think that other configurations are rare enough to limit
the script like that.

Usage:

$ oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

supported oscap xccdf eval options are:
  --profile
  --tailoring-file
  --tailoring-id
  --cpe (external OVAL dependencies are not supported yet!)
  --oval-results
  --sce-results
  --check-engine-results
  --results
  --results-arf
  --report
  --skip-valid
  --fetch-remote-resources
  --progress
  --datastream-id
  --xccdf-id
  --benchmark-id
  --remediate

$ oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

supported oscap oval eval options are:
  --id
  --variables
  --directives
  --results
  --report
  --skip-valid
  --datastream-id
  --oval-id
  --probe-root

$ oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
$ oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

supported oscap oval collect options are:
  --id
  --syschar
  --variables
  --skip-valid

See `man oscap` to learn more about semantics of these options.

mpreisler commented Oct 8, 2015

I just realized that I should have banned the remediation options. If I recall correctly remediation doesn't chroot and doesn't respect the OSCAP_PROBE_ROOT environment variable.

+ echo "$ oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT"
+ echo "$ oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT"
+ echo
+ echo "supported oscap xccdf eval options are:"
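Review bot: the option list this usage text introduces is hand-maintained and has to be kept in sync with what the script actually forwards; the list printed in the PR description still advertised --remediate, which the later commit "Removed --remediate from supported options in oscap-vm" had to take out. Consider keeping the supported options in one shell variable that both the usage text and the argument check read, so the two cannot drift.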

@ybznek

ybznek Oct 9, 2015

Contributor

Maybe using the output of oscap xccdf eval --help would be better.
When oscap adds/removes any parameter, nobody will update this script.

@mpreisler

mpreisler Oct 9, 2015

Member

I thought about that when implementing oscap-ssh but the problem is that this doesn't support all the options. I didn't like the idea of filtering the output of oscap xccdf eval and removing the options this doesn't support. I'd much rather provide a list of options that are for sure supported and wait for a request to add more.

Removed --remediate from supported options in oscap-vm
Remediation doesn't work in offline mode, oscap will tell that to the
user if it's attempted.
+
+# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
+export OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)"
+export OSCAP_PROBE_OS_NAME="Linux" # TODO: This may be wrong!
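Review bot: `$(cd "$MOUNTPOINT"; pwd)` falls back to the host's working directory when the cd fails (mount failed, typo in the path), so OSCAP_PROBE_ROOT would silently point at the host and the "offline" scan would evaluate the host filesystem instead of the guest. Use `$(cd "$MOUNTPOINT" && pwd)` and abort if it returns non-zero or the result does not contain a guest tree (for example no etc/ under it). The hard-coded OSCAP_PROBE_OS_NAME="Linux" is already flagged by the TODO; until it is read from the guest, that limitation belongs in the usage text next to the /dev/sda1 restriction.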

@jan-cerny

jan-cerny Oct 9, 2015

Member

Shouldn't these values be collected from the VM image, not from the host system?

@mpreisler

mpreisler Oct 9, 2015

Member

Yup, see the TODO comments :-)

If you have suggestions how to do that in a robust way I am all for it. I don't think this is critical for the first version though.

@isimluk

isimluk Oct 12, 2015

Member

We have similar deficiency in oscap-docker. I think we can merge this and fix it when we know how to correct it. I like we have PRIMARY_HOST_NAME filled in oscap-docker and oscap-vm similarly.
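The wrapper behaviour discussed in this thread (setting OSCAP_PROBE_ROOT from a mounted guest, the hard-coded OSCAP_PROBE_OS_NAME TODO and jan-cerny's point about taking values from the image, the PRIMARY_HOST_NAME remark above, and the explicit option whitelist from which --remediate was dropped), as an added example that is not the oscap-vm script from this PR. It runs against a constructed fake guest root instead of a real guestmount. Assumptions: the guest ships /etc/os-release and /etc/hostname, and the variable name OSCAP_PROBE_PRIMARY_HOST_NAME is taken from OpenSCAP's offline-mode documentation (the PR itself only shows OSCAP_PROBE_ROOT and OSCAP_PROBE_OS_NAME).

```shell
#!/bin/sh
# Added example (not the oscap-vm script from this PR): the checks a wrapper that
# sets OSCAP_PROBE_ROOT should make before calling `oscap`, demonstrated against a
# constructed fake guest root instead of a real guestmount.

# Resolve the mount point to an absolute path and refuse anything that does not
# look like a guest root. A bare `$(cd "$dir"; pwd)` would print the host's working
# directory when cd fails, silently turning the "offline" scan into a host scan.
probe_root() {
    pr_dir=$1
    if [ ! -d "$pr_dir/etc" ]; then
        echo "error: '$pr_dir' is not a mounted guest root (no /etc)" >&2
        return 1
    fi
    (cd "$pr_dir" && pwd)
}

# Read one KEY from the guest's /etc/os-release (quotes stripped), not the host's.
# Assumption: the guest has an os-release file.
guest_os_release() {
    gor_file="$1/etc/os-release"
    [ -r "$gor_file" ] || return 1
    sed -n "s/^$2=//p" "$gor_file" | tr -d '"' | head -n 1
}

# Hostname as the guest knows it, falling back to the image/domain name given in $2.
guest_hostname() {
    if [ -r "$1/etc/hostname" ]; then
        head -n 1 "$1/etc/hostname"
    else
        printf '%s\n' "$2"
    fi
}

# Options forwarded to `oscap xccdf eval`: the PR's list minus --remediate, which
# the follow-up commit dropped because remediation does not work in offline mode.
XCCDF_EVAL_OPTS="--profile --tailoring-file --tailoring-id --cpe --oval-results \
--sce-results --check-engine-results --results --results-arf --report --skip-valid \
--fetch-remote-resources --progress --datastream-id --xccdf-id --benchmark-id"

# Succeed only if every --option among the arguments is in the whitelist above;
# `--opt=value` is accepted as well as `--opt value`.
check_xccdf_opts() {
    for cxo_arg in "$@"; do
        case "$cxo_arg" in
            --*)
                cxo_opt=${cxo_arg%%=*}
                case " $XCCDF_EVAL_OPTS " in
                    *" $cxo_opt "*) ;;
                    *) echo "error: option '$cxo_opt' is not supported in offline mode" >&2
                       return 1 ;;
                esac
                ;;
        esac
    done
    return 0
}

# Print the environment a caller would `export` before running oscap.
# OSCAP_PROBE_PRIMARY_HOST_NAME is an assumed variable name (see lead-in).
offline_env() {
    oe_root=$(probe_root "$1") || return 1
    printf 'OSCAP_PROBE_ROOT=%s\n' "$oe_root"
    printf 'OSCAP_PROBE_OS_NAME=%s\n' "Linux"    # assumption kept from the PR's TODO
    printf 'OSCAP_PROBE_PRIMARY_HOST_NAME=%s\n' "$(guest_hostname "$oe_root" "$2")"
}

# Demo against a constructed guest root (no real image is mounted here).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf 'ID=rhel\nVERSION_ID="7.2"\nPRETTY_NAME="Red Hat Enterprise Linux Server 7.2"\n' \
    > "$demo_root/etc/os-release"
echo guest01 > "$demo_root/etc/hostname"
offline_env "$demo_root" rhel7.2
echo "guest is $(guest_os_release "$demo_root" ID) $(guest_os_release "$demo_root" VERSION_ID)"
check_xccdf_opts --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
    --results /tmp/results.xml && echo "options accepted"
check_xccdf_opts --remediate || echo "refused, as intended"
rm -rf "$demo_root"
```

In a real wrapper the demo section is replaced by the guestmount/umount calls, and the three printed variables are exported before `oscap xccdf eval` runs; the whitelist check runs before the image is mounted so a rejected option never leaves a stale mount behind.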

isimluk commented Oct 12, 2015

LGTM.

Special thanks for writing the man page!

isimluk added a commit that referenced this pull request Oct 12, 2015

Merge pull request #175 from mpreisler/oscap_vm
oscap-vm - scan virtual machines and their images

@isimluk isimluk merged commit fdd96b0 into OpenSCAP:maint-1.2 Oct 12, 2015

@mpreisler mpreisler deleted the mpreisler:oscap_vm branch Oct 12, 2015

mpreisler commented Oct 12, 2015

Thanks for the review!