
[Open-scap] Offline mode scanning



Hello,
for some time now I've been working on a simple solution for scanning images of virtual hosts with the OpenSCAP library. We've been thinking about this for a time now, but the real work towards a solution came after a discussion with Richard W.M. Jones who came with two proposals. We've decided to try the simple-but-not-so-robust one first -- just use guestmount to mount the virtual host image somewhere and chroot() the OpenSCAP probes there.

The implementation is now ready to be tested. It's available in our git repository in the offline-mode branch. If the testing doesn't reveal any serious issues or regressions, I'll merge it into the master branch. Please read the "how to test" section below if you want to try out the feature. Please report bugs if you find some or write your suggestions if you have some.

We are aware of some problems already:
1. The system_info probe calls uname() to get the desired information. As a solution to this, a set of environment variables is expected to be set and the values of these variables are used instead of calling uname(). The variable names are as follows:

            OSCAP_PROBE_OS_NAME
            OSCAP_PROBE_OS_VERSION
            OSCAP_PROBE_ARCHITECTURE
            OSCAP_PROBE_PRIMARY_HOST_NAME

Their names are based on the names of the required system information elements documented here:

http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/oval-system-characteristics-schema.html#SystemInfoType

2. The rpm* related probes emit warnings to stderr because the /proc filesystem is not present
3. The family probe has compile-time hard-coded results
4. Some probes are implemented so that they are of no use in offline mode and fail or return unreliable results. As a solution to this, I've implemented a new probe option to enable/disable the probe in offline mode. All probes are disabled by default and return a "not applicable" result. Probes which are safe to be run in offline mode were enabled by adding the following call to the probe_init() function:

              probe_setoption(PROBEOPT_OFFLINE_MODE_SUPPORTED, true);

How to test
===========

1. Check out the offline-mode branch from our git repository, compile and install.
2. Set the probe root directory and mount a virtual host image using guestmount in that directory:

        # export OSCAP_PROBE_ROOT="/mnt/guest"
        # guestmount -a rhel-5-usgcb.img -i --ro "$OSCAP_PROBE_ROOT"

3. Set the required environment variables recognized by the system_info probe:

        # export OSCAP_PROBE_OS_NAME="Linux"
        # export OSCAP_PROBE_OS_VERSION="2.6.18"
        # export OSCAP_PROBE_ARCHITECTURE="x86_64"
        # export OSCAP_PROBE_PRIMARY_HOST_NAME="virt-rhel5-usgcb"

Note that you may use any values you want here. These will be stored in the system_info section of the OVAL result document.

4. Run a scan as usual:

        # oscap xccdf eval --profile united_states_government_configuration_baseline \
            --cpe usgcb-rhel5desktop-cpe-dictionary.xml --fetch-remote-resources \
            --results results.xml usgcb-rhel5desktop-xccdf.xml


Dan K.
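The four testing steps above wrapped into one script, as an added example that is not part of the OpenSCAP project or of the offline-mode branch. It assumes guestmount and guestunmount are installed, and instead of typing the system_info values by hand it derives them from the mounted guest filesystem with simple heuristics (the last /lib/modules entry, /etc/hostname or a RHEL-style /etc/sysconfig/network, presence of /lib64), since whatever is exported ends up in the system_info section of the results.

```shell
#!/bin/sh
# Added example, not code from the OpenSCAP project: wraps the four-step
# offline scan so the image is always mounted read-only, the system_info
# values come from the guest filesystem instead of being typed in, and the
# image is unmounted again even when oscap fails.

# guest_sysinfo ROOT: print the four OSCAP_PROBE_* assignments for a guest
# root mounted at ROOT. Heuristics (assumptions, not OpenSCAP behaviour):
# kernel version from the last /lib/modules entry, hostname from /etc/hostname
# or a RHEL-style /etc/sysconfig/network, architecture from /lib64.
guest_sysinfo() {
    root=$1
    kver=$(ls "$root/lib/modules" 2>/dev/null | tail -n 1)
    host=""
    if [ -r "$root/etc/hostname" ]; then
        host=$(head -n 1 "$root/etc/hostname")
    elif [ -r "$root/etc/sysconfig/network" ]; then
        host=$(sed -n 's/^HOSTNAME=//p' "$root/etc/sysconfig/network")
    fi
    if [ -d "$root/lib64" ]; then arch=x86_64; else arch=i686; fi
    # Refuse to guess: an empty value would silently end up in the results.
    [ -n "$kver" ] && [ -n "$host" ] || return 1
    printf 'OSCAP_PROBE_OS_NAME=Linux\n'
    printf 'OSCAP_PROBE_OS_VERSION=%s\n' "$kver"
    printf 'OSCAP_PROBE_ARCHITECTURE=%s\n' "$arch"
    printf 'OSCAP_PROBE_PRIMARY_HOST_NAME=%s\n' "$host"
}

# offline_scan IMAGE [oscap xccdf eval arguments...]
# Example: offline_scan rhel-5-usgcb.img --profile PROFILE --results r.xml x.xml
offline_scan() {
    image=$1; shift
    OSCAP_PROBE_ROOT=${OSCAP_PROBE_ROOT:-/mnt/guest}
    export OSCAP_PROBE_ROOT
    mkdir -p "$OSCAP_PROBE_ROOT" || return 1
    # --ro: the probes only read the image; never mount it writable.
    guestmount -a "$image" -i --ro "$OSCAP_PROBE_ROOT" || return 1
    if vars=$(guest_sysinfo "$OSCAP_PROBE_ROOT"); then
        for kv in $vars; do export "$kv"; done
    else
        echo "cannot derive system_info values from $OSCAP_PROBE_ROOT" >&2
        guestunmount "$OSCAP_PROBE_ROOT"
        return 1
    fi
    # Keep oscap's exit status (2 means some rules failed) but always unmount.
    if oscap xccdf eval "$@"; then rc=0; else rc=$?; fi
    guestunmount "$OSCAP_PROBE_ROOT"
    return $rc
}
```

Running it as `offline_scan rhel-5-usgcb.img --profile united_states_government_configuration_baseline --cpe usgcb-rhel5desktop-cpe-dictionary.xml --results results.xml usgcb-rhel5desktop-xccdf.xml` reproduces step 4 with the mount and environment handled for you.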

