[Open-scap] Offline mode scanning

Daniel Kopecek dkopecek at redhat.com
Mon May 13 15:20:34 UTC 2013


On 05/13/2013 05:00 PM, Steve Grubb wrote:
> On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
>>    for some time now I've been working on a simple solution for scanning
>> images of virtual hosts with the OpenSCAP library.
>> We've been thinking about this for a time now, but the real work towards
>> a solution came after a discussion with
>> Richard W.M. Jones who came with two proposals. We've decided to try the
>> simple-but-not-so-robust one first -- just use
>> guestmount to mount the virtual host image somewhere and chroot() the
>> OpenSCAP probes there.
> Hmm...what if dependent libraries are missing? For example, suppose you wanted
> to scan a rhel4 guest and librpm wasn't at the right version?
The chroot(2) is called from inside the probe, right before probe_init() is called. So the probe is linked with libraries on the host system, not the guest. This basically defines the limit on what can be scanned. Only probes which read on-disk information will work.

> Also, I was thinking that for this to really be successful, it might need some
> standards work. For example, if you run content that has a "check for daemons
> that are running without selinux policy", what would the expected result be
> since no daemon could possibly be running?
The current solution to this is to return 'not applicable'.
> Also, is there a list of probes that have a dependency on /proc, /sys, or
> /selinux? Which ones cannot be used in this kind of content?
No. That's a good suggestion, I'll try to compile such a list.
> My guess is this should be run through the OVAL Board to at least come up with
> some kind of expectation of results when content isn't specifically tuned for
> offline scanning.
Yeah, that would be helpful. The current set of enabled/disabled probes and the default result flag are just my best guess based on what I know about these probes.
> But this would be a really cool feature. I know that there are standards
> bodies that are wanting some kind of security check before booting a guest. It
> might be accomplished using offline scans, it might also be done via TNC. But
> this is very interesting work.
>
> Thanks,
> -Steve
Thanks for the suggestions!

Dan K.
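The offline-scan model described in this reply (enter the mounted image, answer only from on-disk data, return 'not applicable' for content that needs /proc, /sys or /selinux), as an added example that is not part of the thread or of the OpenSCAP code base. It assumes a guest root directory instead of a real guestmount, and emulates the in-probe chroot() with a path prefix so it runs without privileges.

```python
import os
import tempfile

# Pseudo-filesystems that exist only on a running system; a mounted disk
# image has nothing under them, so a probe reading them cannot answer offline.
LIVE_ONLY_PREFIXES = ("/proc", "/sys", "/selinux", "/dev")


def classify_probe(path):
    """Return 'offline' if path is on-disk data, 'live' if it needs a running OS."""
    norm = os.path.normpath(path)
    if any(norm == p or norm.startswith(p + "/") for p in LIVE_ONLY_PREFIXES):
        return "live"
    return "offline"


def offline_probe(guest_root, path):
    """Evaluate a file probe against a mounted guest image.

    The real probes chroot() into the image before probe_init(); this example
    (an assumption, not OpenSCAP's code) joins guest_root and path instead.
    Returns (result_flag, file_contents_or_None).
    """
    if classify_probe(path) == "live":
        return ("not applicable", None)
    rel = os.path.normpath("/" + path).lstrip("/")      # keep the lookup inside the image
    target = os.path.join(guest_root, rel)
    if not os.path.isfile(target):
        return ("does not exist", None)
    with open(target, encoding="utf-8", errors="replace") as f:
        return ("exists", f.read())


def demo():
    """Build a constructed one-file guest tree and run three probes against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "redhat-release"), "w") as f:
            f.write("constructed-guest release 4\n")   # constructed sample content
        return {
            "/etc/redhat-release": offline_probe(root, "/etc/redhat-release"),
            "/etc/shadow": offline_probe(root, "/etc/shadow"),
            "/proc/1/status": offline_probe(root, "/proc/1/status"),
        }


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, "->", result[0])
```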