[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Open-scap] Offline mode scanning



On 05/13/2013 05:00 PM, Steve Grubb wrote:
On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
   for some time now I've been working on a simple solution for scanning
images of virtual hosts with the OpenSCAP library.
We've been thinking about this for a time now, but the real work towards
a solution came after a discussion with
Richard W.M. Jones who came with two proposals. We've decided to try the
simple-but-not-so-robust one first -- just use
guestmount to mount the virtual host image somewhere and chroot() the
OpenSCAP probes there.
Hmm...what if dependent libraries are missing? For example, suppose you wanted
to scan a rhel4 guest and librpm wasn't at the right version?
The chroot(2) is called from inside the probe, right before probe_init() is called. So the probe is linked with libraries on the host system, not the guest. This basically defines the limit on what can be scanned. Only probes which read on-disk information
will work.

Also, I was thinking that for this to really be successful, it might need ome
standards work. For example, if you run content that has a "check for daemons
that are running without selinux policy", what would the expected result be
since no daemon could possibly be running?
The current solution to this is to return 'not applicable'.
Also, is there a list of probes that have a dependency on /proc, /sys, or
/selinux? Which ones cannot be used in this kind of content?
No. That's a good suggestion, I'll try to compile such a list.
My guess is this should be run through the OVAL Board to at least come up with
some kind of expectation of results when content isn't specifically tuned for
offline scanning.
Yeah, that would be helpful. The current set of enabled/disabled probes and the default
result flag are just my best guess based on what I know about these probes.
But this would be a really cool feature. I know that there are standards
bodies that are wanting some kind of security check before booting a guest. It
might be accomplished using offline scans, it might also be done via TNC. But
this is very interesting work.

Thanks,
-Steve

Thanks for the suggestions!

Dan K.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]