[Open-scap] Offline mode scanning

Richard W.M. Jones rjones at redhat.com
Thu May 16 09:37:25 UTC 2013


On Mon, May 13, 2013 at 11:00:53AM -0400, Steve Grubb wrote:
> On Monday, May 13, 2013 04:34:20 PM Daniel Kopecek wrote:
> >   for some time now I've been working on a simple solution for scanning
> > images of virtual hosts with the OpenSCAP library.
> > We've been thinking about this for a time now, but the real work towards
> > a solution came after a discussion with
> > Richard W.M. Jones who came with two proposals. We've decided to try the
> > simple-but-not-so-robust one first -- just use
> > guestmount to mount the virtual host image somewhere and chroot() the
> > OpenSCAP probes there.
>
> Hmm...what if dependent libraries are missing? For example, suppose
> you wanted to scan a rhel4 guest and librpm wasn't at the right
> version?

In practice I can tell you that this works OK :-)

There is also another issue which currently affects guestmount (only):
It doesn't pass through SELinux labels.  We will fix this upstream at
some point, but it requires us to rework the way we use FUSE.

> Also, I was thinking that for this to really be successful, it might
> need some standards work. For example, if you run content that has a
> "check for daemons that are running without selinux policy", what
> would the expected result be since no daemon could possibly be
> running?

Agreed this is a problem and may require a change to the standards.

[...]

> But this would be a really cool feature. I know that there are
> standards bodies that are wanting some kind of security check before
> booting a guest. It might be accomplished using offline scans, it
> might also be done via TNC. But this is very interesting work.

What we are aiming for is to be able to scan guests in a cloud either
after they are uploaded / before they are run, or later, depending on
the cloud admin's policy.  Clouds are fun places because random people
that you only know from their credit card number can upload any kind
of random image and try to run it.

It's trivially possible to disguise an image: make it look like one
type of operating system instead of another.  So this doesn't catch
malicious actors.  It's more about helping the naive so they don't
upload some image which we know is going to be remotely exploited
minutes after they start running it.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
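As an added illustration of the guestmount-then-scan approach discussed in this thread (not code from the thread, from libguestfs or from the OpenSCAP project), the script below mounts an image read-only with guestmount, checks that the tree really is a guest root, identifies the guest OS, and warns when no SELinux labels are visible in the mount, which is the caveat raised above: a scan that evaluates file contexts is unreliable without them. The image path, mount point, XCCDF content and profile are placeholders, and the OSCAP_PROBE_ROOT variable used for the scan step is an assumption from later OpenSCAP releases rather than something this thread describes.

```shell
#!/bin/bash
# Added example: offline scan of a guest image via guestmount.
# Assumptions (not from the thread): image/mount/content/profile are placeholders,
# and OSCAP_PROBE_ROOT is the probe-root mechanism of later OpenSCAP releases.
set -eu

# Print a short identifier for the guest OS found under $1, or "unknown".
guest_os_id() {
    local root="$1"
    if [ -r "$root/etc/os-release" ]; then
        # Read ID/VERSION_ID in a subshell so the caller's environment stays clean.
        # shellcheck disable=SC1090
        ( . "$root/etc/os-release" && printf '%s %s\n' "${ID:-unknown}" "${VERSION_ID:-}" )
    elif [ -r "$root/etc/redhat-release" ]; then
        head -n1 "$root/etc/redhat-release"
    else
        echo unknown
    fi
}

# Succeed only if $1 looks like a mounted guest root (has /etc and /usr).
looks_like_root() {
    local root="$1"
    [ -d "$root/etc" ] && [ -d "$root/usr" ]
}

# Succeed if the mounted tree exposes SELinux labels (security.selinux xattr
# on /etc). guestmount at the time of this thread does not pass labels through,
# so content that checks file contexts gives misleading results when this fails.
has_selinux_labels() {
    local root="$1"
    command -v getfattr >/dev/null 2>&1 || return 1
    getfattr -n security.selinux --absolute-names "$root/etc" >/dev/null 2>&1
}

# Mount the image read-only, run the sanity checks, then scan with the probes
# rooted at the mount point instead of the host filesystem.
offline_scan() {
    local image="$1" mnt="$2" content="$3" profile="$4"
    mkdir -p "$mnt"
    guestmount --ro -a "$image" -i "$mnt"
    trap 'guestunmount "$mnt"' EXIT

    looks_like_root "$mnt" || { echo "$mnt does not look like a guest root" >&2; return 1; }
    echo "guest OS: $(guest_os_id "$mnt")"
    has_selinux_labels "$mnt" \
        || echo "warning: no SELinux labels visible under $mnt; file-context checks will be unreliable" >&2

    # Assumed probe-root mechanism; the thread itself describes chroot()ing the probes.
    OSCAP_PROBE_ROOT="$mnt" oscap xccdf eval --profile "$profile" \
        --results "results-$(basename "$image").xml" "$content"
}

# Usage: ./offline-scan.sh guest.img /mnt/guest ssg-xccdf.xml some-profile-id
if [ $# -eq 4 ]; then
    offline_scan "$@"
fi
```

The label check is deliberately a hard warning rather than a silent skip: a clean result from a scan that could not see file contexts says nothing about the guest's SELinux state, and it is better for the admin to know the check was blind than to trust it.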