[Open-scap] Offline scanning - SCE, probes

Zbynek Moravec zmoravec at redhat.com
Fri Apr 15 11:02:40 UTC 2016


OK, to perform an offline SCE scan we can use these ways:

A) add a wrapper script that contains the original script but does chroot first
  - maybe easy for bash and python, "impossible" for binaries - but they aren't really used
  - not a universal solution

B) fexecve(int fd, char *const argv[], char *const envp[]);
  - open file on host -> do chroot -> do fexecve
  - we need access to /proc, which we don't have after chroot in general

C) unionfs/... - have some writable layer over the read-only image
  - it is quite complicated, and we need an extra dependency

D) bind mount - e.g. mount /tmp/oscap-tmp-sce-scripts -> /tmp/container/tmp, chroot /tmp/container
  - the mounted container can be read-only, so we cannot create any directory as a mount point,
    but we can use the container's /tmp to do this
  - I don't think that any SCE script depends on the original content of /tmp
  - maybe an advantage - the container image is read-only, but the SCE script can use the RW mounted /tmp

I personally prefer D, but A should work too.
Anything against? Or do you have a new idea?

Thank you for your opinions.

----- Original Message -----
> From: "Shawn Wells" <shawn at redhat.com>
> To: open-scap-list at redhat.com
> Sent: Thursday, April 14, 2016 4:17:26 PM
> Subject: Re: [Open-scap] Offline scanning - SCE, probes
> 
> 
> 
> On 4/14/16 4:07 AM, Jan Cerny wrote:
> > Hi Zbyněk,
> >
> >
> > ----- Original Message -----
> >> > From: "Zbynek Moravec" <zmoravec at redhat.com>
> >> > To: open-scap-list at redhat.com
> >> > Sent: Wednesday, April 13, 2016 11:47:51 PM
> >> > Subject: [Open-scap] Offline scanning - SCE, probes
> >> >
> >> >Hi
> >> >
> >> > We plan to implement offline scan support for SCE scripts. I would like
> >> > to ask for your opinion.
> > Thanks for sharing this with the community!
> +1!
> 
> 
> >> >
> >> >We have two? options how to deal with SCE offline scan support
> >> >- 1] pass new root path to script (env variable)
> >> >   - Script will decide how to scan new root, it can use path prefix,
> >> >   chroot..
> > This approach sounds like delegating the problem to the authors of SCE check
> > scripts.
> > Each script will have to support offline scan in its own way.
> > But I suspect that somewhere in the first line of those scripts chroot will be
> > called anyway.
> >
> >> > - 2] oscap will do chroot before executing the script
> >> >   - The script doesn't need to know that it is in a different root
> > I think that we want this second option, because then the SCE scripts
> > could be simple and universal and everybody will be able to use his old
> > content to scan his containers and VMs.
> Another +1. The same content should work between RHEL deployment models
> (bare metal, docker, VMs....).
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
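Option D from the message above, sketched in shell as an added example. This is not OpenSCAP code and not code from anyone on the thread; the function names (sce_rootfs_check, sce_chroot_path, sce_run_offline), the use of unshare -m to keep the bind mount in a private mount namespace, and the layout (a host directory of SCE scripts bind-mounted over <rootfs>/tmp, then chroot) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not OpenSCAP code: option D from the thread in shell.
# The host directory $scriptdir (SCE scripts) is bind-mounted over
# $rootfs/tmp, then the script runs via chroot, so it does not need to
# know that it is scanning an alternate root. Function names and the
# unshare -m wrapper are assumptions of this example.

# Option D relies on the image's own /tmp as the mount point, because a
# read-only image does not let us create a fresh directory for it.
sce_rootfs_check() {
    rootfs=$1
    if [ ! -d "$rootfs" ]; then
        echo "sce: '$rootfs' is not a directory" >&2
        return 1
    fi
    if [ ! -d "$rootfs/tmp" ]; then
        echo "sce: '$rootfs' has no /tmp to bind-mount over" >&2
        return 1
    fi
    return 0
}

# Translate a host path under $scriptdir into what the script sees after
# the bind mount and chroot: <scriptdir>/foo.sh -> /tmp/foo.sh
sce_chroot_path() {
    scriptdir=${1%/}
    script=$2
    case $script in
        "$scriptdir"/*)
            printf '/tmp/%s\n' "${script#"$scriptdir"/}"
            ;;
        *)
            echo "sce: '$script' is not under '$scriptdir'" >&2
            return 1
            ;;
    esac
}

# Run one SCE script against the offline root. Needs root: mount needs
# CAP_SYS_ADMIN and chroot needs CAP_SYS_CHROOT. The bind mount is made in
# a private mount namespace (unshare -m), so it never shows up in the host
# mount table and goes away when the script exits, even if it is killed.
# The script's exit status is passed through for the caller to interpret.
sce_run_offline() {
    rootfs=$1
    scriptdir=$2
    script=$3
    sce_rootfs_check "$rootfs" || return 1
    inner=$(sce_chroot_path "$scriptdir" "$script") || return 1
    unshare -m sh -c '
        set -e
        mount --bind "$1" "$2/tmp"
        exec chroot "$2" "$3"
    ' sh "$scriptdir" "$rootfs" "$inner"
}

# Usage (as root):
#   sce_run_offline /mnt/image /var/lib/oscap/sce /var/lib/oscap/sce/check.sh
```

Two caveats worth keeping in mind with this layout: the script file comes from the host, but its interpreter (the image's /bin/sh, python, ...) comes from the image and runs as root on the host kernel, and chroot is not a sandbox, so this is only appropriate for images you already trust. The private mount namespace also means nothing is left mounted over the image's /tmp after the run, which is the cleanup step option D otherwise needs.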