1oscap-vm(8) System Administration Utilities oscap-vm(8)
2
3
4
6 oscap-vm - Tool for offline SCAP evaluation of virtual machines.
7
8
10 oscap-vm domain VM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT
11
12 oscap-vm image VM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT
13
14
16 oscap-vm performs SCAP evaluation of virtual machine domains or virtual
17 machine images.
18
19 The tool mounts the filesystem of given virtual machine and runs
20 oscap(8) to asses the mounted filesystem. The virtual machine is
21 mounted read only, which prevents damaging of the virtual machine dur‐
22 ing the scan. The evaluation is performed offline which means that it
23 is performed from the host and no additional software is installed in
24 the virtual machine.
25
26 oscap-vm is a convenience wrapper on the top of the oscap(8) utility.
27 Most of the SCAP capabilities provided by oscap(8) are available in
28 oscap-vm as well.
29
30
32 To mount the virtual machine filesystem, oscap-vm uses libguestfs to
33 access the filestystem and FUSE (the "filesystem in userspace") to make
34 it a mountable device.
35
36 The tool requires bash, guestmount, mktemp and umount to work properly.
37 If guestmount(1) command is not present on your system, the tool will
38 try to use older fusermount(1) utility instead.
39
40
42 Usage of the tool mimics usage and options of oscap(8) tool.
43
44 The type of scan target (either domain or image) has to be specified
45 first. Then identify the target by the domain name (name of a named
46 libvirt domain) or the image path, respectively. Domain UUIDs can be
47 used instead of names. Any domains including the running domains can be
48 scanned.
49
50 The rest of the options are passed directly to oscap(8) utility. For
51 the detailed description of its options please refer to oscap(8) manual
52 page. However some of its options are not supported in oscap-vm because
53 offline evaluation is used.
54
55 Last argument is SCAP content input file.
56
57 Supported common options are:
58 --verbose <verbosity_level>
59 --verbose-log-file <file>
60
61
62 Evaluation of XCCDF content
63 xccdf eval module evaluates XCCDF files or SCAP source datastreams.
64 Result of each rule is printed to standard output, including rule
65 title, rule id and security identifier (CVE, CCE).
66
67
68 oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
69 oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT
70
71 Supported oscap xccdf eval options are:
72 --profile <name>
73 --rule <name>
74 --tailoring-file <file>
75 --tailoring-id <component-id>
76 --cpe <name> (external OVAL dependencies are not supported yet!)
77 --oval-results
78 --check-engine-results
79 --results <file>
80 --results-arf <file>
81 --thin-results
82 --without-syschar
83 --report <file>
84 --skip-valid
85 --fetch-remote-resources
86 --progress
87 --datastream-id <id>
88 --xccdf-id <id>
89 --benchmark-id <id>
90
91 Remediation of virtual machines is not supported.
92
93
94 Evaluation of OVAL content
95 oval eval module scans the system and evaluate definitions from given
96 OVAL Definitions file.
97
98
99 oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
100 oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT
101
102 Supported oscap oval eval options are:
103 --id <definition-id>
104 --variables <file>
105 --directives <file>
106 --without-syschar
107 --results <file>
108 --report <file>
109 --skip-valid
110 --datastream-id <id>
111 --oval-id <id>
112
113
114 Collection of OVAL System Characteristic
115 oval collect module scans the system and collects items according to
116 given OVAL Definitions file.
117
118
119 oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
120 oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT
121
122 Supported oscap oval collect options are:
123 --id <object>
124 --syschar <file>
125 --variables <file>
126 --skip-valid
127
128
130 Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance
131 with the DISA STIG for Red Hat Enterprise Linux and generate a report.
132
133 oscap-vm domain rhel7 xccdf eval \
134 --report report.html --results results.xml \
135 --profile stig-rhel7-disa \
136 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
137
138 Evaluate a Red Hat Enterprise Linux 6 virtual machine image for soft‐
139 ware vulnerabilities using OVAL definitions and generate a report.
140
141 oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
142 --report report.html --results results.xml \
143 com.redhat.rhsa-RHEL6.xml
144
146 Normally, the exit status is 0 when operation finished successfully and
147 1 otherwise. In cases when oscap-vm performs evaluation of the system
148 it may return 2 indicating success of the operation but incompliance of
149 the assessed system.
150
151
153 Please report bugs using https://github.com/OpenSCAP/openscap/issues
154
155
157 oscap(8), scap-security-guide(8)
158
159 For detailed information please visit OpenSCAP website:
160 https://www.open-scap.org
161
162
164 Martin Preisler <mpreisle@redhat.com>
165 Jan Černý <jcerny@redhat.com>
166
167
168
169Red Hat, Inc. September 2017 oscap-vm(8)