oscap-vm(8)             System Administration Utilities            oscap-vm(8)

NAME
       oscap-vm - Tool for offline SCAP evaluation of virtual machines.

SYNOPSIS
       oscap-vm domain VM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT

       oscap-vm image VM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT

DESCRIPTION
       oscap-vm performs SCAP evaluation of virtual machine domains or virtual
       machine images.

       The tool mounts the filesystem of the given virtual machine and runs
       oscap(8) to assess the mounted filesystem. The virtual machine is
       mounted read-only, which prevents damage to the virtual machine during
       the scan. The evaluation is performed offline, which means that it is
       performed from the host and no additional software is installed in the
       virtual machine.

       oscap-vm is a convenience wrapper on top of the oscap(8) utility. Most
       of the SCAP capabilities provided by oscap(8) are available in oscap-vm
       as well.

NOTICE
       To mount the virtual machine filesystem, oscap-vm uses libguestfs to
       access the filesystem and FUSE (the "filesystem in userspace") to make
       it a mountable device.

       The tool requires bash, guestmount, mktemp and umount to work properly.
       If the guestmount(1) command is not present on your system, the tool
       will try to use the older fusermount(1) utility instead.

USAGE
       Usage of the tool mimics the usage and options of the oscap(8) tool.

       The type of scan target (either domain or image) has to be specified
       first. Then identify the target by the domain name (name of a named
       libvirt domain) or the image path, respectively. Domain UUIDs can be
       used instead of names. Any domain, including running domains, can be
       scanned.

       The rest of the options are passed directly to the oscap(8) utility.
       For a detailed description of its options, please refer to the oscap(8)
       manual page. However, some of its options are not supported in oscap-vm
       because offline evaluation is used.

       The last argument is the SCAP content input file.

       Supported common options are:
         --verbose <verbosity_level>
         --verbose-log-file <file>

   Evaluation of XCCDF content
       The xccdf eval module evaluates XCCDF files or SCAP source datastreams.
       The result of each rule is printed to standard output, including rule
       title, rule id and security identifier (CVE, CCE).

              oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

       Supported oscap xccdf eval options are:
         --profile <name>
         --rule <name>
         --tailoring-file <file>
         --tailoring-id <component-id>
         --cpe <name> (external OVAL dependencies are not supported yet!)
         --oval-results
         --check-engine-results
         --results <file>
         --results-arf <file>
         --thin-results
         --without-syschar
         --report <file>
         --skip-valid
         --fetch-remote-resources
         --progress
         --datastream-id <id>
         --xccdf-id <id>
         --benchmark-id <id>

       Remediation of virtual machines is not supported.

   Evaluation of OVAL content
       The oval eval module scans the system and evaluates definitions from
       the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

       Supported oscap oval eval options are:
         --id <definition-id>
         --variables <file>
         --directives <file>
         --without-syschar
         --results <file>
         --report <file>
         --skip-valid
         --datastream-id <id>
         --oval-id <id>

   Collection of OVAL System Characteristics
       The oval collect module scans the system and collects items according
       to the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

       Supported oscap oval collect options are:
         --id <object>
         --syschar <file>
         --variables <file>
         --skip-valid

EXAMPLES
       Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance
       with the DISA STIG for Red Hat Enterprise Linux and generate a report.

              oscap-vm domain rhel7 xccdf eval \
              --report report.html --results results.xml \
              --profile stig-rhel7-disa \
              /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

       Evaluate a Red Hat Enterprise Linux 6 virtual machine image for
       software vulnerabilities using OVAL definitions and generate a report.

              oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
              --report report.html --results results.xml \
              com.redhat.rhsa-RHEL6.xml

EXIT STATUS
       Normally, the exit status is 0 when the operation finished successfully
       and 1 otherwise. When oscap-vm performs evaluation of the system, it
       may return 2, indicating success of the operation but non-compliance of
       the assessed system.
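
       A wrapper that acts on the three exit statuses described above, so
       that a failed scan (1) is never recorded as a compliance result. This
       is an added example, not part of the oscap-vm project; OSCAP_VM,
       classify_status and scan_image are assumed names.

```shell
#!/bin/sh
# Added example: gate on the exit statuses documented in EXIT STATUS.
# OSCAP_VM, classify_status and scan_image are hypothetical names.

# Path to the scanner; overridable so the wrapper can be tested with a stub.
OSCAP_VM="${OSCAP_VM:-oscap-vm}"

# Map an oscap-vm exit status to a verdict.
#   0             -> operation succeeded, system compliant
#   2             -> operation succeeded, system not compliant
#   anything else -> the scan itself failed, so there is no verdict
classify_status() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo error ;;
    esac
}

# scan_image IMAGE PROFILE CONTENT OUTDIR
# Prints the verdict; returns 0 (compliant), 2 (noncompliant) or 1 (error).
scan_image() {
    image=$1 profile=$2 content=$3 outdir=$4
    mkdir -p "$outdir" || { echo error; return 1; }
    rc=0
    # "|| rc=$?" keeps a non-zero status from aborting callers using "set -e".
    "$OSCAP_VM" image "$image" xccdf eval \
        --profile "$profile" \
        --results "$outdir/results.xml" \
        --report "$outdir/report.html" \
        "$content" >"$outdir/scan.log" 2>&1 || rc=$?
    verdict=$(classify_status "$rc")
    echo "$verdict"
    case "$verdict" in
        compliant)    return 0 ;;
        noncompliant) return 2 ;;
        *)            return 1 ;;
    esac
}

# Usage (PROFILE_ID and CONTENT.xml are placeholders):
#   scan_image /var/lib/libvirt/images/rhel6.qcow2 PROFILE_ID CONTENT.xml ./out
```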

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues

SEE ALSO
       oscap(8), scap-security-guide(8)

       For detailed information, please visit the OpenSCAP website:
       https://www.open-scap.org

AUTHORS
       Martin Preisler <mpreisle@redhat.com>
       Jan Černý <jcerny@redhat.com>

Red Hat, Inc.                   September 2017                     oscap-vm(8)