1oscap-vm(8)             System Administration Utilities            oscap-vm(8)
2
3
4

NAME

6       oscap-vm - Tool for offline SCAP evaluation of virtual machines.
7
8

SYNOPSIS

10       oscap-vm   [--oscap=<oscap_binary>]  domain  VM_DOMAIN  [OSCAP_OPTIONS]
11       INPUT_CONTENT
12
13       oscap-vm      [--oscap=<oscap_binary>]      image      VM_STORAGE_IMAGE
14       [OSCAP_OPTIONS] INPUT_CONTENT
15
16

DESCRIPTION

18       oscap-vm performs SCAP evaluation of virtual machine domains or virtual
19       machine images.
20
21       The tool mounts the  filesystem  of  given  virtual  machine  and  runs
22       oscap(8)  to  asses  the  mounted  filesystem.  The  virtual machine is
23       mounted read only, which prevents damaging of the virtual machine  dur‐
24       ing  the  scan. The evaluation is performed offline which means that it
25       is performed from the host and no additional software is  installed  in
26       the virtual machine.
27
28       oscap-vm  is  a convenience wrapper on the top of the oscap(8) utility.
29       Most of the SCAP capabilities provided by  oscap(8)  are  available  in
30       oscap-vm as well.
31
32

NOTICE

34       To  mount  the  virtual machine filesystem, oscap-vm uses libguestfs to
35       access the filestystem and FUSE (the "filesystem in userspace") to make
36       it a mountable device.
37
38       The tool requires bash, guestmount, mktemp and umount to work properly.
39       If guestmount(1) command is not present on your system, the  tool  will
40       try to use older fusermount(1) utility instead.
41
42

USAGE

44       Usage of the tool mimics usage and options of oscap(8) tool.
45
46       The  type  of  scan target (either domain or image) has to be specified
47       first. Then identify the target by the domain name  (name  of  a  named
48       libvirt  domain)  or the image path, respectively.  Domain UUIDs can be
49       used instead of names. Any domains including the running domains can be
50       scanned.
51
52       Optionally, as the very first argument, different oscap(8) binary could
53       be chosen to perform the scan, like --oscap=<path/to/oscap>.
54
55       The rest of the options are passed directly to  oscap(8)  utility.  For
56       the detailed description of its options please refer to oscap(8) manual
57       page. However some of its options are not supported in oscap-vm because
58       offline evaluation is used.
59
60       Last argument is SCAP content input file.
61
62       Supported common options are:
63         --verbose <verbosity_level>
64         --verbose-log-file <file>
65
66
67   Evaluation of XCCDF content
68       xccdf  eval  module  evaluates  XCCDF files or SCAP source datastreams.
69       Result of each rule is  printed  to  standard  output,  including  rule
70       title, rule id and security identifier (CVE, CCE).
71
72
73              oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
74              oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT
75
76       Supported oscap xccdf eval options are:
77         --profile <name>
78         --rule <name>
79         --tailoring-file <file>
80         --tailoring-id <component-id>
81         --cpe <name> (external OVAL dependencies are not supported yet!)
82         --oval-results
83         --check-engine-results
84         --results <file>
85         --results-arf <file>
86         --thin-results
87         --without-syschar
88         --report <file>
89         --skip-valid
90         --fetch-remote-resources
91         --progress
92         --datastream-id <id>
93         --xccdf-id <id>
94         --benchmark-id <id>
95
96       Remediation of virtual machines is not supported.
97
98
99   Evaluation of OVAL content
100       oval  eval  module scans the system and evaluate definitions from given
101       OVAL Definitions file.
102
103
104              oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
105              oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT
106
107       Supported oscap oval eval options are:
108         --id <definition-id>
109         --variables <file>
110         --directives <file>
111         --without-syschar
112         --results <file>
113         --report <file>
114         --skip-valid
115         --datastream-id <id>
116         --oval-id <id>
117
118
119   Collection of OVAL System Characteristic
120       oval collect module scans the system and collects  items  according  to
121       given OVAL Definitions file.
122
123
124              oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
125              oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT
126
127       Supported oscap oval collect options are:
128         --id <object>
129         --syschar <file>
130         --variables <file>
131         --skip-valid
132
133

EXAMPLES

135       Evaluate  a  Red  Hat  Enterprise Linux 7 virtual domain for compliance
136       with the DISA STIG for Red Hat Enterprise Linux and generate a report.
137
138              oscap-vm domain rhel7 xccdf eval \
139              --report report.html --results results.xml \
140              --profile stig-rhel7-disa \
141              /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
142
143       Evaluate a Red Hat Enterprise Linux 6 virtual machine image  for  soft‐
144       ware vulnerabilities using OVAL definitions and generate a report.
145
146              oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
147              --report report.html --results results.xml \
148              com.redhat.rhsa-RHEL6.xml
149

EXIT STATUS

151       Normally, the exit status is 0 when operation finished successfully and
152       1 otherwise. In cases when oscap-vm performs evaluation of  the  system
153       it may return 2 indicating success of the operation but incompliance of
154       the assessed system.
155
156

REPORTING BUGS

158       Please report bugs using https://github.com/OpenSCAP/openscap/issues
159
160

SEE ALSO

162       oscap(8), scap-security-guide(8)
163
164       For   detailed   information    please    visit    OpenSCAP    website:
165       https://www.open-scap.org
166
167

AUTHORS

169       Martin Preisler <mpreisle@redhat.com>
170       Jan Černý <jcerny@redhat.com>
171
172
173
174Red Hat, Inc.                   September 2017                     oscap-vm(8)
Impressum