1oscap-vm(8) System Administration Utilities oscap-vm(8)
2
3
4
6 oscap-vm - Tool for offline SCAP evaluation of virtual machines.
7
8
10 oscap-vm [--oscap=<oscap_binary>] domain VM_DOMAIN [OSCAP_OPTIONS] IN‐
11 PUT_CONTENT
12
13 oscap-vm [--oscap=<oscap_binary>] image VM_STORAGE_IMAGE [OSCAP_OP‐
14 TIONS] INPUT_CONTENT
15
16
18 oscap-vm performs SCAP evaluation of virtual machine domains or virtual
19 machine images.
20
21 The tool mounts the filesystem of given virtual machine and runs os‐
22 cap(8) to asses the mounted filesystem. The virtual machine is mounted
23 read only, which prevents damaging of the virtual machine during the
24 scan. The evaluation is performed offline which means that it is per‐
25 formed from the host and no additional software is installed in the
26 virtual machine.
27
28 oscap-vm is a convenience wrapper on the top of the oscap(8) utility.
29 Most of the SCAP capabilities provided by oscap(8) are available in os‐
30 cap-vm as well.
31
32
34 To mount the virtual machine filesystem, oscap-vm uses libguestfs to
35 access the filestystem and FUSE (the "filesystem in userspace") to make
36 it a mountable device.
37
38 The tool requires bash, guestmount, mktemp and umount to work properly.
39 If guestmount(1) command is not present on your system, the tool will
40 try to use older fusermount(1) utility instead.
41
42
44 Usage of the tool mimics usage and options of oscap(8) tool.
45
46 The type of scan target (either domain or image) has to be specified
47 first. Then identify the target by the domain name (name of a named
48 libvirt domain) or the image path, respectively. Domain UUIDs can be
49 used instead of names. Any domains including the running domains can be
50 scanned.
51
52 Optionally, as the very first argument, different oscap(8) binary could
53 be chosen to perform the scan, like --oscap=<path/to/oscap>.
54
55 The rest of the options are passed directly to oscap(8) utility. For
56 the detailed description of its options please refer to oscap(8) manual
57 page. However some of its options are not supported in oscap-vm because
58 offline evaluation is used.
59
60 Last argument is SCAP content input file.
61
62 Supported common options are:
63 --verbose <verbosity_level>
64 --verbose-log-file <file>
65
66
67 Evaluation of XCCDF content
68 xccdf eval module evaluates XCCDF files or SCAP source data streams.
69 Result of each rule is printed to standard output, including rule ti‐
70 tle, rule id and security identifier (CVE, CCE).
71
72
73 oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
74 oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT
75
76 Supported oscap xccdf eval options are:
77 --profile <name>
78 --rule <name>
79 --tailoring-file <file>
80 --tailoring-id <component-id>
81 --cpe <name> (external OVAL dependencies are not supported yet!)
82 --oval-results
83 --check-engine-results
84 --results <file>
85 --results-arf <file>
86 --thin-results
87 --without-syschar
88 --report <file>
89 --skip-valid
90 --skip-validation
91 --fetch-remote-resources
92 --progress
93 --datastream-id <id>
94 --xccdf-id <id>
95 --benchmark-id <id>
96
97 Remediation of virtual machines is not supported.
98
99
100 Evaluation of OVAL content
101 oval eval module scans the system and evaluate definitions from given
102 OVAL Definitions file.
103
104
105 oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
106 oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT
107
108 Supported oscap oval eval options are:
109 --id <definition-id>
110 --variables <file>
111 --directives <file>
112 --without-syschar
113 --results <file>
114 --report <file>
115 --skip-valid
116 --skip-validation
117 --datastream-id <id>
118 --oval-id <id>
119
120
121 Collection of OVAL System Characteristic
122 oval collect module scans the system and collects items according to
123 given OVAL Definitions file.
124
125
126 oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
127 oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT
128
129 Supported oscap oval collect options are:
130 --id <object>
131 --syschar <file>
132 --variables <file>
133 --skip-valid
134 --skip-validation
135
136
138 Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance
139 with the DISA STIG for Red Hat Enterprise Linux and generate a report.
140
141 oscap-vm domain rhel7 xccdf eval \
142 --report report.html --results results.xml \
143 --profile stig-rhel7-disa \
144 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
145
146 Evaluate a Red Hat Enterprise Linux 6 virtual machine image for soft‐
147 ware vulnerabilities using OVAL definitions and generate a report.
148
149 oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
150 --report report.html --results results.xml \
151 com.redhat.rhsa-RHEL6.xml
152
154 Normally, the exit status is 0 when operation finished successfully and
155 1 otherwise. In cases when oscap-vm performs evaluation of the system
156 it may return 2 indicating success of the operation but incompliance of
157 the assessed system.
158
159
161 Please report bugs using https://github.com/OpenSCAP/openscap/issues
162
163
165 oscap(8), scap-security-guide(8)
166
167 For detailed information please visit OpenSCAP website:
168 https://www.open-scap.org
169
170
172 Martin Preisler <mpreisle@redhat.com>
173 Jan Černý <jcerny@redhat.com>
174
175
176
177Red Hat, Inc. September 2017 oscap-vm(8)