oscap-vm(8)             System Administration Utilities            oscap-vm(8)



NAME
       oscap-vm - Tool for offline SCAP evaluation of virtual machines.

SYNOPSIS
       oscap-vm [--oscap=<oscap_binary>] domain VM_DOMAIN [OSCAP_OPTIONS]
       INPUT_CONTENT

       oscap-vm [--oscap=<oscap_binary>] image VM_STORAGE_IMAGE
       [OSCAP_OPTIONS] INPUT_CONTENT

DESCRIPTION
       oscap-vm performs SCAP evaluation of virtual machine domains or virtual
       machine images.

       The tool mounts the filesystem of the given virtual machine and runs
       oscap(8) to assess the mounted filesystem. The virtual machine is
       mounted read-only, which prevents damage to the virtual machine during
       the scan. The evaluation is performed offline, which means that it is
       performed from the host and no additional software is installed in the
       virtual machine.

       oscap-vm is a convenience wrapper on top of the oscap(8) utility. Most
       of the SCAP capabilities provided by oscap(8) are available in oscap-vm
       as well.

NOTICE
       To mount the virtual machine filesystem, oscap-vm uses libguestfs to
       access the filesystem and FUSE (the "filesystem in userspace") to make
       it a mountable device.

       The tool requires bash, guestmount, mktemp and umount to work properly.
       If the guestmount(1) command is not present on your system, the tool
       will try to use the older fusermount(1) utility instead.

USAGE
       Usage of the tool mimics the usage and options of the oscap(8) tool.

       The type of scan target (either domain or image) has to be specified
       first. Then identify the target by the domain name (name of a named
       libvirt domain) or the image path, respectively. Domain UUIDs can be
       used instead of names. Any domain, including a running domain, can be
       scanned.

       Optionally, as the very first argument, a different oscap(8) binary can
       be chosen to perform the scan, e.g. --oscap=<path/to/oscap>.

       The rest of the options are passed directly to the oscap(8) utility.
       For a detailed description of its options please refer to the oscap(8)
       manual page. However, some of its options are not supported in oscap-vm
       because offline evaluation is used.

       The last argument is the SCAP content input file.

       Supported common options are:
         --verbose <verbosity_level>
         --verbose-log-file <file>

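       A minimal wrapper that mirrors the procedure described above (mktemp,
       guestmount read-only, oscap from the host, umount), added here as an
       example; it is not the oscap-vm script shipped with OpenSCAP. It assumes
       oscap(8) reads the offline root from the OSCAP_PROBE_ROOT environment
       variable and that guestmount(1) auto-detects the guest's mount points
       with -i; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not the oscap-vm script itself: a POSIX sh wrapper mirroring the
# procedure the man page describes (mktemp -> guestmount --ro -> oscap -> umount).
# Assumptions not stated on the page: oscap(8) takes the offline root from the
# OSCAP_PROBE_ROOT environment variable, and guestmount(1) is given -i to
# auto-detect the guest's mount points. With DRY_RUN=1 the privileged commands
# are printed instead of executed, so the wrapper can be exercised without libguestfs.

# Map the "domain NAME" / "image PATH" target type onto guestmount's source option.
guestmount_source_flag() {
    case "$1" in
        domain) echo "-d" ;;
        image)  echo "-a" ;;
        *)      return 1 ;;
    esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

usage() {
    echo "usage: oscap_vm [--oscap=BIN] domain|image TARGET [OSCAP_OPTIONS] INPUT_CONTENT" >&2
}

# oscap_vm [--oscap=BIN] (domain|image) TARGET OSCAP_ARGS...
# Mount read-only, scan from the host, always unmount, and pass oscap's exit
# status through unchanged (0 ok, 1 error, 2 evaluated but not compliant).
oscap_vm() {
    oscap_bin=oscap
    case "${1-}" in --oscap=*) oscap_bin="${1#--oscap=}"; shift ;; esac
    source_flag=$(guestmount_source_flag "${1-}") || { usage; return 1; }
    [ $# -ge 3 ] || { usage; return 1; }        # TARGET plus at least INPUT_CONTENT
    target=$2
    shift 2                                     # everything left goes to oscap(8)
    mnt=$(mktemp -d) || return 1
    # --ro guarantees the scan cannot alter the guest, even for a running domain.
    run guestmount "$source_flag" "$target" -i --ro "$mnt" || { rmdir "$mnt"; return 1; }
    if run env OSCAP_PROBE_ROOT="$mnt" "$oscap_bin" "$@"; then rc=0; else rc=$?; fi
    run umount "$mnt"
    rmdir "$mnt"
    return "$rc"
}
```

       Setting DRY_RUN=1 before calling oscap_vm shows the exact guestmount and
       oscap command lines that a real run would execute.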

   Evaluation of XCCDF content
       The xccdf eval module evaluates XCCDF files or SCAP source data
       streams. The result of each rule is printed to standard output,
       including rule title, rule id and security identifier (CVE, CCE).

              oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

       Supported oscap xccdf eval options are:
         --profile <name>
         --rule <name>
         --tailoring-file <file>
         --tailoring-id <component-id>
         --cpe <name> (external OVAL dependencies are not supported yet!)
         --oval-results
         --check-engine-results
         --results <file>
         --results-arf <file>
         --thin-results
         --without-syschar
         --report <file>
         --skip-valid
         --skip-validation
         --fetch-remote-resources
         --local-files
         --progress
         --datastream-id <id>
         --xccdf-id <id>
         --benchmark-id <id>

       Remediation of virtual machines is not supported.

   Evaluation of OVAL content
       The oval eval module scans the system and evaluates definitions from
       the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

       Supported oscap oval eval options are:
         --id <definition-id>
         --variables <file>
         --directives <file>
         --without-syschar
         --results <file>
         --report <file>
         --skip-valid
         --skip-validation
         --datastream-id <id>
         --oval-id <id>

   Collection of OVAL System Characteristics
       The oval collect module scans the system and collects items according
       to the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

       Supported oscap oval collect options are:
         --id <object>
         --syschar <file>
         --variables <file>
         --skip-valid
         --skip-validation

EXAMPLES
       Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance
       with the DISA STIG for Red Hat Enterprise Linux and generate a report.

              oscap-vm domain rhel7 xccdf eval \
              --report report.html --results results.xml \
              --profile stig-rhel7-disa \
              /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

       Evaluate a Red Hat Enterprise Linux 6 virtual machine image for
       software vulnerabilities using OVAL definitions and generate a report.

              oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
              --report report.html --results results.xml \
              com.redhat.rhsa-RHEL6.xml

EXIT STATUS
       Normally, the exit status is 0 when the operation finished successfully
       and 1 otherwise. When oscap-vm performs an evaluation of the system, it
       may return 2, indicating success of the operation but non-compliance of
       the assessed system.

REPORTING BUGS
       Please report bugs using https://github.com/OpenSCAP/openscap/issues

SEE ALSO
       oscap(8), scap-security-guide(8)

       For detailed information please visit the OpenSCAP website:
       https://www.open-scap.org

AUTHORS
       Martin Preisler <mpreisle@redhat.com>
       Jan Černý <jcerny@redhat.com>



Red Hat, Inc.                   September 2017                     oscap-vm(8)