
oscap-vm - Tool for offline SCAP evaluation of virtual machines.

Authors

       Martin Preisler <mpreisle@redhat.com>
       Jan Černý <jcerny@redhat.com>

Red Hat, Inc.                                    September 2017                                      oscap-vm(8)

Description

oscap-vm performs SCAP evaluation of virtual machine domains or virtual machine images.

       The tool mounts the filesystem of the given virtual machine and runs oscap(8) to assess the mounted
       filesystem. The virtual machine is mounted read-only, which prevents damage to the virtual machine
       during the scan. The evaluation is performed offline, which means that it is run from the host and
       no additional software is installed in the virtual machine.

       oscap-vm is a convenience wrapper on top of the oscap(8) utility. Most of the SCAP capabilities
       provided by oscap(8) are available in oscap-vm as well.

Examples

       Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance with the DISA STIG for Red Hat
       Enterprise Linux and generate a report.

              oscap-vm domain rhel7 xccdf eval \
              --report report.html --results results.xml \
              --profile stig-rhel7-disa \
              /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

       Evaluate a Red Hat Enterprise Linux 6 virtual machine image for software vulnerabilities using OVAL
       definitions and generate a report.

              oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
              --report report.html --results results.xml \
              com.redhat.rhsa-RHEL6.xml

Exit Status

       Normally, the exit status is 0 when the operation finished successfully and 1 otherwise. When oscap-vm
       performs an evaluation of the system it may return 2, indicating that the operation succeeded but the
       assessed system is not compliant.

Notice

       To mount the virtual machine filesystem, oscap-vm uses libguestfs to access the filesystem and FUSE (the
       "filesystem in userspace") to make it a mountable device.

       The tool requires bash, guestmount, mktemp and umount to work properly. If the guestmount(1) command is
       not present on your system, the tool will try to use the older fusermount(1) utility instead.

Reporting Bugs

       Please report bugs using https://github.com/OpenSCAP/openscap/issues

See Also

oscap(8), scap-security-guide(8)

       For detailed information please visit the OpenSCAP website: https://www.open-scap.org

Synopsis

       oscap-vm [--oscap=<oscap_binary>] domain VM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT
       oscap-vm [--oscap=<oscap_binary>] image VM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT

Usage

       Usage of the tool mimics the usage and options of the oscap(8) tool.

       The type of scan target (either domain or image) has to be specified first. Then identify the target by
       the domain name (name of a named libvirt domain) or the image path, respectively. Domain UUIDs can be
       used instead of names. Any domain, including running domains, can be scanned.

       Optionally, as the very first argument, a different oscap(8) binary can be chosen to perform the scan,
       for example --oscap=<path/to/oscap>.

       The rest of the options are passed directly to the oscap(8) utility. For a detailed description of its
       options please refer to the oscap(8) manual page. However, some of its options are not supported in
       oscap-vm because offline evaluation is used.

       The last argument is the SCAP content input file.

       Supported common options are:
         --verbose <verbosity_level>
         --verbose-log-file <file>
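
The usage rules above (target type first, then the domain name or image path, then pass-through oscap options, then the input content) and the exit status convention from the Exit Status section combine naturally into a batch script. The following is an added example, not part of the oscap-vm man page or of the OpenSCAP project. The variables OSCAP_VM, SSG_DS, PROFILE and OUTDIR and the function names are this example's own assumptions; the default data stream path and profile reuse the values from the Examples section. It handles both target kinds, so it also applies to the OVAL image example.

```shell
#!/bin/sh
# Added example (not from the oscap-vm man page or the OpenSCAP project):
# evaluate several virtual machines with oscap-vm and sort them by the exit
# status documented under "Exit Status":
#   0 = evaluation ran and the system is compliant
#   1 = oscap-vm itself failed (for example the filesystem could not be mounted)
#   2 = evaluation ran, but the system is not compliant
# OSCAP_VM, SSG_DS, PROFILE and OUTDIR are this script's own (assumed) variables.

OSCAP_VM="${OSCAP_VM:-oscap-vm}"
SSG_DS="${SSG_DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"
PROFILE="${PROFILE:-stig-rhel7-disa}"
OUTDIR="${OUTDIR:-./oscap-vm-results}"

# classify_exit STATUS: map an oscap-vm exit status to an outcome word.
classify_exit() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        1) echo error ;;
        *) echo unknown ;;
    esac
}

# scan_target KIND TARGET: KIND is "domain" (libvirt domain name or UUID) or
# "image" (path to a storage image), in the order oscap-vm expects them.
# Prints "TARGET outcome". The HTML report, ARF results and the oscap output
# are kept under $OUTDIR so a non-compliant result can be investigated later.
scan_target() {
    kind="$1"
    target="$2"
    label=$(basename "$target")   # images are paths; keep only the file name
    mkdir -p "$OUTDIR"
    if "$OSCAP_VM" "$kind" "$target" xccdf eval \
            --profile "$PROFILE" \
            --report "$OUTDIR/$label-report.html" \
            --results-arf "$OUTDIR/$label-arf.xml" \
            "$SSG_DS" >"$OUTDIR/$label-oscap.log" 2>&1; then
        status=0
    else
        status=$?
    fi
    echo "$target $(classify_exit "$status")"
}

# scan_all KIND TARGET...: scan every target, print one line per target plus
# a summary line. Returns 0 only if every target was evaluated and compliant.
scan_all() {
    kind="$1"; shift
    compliant=0; noncompliant=0; error=0
    for t in "$@"; do
        line=$(scan_target "$kind" "$t")
        echo "$line"
        case "$line" in
            *" noncompliant") noncompliant=$((noncompliant + 1)) ;;
            *" compliant")    compliant=$((compliant + 1)) ;;
            *)                error=$((error + 1)) ;;
        esac
    done
    echo "summary: compliant=$compliant noncompliant=$noncompliant error=$error"
    [ "$((noncompliant + error))" -eq 0 ]
}

# Usage:  ./scan-vms.sh domain rhel7 rhel7-web
#         ./scan-vms.sh image /var/lib/libvirt/images/rhel6.qcow2
if [ "$#" -gt 1 ]; then
    scan_all "$@"
fi
```

Because exit status 1 means the tool failed rather than that the guest is compliant, the script keeps the oscap output of every run; a mount failure on a running domain shows up there, and counting it as "error" rather than silently as compliant is the point of the three-way classification.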

   Evaluation of XCCDF content

       The xccdf eval module evaluates XCCDF files or SCAP source data streams. The result of each rule is printed
       to standard output, including the rule title, rule id and security identifier (CVE, CCE).

              oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

       Supported oscap xccdf eval options are:
         --profile <name>
         --rule <name>
         --tailoring-file <file>
         --tailoring-id <component-id>
         --cpe <name> (external OVAL dependencies are not supported yet!)
         --oval-results
         --check-engine-results
         --results <file>
         --results-arf <file>
         --thin-results
         --without-syschar
         --report <file>
         --skip-validation
         --fetch-remote-resources
         --local-files
         --progress
         --datastream-id <id>
         --xccdf-id <id>
         --benchmark-id <id>

       Remediation of virtual machines is not supported.

   Evaluation of OVAL content

       The oval eval module scans the system and evaluates the definitions from the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

       Supported oscap oval eval options are:
         --id <definition-id>
         --variables <file>
         --directives <file>
         --without-syschar
         --results <file>
         --report <file>
         --skip-validation
         --datastream-id <id>
         --oval-id <id>

   Collection of OVAL System Characteristics

       The oval collect module scans the system and collects items according to the given OVAL Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

       Supported oscap oval collect options are:
         --id <object>
         --syschar <file>
         --variables <file>
         --skip-validation
