NAME

       oscap-vm - Tool for offline SCAP evaluation of virtual machines.

SYNOPSIS

       oscap-vm [--oscap=<oscap_binary>] domain VM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT

       oscap-vm [--oscap=<oscap_binary>] image VM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT

DESCRIPTION

       oscap-vm performs SCAP evaluation of virtual machine domains or virtual machine images.

       The  tool  mounts  the  filesystem of given virtual machine and runs oscap(8) to asses the
       mounted filesystem. The virtual machine is mounted read only, which prevents  damaging  of
       the  virtual machine during the scan. The evaluation is performed offline which means that
       it is performed from the host and no additional  software  is  installed  in  the  virtual
       machine.

       oscap-vm  is  a  convenience  wrapper on the top of the oscap(8) utility. Most of the SCAP
       capabilities provided by oscap(8) are available in oscap-vm as well.

NOTICE

       To  mount  the  virtual  machine  filesystem,  oscap-vm  uses  libguestfs  to  access  the
       filestystem and FUSE (the "filesystem in userspace") to make it a mountable device.

       The  tool  requires bash, guestmount, mktemp and umount to work properly. If guestmount(1)
       command is not present on your system, the  tool  will  try  to  use  older  fusermount(1)
       utility instead.

USAGE

       Usage of the tool mimics usage and options of oscap(8) tool.

       The  type of scan target (either domain or image) has to be specified first. Then identify
       the target by the domain name (name  of  a  named  libvirt  domain)  or  the  image  path,
       respectively.   Domain  UUIDs  can  be  used  instead  of names. Any domains including the
       running domains can be scanned.

       Optionally, as the very first argument, different  oscap(8)  binary  could  be  chosen  to
       perform the scan, like --oscap=<path/to/oscap>.

       The  rest  of  the  options  are  passed  directly  to  oscap(8) utility. For the detailed
       description of its options please refer to oscap(8)  manual  page.  However  some  of  its
       options are not supported in oscap-vm because offline evaluation is used.

       Last argument is SCAP content input file.

       Supported common options are:
         --verbose <verbosity_level>
         --verbose-log-file <file>

   Evaluation of XCCDF content
       xccdf  eval  module evaluates XCCDF files or SCAP source data streams. Result of each rule
       is printed to standard output, including rule title, rule id and security identifier (CVE,
       CCE).

              oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT

       Supported oscap xccdf eval options are:
         --profile <name>
         --rule <name>
         --tailoring-file <file>
         --tailoring-id <component-id>
         --cpe <name> (external OVAL dependencies are not supported yet!)
         --oval-results
         --check-engine-results
         --results <file>
         --results-arf <file>
         --thin-results
         --without-syschar
         --report <file>
         --skip-valid
         --skip-validation
         --fetch-remote-resources
         --local-files
         --progress
         --datastream-id <id>
         --xccdf-id <id>
         --benchmark-id <id>

       Remediation of virtual machines is not supported.

   Evaluation of OVAL content
       oval  eval  module  scans  the system and evaluate definitions from given OVAL Definitions
       file.

              oscap-vm image VM_STORAGE_IMAGE oval eval [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval eval [options] INPUT_CONTENT

       Supported oscap oval eval options are:
         --id <definition-id>
         --variables <file>
         --directives <file>
         --without-syschar
         --results <file>
         --report <file>
         --skip-valid
         --skip-validation
         --datastream-id <id>
         --oval-id <id>

   Collection of OVAL System Characteristic
       oval collect  module  scans  the  system  and  collects  items  according  to  given  OVAL
       Definitions file.

              oscap-vm image VM_STORAGE_IMAGE oval collect [options] INPUT_CONTENT
              oscap-vm domain VM_DOMAIN oval collect [options] INPUT_CONTENT

       Supported oscap oval collect options are:
         --id <object>
         --syschar <file>
         --variables <file>
         --skip-valid
         --skip-validation

EXAMPLES

       Evaluate a Red Hat Enterprise Linux 7 virtual domain for compliance with the DISA STIG for
       Red Hat Enterprise Linux and generate a report.

              oscap-vm domain rhel7 xccdf eval \
              --report report.html --results results.xml \
              --profile stig-rhel7-disa \
              /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

       Evaluate a Red Hat Enterprise Linux 6 virtual machine image for  software  vulnerabilities
       using OVAL definitions and generate a report.

              oscap-vm image /var/lib/libvirt/images/rhel6.qcow2 oval eval \
              --report report.html --results results.xml \
              com.redhat.rhsa-RHEL6.xml

EXIT STATUS

       Normally,  the  exit  status is 0 when operation finished successfully and 1 otherwise. In
       cases when oscap-vm performs evaluation of the system it may return 2  indicating  success
       of the operation but incompliance of the assessed system.

REPORTING BUGS

       Please report bugs using https://github.com/OpenSCAP/openscap/issues

SEE ALSO

       oscap(8), scap-security-guide(8)

       For detailed information please visit OpenSCAP website: https://www.open-scap.org

AUTHORS

       Martin Preisler <mpreisle@redhat.com>
       Jan Černý <jcerny@redhat.com>