Score:0

Can oscap tool be run on a container to scan the host VM?


Can OpenSCAP's oscap tool be run on a container to scan the host VM?

NOTE: It runs fine on the RHEL container (after install)

Dockerfile

FROM registry.access.redhat.com/ubi8/ubi:latest

# Install the scanner (provides the oscap binary); one layer, cache cleaned
RUN yum -y update && yum -y install openscap-scanner && yum clean all

# SCAP content to evaluate (XCCDF benchmark or source datastream), lands in /
COPY benchmark.xml benchmark.xml

Score:0

Theoretically, it could work, somehow. But I haven't tried that and I haven't heard about anyone using it this way. The container would need to have the host filesystem mounted in some directory. That's something you usually don't want to do in a typical container scenario. Then, oscap needs to be executed with the OSCAP_PROBE_ROOT environment variable set to the path of that mount directory. The OSCAP_PROBE_ROOT environment variable is used to modify the chroot of the scanner, but it is normally used for scanning containers from the host. I assume there will be various issues with permissions, capabilities, access rights, etc.
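The layout the answer describes, written out as an added example (not code from this thread or from the OpenSCAP project): the host root is bind-mounted read-only into the container built from the question's Dockerfile, and oscap is pointed at that mount through OSCAP_PROBE_ROOT. Everything named here is an assumption: the image tag oscap-scanner, the mount point /host, the /out volume, benchmark.xml sitting at / (the image's default working directory), and the profile id, which is a placeholder to be replaced with one listed by `oscap info /benchmark.xml`.

```shell
#!/usr/bin/env bash
# scan-host.sh: added example for the answer above, not code from the original
# thread or from the OpenSCAP project. It runs INSIDE the container built from
# the Dockerfile in the question, with the host root bind-mounted read-only:
#
#   docker run --rm -v /:/host:ro -v "$PWD/out:/out" \
#       -v "$PWD/scan-host.sh:/scan-host.sh:ro" oscap-scanner bash /scan-host.sh scan
#
# Assumed (not from the thread): image tag oscap-scanner, mount point /host,
# output volume /out, benchmark.xml at /, and a placeholder profile id that
# must be replaced with one listed by `oscap info /benchmark.xml`.
set -eu

HOST_ROOT=${HOST_ROOT:-/host}
DATASTREAM=${DATASTREAM:-/benchmark.xml}
PROFILE=${PROFILE:-xccdf_example_profile}   # placeholder, replace before use
OUT_DIR=${OUT_DIR:-/out}

# Guard: refuse to run unless the mount looks like a Linux root. Without the
# mount, oscap with OSCAP_PROBE_ROOT unset or empty evaluates the container's
# own filesystem and the report silently describes the wrong system.
looks_like_root() {
  local root=$1
  [ -d "$root/etc" ] && [ -d "$root/usr" ] && [ -f "$root/etc/os-release" ]
}

# Identify the system that will actually be evaluated, read from the mounted
# tree rather than from the container, so the report target can be confirmed.
target_os() {
  sed -n 's/^PRETTY_NAME="\(.*\)"$/\1/p' "$1/etc/os-release"
}

# The scan itself: OSCAP_PROBE_ROOT redirects the scanner's probes to the
# mounted tree, the same mechanism the answer mentions for scanning containers
# from the host, used here in the reverse direction.
run_oscap() {
  local root=$1 profile=$2 ds=$3 out=$4
  OSCAP_PROBE_ROOT=$root oscap xccdf eval --profile "$profile" \
    --results "$out/results.xml" --report "$out/report.html" "$ds"
}

main() {
  if ! looks_like_root "$HOST_ROOT"; then
    echo "no host filesystem at $HOST_ROOT; start the container with -v /:$HOST_ROOT:ro" >&2
    exit 2
  fi
  echo "evaluating: $(target_os "$HOST_ROOT") (OSCAP_PROBE_ROOT=$HOST_ROOT)"
  mkdir -p "$OUT_DIR"
  set +e
  run_oscap "$HOST_ROOT" "$PROFILE" "$DATASTREAM" "$OUT_DIR"
  rc=$?
  set -e
  # oscap exit codes: 0 all rules passed, 2 at least one rule failed (the
  # normal outcome of a hardening benchmark), anything else is a scanner error.
  case $rc in
    0) echo "all rules passed; report in $OUT_DIR/report.html" ;;
    2) echo "some rules failed; report in $OUT_DIR/report.html" ;;
    *) echo "oscap failed with exit code $rc" >&2; exit "$rc" ;;
  esac
}

if [ "${1:-}" = scan ]; then
  main
fi
```

Two caveats a practitioner should keep in mind. First, OSCAP_PROBE_ROOT only redirects file-based checks: rules that look at runtime state (running processes, sysctl values, service status, mounted filesystems) are answered from the container, not from the host, so read those results in the report with suspicion rather than trusting them. Second, reading files such as /etc/shadow through the mount needs root inside the container, and on an SELinux-enforcing host the container process is normally denied access to most of the mount; lifting that (for example with `--security-opt label=disable`) gives the scanner a read-only view of the whole host, which is exactly the exposure the answer warns about, so keep the mount read-only and drop the container as soon as the results are out.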


