Merge pull request #1386 from evgenyz/oscap-vm

utils/oscap-vm: Add ability to run uninstalled oscap-vm.

Author: jan-cerny

utils/oscap-docker.8

@@ -3,19 +3,19 @@
 oscap-docker \- Tool for running oscap within docker container or image
 .SH DESCRIPTION
 oscap-docker tool can asses vulnerabilities or security compliance of running Docker
-containers or cold Docker images. OpenSCAP tool (oscap) is used underneath. Definition
+containers or cold Docker images. OpenSCAP tool \fBoscap(8)\fR is used underneath. Definition
 of vulnerabilities (CVE stream) is downloaded from product vendor.
 
 .SS Compliance scan of Docker image
 Usage: oscap-docker image IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
 
-Run any OpenSCAP (oscap) command within chroot of mounted docker image. Learn more
-about oscap arguments in oscap(8) man page.
+Run any OpenSCAP \fBoscap(8)\fR command within chroot of mounted docker image. Learn more
+about arguments in \fBoscap(8)\fR man page.
 
 .SS Compliance scan of Docker container
 Usage: oscap-docker container CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]
 
-Run any OpenSCAP (oscap) command within chroot of mounted docker container. Result
+Run any OpenSCAP \fBoscap(8)\fR command within chroot of mounted docker container. Result
 of this command may differ from scanning just an image due to defined mount points.
 
 .SS "Vulnerability scan of Docker image"
@@ -30,6 +30,8 @@ Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xm
 Chroot to running container, determine OS variant/version, download CVE stream applicable
 to the given OS and finally run a vulnerability scan.
 
+In order to use different \fBoscap(8)\fR binary pass it like --oscap=<path/to/oscap>, as the first argument.
+
 .SH SECURITY POLICIES
 .TP
 \fB SCAP-Security-Guide\fR package contains multiple configuration policies.

utils/oscap-vm

@@ -28,8 +28,8 @@ function usage()
     echo
     echo "Usage:"
     echo
-    echo "$ oscap-vm image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT"
-    echo "$ oscap-vm domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT"
+    echo "$ oscap-vm [--oscap=<oscap_binary>] image VM_STORAGE_IMAGE xccdf eval [options] INPUT_CONTENT"
+    echo "$ oscap-vm [--oscap=<oscap_binary>] domain VM_DOMAIN xccdf eval [options] INPUT_CONTENT"
     echo
     echo "supported oscap xccdf eval options are:"
     echo "  --profile"
@@ -73,13 +73,18 @@ function usage()
     echo "See \`man oscap\` to learn more about semantics of these options."
 }
 
+OSCAP_BINARY=oscap
+
 if [ $# -lt 1 ]; then
     echo "No arguments provided."
     usage
     die
 elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
     usage
     die
+elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then
+    OSCAP_BINARY=${1#"--oscap="}
+    shift
 elif [ "$1" == "image" ] && [ $# -gt 2 ]; then
     true
 elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then
@@ -132,7 +137,7 @@ OSCAP_PROBE_ARCHITECTURE="$(uname --hardware-platform)" # TODO
 export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2"
 shift 2
 
-oscap "$@"
+$OSCAP_BINARY "$@"
 EXIT_CODE=$?
 echo "Unmounting '$MOUNTPOINT'..."
 $UNMOUNT_COMMAND "$MOUNTPOINT"

utils/oscap-vm.8

@@ -4,9 +4,9 @@
 oscap-vm \- Tool for offline SCAP evaluation of virtual machines.
 
 .SH SYNOPSIS
-\fBoscap-vm domain\fR \fIVM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT
+\fBoscap-vm\fR \fI[--oscap=<oscap_binary>]\fR \fBdomain\fR \fIVM_DOMAIN [OSCAP_OPTIONS] INPUT_CONTENT
 
-\fBoscap-vm image\fR \fIVM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT
+\fBoscap-vm\fR \fI[--oscap=<oscap_binary>]\fR \fBimage\fR \fIVM_STORAGE_IMAGE [OSCAP_OPTIONS] INPUT_CONTENT
 
 .SH DESCRIPTION
 \fBoscap-vm\fR performs SCAP evaluation of virtual machine domains or virtual machine images.
@@ -26,6 +26,8 @@ Usage of the tool mimics usage and options of \fBoscap(8)\fR tool.
 The type of scan target (either \fIdomain\fR or \fIimage\fR) has to be specified first. Then identify the target by the domain name (name of a named libvirt domain) or the image path, respectively.
 Domain UUIDs can be used instead of names. Any domains including the running domains can be scanned.
 
+Optionally, as the very first argument, different \fBoscap(8)\fR binary could be chosen to perform the scan, like --oscap=<path/to/oscap>.
+
 The rest of the options are passed directly to \fBoscap(8)\fR utility. For the detailed description of its options please refer to \fBoscap(8)\fR manual page. However some of its options are not supported in \fBoscap-vm\fR because offline evaluation is used.
 
 Last argument is SCAP content input file.