On 4/14/16 4:07 AM, Jan Cerny wrote:
Hi Zbyněk,


----- Original Message -----
>From: "Zbynek Moravec"<zmora...@redhat.com>
>To:open-scap-list@redhat.com
>Sent: Wednesday, April 13, 2016 11:47:51 PM
>Subject: [Open-scap] Offline scanning - SCE, probes
>
>Hi
>
>We plan to implement offline scan support for SCE scripts. I would like to ask
>for our opinion.
Thanks for sharing this with the community!
+1!


>
>We have two? options how to deal with SCE offline scan support
>- 1] pass new root path to script (env variable)
>   - Script will decide how to scan new root, it can use path prefix, chroot..
This approach sounds like delegating the problem to authors of SCE checks scripts.
Each script will have to support offline scan in its own way.
But I suspect that somewhere in the first line of those scripts chroot will be called anyway.

>- 2] oscap will do chroot before executing the script
>   - Script doesn't need to know that it is in a different root
I think that we want this second option, because then the SCE scripts
could be simple and universal and everybody will be able to use his old
content to scan his containers and VMs.
Another +1. The same content should work between RHEL deployment models (bare metal, docker, VMs....).
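
What option 1 asks of every script author, shown as an added example that is not part of the thread or of OpenSCAP. `OFFLINE_ROOT`, the function names and the sample image are assumptions made for illustration; the thread does not name the variable.

```shell
#!/bin/sh
# Added example. OFFLINE_ROOT is a hypothetical name for the variable in option 1.
# Prints pass/fail/error; a real SCE script would exit with the XCCDF_RESULT_* codes.

# The first PermitRootLogin value wins in sshd_config, so stop at the first match.
evaluate() {
    [ -r "$1" ] || { echo error; return; }
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ "$value" = "no" ]; then echo pass; else echo fail; fi
}

# Plain prefixing: an absolute symlink in the image is followed on the scanning host.
check_prefix_only() {
    evaluate "${1%/}/etc/ssh/sshd_config"
}

# Re-anchor absolute symlink targets under the image root before reading.
# Only the final path component is handled; directory symlinks and ".." targets
# are not, which is the work a chroot (option 2) does for every script.
resolve_in_root() {
    root=${1%/}; path=$2; hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 1          # symlink loop
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    printf '%s\n' "$root$path"
}

check_resolved() {
    conf=$(resolve_in_root "$1" /etc/ssh/sshd_config) || { echo error; return; }
    evaluate "$conf"
}

# Constructed sample image: sshd_config is an absolute symlink inside the image.
make_sample_image() {
    img=$(mktemp -d)
    mkdir -p "$img/etc/ssh" "$img/opt/constructed-example"
    printf 'PermitRootLogin no\n' > "$img/opt/constructed-example/sshd_config"
    ln -s /opt/constructed-example/sshd_config "$img/etc/ssh/sshd_config"
    printf '%s\n' "$img"
}

OFFLINE_ROOT=${OFFLINE_ROOT:-$(make_sample_image)}
echo "prefix only: $(check_prefix_only "$OFFLINE_ROOT")"
echo "resolved:    $(check_resolved "$OFFLINE_ROOT")"
```

On the sample image the prefix-only check reports `error` because the link target is looked up on the host, while the resolving check reads the image's own file and reports `pass`.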
