I have written a script called `oscap-vm` that allows users to evaluate virtual machines and their images. It does not require oscap to be installed inside the virtual machine, so it performs the so-called "agent-less" SCAP evaluation. The script will be part of the next OpenSCAP 1.2.7 release.
When evaluating, it mounts the virtual machine storage in read-only mode and then performs offline oscap evaluation on it. I made the CLI syntax similar to oscap-ssh and oscap-docker, so it should feel very familiar.
It is possible to scan virtual machines that are powered off, but you can also scan virtual machines while they are running with no risk of data loss!
Examples:
$ wget http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
$ oscap-vm domain rhel7.2 oval eval Red_Hat_Enterprise_Linux_7.xml

$ oscap-vm domain rhel7.2 xccdf eval --profile \
    xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

$ oscap-vm image /var/lib/libvirt/images/rhel7.2.qcow2 xccdf eval --profile \
    xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
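The workflow the announcement describes (mount the guest storage read-only, then run oscap offline against the mount point) as an added example. This is not the oscap-vm script itself; it assumes libguestfs' guestmount is available, that oscap honours the OSCAP_PROBE_ROOT environment variable for offline evaluation, and it adds one check a defender wants before touching a running guest's disk: refuse to scan unless the kernel actually reports the mount as read-only. MOUNT_BASE is an assumed location for the temporary mount point.

```shell
#!/bin/sh
# Added example, not the oscap-vm script from OpenSCAP: agent-less SCAP
# evaluation of a libvirt domain or a disk image in two steps.
#   1. guestmount the guest storage read-only (--ro) with inspection (-i),
#   2. run oscap with OSCAP_PROBE_ROOT pointing at the mount, so the probes
#      read the guest's files instead of the host's.
set -eu

MOUNT_BASE="${MOUNT_BASE:-/tmp}"   # assumed base directory for mount points

# guest_mount_args TARGET_TYPE TARGET
# Builds the guestmount arguments for a libvirt domain (-d) or an image (-a).
# --ro is what makes scanning a running guest safe: nothing is ever written.
guest_mount_args() {
    case "$1" in
        domain) printf '%s\n' "-d $2 --ro -i" ;;
        image)  printf '%s\n' "-a $2 --ro -i" ;;
        *)      echo "unknown target type: $1 (expected domain|image)" >&2
                return 1 ;;
    esac
}

# is_readonly_mount MOUNTPOINT
# True only if the kernel lists "ro" among the mount options.
is_readonly_mount() {
    findmnt -no OPTIONS "$1" 2>/dev/null | tr ',' '\n' | grep -qx ro
}

# scan_guest TARGET_TYPE TARGET OSCAP_ARGS...
# Example:
#   scan_guest image /var/lib/libvirt/images/rhel7.2.qcow2 xccdf eval \
#     --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
#     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
scan_guest() {
    ttype="$1"; target="$2"; shift 2
    mnt="$(mktemp -d "$MOUNT_BASE/oscap-vm.XXXXXX")"
    # Always unmount, even when oscap exits non-zero (2 means some rules failed).
    trap 'guestunmount "$mnt" 2>/dev/null; rmdir "$mnt" 2>/dev/null' EXIT
    # Word-splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    guestmount $(guest_mount_args "$ttype" "$target") "$mnt"
    if ! is_readonly_mount "$mnt"; then
        echo "refusing to scan: $mnt is not mounted read-only" >&2
        return 1
    fi
    OSCAP_PROBE_ROOT="$mnt" oscap "$@"
}
```

Everything after the target (`xccdf eval --profile ... ssg-rhel7-ds.xml`) is passed to oscap unchanged, which is what makes the syntax line up with oscap-ssh and oscap-docker; the read-only check costs one findmnt call and turns a silent mis-mount into a hard failure instead of a scan that might write into a live guest.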
Read more:
http://martin.preisler.me/2015/10/evaluate-virtual-machines-for-scap-complia...
https://github.com/OpenSCAP/openscap/pull/175
https://github.com/OpenSCAP/openscap/blob/maint-1.2/utils/oscap-vm.8
scap-security-guide@lists.fedorahosted.org