Can the openscap's oscap tool be run on a container to scan the host VM?

NOTE: It runs fine on the RHEL container (after install)

Dockerfile

FROM registry.access.redhat.com/ubi8/ubi:latest

RUN yum -y update
# install the scanner (the duplicated "-y" in the original line was harmless but redundant)
RUN yum -y install openscap-scanner

COPY benchmark.xml benchmark.xml

1 Answer

Theoretically, it could work, somehow. But I haven't tried that and I haven't heard about anyone using it this way. The container would need to have the host filesystem mounted in some directory. That's something you usually don't want to do in a typical container scenario. Then, oscap needs to be executed with the OSCAP_PROBE_ROOT environment variable set to the path of that mount directory. The OSCAP_PROBE_ROOT environment variable is used to modify the chroot of the scanner, but it is normally used for scanning containers from the host. I assume there will be various issues with permissions, capabilities, access rights, etc.

Jan Cerny
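The setup the answer sketches (host root bind-mounted into the container, OSCAP_PROBE_ROOT pointing at the mount), written out as an added shell example. This is not code from the question or the answer; the image name oscap-host-scan (built from the question's Dockerfile), the /host mount point, the output directory and the profile id are assumptions, and the "does the mount look like a host root" check is a sanity check added here because a wrong or empty OSCAP_PROBE_ROOT makes the probes evaluate an empty tree rather than fail loudly.

```shell
#!/bin/sh
# Added example: scan the host from inside the UBI container by bind-mounting
# the host root read-only and pointing OSCAP_PROBE_ROOT at it.
# Assumptions (not from the original post): image name, mount point, profile id.

HOST_MOUNT=${HOST_MOUNT:-/host}                       # assumed mount point
IMAGE=${IMAGE:-oscap-host-scan}                       # assumed: built from the question's Dockerfile
PROFILE=${PROFILE:-xccdf_org.example_profile_demo}    # assumed profile id inside benchmark.xml
OUTDIR=${OUTDIR:-/tmp/oscap-out}

# Compose the docker invocation as one string so it can be reviewed (or
# checked in CI) before anything is executed. Host root is mounted read-only;
# the read-only mount is what limits the blast radius of exposing "/" to the
# container, it does not make the container unprivileged.
build_scan_cmd() {
    mount="$1"; image="$2"; profile="$3"; outdir="$4"
    printf '%s' "docker run --rm -v /:${mount}:ro -v ${outdir}:/out -e OSCAP_PROBE_ROOT=${mount} ${image} oscap xccdf eval --profile ${profile} --results /out/results.xml --report /out/report.html benchmark.xml"
}

# Sanity check meant to run inside the container before scanning: the
# directory named by OSCAP_PROBE_ROOT must look like a host root (an /etc
# with os-release). If the bind mount is missing, the probes would happily
# evaluate the empty prefix and report nonsense instead of erroring out.
probe_root_looks_like_host() {
    root="$1"
    [ -d "$root/etc" ] && [ -f "$root/etc/os-release" ]
}

# Map the documented exit codes of "oscap xccdf eval" to a CI status:
# 0 = every rule passed, 2 = at least one rule failed, anything else = error
# (e.g. unreadable probe root, missing capability, bad benchmark).
oscap_exit_to_status() {
    case "$1" in
        0) echo pass ;;
        2) echo fail ;;
        *) echo error ;;
    esac
}

# Run the scan only when asked explicitly; otherwise just show the command.
run_host_scan() {
    mkdir -p "$OUTDIR"
    cmd=$(build_scan_cmd "$HOST_MOUNT" "$IMAGE" "$PROFILE" "$OUTDIR")
    echo "+ $cmd"
    sh -c "$cmd"
    oscap_exit_to_status "$?"
}

if [ "${1:-}" = "--run" ]; then
    run_host_scan
elif [ "${1:-}" = "--check-root" ]; then
    # to be invoked inside the container: ./scan.sh --check-root "$OSCAP_PROBE_ROOT"
    probe_root_looks_like_host "${2:-$HOST_MOUNT}" && echo "probe root ok" || { echo "probe root not a host tree" >&2; exit 1; }
else
    build_scan_cmd "$HOST_MOUNT" "$IMAGE" "$PROFILE" "$OUTDIR"; echo
fi
```

Note that the oscap process still runs as whatever user the container runs as, so files the host protects with mode 0600 (shadow, sshd keys, audit rules) are only readable if the container runs as root and no user namespace remaps it; a scan that "passes" with many rules reported as notchecked or error is usually this permission gap, which is the caveat the answer points at.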