I am attempting to scan a virtual machine generated off of a RHEL7 kickstart with some in-house configuration. Since the machine in question is still in testing, it's not yet authorized to connect out to the internet, only to its host. I'm using oscap-ssh to scan it from the host and generate a compliance report based on SCAP Security Guide.
Problem:
The SSG RHEL7 XCCDF profile has external references that it uses to evaluate some of the items on the list. oscap-ssh seems to try to resolve these from the context of the machine being scanned rather than the machine doing the scanning. As a result, it fails to load the external references and skips those items.
Question:
Is there any clean way to tell oscap an alternate location for references and provide it through the file system or network in some way? Worst case plan is to copy the xccdf files and edit the reference to something local... but I'd really like to avoid doing that if possible!
