OpenSCAP
SCAP
What is SCAP?
SCAP Components
OpenSCAP
What is OpenSCAP?
OpenSCAP Component
OpenSCAP Base :
OpenSCAP Daemon:
OpenSCAP Workbench:
SCAPTimony
OSCAP Anaconda Add-on
SCAP Security Guide
DEMO - OpenSCAP CLI
0. Test Environment
0.1. Download images RHEL/Centos
0.2. Deploy images
1. Install Necessary OpenSCAP Package
2. Evaluate Image with xccdf
3. Evaluate Image about CVE
4. Evaluate container with xccdf
5. Evaluate container about CVE
6. Useful Commands:
6.1. How to list profiles from xccdf file.
Atomic scan
1. What is ‘atomic scan’?
2. How atomic scan work?
3. atomic scan commands
3.1. Check Scanner
3.2. Evaluation Image/container
3.3. atomic scan help
4. OpenSCAP in Red Hat Projects
4.1. Satellite 6.2
4.2. Cloud Forms 4.1
5. Pros and Cons
5.1. Pros
5.2. Cons
6. TIP
How to start OpenSCAP workbench
Reference
Object:
This document is for anyone looking for a good tool for security scanning. I assume the
audience has some knowledge of RHEL/Fedora and docker. It briefly explains SCAP
components such as XCCDF and OVAL, but they are not the main topic, so it might not meet your
expectations on that front. This doc concentrates on how to use OpenSCAP from the CLI and with Red Hat
products. In addition, it is especially useful for OpenShift Container Platform engineers who have
been asked about docker image security by customers.
Description:
Over the last few years, docker has not only been a hot topic but has also changed development
methodology. It encourages developers to use docker images as a part of development, and many
groups and companies have started to create their own images with various libraries. For these
reasons, scanning containers and images for known vulnerabilities and configuration problems
is becoming more important. To cope with this, Red Hat has been building
a scanning tool based on the OpenSCAP project. Apart from the tried and true OpenSCAP project,
Red Hat has also started to build another tool, "atomic scan". Because it understands the underlying
architecture, it runs OpenSCAP in an SPC container which mounts a read-only rootfs from the host's file
system, so it cannot affect the host system. Only the folder that stores the result output is writeable.
This doc covers SCAP, OpenSCAP and atomic scan, through to OpenSCAP in Red Hat projects.
SCAP
What is SCAP?
Security Content Automation Protocol is a method for using specific standards to enable the
automated vulnerability management, measurement, and policy compliance evaluation of
systems deployed in an organization, including e.g., FISMA compliance. The National
Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
- en.wikipedia.org (http://goo.gl/10MH80)
SCAP Components
● XCCDF: The Extensible Configuration Checklist Description Format
● OVAL®: Open Vulnerability and Assessment Language
● CCE™: Common Configuration Enumeration
● CPE™: Common Platform Enumeration
● CVE®: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
Each component is a standard used in vulnerability management, and each has its own file format.
OpenSCAP
What is OpenSCAP?
It is an open source security compliance solution. In other words, it is an implementation that evaluates
VMs, images and containers using SCAP components. With OpenSCAP you can easily perform security
scanning, because it also provides the SSG (SCAP Security Guide).
● Homepage of the project: www.open-scap.org
● Manual: Oscap User Manual
● GitHub: https://github.com/OpenSCAP/openscap
OpenSCAP Component
OpenSCAP Base :
OpenSCAP Base provides a command line tool (oscap).
OpenSCAP Daemon:
The Daemon is a service that makes sure your machines and containers are evaluated
according to a schedule.
OpenSCAP Workbench:
This user-friendly graphical utility offers an easy way to tailor SCAP content to your needs,
perform local or remote scans, and export results.
SCAPTimony
SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony
about compliance of your infrastructure. Users are currently advised to use SCAPtimony only
through foreman_openscap, which is used in Satellite.
https://github.com/OpenSCAP/scaptimony
OSCAP Anaconda Add-on
An add-on for the installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to
enforce a system's compliance with the targeted security profile before the first boot.
SCAP Security Guide
OpenSCAP content, primarily for Red Hat Enterprise Linux. The Security Guide provides
practical hardening advice and links it to compliance requirements in order to ease deployment
activities such as certification and accreditation.
DEMO - OpenSCAP CLI
0. Test Environment
OpenSCAP Installed OS :
- Fedora 23
- RHEL 7.2
Security Scanning Target OS :
- RHEL 7.2 (VM) → TBD
- RHEL 7.2 (Image)
- CentOS 7 (Image)
- RHEL 7.2 (Container)
- CentOS 7 (Container)
0.1. Download images RHEL/Centos
# docker pull rhel7
# docker pull centos
Note: On RHEL, registry.access.redhat.com/rhel7 and docker.io/centos are downloaded.
On Fedora, docker.io/rhel7 and docker.io/centos are downloaded.
0.2. Deploy images
# docker run -it registry.access.redhat.com/rhel7 /bin/bash
## Type Ctrl + P + Q to detach and leave the container running
# docker run -it docker.io/centos /bin/bash
## Type Ctrl + P + Q to detach and leave the container running
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c17b32667a26 docker.io/centos "/bin/bash" 15 seconds ago Up 14 seconds evil_meninsky
5e4c4ff04211 registry.access.redhat.com/rhel7 "/bin/bash" 2 minutes ago Up 2 minutes
1. Install Necessary OpenSCAP Package
on Fedora
# dnf install openscap scap-security-guide openscap-containers openscap-utils openscap-scanner openscap-daemon atomic
on RHEL
# yum install openscap openscap-utils scap-security-guide atomic
Note: On RHEL, openscap and scap-security-guide are already installed.
SCAP Security Guide path: /usr/share/xml/scap/ssg/content/
Fedora ships more content files than RHEL.
2. Evaluate Image with xccdf
oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --report result-xccdf-image.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Result is in SCAP_RESULT folder: result-xccdf-image.html
3. Evaluate Image about CVE
oscap-docker image-cve registry.access.redhat.com/rhel7 --report result-cve-image.html --verbose DEVEL
Result is in SCAP_RESULT folder: result-cve-image.html
4. Evaluate container with xccdf
oscap-docker container 5e4c4ff04211 xccdf eval --report result-xccdf-container.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Result is in SCAP_RESULT folder: result-xccdf-container.html
5. Evaluate container about CVE
oscap-docker container-cve 5e4c4ff04211 --report result-cve-container.html --verbose DEVEL
Result is in SCAP_RESULT folder: result-cve-container.html
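As an added example (not part of the original document or the OpenSCAP project), here is a small Python checker for the XCCDF results produced by the image and container evaluations above; it assumes the scan was also run with `--results result-xccdf.xml`, an oscap xccdf eval option that oscap-docker passes through, and the TestResult below is a constructed sample, not real scan output.

```python
"""Summarise an XCCDF result file and decide whether an image should be blocked.

Added example: assumes the scan was run with an extra `--results result-xccdf.xml`
argument and that the content is XCCDF 1.1, matching the "Checklist version: 1.1"
that `oscap info` reports for ssg-rhel7-xccdf.xml.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace (assumed to match the ssg-rhel7 content version).
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# XCCDF severity values, ranked so a threshold can be compared against them.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample TestResult (not real scan output); rule ids are illustrative.
SAMPLE_RESULT = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_standard" start-time="2016-08-25T13:49:18">
    <profile idref="standard"/>
    <target>5e4c4ff04211</target>
    <rule-result idref="sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="package_telnet_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="ensure_gpgcheck_globally_activated" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="service_firewalld_enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="accounts_password_minlen_login_defs" severity="low">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) for every rule-result in every TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(xml_text):
    """Count rule outcomes (pass/fail/notapplicable/...) and read the default score."""
    root = ET.fromstring(xml_text)
    counts = Counter(result for _, _, result in parse_rule_results(xml_text))
    score = None
    for s in root.iterfind(".//x:TestResult/x:score", NS):
        if s.get("system") == "urn:xccdf:scoring:default":
            score = float(s.text)
    return {"counts": dict(counts), "score": score}


def failed_rules(xml_text, min_severity="medium"):
    """Rule ids that failed at or above min_severity, highest severity first."""
    threshold = SEVERITY_RANK[min_severity]
    failed = [(rid, sev) for rid, sev, res in parse_rule_results(xml_text)
              if res == "fail" and SEVERITY_RANK.get(sev, 0) >= threshold]
    failed.sort(key=lambda t: SEVERITY_RANK.get(t[1], 0), reverse=True)
    return [rid for rid, _ in failed]


def should_block(xml_text, min_severity="high"):
    """Gate decision for a build pipeline: True when any failure meets the threshold."""
    return bool(failed_rules(xml_text, min_severity))


if __name__ == "__main__":
    # Usage: python xccdf_gate.py result-xccdf.xml  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT
    print(summarize(text))
    for rid in failed_rules(text):
        print("FAIL", rid)
    sys.exit(1 if should_block(text) else 0)
```

The exit status makes the check usable as a gate in front of an image push, and the threshold can be lowered to "medium" where the standard profile is enforced strictly.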
6. Useful Commands:
6.1. How to list profiles from xccdf file.
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2015-10-02T06:17:44
Status: draft
Generated: 2015-10-02
Resolved: true
Profiles:
standard
pci-dss
rht-ccp
common
stig-rhel7-server-upstream
Referenced check files:
ssg-rhel7-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Atomic scan
1. What is ‘atomic scan’?
In the world of containers, there is a desperate need to be able to scan container images for
known vulnerabilities and configuration problems, and as we proliferate containers and bundled
applications into the enterprise, many groups and companies have started to build container
scanning tools. Even Red Hat has been building a scanning tool based on the tried and true
OpenSCAP project, but there were several problems we saw time and again.
The problems with existing container scanning tools included:
● Either these tools were required to be installed on the host, or if they were installed via a
container they would have to be very privileged; therefore, the containers themselves
could use that authority on the host machine.
● They were being hard coded to only support a single container framework – docker.
● We saw some very slow implementations, where the container scanning tools were
actually copying all of the content out of the container image, then scanning the content,
and finally removing the content. You can imagine how inefficient this could be for
hundreds or thousands of images or containers.
We decided we wanted to build a tool, atomic scan, that understood the underlying architecture
and could download and run containers with scanning tools in them. But, we also didn’t want the
scanning tools to be privileged; the atomic tool would be able to mount up read only rootfs from
the host’s file system. These mounted file systems could then be passed onto the scanning
container, along with a writeable directory for the scanner to place its output.
"Introducing atomic scan – Container vulnerability detection" (http://goo.gl/DRoSmm)
2. How does atomic scan work?
Basically, atomic runs OpenSCAP in an SPC (Super Privileged Container), but it mounts the host
storage read-only because, as the blog above says, the scanner does not need to write anything
except the output result.
A useful blog: http://goo.gl/9eJkgJ
3. atomic scan commands
3.1. Check Scanner
The scanner is pluggable, so new scanners can be developed later.
# atomic scan --list
Scanner: openscap
Image Name: rhel7/openscap
Scan type: cve *
Description: Performs a CVE scan based on known CVE data
Scan type: standards_compliance
Description: Performs a standard scan
* denotes defaults
Configuration file is /etc/atomic.conf
3.2. Evaluation Image/container
registry.access.redhat.com/rhel7/openscap is downloaded automatically and atomic
uses it as the SPC.
# atomic scan registry.access.redhat.com/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v
/run/atomic/2016-08-25-13-49-18-619455:/scanin -v
/var/lib/atomic/openscap/2016-08-25-13-49-18-619455:/scanout:rw,Z -v
/etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance
--targets chroots-in-dir:///scanin --output /scanout
Unable to find image 'rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
latest: Pulling from registry.access.redhat.com/rhel7/openscap
ee4aeaf2fc2d: Already exists
95ce96315363: Pulling fs layer
95ce96315363: Verifying Checksum
95ce96315363: Download complete
95ce96315363: Pull complete
95ce96315363: Pull complete
Digest: sha256:4ceff2a3a57fe8c40c9d5d4c6e73fe3e5955e8281c0cf488d4c385bff1ff6e0d
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
registry.access.redhat.com/rhel7 (sha256:4a6b6e1a)
registry.access.redhat.com/rhel7 is not supported for this scan.
Files associated with this scan are in
/var/lib/atomic/openscap/2016-08-25-13-49-18-619455.
Report path: /var/lib/atomic/openscap/2016-08-25-13-49-18-619455
Result json: ${Image_SHA}/json
/var/lib/atomic/openscap/2016-08-25-13-49-18-619455/sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b/json
On Fedora, you sometimes need a few more steps before the SPC can be used:
# docker pull docker.io/rhel7/openscap
# atomic install docker.io/rhel7/openscap
3.3. atomic scan help
[root@localhost sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b]# atomic scan -h
usage: atomic scan [-h] [--scanner {openscap}] [--scan_type SCAN_TYPE]
[--list] [--verbose] [--rootfs [ROOTFS] | --all | --images
| --containers]
[scan_targets [scan_targets ...]]
positional arguments:
scan_targets container image
optional arguments:
-h, --help show this help message and exit
--scanner {openscap} define the intended scanner
--scan_type SCAN_TYPE
define the intended scanner
--list List available scanners
--verbose Show more output from scanning container
--rootfs [ROOTFS] Rootfs path to scan
--all scan all images (excluding intermediate layers) and
containers
--images scan all images (excluding intermediate layers)
--containers scan all containers
atomic scan <input> scans a container or image for CVEs
3.4. How to cope with a vulnerable image?
Q. If atomic scan or OpenSCAP finds any CVEs on any official images, what are the next steps? Should I create a
support case for them every time to get new images?
GSS Answer:
Broadly we'd like to handle and track fixes for Red Hat maintained images on an image-by-image or case-by-case
basis. That is the recommended flow. Keep in mind that the cloud enablement team will continually be
working to offer updated product images to follow along with general product releases outside of xPaas. You
can refer to this public kcs article for additional information on the goal for xPaas image releases.
https://access.redhat.com/articles/2208321
4. OpenSCAP in Red Hat Projects
4.1. Satellite 6.2
4.2. Cloud Forms 4.1
5. Pros and Cons
5.1. Pros
● OpenSCAP has received a NIST certification for its support of SCAP 1.2.
● Red Hat sponsors OpenSCAP.
● Red Hat supports OpenSCAP under a RHEL subscription.
● Red Hat Enterprise Linux 7 ships OpenSCAP packages.
● OpenSCAP has started to support docker images/containers*
● Red Hat has integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1)**
* it can scan only RHEL-based docker images/containers
** it is officially supported from Satellite 6.2 / CloudForms 4.1
5.2. Cons
- Can evaluate RHEL-based images only
6. TIP
How to start OpenSCAP workbench
Reference:
https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
Reference
RHEL 7 Document
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Compliance_and_Vulnerability_Scanning.html#sect-Security_Compliance_in_RHEL
atomic scan and openscap-daemon
https://martin.preisler.me/2015/11/atomic-scan-and-openscap-daemon/
Introducing atomic scan – Container vulnerability detection
http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
SPC
http://developers.redhat.com/blog/2014/11/06/introducing-a-super-privileged-container-concept/
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Recently uploaded (20)

Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

OpenSCAP Overview (security scanning for docker image and container)

OpenSCAP
  SCAP
    What is SCAP?
    SCAP Components
  OpenSCAP
    What is OpenSCAP?
    OpenSCAP Component
      OpenSCAP Base
      OpenSCAP Daemon
      OpenSCAP Workbench
      SCAPTimony
      OSCAP Anaconda Add-on
      SCAP Security Guide
  DEMO - OpenSCAP CLI
    0. Test Environment
      0.1. Download images RHEL/Centos
      0.2. Deploy images
    1. Install Necessary OpenSCAP Package
    2. Evaluate Image with xccdf
    3. Evaluate Image about CVE
    4. Evaluate container with xccdf
    5. Evaluate container about CVE
    6. Useful Commands
      6.1. How to list profiles from xccdf file
  Atomic scan
    1. What is 'atomic scan'?
    2. How atomic scan work?
    3. atomic scan commands
      3.1. Check Scanner
      3.2. Evaluation Image/container
      3.3. atomic scan help
    4. OpenSCAP in Red Hat Projects
      4.1. Satellite 6.2
      4.2. Cloud Forms 4.1
    5. Pros and Cons
      5.1. Pros
      5.2. Cons
    6. TIP
      How to start OpenSCAP workbench
  Reference

Object:
This document is for anyone looking for a good tool to do security scanning. I assume the audience has some knowledge of RHEL/Fedora and docker. It briefly explains SCAP components such as XCCDF and OVAL, but they are not the main topic, so it might not meet your expectations there. The document concentrates on how to use OpenSCAP from the CLI and with Red Hat products. In addition, it is especially useful for OpenShift Container Platform engineers who are asked about docker image security by customers.

Description:
Over the last few years, docker has not only been a hot topic but has also changed the development methodology. It encourages developers to use docker images as part of development, and many groups and companies have started to create their own images with various libraries. For these reasons, scanning containers and images for known vulnerabilities and configuration problems is becoming more important. To cope with this, Red Hat has been building a scanning tool based on the OpenSCAP project. Apart from the tried and true OpenSCAP project itself, Red Hat has also started to build another tool, "atomic scan". Because it understands the underlying architecture, it uses an OpenSCAP SPC (super privileged container) that mounts a read-only rootfs from the host's file system, so the scan cannot affect the host system; only the folder that stores the result output is writeable. This document covers SCAP, OpenSCAP, atomic scan, and OpenSCAP in Red Hat projects.

SCAP

What is SCAP?
Security Content Automation Protocol is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. - en.wikipedia.org (http://goo.gl/10MH80)
SCAP Components
● XCCDF: The Extensible Configuration Checklist Description Format
● OVAL®: Open Vulnerability and Assessment Language
● CCE™: Common Configuration Enumeration
● CPE™: Common Platform Enumeration
● CVE®: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
All components are standards used in vulnerability management, and each has its own file format.

OpenSCAP

What is OpenSCAP?
It is an open source security compliance solution. In other words, it is an implementation that evaluates VMs, images and containers using the SCAP components. With OpenSCAP you can easily carry out security scanning because it also provides the SSG (SCAP Security Guide).
● Homepage of the project: www.open-scap.org
● Manual: Oscap User Manual
● GitHub: https://github.com/OpenSCAP/openscap

OpenSCAP Component

OpenSCAP Base:
OpenSCAP Base provides a command line tool.

OpenSCAP Daemon:
The Daemon is a service that makes sure your machines and containers are evaluated according to the schedule.
OpenSCAP Workbench:
This user-friendly graphical utility offers an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.

SCAPTimony
SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony about the compliance of your infrastructure. Users are currently advised to use SCAPtimony only through foreman_openscap, which is used in Satellite.
https://github.com/OpenSCAP/scaptimony

OSCAP Anaconda Add-on
An add-on for the installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to enforce a system's compliance with the targeted security profile before the first boot.
oscap command:

SCAP Security Guide
OpenSCAP content primarily for Red Hat Enterprise Linux. The Security Guide provides practical hardening advice and links it to compliance requirements in order to ease deployment activities such as certification and accreditation.

DEMO - OpenSCAP CLI

0. Test Environment
OpenSCAP installed OS:
- Fedora 23
- RHEL 7.2
Security scanning target OS:
- RHEL 7.2 (VM) → TBD
- RHEL 7.2 (Image)
- CentOS 7 (Image)
- RHEL 7.2 (Container)
- CentOS 7 (Container)

0.1. Download images RHEL/Centos
# docker pull rhel7
# docker pull centos
Note: On RHEL, registry.access.redhat.com/rhel7 and docker.io/centos are downloaded.
On Fedora, docker.io/rhel7 and docker.io/centos are downloaded.

0.2. Deploy images
# docker run -it registry.access.redhat.com/rhel7 /bin/bash
## Type Ctrl + P + Q
# docker run -it docker.io/centos /bin/bash
## Type Ctrl + P + Q
# docker ps
CONTAINER ID        IMAGE                              COMMAND       CREATED          STATUS          PORTS   NAMES
c17b32667a26        docker.io/centos                   "/bin/bash"   15 seconds ago   Up 14 seconds           evil_meninsky
5e4c4ff04211        registry.access.redhat.com/rhel7   "/bin/bash"   2 minutes ago    Up 2 minutes

1. Install Necessary OpenSCAP Package
On Fedora:
# dnf install openscap scap-security-guide openscap-containers openscap-utils openscap-scanner openscap-daemon atomic
On RHEL:
# yum install openscap openscap-utils scap-security-guide atomic
Note: openscap and scap-security-guide are already installed.
SCAP Security Guide path: /usr/share/xml/scap/ssg/content/
Fedora has more files compared to RHEL.

2. Evaluate Image with xccdf
oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --report result-xccdf-image.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Result is in the SCAP_RESULT folder: result-xccdf-image.html

3. Evaluate Image about CVE
oscap-docker image-cve registry.access.redhat.com/rhel7 --report result-cve-image.html --verbose DEVEL
Result is in the SCAP_RESULT folder: result-cve-image.html

4. Evaluate container with xccdf
oscap-docker container 5e4c4ff04211 xccdf eval --report result-xccdf-container.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Result is in the SCAP_RESULT folder: result-xccdf-container.html

5. Evaluate container about CVE
oscap-docker container-cve 5e4c4ff04211 --report result-cve-container.html --verbose DEVEL
Result is in the SCAP_RESULT folder: result-cve-container.html
(The container-cve subcommand, like image-cve, takes no XCCDF benchmark or profile; those arguments belong only to the xccdf eval scans in steps 2 and 4.)
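The following is an added example, not code from the deck or from the OpenSCAP project. It is a small POSIX sh helper that builds the four oscap-docker command lines used in steps 2 to 5 (the CVE variants take no XCCDF arguments) and extracts the profile IDs from `oscap info` output so that a `--profile` value can be checked before a scan is started. The function names, the `SSG_RHEL7_XCCDF` variable and the embedded `oscap info` sample are the example's own; the sample is constructed to mirror the bare-ID layout shown in section 6.1 below, and the parser assumes that layout.

```shell
#!/bin/sh
# Added example (not part of the original deck). Helper functions for the
# oscap-docker workflow: build the command lines for steps 2-5 and list the
# profile IDs that `oscap info` prints, so --profile can be validated first.
# All function and variable names here are the example's own assumptions.

# Path from the deck's "SCAP Security Guide path" note.
SSG_RHEL7_XCCDF=/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

# Build an oscap-docker command line (printed, not executed).
#   $1  target kind: image | container
#   $2  image name or container ID
#   $3  scan mode:   xccdf | cve
#   $4  HTML report file
#   $5  XCCDF profile ID (xccdf mode only; defaults to "standard")
oscap_docker_cmd() {
    kind=$1 target=$2 mode=$3 report=$4 profile=${5:-standard}
    case "$kind" in
        image|container) ;;
        *) echo "oscap_docker_cmd: unknown target kind '$kind'" >&2; return 1 ;;
    esac
    case "$mode" in
        xccdf)
            # Configuration compliance: needs the XCCDF benchmark and a profile.
            printf '%s\n' "oscap-docker $kind $target xccdf eval --report $report --verbose DEVEL --profile $profile $SSG_RHEL7_XCCDF"
            ;;
        cve)
            # Known-vulnerability scan: the *-cve subcommands take no XCCDF arguments.
            printf '%s\n' "oscap-docker ${kind}-cve $target --report $report --verbose DEVEL"
            ;;
        *) echo "oscap_docker_cmd: unknown scan mode '$mode'" >&2; return 1 ;;
    esac
}

# Print the profile IDs from `oscap info` output read on stdin. Assumes the
# bare-ID layout (one ID per indented line under "Profiles:", terminated by
# "Referenced check files:").
xccdf_profiles() {
    awk '
        /^Profiles:/               { in_profiles = 1; next }
        /^Referenced check files:/ { in_profiles = 0 }
        in_profiles && NF          { print $1 }
    '
}

# Return 0 if profile $2 appears in the `oscap info` text $1, else 1.
profile_exists() {
    printf '%s\n' "$1" | xccdf_profiles | grep -qx -- "$2"
}

# Constructed sample, modelled on the `oscap info` output in section 6.1.
SAMPLE_OSCAP_INFO=$(cat <<'EOF'
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2015-10-02T06:17:44
Status: draft
Generated: 2015-10-02
Resolved: true
Profiles:
    standard
    pci-dss
    rht-ccp
    common
    stig-rhel7-server-upstream
Referenced check files:
    ssg-rhel7-oval.xml
        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
EOF
)

# Demo: validate the profile, then print the four commands from the deck.
if profile_exists "$SAMPLE_OSCAP_INFO" standard; then
    oscap_docker_cmd image     registry.access.redhat.com/rhel7 xccdf result-xccdf-image.html standard
    oscap_docker_cmd image     registry.access.redhat.com/rhel7 cve   result-cve-image.html
    oscap_docker_cmd container 5e4c4ff04211                     xccdf result-xccdf-container.html standard
    oscap_docker_cmd container 5e4c4ff04211                     cve   result-cve-container.html
fi
```

On a real host, replace the constructed sample with `oscap info "$SSG_RHEL7_XCCDF"` and pipe the printed command to `sh` once the profile check passes; keeping the command build separate from execution makes it easy to log exactly what was run next to the resulting report.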
6. Useful Commands:

6.1. How to list profiles from xccdf file.
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2015-10-02T06:17:44
Status: draft
Generated: 2015-10-02
Resolved: true
Profiles:
    standard
    pci-dss
    rht-ccp
    common
    stig-rhel7-server-upstream
Referenced check files:
    ssg-rhel7-oval.xml
        system: http://oval.mitre.org/XMLSchema/oval-definitions-5

Atomic scan

1. What is 'atomic scan'?
In the world of containers, there is a desperate need to be able to scan container images for known vulnerabilities and configuration problems, and as we proliferate containers and bundled applications into the enterprise, many groups and companies have started to build container scanning tools. Even Red Hat has been building a scanning tool based on the tried and true OpenSCAP project, but there were several problems we saw time and again. The problems with existing container scanning tools included:
● Either these tools were required to be installed on the host, or if they were installed via a container they would have to be very privileged; therefore, the containers themselves could use that authority on the host machine.
● They were being hard coded to only support a single container framework – docker.
● We saw some very slow implementations, where the container scanning tools were actually copying all of the content out of the container image, then scanning the content, and finally removing the content. You can imagine how inefficient this could be for hundreds or thousands of images or containers.
We decided we wanted to build a tool, atomic scan, that understood the underlying architecture and could download and run containers with scanning tools in them. But, we also didn't want the scanning tools to be privileged; the atomic tool would be able to mount up read only rootfs from the host's file system. These mounted file systems could then be passed onto the scanning container, along with a writeable directory for the scanner to place its output.
"Introducing atomic scan – Container vulnerability detection (http://goo.gl/DRoSmm)"

2. How atomic scan work?
Basically, atomic uses OpenSCAP in an SPC (Super Privileged Container), but it mounts the host storage read-only because, as the blog above says, it does not need to write anything except the output result.
The useful blog: http://goo.gl/9eJkgJ

3. atomic scan commands

3.1. Check Scanner
The scanner is pluggable, so new scanners can be developed later.
# atomic scan --list
Scanner: openscap
  Image Name: rhel7/openscap
  Scan type: cve *
    Description: Performs a CVE scan based on known CVE data
  Scan type: standards_compliance
    Description: Performs a standard scan

* denotes defaults
Configuration file is /etc/atomic.conf

3.2. Evaluation Image/container
registry.access.redhat.com/rhel7/openscap is downloaded automatically and atomic uses it as the SPC.
# atomic scan registry.access.redhat.com/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-08-25-13-49-18-619455:/scanin -v /var/lib/atomic/openscap/2016-08-25-13-49-18-619455:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Unable to find image 'rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ...
latest: Pulling from registry.access.redhat.com/rhel7/openscap
ee4aeaf2fc2d: Already exists
95ce96315363: Pulling fs layer
95ce96315363: Verifying Checksum
95ce96315363: Download complete
95ce96315363: Pull complete
95ce96315363: Pull complete
Digest: sha256:4ceff2a3a57fe8c40c9d5d4c6e73fe3e5955e8281c0cf488d4c385bff1ff6e0d
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
registry.access.redhat.com/rhel7 (sha256:4a6b6e1a)
registry.access.redhat.com/rhel7 is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2016-08-25-13-49-18-619455.

Report path: /var/lib/atomic/openscap/2016-08-25-13-49-18-619455
Result json: ${Image_SHA}/json
/var/lib/atomic/openscap/2016-08-25-13-49-18-619455/sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b/json

On Fedora, you sometimes need a few more steps before the SPC can be used:
# docker pull docker.io/rhel7/openscap
# atomic install docker.io/rhel7/openscap

3.3. atomic scan help
[root@localhost sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b]# atomic scan -h
usage: atomic scan [-h] [--scanner {openscap}] [--scan_type SCAN_TYPE] [--list]
                   [--verbose]
                   [--rootfs [ROOTFS] | --all | --images | --containers]
                   [scan_targets [scan_targets ...]]

positional arguments:
  scan_targets          container image

optional arguments:
  -h, --help            show this help message and exit
  --scanner {openscap}  define the intended scanner
  --scan_type SCAN_TYPE
                        define the intended scanner
  --list                List available scanners
  --verbose             Show more output from scanning container
  --rootfs [ROOTFS]     Rootfs path to scan
  --all                 scan all images (excluding intermediate layers) and
                        containers
  --images              scan all images (excluding intermediate layers)
  --containers          scan all containers

atomic scan <input> scans a container or image for CVEs

3.4. How to cope with vulnerable image?
Q. If atomic scan or OpenSCAP finds any CVEs in an official image, what are the next steps? Should I open a support case every time to get a new image?
GSS Answer: Broadly we'd like to handle and track fixes for Red Hat maintained images on an image by image or case by case basis. That is the recommended flow. Keep in mind that the cloud enablement team will continually be working to offer updated product images to follow along with general product releases outside of xPaaS. You can refer to this public kcs article for additional information on the goal for xPaaS image releases. https://access.redhat.com/articles/2208321

4. OpenSCAP in Red Hat Projects
4.1. Satellite 6.2
4.2. Cloud Forms 4.1

5. Pros and Cons

5.1. Pros
● OpenSCAP has received a NIST certification for its support of SCAP 1.2.
● Red Hat sponsors OpenSCAP.
● Red Hat supports OpenSCAP with a RHEL subscription.
● Red Hat Enterprise Linux 7 contains the OpenSCAP packages.
● OpenSCAP has started to support docker images/containers.*
● Red Hat has integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1).**
* It can scan only RHEL-based docker images/containers.
** It is officially supported from Satellite 6.2 / CloudForms 4.1.

5.2. Cons
- Can evaluate RHEL-based images only

6. TIP

How to start OpenSCAP workbench
Reference: https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/

Reference
RHEL 7 Document
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Compliance_and_Vulnerability_Scanning.html#sect-Security_Compliance_in_RHEL
atomic scan and openscap-daemon
https://martin.preisler.me/2015/11/atomic-scan-and-openscap-daemon/
Introducing atomic scan – Container vulnerability detection
http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
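Returning to section 3.2 above: each atomic scan run leaves its files under a timestamped directory below /var/lib/atomic/openscap, with one `<image SHA>/json` result per scanned target. The following is an added example, not code from the deck or from the atomic project: a POSIX sh helper that finds the newest run directory and lists the result files in it. The function names and the `ATOMIC_SCAN_ROOT` variable are the example's own; the sample directory tree it builds is constructed from the paths shown in section 3.2 so that the helper can be exercised without a real scan.

```shell
#!/bin/sh
# Added example (not part of the original deck). Locates the newest atomic
# scan run under the output root shown in section 3.2
# (/var/lib/atomic/openscap/<timestamp>) and lists each scanned target's
# result file (<image SHA>/json). Function names are the example's own.

ATOMIC_SCAN_ROOT=${ATOMIC_SCAN_ROOT:-/var/lib/atomic/openscap}

# Print the newest run directory under $1 (default: ATOMIC_SCAN_ROOT).
# Run names are YYYY-MM-DD-HH-MM-SS-microseconds, so a plain sort is chronological.
latest_scan_dir() {
    root=${1:-$ATOMIC_SCAN_ROOT}
    [ -d "$root" ] || { echo "latest_scan_dir: no such directory: $root" >&2; return 1; }
    newest=$(ls -1 "$root" | grep -E '^[0-9]{4}(-[0-9]{2}){5}-[0-9]+$' | sort | tail -n 1)
    [ -n "$newest" ] || { echo "latest_scan_dir: no scan runs in $root" >&2; return 1; }
    printf '%s\n' "$root/$newest"
}

# Print "<image SHA><TAB><json path>" for every target in run directory $1.
scan_results() {
    for json in "$1"/sha256:*/json; do
        [ -f "$json" ] || continue            # glob did not match anything
        printf '%s\t%s\n' "$(basename "$(dirname "$json")")" "$json"
    done
}

# Build a constructed sample tree (two runs, one target each) and print its path.
# The newer run reuses the timestamp and image SHA quoted in section 3.2.
make_sample_root() {
    root=$(mktemp -d)
    old="$root/2016-08-24-09-00-00-000001/sha256:0000000000000000000000000000000000000000000000000000000000000000"
    new="$root/2016-08-25-13-49-18-619455/sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b"
    mkdir -p "$old" "$new"
    printf '{}\n' > "$old/json"     # placeholder content; real files hold the scanner's JSON
    printf '{}\n' > "$new/json"
    printf '%s\n' "$root"
}

# Demo against the constructed tree (on a real host, omit the argument to use the default root).
sample=$(make_sample_root)
run=$(latest_scan_dir "$sample")
echo "newest run: $run"
scan_results "$run"
rm -rf "$sample"
```

Because the run directory name is the only handle atomic prints for a scan, keeping this lookup in a script avoids copying timestamps by hand when several scans are queued from a CI job; the SHA column ties each json file back to the image that was scanned.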