Openscap scanning Atomic Host

Latest response

Does anyone know how to use openscap (or any scap tool) to scan the atomic host itself? I know how to scan the containers within the Atomic host, but how to scan the host? It won't let me install openscap and you can't scan remotely unless the bare minimum of openscap is installed. FYI, I've also tried SCAP workbench and SCC from IASE.

CG
Log in to join the conversation

Responses

R. Hinton.'s picture Guru 10133 points
29 August 2018 12:22 AM

Hi Chris, I believe this is the path you've been down in this Red Hat document on this topic.

UPDATE I'm checking to see if it will allow scanning of the host. UPDATE 2 apologies, I couldn't find the *scap means to scan atomic host.
Regards,

RJ

R. Hinton.'s picture Guru 10133 points
29 August 2018 12:25 AM

I'll see if I can find anything on that for you.

R. Hinton.'s picture Guru 10133 points
29 August 2018 12:30 AM

Chris, apologies, I can't immediately find anything, I'll dig some more. Perhaps someone else in the community might chime in here, hopefully,

Genuinely curious, what is the error that occurs if/when you attempt to install SCAP of any form on the host? I'm a command line guy, but would the GUI-scap scanner work if you were to install it on another system and ssh to it? I have not been down the path of Atomic Host, so I don't know if that's feasible, I suspect if you are posting here, it might not be. However, what error did your receive?

Regards,

RJ

CG Community Member 30 points
29 August 2018 12:42 AM

Thanks RJ. No matter what RPM I try to install, SCAP or not, it won't install. It says this,

error: can't create transaction lock on /var/lib/rpm/.rpm.lock (No such file or directory)

I read somewhere (I'll try to find it) that you cannot install RPMs in general on Atomic host, its all packaged by Red hat. Red hat makes a container scanner using oscap (see link above), but I don't see a way to scan the host . P.S. It looks like it may be possible to some way edit the docker command that's generated by the

atomic scan --scanner openscap

command.

CG Community Member 30 points
29 August 2018 12:44 AM

When I run the command, the following gets generated:

docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2018-08-29-00-43-03-638738:/scanin -v /var/lib/atomic/openscap/2018-08-29-00-43-03-638738:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
CG Community Member 30 points
29 August 2018 12:47 AM

I was thinking if I could change the targets, maybe I could get it to scan the host?

R. Hinton.'s picture Guru 10133 points
29 August 2018 1:40 AM

Certainly worth a shot... I've found undocumented means to do things through trial and error. Apologies I haven't experienced Atomic Host. I should give it a whirl.

R. Hinton.'s picture Guru 10133 points
29 August 2018 1:16 AM

Chris,

Forgive and indulge me with the answer to this question, have you tried "sudo -i " or making sure you're root? Kinda taking a wild stab here, maybe examine this https://unix.stackexchange.com/questions/125706/why-cant-i-install-packages-with-rpm-i-get-transaction-lock

R. Hinton.'s picture Guru 10133 points
29 August 2018 1:26 AM

Chris, update, see the posts by PixelDrift here in this discussion https://access.redhat.com/discussions/3248901

CG Community Member 30 points
30 August 2018 5:28 PM

RJ, thanks for that link, I checked it out. But I am logging in as root. Atomic Linux doesn't have all the libraries that RHEL has so I think this is something specific to Atomic.

CG Community Member 30 points
30 August 2018 6:19 PM

update - I'm going over a couple commands, one is:

rpm-ostree install abc123.rpm

The other is:

atomic-pkgplayer

I'll keep you posted.

R. Hinton.'s picture Guru 10133 points
31 August 2018 1:25 AM

Please let us know how it goes; I wondered how it would pan out.

Thanks for updating the discovery on this topic.

Matus Marhefka's picture Red Hat Newbie 5 points
4 September 2018 11:00 AM

Hello,

you can use 'atomic scan' to do this:

$ sudo atomic scan --rootfs / --scan_type configuration_compliance --scanner_args profile=pci-dss

To perform this scan you need to have rhel7/openscap image installed. See https://access.redhat.com/containers/?tab=images#/registry.access.redhat.com/rhel7/openscap

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.