Openscap scanning Atomic Host


Does anyone know how to use openscap (or any scap tool) to scan the atomic host itself? I know how to scan the containers within the Atomic host, but how to scan the host? It won't let me install openscap and you can't scan remotely unless the bare minimum of openscap is installed. FYI, I've also tried SCAP workbench and SCC from IASE.

Responses

Hi Chris, I believe this is the path you've been down in this Red Hat document on this topic.

UPDATE: I'm checking to see if it will allow scanning of the host. UPDATE 2: Apologies, I couldn't find the *scap means to scan Atomic Host.
Regards,

RJ

I'll see if I can find anything on that for you.

Chris, apologies, I can't immediately find anything; I'll dig some more. Perhaps someone else in the community might chime in here, hopefully.

Genuinely curious, what is the error that occurs if/when you attempt to install SCAP of any form on the host? I'm a command line guy, but would the GUI SCAP scanner work if you were to install it on another system and ssh to it? I have not been down the path of Atomic Host, so I don't know if that's feasible; I suspect if you are posting here, it might not be. However, what error did you receive?

Regards,

RJ

Thanks RJ. No matter what RPM I try to install, SCAP or not, it won't install. It says this:

error: can't create transaction lock on /var/lib/rpm/.rpm.lock (No such file or directory)

I read somewhere (I'll try to find it) that you cannot install RPMs in general on Atomic Host; it's all packaged by Red Hat. Red Hat makes a container scanner using oscap (see link above), but I don't see a way to scan the host. P.S. It looks like it may be possible to somehow edit the docker command that's generated by the

atomic scan --scanner openscap

command.

When I run the command, the following gets generated:

docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2018-08-29-00-43-03-638738:/scanin -v /var/lib/atomic/openscap/2018-08-29-00-43-03-638738:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

I was thinking if I could change the targets, maybe I could get it to scan the host?

Certainly worth a shot... I've found undocumented means to do things through trial and error. Apologies I haven't experienced Atomic Host. I should give it a whirl.

Chris,

Forgive and indulge me with the answer to this question: have you tried "sudo -i" or making sure you're root? Kinda taking a wild stab here; maybe examine this: https://unix.stackexchange.com/questions/125706/why-cant-i-install-packages-with-rpm-i-get-transaction-lock

RJ, thanks for that link, I checked it out. But I am logging in as root. Atomic Linux doesn't have all the libraries that RHEL has, so I think this is something specific to Atomic.

Update: I'm going over a couple of commands. One is:

rpm-ostree install abc123.rpm

The other is:

atomic-pkgplayer

I'll keep you posted.

Please let us know how it goes; I wondered how it would pan out.

Thanks for updating the discovery on this topic.

Hello,

You can use 'atomic scan' to do this:

$ sudo atomic scan --rootfs / --scan_type configuration_compliance --scanner_args profile=pci-dss

To perform this scan you need to have the rhel7/openscap image installed. See https://access.redhat.com/containers/?tab=images#/registry.access.redhat.com/rhel7/openscap
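As an added example (not code from this thread or from Red Hat), a small wrapper around the command in the answer above: it runs the host scan and then summarises pass/fail counts and failed rule ids from the results. The result location (the /scanout directory from the docker line) and the XCCDF rule-result layout it reads are assumptions, and the sample results file it uses when run without arguments is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): wraps the host scan from the final answer and
# summarises the XCCDF results. Assumed, not stated on the page: results are XML under
# /var/lib/atomic/openscap/<timestamp>/ (the /scanout mount in the docker line) holding
# <rule-result idref="..."><result>...</result></rule-result> elements as OpenSCAP emits.
set -eu
IMAGE="registry.access.redhat.com/rhel7/openscap"   # scanner image named in the thread
OUTDIR="/var/lib/atomic/openscap"                    # scan output root from the docker line

scan_host() { # the command from the answer: scan the host root, not a container
  docker inspect "$IMAGE" >/dev/null 2>&1 || docker pull "$IMAGE"   # image must be local
  atomic scan --rootfs / --scan_type configuration_compliance --scanner_args profile=pci-dss
}

count_results() { # $1 = results XML, $2 = result value (pass, fail, notapplicable, ...)
  grep -o "result>$2</" "$1" | wc -l | tr -d ' '   # tolerates a prefix like <xccdf:result>
}

failed_rule_ids() { # $1 = results XML; prints the idref of every failed rule
  awk '/rule-result idref=/ { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
       /result>fail</ { print id }' "$1"
}

report() { # $1 = directory holding result XML files
  for f in "$1"/*.xml; do
    [ -f "$f" ] || continue
    echo "$f: pass=$(count_results "$f" pass) fail=$(count_results "$f" fail)"
    failed_rule_ids "$f" | sed 's/^/  FAIL /'
  done
}

make_sample_results() { # $1 = path; constructed results file so the report runs offline
  cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_sample">
  <rule-result idref="xccdf_org.example_rule_a"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_b" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_c"><result>notapplicable</result></rule-result>
</TestResult>
EOF
}

if [ "${1:-}" = "scan" ]; then          # real run: scan, then report the newest result dir
  scan_host && report "$(ls -1d "$OUTDIR"/*/ | sort | tail -n 1)"
else                                    # default: demonstrate the report on the sample
  tmp=$(mktemp -d); make_sample_results "$tmp/results.xml"; report "$tmp"; rm -rf "$tmp"
fi
```

Run it as root on the Atomic Host with the argument `scan` to perform the real scan; without arguments it only exercises the report on the constructed sample.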
