7.6. Using OpenSCAP with Atomic

To verify that all the container images and containers present on the system are free of known CVE vulnerabilities or common misconfigurations, use the OpenSCAP scanning capabilities through the atomic scan command.

Atomic Scan

To install the atomic tool on your system for container management, enter the following command as root:
# yum install atomic
After the atomic tool is installed, you also need a scanner. Red Hat recommends choosing the OpenSCAP-based rhel7/openscap docker image. Install it by running the following command as root:
# atomic install rhel7/openscap
Once the OpenSCAP docker image is in place, you can issue atomic scan commands. Scan the containers and container images by running the following command as root:
# atomic scan $ID
Replace $ID with the ID of the container (or container image) to scan. To scan all container images or all containers, use the --images or --containers directive, respectively. To scan both types, use the --all directive.

The OpenSCAP Scanner

The rhel7/openscap container image, the default scanner for atomic scan, currently supports two scan types, both of which target Red Hat Enterprise Linux systems only. List the supported scan types by running the following command as root:
# atomic scan --scanner openscap --list
The default scan type is the CVE scan. Use it to check the target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.

Warning

The OVAL definitions used by the CVE scan type are bundled in the container image during the build process, and as such are not always up-to-date.
The second supported scan type is standards_compliance, where the Standard System Security Profile of the bundled SCAP Security Guide is used for evaluation. This is the security baseline profile for Red Hat Enterprise Linux.

Example 7.13. Scanning the Container Image with Atomic Scan

The following example of atomic scan usage shows how to scan a Red Hat Enterprise Linux image and then list all found vulnerabilities with the --verbose directive.
# docker pull rhel7
Using default tag: latest
98a88a8b722a: Download complete
# atomic scan 98a88a8b722a
Container/Image    Cri     Imp     Med     Low
---------------    ---     ---     ---     ---
98a88a8b722a         0       0       0       0
# atomic scan --verbose 98a88a8b722a
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-10-14-06-42-55-991951:/scanin -v /var/lib/atomic/openscap/2016-10-14-06-42-55-991951:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861'

98a88a8b722a (registry.access.redhat.com/rhel7:latest)

98a88a8b722a passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-10-14-06-42-55-991951.
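The summary table above is what a scheduled job or CI step has to act on. The script below is an added example, not part of the Red Hat guide or the atomic tool: it runs the scan-all-images procedure from the "Atomic Scan" section (atomic scan --images, as root) and then parses the Container/Image, Cri, Imp, Med, Low table shown in Example 7.13 so that any Critical or Important finding fails the job. When atomic is not installed it falls back to a constructed sample table; the image ID 0123456789ab and its counts in that sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): gate a job on the summary
# table printed by `atomic scan`. The column names (Container/Image, Cri,
# Imp, Med, Low) are the ones shown in the guide's Example 7.13.

# Constructed sample of `atomic scan --images` output: the clean rhel7
# image from the guide plus a made-up image with findings.
SAMPLE_SCAN_OUTPUT='Container/Image    Cri     Imp     Med     Low
---------------    ---     ---     ---     ---
98a88a8b722a         0       0       0       0
0123456789ab         1       2       0       5'

# count_findings OUTPUT SEVERITY
# Sums one severity column (Cri, Imp, Med or Low) over every data row of
# the table. The header line selects the column; the dashed rule, the
# "Files associated with this scan ..." footer and any other non-numeric
# lines are ignored.
count_findings() {
    printf '%s\n' "$1" | awk -v sev="$2" '
        /^Container\/Image/ { for (i = 1; i <= NF; i++) if ($i == sev) col = i; next }
        /^-+/ { next }
        col && NF >= col && $col ~ /^[0-9]+$/ { total += $col }
        END { print total + 0 }'
}

# images_with_findings OUTPUT
# Prints the ID of every row whose Cri or Imp column is non-zero.
images_with_findings() {
    printf '%s\n' "$1" | awk '
        /^Container\/Image/ { for (i = 1; i <= NF; i++) { if ($i == "Cri") c = i; if ($i == "Imp") m = i }; next }
        c && m && NF >= m && $c ~ /^[0-9]+$/ && $m ~ /^[0-9]+$/ && ($c > 0 || $m > 0) { print $1 }'
}

# gate_on_scan OUTPUT
# Returns 0 when there are no Critical or Important findings, 1 otherwise.
gate_on_scan() {
    cri=$(count_findings "$1" Cri)
    imp=$(count_findings "$1" Imp)
    echo "critical=$cri important=$imp"
    [ "$cri" -eq 0 ] && [ "$imp" -eq 0 ]
}

# Use the real scanner when atomic is present (run as root, as the guide
# describes); otherwise use the constructed sample so the script can be
# tried anywhere.
if command -v atomic >/dev/null 2>&1; then
    scan_output=$(atomic scan --images)
else
    echo "atomic not found; using constructed sample output" >&2
    scan_output=$SAMPLE_SCAN_OUTPUT
fi

if gate_on_scan "$scan_output"; then
    echo "PASS: no Critical or Important findings"
else
    echo "FAIL: images needing attention:"
    images_with_findings "$scan_output"
fi
```

The parser keys on the header line rather than on fixed column positions, so it keeps working if the column spacing changes, and it skips the per-image detail lines that --verbose adds because those do not carry numeric counts in the severity columns. Medium and Low counts are summed but not gated on; raise the bar in gate_on_scan if your policy requires it.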

Note

A detailed description of the atomic command usage and containers is found in the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).