Scanning Container Images in CloudForms with OpenSCAP
Configuring OpenSCAP in CloudForms for Scanning Container Images
Abstract
1. Overview
OpenSCAP is an auditing tool used for hardening the security of your enterprise. This tool is built upon the knowledge and resources provided by the many experienced security experts active in the upstream OpenSCAP ecosystem. For more information about OpenSCAP, see https://www.open-scap.org/.
Red Hat CloudForms supports OpenSCAP. It provides a built-in OpenSCAP policy profile for managing the security of your container images. These policies ensure that new container images from any provider within CloudForms are scanned against the latest Common Vulnerabilities and Exposures (CVE) content distributed by Red Hat.
- See Red Hat’s Security Data page for more details about this content. In particular, the SCAP source data stream files index provides examples of security advisories used by the built-in OpenSCAP policy profile. Each of these security advisories have a severity ranging from low to critical. With the built-in OpenSCAP policy profile, any image that fails a security check against an advisory with at least a high severity is marked as non-compliant.
- For more information about control and compliance policies, and creating and assigning policy profiles in CloudForms, see the Policies and Profiles Guide.
CloudForms can initiate scanning of container images in the following ways:
- Manual scanning of images via SmartState analysis.
- Scheduled scanning of images using the OpenSCAP policy profile.
- Scanning new images in the registry when an OpenShift Container Platform provider is added.
For image scanning to work, make sure your CloudForms appliance has the SmartProxy and SmartState Analysis roles enabled:
- From the Settings menu, navigate to → .
- Under Server Control, ensure SmartState Analysis and SmartProxy roles are enabled.
2. Scanning Container Images Manually
When running SmartState analysis on container images, scanning containers are created on the target provider. The container image being inspected is pulled, mounted, and analyzed for vulnerabilities.
To run a single scan via SmartState analysis:
- Navigate to → → .
- Select the images to scan and click → .
You can follow the scan status by navigating to
→ from the settings menu.2.1. Viewing Scanning Results
Once complete, you can view the container image scanning results displayed on the summary page for each image.
- Select → → .
- Click the desired image.
- Locate the Configuration section on the container image summary page and select OpenSCAP HTML to view an OpenSCAP HTML report.
3. Scheduling a Scan of Container Images
To fully utilize OpenSCAP scanning in CloudForms for container image compliance, assign the built-in OpenSCAP policy profile to containers providers, then schedule an OpenSCAP compliance check on container images for the assigned providers.
3.1. Assigning the Built-In OpenSCAP Policy Profile to a Container Provider
The OpenSCAP policy profile included with Red Hat CloudForms is not automatically assigned. You still need to assign it to a containers provider.
- Navigate to → → , check the providers you need to assign the OpenSCAP policy profile to.
-
Click
(Policy), and then click
(Manage Policies).
- From the Select Policy Profiles area, click on the triangle next to OpenSCAP profile to expand it and see its member policies.
- Select OpenSCAP profile. It turns blue to show its assignment state has changed.
- Click Save.
3.2. Scheduling an OpenSCAP Compliance Check for Container Images
Once you have assigned the built-in OpenSCAP policy profile to a container provider, you can schedule a compliance check against the policy profile.
- From the settings menu, select Configuration.
- Click the Settings accordion, and select Schedules.
-
Click
(Configuration),
(Add a new Schedule).
- In the Adding a new Schedule area, enter a name and description for the schedule.
- Select Active to enable this scan.
- From the Action list, select Container Image Analysis.
- From the Filter list, select All Container Images for Containers Provider, a new list will appear. From this list, choose the provider where you enabled the OpenSCAP policy profile.
From the Run list, select how often you want the analysis to run. Your options after that depend on which run option you choose.
- Select Once to run the analysis just one time.
- Select Daily to run the analysis on a daily basis. You are prompted to select how many days you want between each analysis.
- Select Hourly to run the analysis hourly. You are prompted to select how many hours you want between each analysis.
- Select the time zone for the schedule.
- Enter or select a date to begin the schedule in Starting Date.
- Select a starting time based on a 24-hour clock in the selected time zone.
- Click Add.
4. Configuring Image Scanning when Adding an OpenShift Container Platform Provider
When you add an OpenShift Container Platform node as a containers provider, container images from the internal registry are discovered. To enable scanning of newly discovered images in the registry against the latest CVE content distributed by Red Hat, configure the image-inspector settings under advanced settings when adding an OpenShift Container Platform containers provider. These settings control downloading the image-inspector container image from the registry and obtaining the CVE information (for effective scanning) via a proxy.
4.1. Adding an OpenShift Container Platform Provider
- Navigate to → → .
-
Click
(Configuration), then click
(Add a New Containers Provider).
- Enter a Name for the provider.
- From the Type list, select OpenShift Container Platform.
-
Enter the appropriate Zone for the provider. If you do not specify a zone, it is set to
default
. - From the Alerts list, select Prometheus to enable external alerts. Selecting Prometheus adds an Alerts tab to the lower pane to configure the Prometheus service. Alerts are disabled by default.
- From the Metrics list, select Hawkular or Prometheus to collect capacity and utilization data, or leave as Disabled. Selecting Prometheus or Hawkular adds a Metrics tab to the lower pane for further configuration. Metrics are disabled by default.
In the Default tab, configure the following for the OpenShift provider:
Select a Security Protocol method to specify how to authenticate the provider:
- SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
NoteYou can obtain your OpenShift Container Platform provider’s CA certificate for all endpoints (default, metrics, alerts) from
/etc/origin/master/ca.crt
. Paste the output (a block of text starting with-----BEGIN CERTIFICATE-----
) into the Trusted CA Certificates field.- SSL without validation: Authenticate the provider insecurely (not recommended).
Enter the Hostname (or IPv4 or IPv6 address) of the provider.
ImportantThe Hostname must use a unique fully qualified domain name.
-
Enter the API Port of the provider. The default port is
8443
. Enter a token for your provider in the Token box.
NoteTo obtain a token for your provider, run the
oc get secret
command on your provider; see Obtaining an OpenShift Container Platform Management Token.For example:
# oc get secret --namespace management-infra management-admin-token-8ixxs --template={{index .data "ca.crt"}} | base64 --decode
- Click Validate to confirm that Red Hat CloudForms can connect to the OpenShift Container Platform provider.
If you selected a metrics service, configure the service details in the Metrics tab:
Select a Security Protocol method to specify how to authenticate the service:
- SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
NoteIn OpenShift, the default deployment of the router generates certificates during installation, which can be used with the SSL trusting custom CA option. Connecting a Hawkular endpoint with this option requires the CA certificate that the cluster uses for service certificates, which is stored in
/etc/origin/master/service-signer.crt
on the first master in a cluster.- SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
- Enter the Hostname (or IPv4 or IPv6 address) of the provider, or use the Detect button to find the hostname.
-
Enter the API Port if your Hawkular provider uses a non-standard port for access. The default port is
443
. - Click Validate to confirm that Red Hat CloudForms can connect to the metrics endpoint.
For the Prometheus alerts service, add the Prometheus alerts endpoint in the Alerts tab:
Select a Security Protocol method to specify how to authenticate the service:
- SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
- SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
- SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
- Enter the Hostname (or IPv4 or IPv6 address) or alert Route.
-
Enter the API Port if your Prometheus provider uses a non-standard port for access. The default port is
443
. - Click Validate to confirm that CloudForms can connect to the alerts service.
Click the Advanced tab to add image inspector settings for scanning container images on your provider using OpenSCAP.
Note- These settings control downloading the image inspector container image from the registry and obtaining the Common Vulnerabilities and Exposures (CVE) information (for effective scanning) via a proxy.
- CVE URL that CloudForms requires to be open for OpenSCAP scanning: https://www.redhat.com/security/data/metrics/ds/. This information is based on the source code of OpenSCAP.
- Enter the proxy information for the provider in either HTTP, HTTPS, or NO Proxy depending on your environment.
-
Enter the Image-Inspector Repository information. For example,
openshift3/image-inspector
. -
Enter the Image-Inspector Registry information. For example,
registry.access.redhat.com
. - Enter the Image-Inspector Tag value. A tag is a mark used to differentiate images in a repository, typically by the application version stored in the image.
-
Enter
https://www.redhat.com/security/data/metrics/ds/
in CVE location.
- Click Add.
You can also set global default image-inspector settings for all OpenShift providers in the advanced settings menu by editing the values under ems_kubernetes
, instead of setting this for each provider.
For example:
:image_inspector_registry: registry.access.redhat.com :image_inspector_repository: openshift3/image-inspector
With the above configuration:
- New container images discovered will automatically be scanned.
- All OpenShift Container Platform provider images will be scanned as per the schedule you set.
- Images with high severity failures will be marked as non-compliant. Also, OpenShift Container Platform will attempt to label non-compliant images as non-secure and prevent their execution. This requires additional configuration in OpenShift Container Platform, see https://docs.openshift.com/container-platform/3.9/admin_guide/image_policy.html.
You can define additional policies in CloudForms that would be executed once a compliance check failed or succeeded. To do that, copy the OpenSCAP policy profile and create new profiles based on that; see Section 5, “Creating a Customized OpenSCAP Policy Profile”. For example, a user can choose to define all images with any severity failure as non-compliant, creating a very hardened system.
Additionally, to generate a report on container images for failed OpenSCAP rule results, see Section 6, “Generating OpenSCAP Scanning Reports”.
5. Creating a Customized OpenSCAP Policy Profile
The built-in OpenSCAP policy profile cannot be edited. You can, however, assign edited copies of its policies to a new policy profile. This will allow you to create a customized version of the built-in OpenSCAP policy profile.
To do so, you will first have to copy the policy you want to customize:
- Navigate to → .
- Click the Policies accordion, and select Container Image Compliance Policies, then click OpenSCAP.
-
Click
(Configuration), and an option to copy the policy should appear; for example,
(Copy this Container Image Policy).
- Click OK to confirm.
The new policy is created with a prefix of Copy of in its description, and it can be viewed in the Policies accordion.
You can now edit the copied policy. After editing copied policies, you can add them to a new policy profile. For instructions on how to edit policies, create a new policy profile, and add policies to it, see the Policies and Profiles guide. Once you have a customized policy profile, you can assign it to a containers provider.
6. Generating OpenSCAP Scanning Reports
You can output the results of an OpenSCAP scan of images to a report for an overview of the security risk level of images. The Images by Failed OpenSCAP Rule Results is included with CloudForms and shows whether the image has passed or failed OpenSCAP policy criteria, and the security risk.
You can also create a copy of this report and edit it to contain additional information, such as the project name where the image is used, to produce more useful results. See Editing a Report and See Reportable Fields in Red Hat CloudForms in Monitoring, Alerts, and Reporting for instructions on customizing reports.
To create a report showing image compliance:
- Navigate to → .
- Click the → accordion.
- Navigate to → → for a report showing which images have failed the OpenSCAP compliance.
-
Click
Queue.
The report generation is placed in the queue and its status shows in the reports page.
-
Click
(Refresh this page) to update the status.
- Navigate to the Saved Reports accordion, and click the report when it is completed.
Click on the report download buttons for the type of export you want. The report is automatically named with the type of report and date.
-
Click
(Download this report in text format) to download as text.
-
Click
(Download this report in CSV format) to download as a comma-separated file.
-
Click
(Download this report in PDF format) to download as PDF.
-
Click