Chapter 1. Overview

OpenSCAP is an auditing tool used for hardening the security of your enterprise. This tool is built upon the knowledge and resources provided by the many experienced security experts active in the upstream OpenSCAP ecosystem. For more information about OpenSCAP, see https://www.open-scap.org/.

Red Hat CloudForms supports OpenSCAP. It provides a built-in OpenSCAP policy profile for managing the security of your container images. These policies ensure that new container images from any provider within CloudForms are scanned against the latest Common Vulnerabilities and Exposures (CVE) content distributed by Red Hat.

Note
  • See Red Hat’s Security Data page for more details about this content. In particular, the SCAP source data stream files index provides examples of security advisories used by the built-in OpenSCAP policy profile. Each of these security advisories have a severity ranging from low to critical. With the built-in OpenSCAP policy profile, any image that fails a security check against an advisory with at least a high severity is marked as non-compliant.
  • For more information about control and compliance policies, and creating and assigning policy profiles in CloudForms, see the Policies and Profiles Guide.

CloudForms can initiate scanning of container images in the following ways:

  • Manual scanning of images via SmartState analysis.
  • Scheduled scanning of images using the OpenSCAP policy profile.
  • Scanning new images in the registry when an OpenShift Container Platform provider is added.
Important

For image scanning to work, make sure your CloudForms appliance has the SmartProxy and SmartState Analysis roles enabled:

  1. From the Settings menu, navigate to ConfigurationServer.
  2. Under Server Control, ensure SmartState Analysis and SmartProxy roles are enabled.