8.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline
Follow the steps to assess compliance of your container or a container image with a specific security baseline, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS).
- The openscap-utils and scap-security-guide packages are installed.
- Find the ID of a container or a container image, for example:
~]#docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry.access.redhat.com/ubi7/ubi latest 096cae65a207 7 weeks ago 239 MB
- Evaluate the compliance of the container image with the OSPP profile and save scan results in the report.html HTML file.
~]$sudo oscap-docker 096cae65a207 xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xmlReplace 096cae65a207 with the ID of your container image and the ospp value with pci-dss if you assess configuration compliance with the PCI-DSS baseline.
- Check the results in a browser of your choice, for example:
~]$firefox report.html &
The rules marked as notapplicable are rules that do not apply to containerized systems. These rules apply only to bare-metal or virtualized systems.
- For more information, see the
SCAP Security Guidedocumentation installed in the