7.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline

Follow the steps to assess compliance of your container or a container image with a specific security baseline, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS).

Prerequisites

  • The openscap-utils and scap-security-guide packages are installed.

Procedure

  1. Find the ID of a container or a container image, for example:
    ~]# docker images
    REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
    registry.access.redhat.com/ubi7/ubi   latest   096cae65a207   7 weeks ago   239 MB
  2. Evaluate the compliance of the container image with the OSPP profile and save scan results in the report.html HTML file.
    ~]$ sudo oscap-docker 096cae65a207 xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    Replace 096cae65a207 with the ID of your container image and the ospp value with pci-dss if you assess configuration compliance with the PCI-DSS baseline.

Verification

  1. Check the results in a browser of your choice, for example:
    ~]$ firefox report.html &

Note

The rules marked as notapplicable are rules that do not apply to containerized systems. These rules apply only to bare-metal or virtualized systems.

Additional Resources