7.6. Using OpenSCAP with the atomic scan command
The atomic scan command enables users to use OpenSCAP scanning capabilities to scan docker-formatted container images and containers on the system. It is possible to scan for known CVE vulnerabilities or for configuration compliance. Additionally, users can remediate docker-formatted container images to the specified policy.
atomic scan and OpenSCAP Scanner Image
To install the atomic tool for container management, enter the following command:
# yum install atomic
For more information about the atomic installation, see the Prerequisites in the Atomic CLI Reference.
After the atomic tool is installed, you also need a scanner, which is used by the atomic scan command as a back end for scanning images and containers. Red Hat recommends choosing the OpenSCAP scanner bundled in the rhel7/openscap container image in the registry.access.redhat.com image registry:
# atomic install registry.access.redhat.com/rhel7/openscap
The registry.access.redhat.com/rhel7/openscap container image is used as the default scanner by the atomic scan command. It currently supports two scan types targeting Red Hat Enterprise Linux systems. To list supported scan types, enter the following command:
# atomic scan --scanner openscap --list
7.6.1. Scanning Docker-formatted Images and Containers for Vulnerabilities Using atomic scan
To scan the containers and container images, use the atomic scan command in the following form:
# atomic scan [OPTIONS] [ID]
where ID is the ID of the container image or container. To scan all container images or containers, use the --images or --containers directive, respectively. To scan both types, use the --all directive. The list of available command-line options can be obtained using the atomic scan --help command.
Note
For a detailed description of the atomic command usage and containers, see the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).
The default scan type of the atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.
Warning
The OVAL definitions used by the CVE scan type are bundled in the container image during the build process. Red Hat provides weekly updates of the container image. Always use the latest OpenSCAP container image to ensure the definitions are up to date. To find out the version of the installed OpenSCAP container image:
# atomic help registry.access.redhat.com/rhel7/openscap | grep version
Example 7.13. Scanning Red Hat Enterprise Linux 7 Container Images for Known Security Vulnerabilities
The following command scans the Red Hat Enterprise Linux 7 container image for known security vulnerabilities. The --verbose directive provides additional details.
# atomic scan --verbose registry.access.redhat.com/rhel7:latest
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-55-37-758180:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-55-37-758180:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2'

registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-55-37-758180.
The following command scans the Red Hat Enterprise Linux 7.2 container image, which has several known security vulnerabilities:
# atomic scan registry.access.redhat.com/rhel7:7.2
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

The following issues were found:

     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
       RHSA ID: RHSA-2017:2832-01
       Associated CVEs:
           CVE ID: CVE-2017-7805
           CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805

     RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
     Severity: Moderate
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2016
       RHSA ID: RHSA-2017:2016-01
       Associated CVEs:
           CVE ID: CVE-2016-7167
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-7167

     RHSA-2017:1931: bash security and bug fix update (Moderate)
     Severity: Moderate
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:1931
       RHSA ID: RHSA-2017:1931-01
       Associated CVEs:
           CVE ID: CVE-2016-0634
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-0634
           CVE ID: CVE-2016-7543
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-7543
           CVE ID: CVE-2016-9401
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-9401
............

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.
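The CVE scan output above is meant for a human reader; in a build pipeline you usually want to turn it into a decision, for example "block the image if any Important or Critical advisory is reported". The script below is an added example and not part of the Red Hat guide: it parses the report format shown in Example 7.13 with sed, grep and awk only. The function names are this example's own, and the two report samples embedded in it are constructed, modelled on the guide's output, so the script runs without atomic or a registry connection. On a real host you would capture atomic scan output into a file and pass its contents to the same functions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: parse the text that
# "atomic scan" (CVE scan type) prints and turn it into something a CI job
# can act on. A real run would capture the output with
#   atomic scan registry.access.redhat.com/rhel7:7.2 > scan.txt
# and pass "$(cat scan.txt)" to the functions below. The two samples here are
# constructed, modelled on the output shown in Example 7.13.

SAMPLE_SCAN_OUTPUT='registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)
The following issues were found:

     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
       RHSA ID: RHSA-2017:2832-01
       Associated CVEs:
           CVE ID: CVE-2017-7805
           CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805

     RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
     Severity: Moderate
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2016
       RHSA ID: RHSA-2017:2016-01
       Associated CVEs:
           CVE ID: CVE-2016-7167
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-7167

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.'

SAMPLE_CLEAN_OUTPUT='registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-55-37-758180.'

# list_cves OUTPUT: every CVE ID the scan reported, one per line
list_cves() {
    printf '%s\n' "$1" | sed -n 's/^ *CVE ID: *\(CVE-[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# count_cves OUTPUT: number of CVE IDs reported (0 for a clean scan)
count_cves() {
    list_cves "$1" | wc -l | tr -d ' '
}

# count_severity OUTPUT SEVERITY: advisories reported at the given severity
count_severity() {
    printf '%s\n' "$1" | grep -c "^ *Severity: $2\$" || true
}

# results_dir OUTPUT: the per-scan directory atomic scan points to at the end
results_dir() {
    printf '%s\n' "$1" | sed -n 's/^Files associated with this scan are in \(.*\)\.$/\1/p'
}

# scan_gate OUTPUT: succeed only when no Critical or Important advisory is
# listed; this is the threshold a build pipeline would typically enforce
scan_gate() {
    if printf '%s\n' "$1" | grep -Eq '^ *Severity: (Critical|Important)$'; then
        return 1
    fi
    return 0
}

# summarize OUTPUT: one-line summary followed by the CVE list
summarize() {
    printf 'CVEs: %s, Important: %s, Moderate: %s, results: %s\n' \
        "$(count_cves "$1")" "$(count_severity "$1" Important)" \
        "$(count_severity "$1" Moderate)" "$(results_dir "$1")"
    list_cves "$1"
}

summarize "$SAMPLE_SCAN_OUTPUT"
if scan_gate "$SAMPLE_SCAN_OUTPUT"; then
    echo "gate: pass"
else
    echo "gate: FAIL (Critical/Important advisories present)"
fi
```

The gate keys on the Severity lines rather than on the CVE count because the severity is what Red Hat assigns to the advisory; a scan with many Moderate findings passes, a single Important one does not. Adjust the pattern in scan_gate if your policy threshold differs.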
7.6.2. Scanning and Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
Scanning for Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
The atomic scan command also supports the configuration_compliance scan. Use this type of scanning to evaluate Red Hat Enterprise Linux-based container images and containers with the SCAP content provided by the SCAP Security Guide (SSG) bundled inside the OpenSCAP container image. This enables scanning against any profile provided by the SCAP Security Guide.
To list the SCAP content provided by the OpenSCAP image for the configuration_compliance scan, enter the following command:
# atomic help registry.access.redhat.com/rhel7/openscap
To verify compliance of the latest Red Hat Enterprise Linux 7 container image with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy and generate an HTML report from the scan:
# atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest
The output of the previous command contains the information about files associated with the scan at the end:
............
Files associated with this scan are in /var/lib/atomic/openscap/2017-11-03-13-35-34-296606.
# tree /var/lib/atomic/openscap/2017-11-03-13-35-34-296606
/var/lib/atomic/openscap/2017-11-03-13-35-34-296606
├── db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2
│   ├── arf.xml
│   ├── fix.sh
│   ├── json
│   └── report.html
└── environment.json

1 directory, 5 files
The atomic scan command generates a subdirectory with all the results and reports from a scan in the /var/lib/atomic/openscap/ directory. The arf.xml file with results is generated on every configuration compliance scan. To generate a human-readable HTML report file, add the report suboption to the --scanner_args option.
To generate XCCDF results readable by DISA STIG Viewer, add the stig-viewer suboption to the --scanner_args option. The results are placed in stig.xml. For more information about DISA STIG Viewer, see Section 7.4.7, “Exporting XCCDF Results for the DISA STIG Viewer”.
The --scanner_args suboptions are separated by the comma character. The specific values for the xccdf-id and profile suboptions, which select an XCCDF component and a profile from the specified datastream file, are taken from the bundled SCAP content in the OpenSCAP image. The datastream file is selected automatically by the OpenSCAP image during scanning based on the target container image or container.
Note
When the xccdf-id suboption of the --scanner_args option is omitted, the scanner searches for a profile in the first XCCDF component of the selected datastream file. For more details about datastream files, see Section 7.2.3, “The Data Stream Format”.
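The arf.xml that every configuration compliance scan leaves in its timestamped results directory is the machine-readable record of which rules passed and failed, and it is what you would consume when tracking compliance across many images rather than opening report.html for each one. The script below is an added example, not code from the Red Hat guide: it locates the newest scan directory under a base directory laid out like /var/lib/atomic/openscap/, finds its arf.xml and extracts the per-rule results with awk. The function names are this example's own; the results tree it builds under a temporary directory, including the arf.xml contents, is constructed for the demonstration (the two rule IDs from the guide's remediation example are reused, the other rule IDs are sample names), and the awk parser assumes the pretty-printed one-tag-per-line layout that oscap writes.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: work with the per-scan results
# directory that "atomic scan --scan_type configuration_compliance" creates
# under /var/lib/atomic/openscap/ and pull the per-rule results out of
# arf.xml. The base directory, the scan directory names and the arf.xml below
# are constructed for this demonstration (the two rule IDs from the guide's
# remediation example are reused; the other rule IDs are sample names). The
# awk parser assumes the pretty-printed one-tag-per-line layout oscap writes.

# latest_scan_dir BASE: newest scan directory under BASE; the names are
# timestamps, so lexical order is chronological
latest_scan_dir() {
    ls -d "$1"/*/ | sort | tail -n 1 | sed 's#/$##'
}

# find_arf SCANDIR: path of the arf.xml inside a scan directory
find_arf() {
    find "$1" -name arf.xml | head -n 1
}

# rule_results ARF: print "<rule idref> <result>" for every rule-result
rule_results() {
    awk '
        /<rule-result[ >]/ {
            idref = ""
            if (match($0, /idref="[^"]*"/))
                idref = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>/ && idref != "" {
            r = $0
            sub(/.*<result>/, "", r)
            sub(/<[/]result>.*/, "", r)
            print idref, r
            idref = ""
        }
    ' "$1"
}

# count_results ARF RESULT: number of rules that ended with RESULT
count_results() {
    rule_results "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# failed_rules ARF: idrefs of rules with result "fail", one per line
failed_rules() {
    rule_results "$1" | awk '$2 == "fail" { print $1 }'
}

# make_sample_results: create a constructed results tree and print its base
make_sample_results() {
    base=$(mktemp -d)
    for stamp in 2017-11-03-13-35-34-296606 2017-11-06-13-01-42-785000; do
        scan="$base/$stamp/db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2"
        mkdir -p "$scan"
        cat > "$scan/arf.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_stig-rhel7-disa">
          <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"/>
          <rule-result idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" severity="low">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" severity="medium">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sample_pass_one" severity="high">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sample_pass_two" severity="high">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sample_not_applicable" severity="high">
            <result>notapplicable</result>
          </rule-result>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
EOF
    done
    echo "$base"
}

# Demo: summarize the latest scan under the given base directory
# (/var/lib/atomic/openscap on a real host), or under a constructed tree.
base="${1:-$(make_sample_results)}"
scan_dir=$(latest_scan_dir "$base")
arf=$(find_arf "$scan_dir")
echo "latest scan: $scan_dir"
echo "pass: $(count_results "$arf" pass)  fail: $(count_results "$arf" fail)"
failed_rules "$arf"
```

Run it with the real base directory as the first argument (for example /var/lib/atomic/openscap) to report on the most recent scan on a host; without an argument it builds the sample tree and reports on that. The failed-rule list is the same set of rules that the --remediate option's fix.sh would act on, so diffing it between scans is a quick way to confirm that a remediation actually took effect.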
Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
To remediate docker-formatted container images to the specified policy, add the --remediate option to the atomic scan command when scanning for configuration compliance. The following command builds a new remediated container image compliant with the DISA STIG policy from the Red Hat Enterprise Linux 7 container image:
# atomic scan --remediate --scan_type configuration_compliance --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest

registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

The following issues were found:
............
     Configure Time Service Maxpoll Interval
     Severity: Low
       XCCDF result: fail

     Configure LDAP Client to Use TLS For All Transactions
     Severity: Moderate
       XCCDF result: fail
............
Remediating rule 43/44: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'
Remediating rule 44/44: 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'

Successfully built 9bbc7083760e
Successfully built remediated image 9bbc7083760e from db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2.

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-06-13-01-42-785000.
The configuration compliance scan is run against the original container image to check its compliance with the DISA STIG policy. Based on the scan results, a fix script containing bash remediations for the failed scan results is generated. The fix script is then applied to the original container image; this is called a remediation. The remediation results in a container image with an altered configuration, which is added as a new layer on top of the original container image. The output of the atomic scan command reports a remediated image ID. To make the image easier to remember, tag it with a name, for example:
# docker tag 9bbc7083760e rhel7_disa_stig
Important
Note that the original container image remains unchanged and only a new layer is created on top of it. The remediation process builds a new container image that contains all the configuration improvements. The content of this layer is defined by the security policy of scanning - in the previous case, the DISA STIG policy. This also means that the remediated container image is no longer signed by Red Hat, which is expected, since it differs from the original container image by containing the remediated layer.