7.6. Using OpenSCAP with Atomic

The atomic scan command lets users apply OpenSCAP scanning capabilities to the docker-formatted container images and containers present on the system. It can scan for known CVE vulnerabilities or for configuration compliance.

Atomic Scan and OpenSCAP Scanner Image

To install the atomic tool for container management, enter the following command:
# yum install atomic
After the atomic tool is installed, you also need a scanner, which the atomic scan command uses as a backend for scanning images and containers. Red Hat recommends the OpenSCAP scanner bundled in the rhel7/openscap container image, which is located in the registry.access.redhat.com image registry:
# atomic install registry.access.redhat.com/rhel7/openscap
The registry.access.redhat.com/rhel7/openscap container image is used as the default scanner by the atomic scan command. It currently supports two scan types targeting Red Hat Enterprise Linux systems. To list the supported scan types, enter the following command:
# atomic scan --scanner openscap --list
Scan containers and container images using the atomic scan command:
# atomic scan [OPTIONS] $ID
Where $ID is the ID of the container image or container. To scan all container images or all containers, use the --images or --containers option, respectively. To scan both types, use the --all option. The list of available command-line options can be obtained using the atomic scan --help command.

Note

For a detailed description of the atomic command usage and containers, see the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).

7.6.1. Scanning Docker Images and Containers for Vulnerabilities Using Atomic

The default scan type of the atomic scan command is the CVE scan. Use it to check the target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.

Warning

The OVAL definitions used by the CVE scan type are bundled into the container image during the build process. Red Hat provides weekly updates of the container image. Always use the latest OpenSCAP container image to ensure the definitions are up to date. To find out the version of the installed OpenSCAP container image, run:
# atomic help registry.access.redhat.com/rhel7/openscap | grep version
To scan the Red Hat Enterprise Linux 7 container image for known security vulnerabilities, use the following commands (note the difference in verbosity when running with and without the --verbose option):
# atomic scan --verbose registry.access.redhat.com/rhel7:latest
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-55-37-758180:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-55-37-758180:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2'

registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

registry.access.redhat.com/rhel7:latest passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-55-37-758180.

# atomic scan registry.access.redhat.com/rhel7:7.2
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

The following issues were found:

     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
       RHSA ID: RHSA-2017:2832-01
       Associated CVEs:
           CVE ID: CVE-2017-7805
           CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805

     RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
     Severity: Moderate
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2016
       RHSA ID: RHSA-2017:2016-01
       Associated CVEs:
           CVE ID: CVE-2016-7167
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-7167

     RHSA-2017:1931: bash security and bug fix update (Moderate)
     Severity: Moderate
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:1931
       RHSA ID: RHSA-2017:1931-01
       Associated CVEs:
           CVE ID: CVE-2016-0634
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-0634
           CVE ID: CVE-2016-7543
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-7543
           CVE ID: CVE-2016-9401
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-9401

............

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.

As you can see, the CVE scan finds no known security vulnerabilities in the latest Red Hat Enterprise Linux 7 container image, while the older version of this container image (version 7.2) contains several. Using the CVE scan feature of the atomic scan command, you can easily discover whether your container images contain known security vulnerabilities.
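In a build pipeline the text report above has to be turned into a decision. The following POSIX shell script is an added example, not part of the Red Hat documentation or of the atomic tool: it parses the advisory block that atomic scan prints (the rhel7:7.2 output above, embedded as a constructed sample with the URL lines trimmed), lists advisories and CVE IDs, and provides a gate function that fails when any advisory is at or above a chosen severity. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): turn the text output of
# "atomic scan" (CVE scan type) into a machine-checkable summary, so an image
# build can be failed when it carries advisories at or above a chosen severity.

# Constructed sample: the advisory block printed for rhel7:7.2 above, with the
# RHSA URL and CVE URL lines removed to keep it short.
SAMPLE_SCAN_OUTPUT='registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

The following issues were found:

     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA ID: RHSA-2017:2832-01
       Associated CVEs:
           CVE ID: CVE-2017-7805

     RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
     Severity: Moderate
       RHSA ID: RHSA-2017:2016-01
       Associated CVEs:
           CVE ID: CVE-2016-7167

     RHSA-2017:1931: bash security and bug fix update (Moderate)
     Severity: Moderate
       RHSA ID: RHSA-2017:1931-01
       Associated CVEs:
           CVE ID: CVE-2016-0634
           CVE ID: CVE-2016-7543
           CVE ID: CVE-2016-9401

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.'

# Map a Red Hat severity name to a rank so thresholds can be compared as numbers.
severity_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;
    esac
}

# One line per advisory, "<RHSA ID> <Severity>", from scan output on stdin.
# The "RHSA ID:" detail line does not match because it lacks the "RHSA-" prefix.
list_advisories() {
    awk '
        /^[[:space:]]*RHSA-[0-9]+:[0-9]+:/ { id = $1; sub(/:$/, "", id) }
        /^[[:space:]]*Severity:/            { print id, $2 }
    '
}

# Distinct CVE IDs from scan output on stdin, one per line.
list_cves() {
    awk '/^[[:space:]]*CVE ID:/ { print $3 }' | sort -u
}

# Number of distinct CVEs (stdin = scan output).
count_cves() {
    list_cves | awk 'END { print NR }'
}

# Number of advisories at exactly the given severity (stdin = scan output).
count_severity() {
    list_advisories | awk -v sev="$1" '$2 == sev { n++ } END { print n + 0 }'
}

# Gate: return 1 if any advisory is at or above the threshold severity, else 0.
# Typical use: atomic scan $ID | cve_gate Important || exit 1
cve_gate() {
    threshold=$(severity_rank "$1")
    hits=$(list_advisories | while read -r id sev; do
        if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
            echo "$id"
        fi
    done)
    [ -z "$hits" ]
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | list_advisories
```

The gate deliberately works on the plain text that atomic scan prints, so it can be dropped into a pipeline as `atomic scan $ID | cve_gate Important`; the result files under /var/lib/atomic/openscap/ remain available for a fuller report.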

7.6.2. Scanning and Remediating Configuration Compliance of Docker Images and Containers Using Atomic

The second supported scan type of the atomic scan command is the configuration_compliance scan, which evaluates the target against the SCAP content provided by the SCAP Security Guide (SSG) bundled inside the OpenSCAP container image. This allows you to scan Red Hat Enterprise Linux-based container images and containers against any profile provided by the SCAP Security Guide.
The SCAP content provided by the OpenSCAP image for the configuration_compliance scan can be listed using:
# atomic help registry.access.redhat.com/rhel7/openscap
To verify compliance of the Red Hat Enterprise Linux 7 container image with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy and generate an HTML report from the scan, run the following command:
# atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest
The output of the previous command ends with information about the files associated with the scan:

............

Files associated with this scan are in /var/lib/atomic/openscap/2017-11-03-13-35-34-296606.

# tree /var/lib/atomic/openscap/2017-11-03-13-35-34-296606
/var/lib/atomic/openscap/2017-11-03-13-35-34-296606
├── db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2
│   ├── arf.xml
│   ├── fix.sh
│   ├── json
│   └── report.html
└── environment.json

1 directory, 5 files
As the previous code snippet shows, atomic scan creates a subdirectory in /var/lib/atomic/openscap/ holding all results and reports of the scan. The arf.xml file with the results is generated every time a configuration compliance scan runs. The human-readable HTML report (report.html) is generated only when the report suboption is added to the --scanner_args option.
The --scanner_args suboptions are separated by commas. The values of the xccdf-id and profile suboptions, which select an XCCDF component and a profile from the selected datastream file, are taken from the SCAP content bundled in the OpenSCAP image. The datastream file itself is selected automatically by the OpenSCAP image during the scan, based on the container image or container being scanned.

Note

When the xccdf-id suboption of the --scanner_args option is omitted, the profile is searched for in the first XCCDF component found in the selected datastream file. For more details about datastream files, see Section 7.2.3, “The Data Stream Format”.
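Two parts of the compliance workflow above lend themselves to automation: assembling the comma-separated --scanner_args value (with or without the xccdf-id suboption), and reading the per-rule results out of the arf.xml file that every compliance scan leaves under /var/lib/atomic/openscap/<timestamp>/<image ID>/. The following POSIX shell script is an added example, not part of the Red Hat documentation or of the atomic tool. It assumes the results layout shown in the tree listing above and the XCCDF result layout <rule-result idref="..."><result>fail</result></rule-result> inside arf.xml; the fixture it builds is a constructed, trimmed ARF file, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): helpers for automating
# configuration_compliance scans. It assumes the results layout shown above
# (/var/lib/atomic/openscap/<timestamp>/<image ID>/arf.xml, fix.sh, report.html)
# and the XCCDF result layout <rule-result idref="..."><result>fail</result></rule-result>
# inside arf.xml; function names are this example's own.

# Build the value for --scanner_args from a profile, an optional xccdf-id
# (pass "" to let the scanner use the first XCCDF component) and an optional
# "report" flag, e.g. "xccdf-id=...,profile=...,report".
compliance_scanner_args() {
    profile=$1; xccdf_id=$2; want_report=$3
    args=""
    if [ -n "$xccdf_id" ]; then args="xccdf-id=$xccdf_id,"; fi
    args="${args}profile=$profile"
    if [ "$want_report" = "report" ]; then args="$args,report"; fi
    echo "$args"
}

# Newest results directory under the base directory (default /var/lib/atomic/openscap).
# The directory names are timestamps, so lexical order is chronological order.
latest_scan_dir() {
    base=${1:-/var/lib/atomic/openscap}
    ls -1d "$base"/*/ 2>/dev/null | sort | tail -n 1 | sed 's:/$::'
}

# Print "<rule id> <result>" for every rule-result in an arf.xml. Uses awk only,
# so it works where xmllint is absent; it relies on oscap writing one element per line.
arf_rule_results() {
    awk '
        /<rule-result / {
            if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>/ && id != "" {
            if (match($0, /<result>[^<]*<\/result>/)) {
                print id, substr($0, RSTART + 8, RLENGTH - 17)
                id = ""
            }
        }
    ' "$1"
}

# Number of rules whose result is "fail" in an arf.xml.
arf_fail_count() {
    arf_rule_results "$1" | awk '$2 == "fail" { n++ } END { print n + 0 }'
}

# Constructed fixture: a temporary directory mimicking two scan result directories,
# with a trimmed arf.xml (real ARF files wrap the TestResult in further elements).
# The two failing rules are the ones reported in the remediation output below.
make_fixture() {
    base=$(mktemp -d)
    img=db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2
    mkdir -p "$base/2017-11-03-13-35-34-296606/$img" "$base/2017-11-01-14-49-36-614281"
    cat > "$base/2017-11-03-13-35-34-296606/$img/arf.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <rule-result idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
  </TestResult>
</arf:asset-report-collection>
EOF
    echo "$base"
}

# Demonstration on the fixture: newest directory, then its per-rule results.
fixture=$(make_fixture)
dir=$(latest_scan_dir "$fixture")
arf_rule_results "$dir"/*/arf.xml
echo "failed rules: $(arf_fail_count "$dir"/*/arf.xml)"
rm -rf "$fixture"
```

On a real host, `arf_fail_count "$(latest_scan_dir)"/*/arf.xml` gives the number of failed rules from the most recent scan, which is the figure a compliance dashboard or a pipeline threshold would consume; report.html remains the place to read the per-rule details.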

Remediating Configuration Compliance of Docker Images and Containers Using Atomic

Remediation of docker-formatted container images to the specified policy can be achieved by adding the --remediate option to the atomic scan command when scanning for configuration compliance. The following command builds a new, remediated container image compliant with the DISA STIG policy from the Red Hat Enterprise Linux 7 container image:
# atomic scan --remediate --scan_type configuration_compliance --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest

registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

The following issues were found:
............
     Configure Time Service Maxpoll Interval
     Severity: Low
       XCCDF result: fail

     Configure LDAP Client to Use TLS For All Transactions
     Severity: Moderate
       XCCDF result: fail
............
Remediating rule 43/44: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'
Remediating rule 44/44: 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'

Successfully built 9bbc7083760e
Successfully built remediated image 9bbc7083760e from db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2.


Files associated with this scan are in /var/lib/atomic/openscap/2017-11-06-13-01-42-785000.

First, the configuration compliance scan is run against the original container image to check its compliance with the DISA STIG policy. Based on the scan results, a fix script containing bash remediations for the failed rules is generated. The fix script is then applied to the original container image; this step is referred to as remediation. The result is a container image with altered configuration, added as a new layer on top of the original container image. The output of the atomic scan command reports the remediated image ID (9bbc7083760e in the previous code snippet), which you can tag with a name that is easy to remember:
# docker tag 9bbc7083760e rhel7_disa_stig
Note that the original container image is kept unchanged; a new layer is created on top of it, forming a new container image that contains all the configuration amendments. The content of this layer is defined by the security policy used for the scan, in this case the DISA STIG policy. This also means that the remediated container image is no longer signed by Red Hat; this is expected, because it differs from the original container image by the remediated layer.
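The tagging step is easy to automate, but a script should confirm that the remediated image was built from the image it asked to remediate before it applies a tag, so that a stale or unrelated build is never promoted. The following POSIX shell script is an added example, not part of the Red Hat documentation or of the atomic tool: it parses the "Successfully built remediated image ... from ..." line shown above (embedded as a constructed sample) and emits the docker tag command only when the parent ID matches the expected one. It prints the command instead of executing it, so it runs without Docker; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): extract the remediated
# image ID from "atomic scan --remediate" output and tag it only when its parent
# is the image that was scanned. Prints the docker tag command instead of running
# it, so it can be exercised without Docker.

# Constructed sample: the tail of the remediation output shown above.
SAMPLE_REMEDIATE_OUTPUT=$(cat <<'EOF'
Remediating rule 43/44: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'
Remediating rule 44/44: 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'

Successfully built 9bbc7083760e
Successfully built remediated image 9bbc7083760e from db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2.


Files associated with this scan are in /var/lib/atomic/openscap/2017-11-06-13-01-42-785000.
EOF
)

# Print "<remediated id> <original id>" from remediation output on stdin.
# Only the "Successfully built remediated image X from Y." line is consulted.
remediated_image_ids() {
    awk '/^Successfully built remediated image / {
        orig = $7; sub(/\.$/, "", orig)
        print $5, orig
    }'
}

# Emit the docker tag command for the remediated image as $2, but only if the
# image was built from the image ID $1. A prefix match is used because atomic
# prints a short ID in the scan header and the full ID in the build line.
# Reads remediation output on stdin; returns 1 and explains on stderr otherwise.
tag_remediated_image() {
    expected=$1; tag=$2
    ids=$(remediated_image_ids)
    [ -n "$ids" ] || { echo "no remediated image found in output" >&2; return 1; }
    new=${ids%% *}; orig=${ids#* }
    case "$orig" in
        "$expected"*) ;;
        *) echo "remediated image was built from $orig, not $expected" >&2; return 1 ;;
    esac
    echo docker tag "$new" "$tag"
}

# Demonstration on the constructed sample (db7a70a0414e589 is the scanned image).
printf '%s\n' "$SAMPLE_REMEDIATE_OUTPUT" | tag_remediated_image db7a70a0414e589 rhel7_disa_stig
```

In real use the last line becomes `atomic scan --remediate ... $ID | tag_remediated_image "$ID" rhel7_disa_stig | sh`, and because the remediated image is no longer signed by Red Hat, the same pipeline is the natural place to record the parent ID and policy in the image's own metadata.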