7.6. Using OpenSCAP with the atomic scan command
The atomic scan command enables users to use OpenSCAP scanning capabilities to scan docker-formatted container images and containers on the system. It is possible to scan for known CVE vulnerabilities or for configuration compliance. Additionally, users can remediate docker-formatted container images to the specified policy.
atomic scan and OpenSCAP Scanner Image
To install the atomic tool for container management, enter the following command:

    yum install atomic

For more information about the atomic installation, see the Prerequisites in the Atomic CLI Reference.
Once the atomic tool is installed, you also need a scanner, which is used by the atomic scan command as a back end for scanning images and containers. Red Hat recommends choosing the OpenSCAP scanner bundled in the rhel7/openscap container image in the registry.access.redhat.com image registry.
The installed scanner image is then used by the atomic scan command. It currently supports two scan types targeting Red Hat Enterprise Linux systems. To list the supported scan types, enter the following command:
7.6.1. Scanning Docker-formatted Images and Containers for Vulnerabilities Using atomic scan
Pass the container image or container to scan as the argument of the atomic scan command, as in the examples below. To scan all container images or all containers, use the --images or --containers directive, respectively. To scan both types, use the --all directive. The list of available command-line options can be obtained using the atomic scan --help command.
For more information about the atomic command usage and containers, see the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).
The default scan type of the atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.
Example 7.13. Scanning Red Hat Enterprise Linux 7 Container Images for Known Security Vulnerabilities
The following command scans the Red Hat Enterprise Linux 7 container image for known security vulnerabilities. The --verbose directive provides additional details.
    atomic scan --verbose registry.access.redhat.com/rhel7:latest
    docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-55-37-758180:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-55-37-758180:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
    WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
    INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
    INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
    INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
    INFO:Evaluated EvaluationSpec, exit_code=0.
    INFO:Evaluated EvaluationSpec, exit_code=0.
    INFO:[100.00%] Scanned target 'chroot:///scanin/db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2'

    registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

    registry.access.redhat.com/rhel7:latest passed the scan

    Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-55-37-758180.

An older release of the same image reports the advisories it is missing:

    atomic scan registry.access.redhat.com/rhel7:7.2
    docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout

    registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)

    The following issues were found:

         RHSA-2017:2832: nss security update (Important)
         Severity: Important
           RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
           RHSA ID: RHSA-2017:2832-01
           Associated CVEs:
               CVE ID: CVE-2017-7805
               CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805

         RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
         Severity: Moderate
           RHSA URL: https://access.redhat.com/errata/RHSA-2017:2016
           RHSA ID: RHSA-2017:2016-01
           Associated CVEs:
               CVE ID: CVE-2016-7167
               CVE URL: https://access.redhat.com/security/cve/CVE-2016-7167

         RHSA-2017:1931: bash security and bug fix update (Moderate)
         Severity: Moderate
           RHSA URL: https://access.redhat.com/errata/RHSA-2017:1931
           RHSA ID: RHSA-2017:1931-01
           Associated CVEs:
               CVE ID: CVE-2016-0634
               CVE URL: https://access.redhat.com/security/cve/CVE-2016-0634
               CVE ID: CVE-2016-7543
               CVE URL: https://access.redhat.com/security/cve/CVE-2016-7543
               CVE ID: CVE-2016-9401
               CVE URL: https://access.redhat.com/security/cve/CVE-2016-9401
    ............

    Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.
7.6.2. Scanning and Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
Scanning for Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
The atomic scan command also supports the configuration_compliance scan. Use this type of scanning to evaluate Red Hat Enterprise Linux-based container images and containers with the SCAP content provided by the SCAP Security Guide (SSG) bundled inside the OpenSCAP container image. This enables scanning against any profile provided by the SCAP Security Guide.
    ............

    Files associated with this scan are in /var/lib/atomic/openscap/2017-11-03-13-35-34-296606.

    tree /var/lib/atomic/openscap/2017-11-03-13-35-34-296606
    /var/lib/atomic/openscap/2017-11-03-13-35-34-296606
    ├── db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2
    │   ├── arf.xml
    │   ├── fix.sh
    │   ├── json
    │   └── report.html
    └── environment.json

    1 directory, 5 files
The atomic scan command generates a subdirectory with all the results and reports from a scan in the /var/lib/atomic/openscap/ directory. The arf.xml file with results is generated on every configuration compliance scan. To generate a human-readable HTML report file, add the report suboption to the --scanner_args option. To export XCCDF results for the DISA STIG Viewer, add the stig-viewer suboption to the --scanner_args option. The results are placed in stig.xml. For more information about DISA STIG Viewer, see Section 7.4.7, “Exporting XCCDF Results for the DISA STIG Viewer”.
The --scanner_args suboptions are separated by the comma character. The specific values for the xccdf-id and profile suboptions, which select an XCCDF component and a profile from the specified datastream file, are taken from the bundled SCAP content in the OpenSCAP image. The datastream file is selected automatically by the OpenSCAP image during scanning based on the target container image or container. If the xccdf-id suboption of the --scanner_args option is omitted, the scanner searches for a profile in the first XCCDF component of the selected datastream file. For more details about datastream files, see Section 7.2.3, “The Data Stream Format”.
Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
To remediate docker-formatted container images, add the --remediate option to the atomic scan command when scanning for configuration compliance. The following command builds a new remediated container image compliant with the DISA STIG policy from the Red Hat Enterprise Linux 7 container image:
    report registry.access.redhat.com/rhel7:latest

    registry.access.redhat.com/rhel7:latest (db7a70a0414e589)

    The following issues were found:
    ............
         Configure Time Service Maxpoll Interval
         Severity: Low
           XCCDF result: fail

         Configure LDAP Client to Use TLS For All Transactions
         Severity: Moderate
           XCCDF result: fail
    ............
    Remediating rule 43/44: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'
    Remediating rule 44/44: 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'
    Successfully built 9bbc7083760e
    Successfully built remediated image 9bbc7083760e from db7a70a0414e589d7c8c162712b329d4fc670fa47ddde721250fb9fcdbed9cc2.

    Files associated with this scan are in /var/lib/atomic/openscap/2017-11-06-13-01-42-785000.
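As an added example that is not part of the Red Hat documentation or of the atomic tool, the following Python parses the text atomic scan prints for the CVE scan in Example 7.13 and for the configuration compliance scan above, and applies a severity gate that a build job could fail on. It assumes each field is printed on its own line, as in the terminal output, and constructs its sample input from the values shown on this page.

```python
"""Parse what atomic scan prints for CVE and configuration-compliance scans (layouts
shown on this page) and gate a build on the findings. Added example, not Red Hat code."""
import re
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}
KEY_FIELD = {"Severity": "severity", "XCCDF result": "result"}   # field lines we keep
FIELD_RE = re.compile(r"^(Severity|RHSA URL|RHSA ID|Associated CVEs|CVE ID|CVE URL|XCCDF result):\s*(.*)$")

def parse_scan_output(text):
    """Return the findings listed under 'The following issues were found:'."""
    findings, in_issues = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not in_issues:                      # skip the header up to the list
            in_issues = line == "The following issues were found:"
        elif line and not line.startswith("Files associated with this scan"):
            m = FIELD_RE.match(line)
            if m is None:                      # any other line starts a new finding
                findings.append({"title": line, "severity": None, "cves": [], "result": None})
            elif findings and m.group(1) == "CVE ID":
                findings[-1]["cves"].append(m.group(2))
            elif findings and m.group(1) in KEY_FIELD:
                findings[-1][KEY_FIELD[m.group(1)]] = m.group(2)
    return findings

def blocking_findings(findings, threshold="Important"):
    """Findings rated at or above threshold; compliance rules count only when failed."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], -1) >= limit
            and f["result"] in (None, "fail")]

# Constructed samples in the layout atomic scan prints, using values from this page
SAMPLE_CVE_OUTPUT = """registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718)
The following issues were found:
     RHSA-2017:2832: nss security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832
       Associated CVEs:
           CVE ID: CVE-2017-7805
     RHSA-2017:2016: curl security, bug fix, and enhancement update (Moderate)
     Severity: Moderate
           CVE ID: CVE-2016-7167
Files associated with this scan are in /var/lib/atomic/openscap/2017-11-01-14-49-36-614281.
"""
SAMPLE_COMPLIANCE_OUTPUT = """The following issues were found:
     Configure Time Service Maxpoll Interval
     Severity: Low
       XCCDF result: fail
     Configure LDAP Client to Use TLS For All Transactions
     Severity: Moderate
       XCCDF result: fail
"""
```

With the default threshold only the Important nss advisory blocks; lowering it to Low makes both failed STIG rules block as well.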
The atomic scan command reports a remediated image ID. To make the image easier to remember, tag it with some name, for example: