7.6. Using OpenSCAP with Atomic

To verify that all the container images and containers present on the system are free of known CVE vulnerabilities or common misconfigurations, use the OpenSCAP scanning capabilities through the atomic scan command.

Atomic Scan

To install the atomic tool for container management, enter the following command:
# yum install atomic
After the atomic tool is installed, you also need a scanner. Red Hat recommends choosing the OpenSCAP-based rhel7/openscap docker image:
# atomic install rhel7/openscap
Scan the containers and container images using the atomic scan command:
# atomic scan $ID
Where $ID is the ID of the container. If you want to scan all container images or containers, use the --images or --containers directive, respectively. To scan both types, use the --all directive.

The OpenSCAP Scanner

The rhel7/openscap container image, the default scanner used by atomic scan, currently supports two scan types, both targeting Red Hat Enterprise Linux systems only. To list the supported scan types, enter the following command:
# atomic scan --scanner openscap --list
The default scan type is the CVE scan. Use it to check the target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.


The OVAL definitions used by the CVE scan type are bundled into the container image during the build process. Red Hat provides weekly updates of the container image; ensure the definitions are up to date.
The second supported scan type is standards_compliance, in which the Standard System Security Profile of the SCAP Security Guide is used for evaluation. This is the security baseline profile for Red Hat Enterprise Linux.

Example 7.12. Scanning the Container Image with Atomic Scan

The following example of atomic scan usage shows how to scan a Red Hat Enterprise Linux image and then list all vulnerabilities found using the --verbose directive.
# docker pull rhel7
Using default tag: latest
98a88a8b722a: Download complete
# atomic scan 98a88a8b722a
Container/Image    Cri     Imp     Med     Low
---------------    ---     ---     ---     ---
98a88a8b722a         0       0       0       0
# atomic scan --verbose 98a88a8b722a
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-10-14-06-42-55-991951:/scanin -v /var/lib/atomic/openscap/2016-10-14-06-42-55-991951:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861'

98a88a8b722a (registry.access.redhat.com/rhel7:latest)

98a88a8b722a passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-10-14-06-42-55-991951.
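As an added example that is not part of the Red Hat documentation, the following POSIX shell script parses the summary table printed by atomic scan (the Container/Image, Cri, Imp, Med, Low layout shown above) and returns a non-zero status when any image or container carries Critical or Important findings, so that a scheduled atomic scan --all can gate a deployment or raise an alert. It assumes the column layout of Example 7.12 and uses constructed sample summaries rather than real scan results.

```shell
# count_high_findings: read an atomic scan summary table on stdin and print
# the total number of Critical + Important findings across all rows.
# Assumes the five-column layout shown in Example 7.12 (ID Cri Imp Med Low).
count_high_findings() {
    awk '
        # Skip the header row and the dashed separator line.
        /^Container\/Image/ || /^-+/ { next }
        # Data rows have exactly five fields; the 2nd and 3rd are Cri and Imp.
        NF == 5 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { total += $2 + $3 }
        END { print total + 0 }
    '
}

# scan_gate: evaluate a summary passed as a string; return 0 when there are
# no Critical or Important findings, 1 otherwise (suitable as a CI/cron gate).
scan_gate() {
    high=$(printf '%s\n' "$1" | count_high_findings)
    if [ "$high" -gt 0 ]; then
        echo "FAIL: $high Critical/Important finding(s) in scanned images/containers" >&2
        return 1
    fi
    echo "PASS: no Critical/Important findings" >&2
    return 0
}

# Constructed sample summaries (not real scan output).
CLEAN_SUMMARY='Container/Image    Cri     Imp     Med     Low
---------------    ---     ---     ---     ---
98a88a8b722a         0       0       0       0'

DIRTY_SUMMARY='Container/Image    Cri     Imp     Med     Low
---------------    ---     ---     ---     ---
0123456789ab         1       2       5       0
fedcba987654         0       0       3       1'

# Typical use on a live host (commented out so the script runs offline):
# scan_gate "$(atomic scan --all 2>/dev/null)" || exit 1
```

Medium and Low findings are deliberately not counted by the gate; adjust the awk expression if a stricter policy is wanted.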


For a detailed description of the atomic command usage and containers, see the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).