7.5. Using OpenSCAP with Docker
The oscap-docker command-line utility enables users to use the oscap program to scan their docker-formatted container images and containers.
The following section:
- explains the installation of oscap-docker
- offers basic examples of usage
To learn more about sub-commands, use the --help option with the oscap-docker or oscap commands.
Note
Because a container file system is influenced by mount points, results of scanning an image might differ from results of scanning a container created from it. For example, a mount point that provides only data for processes inside the container in a custom path does not affect results of a scan. However, a mount point in a container applied to paths such as /bin, /etc, or /var, which provides new binaries or configuration files, can cause differences in scan results.
To enable the scanning of images and containers, install the docker package. See the Getting Docker in Red Hat Enterprise Linux 7 chapter of the Getting Started with Containers guide for instructions on installing Docker.
Enter the following command to install oscap-docker:
# yum install openscap-utils
The following examples use the Red Hat Enterprise Linux 7 image.
# docker pull registry.access.redhat.com/rhel7
# docker images
REPOSITORY                          TAG      IMAGE ID
registry.access.redhat.com/rhel7    latest   c453594215e4
7.5.1. Scanning Docker-formatted Images and Containers for Vulnerabilities
The oscap-docker command provides two ways to scan images and containers for vulnerabilities:
- The image-cve or container-cve sub-commands determine the version of the operating system, download the CVE stream applicable to the given system, and run a vulnerability scan:
# oscap-docker image-cve registry.access.redhat.com/rhel7
- Another, more flexible way enables you to specify OVAL definitions when checking for vulnerabilities. Use the image or container sub-command together with oscap arguments for an OVAL evaluation. For example, to scan an image using a definitions file downloaded from the Red Hat OVAL repository, use the following command:
# oscap-docker image registry.access.redhat.com/rhel7 oval eval com.redhat.rhsa-all.xml
7.5.2. Scanning Configuration Compliance of Docker-formatted Images and Containers
To scan for configuration compliance, use the SCAP content provided by the SCAP Security Guide (SSG). Ensure the scap-security-guide package is installed:
# yum install scap-security-guide
To verify compliance of the Red Hat Enterprise Linux 7 image with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy, enter the following command:
# oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The following command scans the running environment of the container with ID 5ef05eef4a01:
# oscap-docker container 5ef05eef4a01 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
To get an XML file with results, use the --results argument; to generate an HTML report of an evaluation, add the --report argument. See the oscap(8) man page for more information.
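As an added example (not part of the guide or of OpenSCAP itself), the following script runs the STIG image scan from this section with --results and --report, then summarises the saved XCCDF results XML so that a non-zero fail count can gate an image build. It assumes oscap-docker, scap-security-guide and the image named above are present; the sample results file it writes is constructed with placeholder rule ids.

```shell
#!/bin/sh
# Added example: STIG scan of an image with results kept, plus a summary of
# the XCCDF results XML. Image, profile and datastream path are the ones
# used in this section; oscap-docker is assumed to be installed.
IMAGE="registry.access.redhat.com/rhel7"
PROFILE="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"
DS="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"

# Scan an image and keep both the machine-readable results and the HTML report.
scan_image() {
    results="$1"; report="$2"
    oscap-docker image "$IMAGE" xccdf eval --profile "$PROFILE" \
        --results "$results" --report "$report" "$DS"
}

# Count <rule-result> entries whose <result> equals $2 (pass, fail,
# notapplicable, ...). The file is flattened first because oscap may split an
# element across lines; grep -c still prints 0 when nothing matches.
count_result() {
    tr -d '\n' < "$1" | grep -o '<result>[a-z]*</result>' \
        | grep -c "<result>$2</result>" || true
}

# Print a one-line summary and return 1 when any rule failed, so the function
# can be used directly as a pass/fail gate in a pipeline.
summarize_results() {
    passes=$(count_result "$1" pass); fails=$(count_result "$1" fail)
    na=$(count_result "$1" notapplicable)
    echo "pass=$passes fail=$fails notapplicable=$na"
    [ "$fails" -eq 0 ]
}

# Constructed minimal XCCDF results (placeholder rule ids, not real SSG rules)
# used to exercise the summary without running a scan.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_1">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_2"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_3"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_4"><result>fail</result></rule-result>
</TestResult>
EOF
}

# Real scan only when RUN_SCAN=1, so the helpers can be exercised without docker.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    scan_image rhel7-results.xml rhel7-report.html
    summarize_results rhel7-results.xml
fi
```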