Chapter 7. Container Image Scanning

7.1. Configuring Image Scanning

Red Hat CloudForms manages vulnerability scanning of container images. When an OpenShift provider is added, OpenShift images from the internal registry are discovered. To enable image scanning, perform the following configuration steps:

  1. Navigate to Compute → Containers → Providers.
  2. Select the checkboxes of the OpenShift providers on which to enable scanning.
  3. From the Policy pull-down menu, click Manage Policies.
  4. Select the OpenSCAP profile checkbox.
  5. Click Save.

This action will trigger a SmartState analysis, or scan, of all images referenced by the OpenShift provider. The initial scan may take several hours to complete, depending on the number and size of images. The scan itself runs inside the OpenShift provider; CloudForms receives the results and records them in its database. OpenShift limits the number of scanning pods, so only three images can be scanned simultaneously.

7.2. Scheduling A Recurring Scan

Software vulnerability databases are updated frequently. To apply these updates, a rescan is required. To schedule a recurring scan of container images:

  1. Click Configuration (the gear icon).
  2. From Settings → Zones in the left pane of the appliance, select Schedules.
  3. From the drop-down menu, click Configuration → Add a new Schedule.
  4. Type an arbitrary Name.
  5. Type an arbitrary Description.
  6. Ensure the Active checkbox is selected.
  7. In Action, select Container Image Analysis.
  8. In Filter, select All Container Images for Containers Provider, OpenShift.
  9. In Run, set the schedule as desired.
  10. Set the Time Zone, Starting Date, and Starting Time.
  11. Click Add.

7.3. Working with Images

7.3.1. Viewing Results

Image scanning results are displayed in each image summary page.

  1. Select Compute → Containers → Container Images.
  2. Click the desired image.

For an OpenSCAP HTML report, locate the Configuration section and select OpenSCAP HTML.


For compliance and scanning history information, locate the Compliance section and note the Status field or select Available from the History field.


7.3.2. Manual Scanning

SmartState analysis scanning may be initiated manually for images. From an image summary page, select Configuration → Perform SmartState Analysis. Refreshing the image page will reflect the latest scan results and compliance history.

7.3.3. Evaluating Compliance

If the image scan policy has been updated since the last scan, compliance conditions may be re-evaluated. From an image summary page, select Policy → Check Compliance of Last Known Configuration. Refreshing the image page will reflect the latest compliance history.

7.3.4. Generating a Report on Images

You can output the results of an OpenSCAP scan of images to a report for an overview of the security risk level of images. The Images by Failed OpenSCAP Rule Results report is included with CloudForms and shows whether each image has passed or failed the OpenSCAP policy criteria, along with its security risk.

Note

You can also create a copy of this report and edit it to contain additional information, such as the project name where the image is used, to produce more useful results. See Editing a Report and Reportable Fields in Red Hat CloudForms in Monitoring, Alerts, and Reporting for instructions on customizing reports.

To create a report showing image compliance:

  1. Navigate to Overview → Reports.
  2. Click the Reports → All Reports accordion.
  3. Navigate to Configuration Management → Containers → Images by Failed OpenSCAP Rule Results for a report showing which images have failed OpenSCAP compliance.
  4. Click Queue.
  5. The report generation is placed in the queue and its status shows in the reports page.

  6. Click Refresh this page to update the status.
  7. Navigate to the Saved Reports accordion, and click the report when it is completed.
  8. Click on the report download buttons for the type of export you want. The report is automatically named with the type of report and date.

    • Click Download this report in text format to download as text.
    • Click Download this report in CSV format to download as a comma-separated file.
    • Click Download this report in PDF format to download as PDF.

7.4. OpenSCAP Policy Profile

Red Hat CloudForms is pre-configured with a default scanning policy profile. This includes conditions to scan and identify compliance, as well as annotate compliance failure. SmartState analysis is performed when new images are added to OpenShift.

7.4.1. Customizing the Scanning Policy Profile

The built-in OpenSCAP policy profile cannot be edited. You can, however, assign edited copies of its policies to a new policy profile. This will allow you to create a customized version of the built-in OpenSCAP policy profile.

To do so, you will first have to copy the policy you want to customize:

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select Container Image Compliance Policies, then click OpenSCAP.
  3. Click Configuration, then click Copy this Container Image Policy.
  4. Click OK to confirm.

The new policy is created with a prefix of Copy of in its description, and it can be viewed in the Policies accordion.

You can now edit the copied policy. After editing copied policies, you can add them to a new policy profile. For instructions on how to edit policies, create a new policy profile, and add policies to it, see the Policies and Profiles guide. Once you have a customized policy profile, you can assign it to a containers provider.

7.5. Controlling OpenShift Pod Execution

Through the default policy profile, non-compliant images receive the control policy action Mark as Non-Compliant. This action annotates the image object (not to be confused with the imagestream object) with images.openshift.io/deny-execution=true. This annotation may be used to prevent nodes from running non-compliant images. Refer to the OpenShift Container Platform Image Policy documentation for configuration details.
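The following is an added example, not code from CloudForms or OpenShift, showing how an operator can audit which image objects carry the images.openshift.io/deny-execution=true annotation that Mark as Non-Compliant applies, and how an annotation-matching admission rule would treat a pod that references one of them. It assumes the input is the JSON printed by `oc get images -o json` (an ImageList), and the rule shape (match on an image annotation, reject on match, optionally skip when the image cannot be resolved) is modelled on the execution rules of the OpenShift image policy admission plugin the section refers to; the image list, registry address and digests in the sample are constructed placeholders.

```python
"""Audit OpenShift image objects for the CloudForms deny-execution annotation
and replay the admission decision an image policy would make.

Added example, not CloudForms or OpenShift code. Assumptions: the input is
the JSON printed by `oc get images -o json` (an ImageList), and the rule
shape (match on an image annotation, reject on match, skip on resolution
failure) mirrors the execution rules of OpenShift's image policy admission
plugin. The image list below is constructed; every name, digest and registry
address is a placeholder.
"""
import json

DENY_ANNOTATION = "images.openshift.io/deny-execution"

# Constructed sample in the shape of `oc get images -o json`. Digests are
# obviously fake placeholders, not real image identifiers.
SAMPLE_IMAGE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "ImageList",
    "items": [
        {   # image that failed the OpenSCAP policy; CloudForms annotated it
            "metadata": {
                "name": "sha256:" + "11" * 32,
                "annotations": {DENY_ANNOTATION: "true"},
            },
            "dockerImageReference": "172.30.1.1:5000/demo/webapp@sha256:" + "11" * 32,
        },
        {   # compliant image: no deny annotation at all
            "metadata": {"name": "sha256:" + "22" * 32},
            "dockerImageReference": "172.30.1.1:5000/demo/api@sha256:" + "22" * 32,
        },
        {   # annotation present but its value is not the literal string "true"
            "metadata": {
                "name": "sha256:" + "33" * 32,
                "annotations": {DENY_ANNOTATION: "false"},
            },
            "dockerImageReference": "172.30.1.1:5000/demo/worker@sha256:" + "33" * 32,
        },
    ],
})


def load_images(image_list_json):
    """Parse an ImageList document and return its image objects."""
    doc = json.loads(image_list_json)
    if doc.get("kind") != "ImageList":
        raise ValueError("expected an ImageList document, got %r" % doc.get("kind"))
    return doc.get("items", [])


def is_denied(image):
    """True when the image object carries deny-execution=true.

    The match is an exact string comparison, as an annotation-matching
    admission rule does; values such as "True", "yes" or "1" do not match.
    """
    annotations = image.get("metadata", {}).get("annotations") or {}
    return annotations.get(DENY_ANNOTATION) == "true"


def denied_image_references(image_list_json):
    """List the pull references of every image marked non-compliant."""
    return sorted(img["dockerImageReference"]
                  for img in load_images(image_list_json) if is_denied(img))


def find_image(images, image_ref):
    """Resolve a pull reference or a digest name to its image object, or None."""
    for img in images:
        if image_ref in (img.get("dockerImageReference"), img["metadata"]["name"]):
            return img
    return None


def admission_decision(image_list_json, image_ref, skip_on_resolution_failure=True):
    """Replay a reject-on-annotation execution rule for one pod image.

    Returns (verdict, reason). An image that cannot be resolved is allowed
    only when skip_on_resolution_failure is set; otherwise it is rejected,
    which is the safer setting when the goal is to block unscanned images.
    """
    image = find_image(load_images(image_list_json), image_ref)
    if image is None:
        if skip_on_resolution_failure:
            return ("allow", "image not found; rule skipped on resolution failure")
        return ("reject", "image not found and resolution failure is not skipped")
    if is_denied(image):
        return ("reject", "%s=true" % DENY_ANNOTATION)
    return ("allow", "no deny-execution annotation")


if __name__ == "__main__":
    for ref in denied_image_references(SAMPLE_IMAGE_LIST):
        print("non-compliant:", ref)
    print(admission_decision(SAMPLE_IMAGE_LIST,
                             "172.30.1.1:5000/demo/webapp@sha256:" + "11" * 32))
```

To run it against a live cluster, replace SAMPLE_IMAGE_LIST with the output of `oc get images -o json`. The exact-string match and the resolution-failure branch are the two places where a policy silently does less than expected: an annotation written with any value other than the literal "true" is ignored, and an unresolvable image reference is admitted whenever the rule is configured to skip on resolution failure.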

7.6. Reference

For more information about OpenSCAP, visit the OpenSCAP web site.