8.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline
Follow the steps to assess compliance of your container or a container image with a specific security baseline, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS).
Prerequisites
- The openscap-utils and scap-security-guide packages are installed.
Procedure
- Find the ID of a container or a container image, for example:
~]#
docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry.access.redhat.com/ubi7/ubi latest 096cae65a207 7 weeks ago 239 MB - Evaluate the compliance of the container image with the OSPP profile and save scan results in the report.html HTML file.
~]$
sudo oscap-docker 096cae65a207 xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xmlReplace 096cae65a207 with the ID of your container image and the ospp value with pci-dss if you assess configuration compliance with the PCI-DSS baseline.
Verification
- Check the results in a browser of your choice, for example:
~]$
firefox report.html &
Note
The rules marked as notapplicable are rules that do not apply to containerized systems. These rules apply only to bare-metal or virtualized systems.
Additional Resources
- For more information, see the
oscap-docker(8)
andscap-security-guide(8)
man pages. - The
SCAP Security Guide
documentation installed in thefile:///usr/share/doc/scap-security-guide-doc-0.1.46/
directory.