8.11. Scanning and Remediating Configuration Compliance of Container Images and Containers Using atomic scan
8.11.1. Scanning for Configuration Compliance of Container Images and Containers Using atomic scan
Use this type of scanning to evaluate Red Hat Enterprise Linux-based container images and containers with the SCAP content provided by the SCAP Security Guide (SSG) bundled inside the OpenSCAP container image. This enables scanning against any profile provided by the SCAP Security Guide.
Warning
The atomic scan functionality is deprecated, and the OpenSCAP container image is no longer updated with new security compliance content. Therefore, prefer the oscap-docker utility for security compliance scanning purposes.
Note
For a detailed description of the usage of the atomic command and containers, see the Product Documentation for Red Hat Enterprise Linux Atomic Host 7. The Red Hat Customer Portal also provides a guide to the atomic command-line interface (CLI).
Prerequisites
- You have downloaded and installed the OpenSCAP container image from Red Hat Container Catalog (RHCC) using the atomic install rhel7/openscap command.
Procedure
- List SCAP content provided by the OpenSCAP image for the configuration_compliance scan:
  ~]# atomic help registry.access.redhat.com/rhel7/openscap
- Verify compliance of the latest Red Hat Enterprise Linux 7 container image with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy and generate an HTML report from the scan:
  ~]# atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest
  The output of the previous command ends with information about the files associated with the scan. The atomic scan command generates a subdirectory with all the results and reports from a scan in the /var/lib/atomic/openscap/ directory. The arf.xml file with the results is generated on every configuration compliance scan. To generate a human-readable HTML report file, add the report suboption to the --scanner_args option.
- Optional: To generate XCCDF results readable by DISA STIG Viewer, add the stig-viewer suboption to the --scanner_args option. The results are placed in stig.xml.
Note
When the xccdf-id suboption of the --scanner_args option is omitted, the scanner searches for a profile in the first XCCDF component of the selected data stream file. For more details about data stream files, see Section 8.3.1, “Configuration Compliance in RHEL 7”.
8.11.2. Remediating Configuration Compliance of Container Images and Containers Using atomic scan
You can run the configuration compliance scan against the original container image to check its compliance with the DISA STIG policy. Based on the scan results, a fix script containing bash remediations for the failed scan results is generated. The fix script is then applied to the original container image - this is called a remediation. The remediation results in a container image with an altered configuration, which is added as a new layer on top of the original container image.
Important
Note that the original container image remains unchanged and only a new layer is created on top of it. The remediation process builds a new container image that contains all the configuration improvements. The content of this layer is defined by the security policy of scanning - in the previous case, the DISA STIG policy. This also means that the remediated container image is no longer signed by Red Hat, which is expected, because it differs from the original container image by containing the remediated layer.
Warning
The atomic scan functionality is deprecated, and the OpenSCAP container image is no longer updated with new security compliance content. Therefore, prefer the oscap-docker utility for security compliance scanning purposes.
Prerequisites
- You have downloaded and installed the OpenSCAP container image from Red Hat Container Catalog (RHCC) using the atomic install rhel7/openscap command.
Procedure
- List SCAP content provided by the OpenSCAP image for the configuration_compliance scan:
  ~]# atomic help registry.access.redhat.com/rhel7/openscap
- To remediate container images to the specified policy, add the --remediate option to the atomic scan command when scanning for configuration compliance. The following command builds a new remediated container image compliant with the DISA STIG policy from the Red Hat Enterprise Linux 7 container image:
  ~]# atomic scan --remediate --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report registry.access.redhat.com/rhel7:latest
- Optional: The output of the atomic scan command reports a remediated image ID. To make the image easier to remember, tag it with some name, for example:
  ~]# docker tag 9bbc7083760e rhel7_disa_stig
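Both procedures above leave an arf.xml results file under /var/lib/atomic/openscap/, and the remediated image is only useful if that file shows the failing rules actually went away. The following Python example is added here and is not part of the Red Hat documentation or of the OpenSCAP tooling: it parses the XCCDF TestResult embedded in an ARF file, lists the rules that fail at or above a chosen severity (a simple gate before an image is promoted), and compares a pre-remediation arf.xml with the one from the remediated image to confirm which rules the new layer fixed. The two ARF documents embedded in the code are constructed samples with placeholder rule IDs, not real scanner output; only the profile ID comes from the page.

```python
import xml.etree.ElementTree as ET

# Namespaces of the ARF 1.1 / XCCDF 1.2 results that OpenSCAP writes to arf.xml.
NS = {"arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY = {"low": 0, "medium": 1, "high": 2}

def rule_results(arf_xml):
    """Map rule id -> (result, severity) for every rule-result in the TestResult."""
    root = ET.fromstring(arf_xml)
    out = {}
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        out[rr.get("idref")] = (result, rr.get("severity", "unknown"))
    return out

def failing_rules(results, min_severity="medium"):
    """Rule ids failing at or above min_severity; a non-empty list should block the image."""
    threshold = SEVERITY[min_severity]
    return sorted(rid for rid, (res, sev) in results.items()
                  if res == "fail" and SEVERITY.get(sev, 0) >= threshold)

def remediation_delta(before, after):
    """(rules the remediation layer fixed, rules still failing in the remediated image)."""
    fixed = sorted(rid for rid, (res, _) in before.items()
                   if res == "fail" and after.get(rid, ("fail",))[0] == "pass")
    still_failing = sorted(rid for rid, (res, _) in after.items() if res == "fail")
    return fixed, still_failing

def sample_arf(rows):
    """Constructed minimal ARF document for the demo, not real scanner output."""
    body = "".join(f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result>'
                   '</rule-result>' for rid, sev, res in rows)
    return (f'<arf:asset-report-collection xmlns:arf="{NS["arf"]}"><arf:reports>'
            f'<arf:report id="xccdf1"><arf:content><TestResult xmlns="{NS["xccdf"]}">'
            '<profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"/>'
            f'{body}</TestResult></arf:content></arf:report></arf:reports>'
            '</arf:asset-report-collection>')

# Rule ids are constructed placeholders standing in for SSG STIG rules.
R = "xccdf_org.ssgproject.content_rule_demo_"
BEFORE_ARF = sample_arf([(R + "no_empty_passwords", "high", "fail"), (R + "telnet_removed", "high", "pass"),
                         (R + "login_banner", "medium", "fail"), (R + "umask", "low", "fail")])
AFTER_ARF = sample_arf([(R + "no_empty_passwords", "high", "pass"), (R + "telnet_removed", "high", "pass"),
                        (R + "login_banner", "medium", "fail"), (R + "umask", "low", "pass")])
```

To use it against real scans, read the arf.xml from the scan subdirectory of the original image and of the remediated image and pass their contents to rule_results in place of the constructed samples.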