Chapter 14. Managing vulnerabilities


14.1. Vulnerability management overview

Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as carrying out a denial of service attack, executing remote code, or gaining unauthorized access to sensitive data. Therefore, the management of vulnerabilities is a foundational step towards a successful Kubernetes security program.

14.1.1. Vulnerability management process

Vulnerability management is a continuous process to identify and remediate vulnerabilities. Red Hat Advanced Cluster Security for Kubernetes helps you to facilitate a vulnerability management process.

A successful vulnerability management program often includes the following critical tasks:

  • Performing asset assessment
  • Prioritizing the vulnerabilities
  • Assessing the exposure
  • Taking action
  • Continuously reassessing assets

Red Hat Advanced Cluster Security for Kubernetes helps organizations to perform continuous assessments on their OpenShift Container Platform and Kubernetes clusters. It provides organizations with the contextual information they need to prioritize and act on vulnerabilities in their environment more effectively.

14.1.1.1. Performing asset assessment

Performing an assessment of an organization’s assets involves the following actions:

  • Identifying the assets in your environment
  • Scanning these assets to identify known vulnerabilities
  • Reporting on the vulnerabilities in your environment to impacted stakeholders

When you install Red Hat Advanced Cluster Security for Kubernetes (RHACS) on your Kubernetes or OpenShift Container Platform cluster, it first aggregates the assets running inside your cluster to help you identify them. RHACS allows organizations to perform continuous assessments on their OpenShift Container Platform and Kubernetes clusters and provides the contextual information needed to prioritize and act on vulnerabilities in their environment more effectively.

Important assets that should be monitored by the organization’s vulnerability management process using RHACS include:

  • Components: Components are software packages that may be used as part of an image or run on a node. Components are the lowest level where vulnerabilities are present. Therefore, organizations must upgrade, modify or remove software components in some way to remediate vulnerabilities.
  • Images: A collection of software components and code that create an environment to run an executable portion of code. Images are where you upgrade components to fix vulnerabilities.
  • Nodes: A server used to manage and run applications using OpenShift or Kubernetes and the components that make up the OpenShift Container Platform or Kubernetes service.

RHACS groups these assets into the following structures:

  • Deployment: A definition of an application in Kubernetes that may run pods with containers based on one or many images.
  • Namespace: A grouping of resources such as Deployments that support and isolate an application.
  • Cluster: A group of nodes used to run applications using OpenShift or Kubernetes.

RHACS scans the assets for known vulnerabilities and uses the Common Vulnerabilities and Exposures (CVE) data to assess the impact of a known vulnerability.

14.1.1.2. Prioritizing the vulnerabilities

Answer the following questions to prioritize the vulnerabilities in your environment for action and investigation:

  • How important is an affected asset for your organization?
  • How severe does a vulnerability need to be for investigation?
  • Can the vulnerability be fixed by a patch for the affected software component?
  • Does the existence of the vulnerability violate any of your organization’s security policies?

The answers to these questions help security and development teams decide if they want to gauge the exposure of a vulnerability.

Red Hat Advanced Cluster Security for Kubernetes provides you the means to facilitate the prioritization of the vulnerabilities in your applications and components.

14.1.1.3. Assessing the exposure

To assess your exposure to a vulnerability, answer the following questions:

  • Is your application impacted by a vulnerability?
  • Is the vulnerability mitigated by some other factor?
  • Are there any known threats that could lead to the exploitation of this vulnerability?
  • Are you using the software package which has the vulnerability?
  • Is spending time on a specific vulnerability and the software package worth it?

Take some of the following actions based on your assessment:

  • Consider marking the vulnerability as a false positive if you determine that there is no exposure or that the vulnerability does not apply in your environment.
  • Consider if you would prefer to remediate, mitigate or accept the risk if you are exposed.
  • Consider if you want to remove or change the software package to reduce your attack surface.

14.1.1.4. Taking action

Once you have decided to take action on a vulnerability, you can take one of the following actions:

  • Remediate the vulnerability
  • Mitigate and accept the risk
  • Accept the risk
  • Mark the vulnerability as a false positive

You can remediate vulnerabilities by performing one of the following actions:

  • Remove a software package
  • Update a software package to a non-vulnerable version
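As an added illustration (not code from the RHACS documentation or project), the following Python script applies the prioritization and action steps above to one image scan result, using the same severity, Fixable/Not fixable status and CVSS criteria that the Workload CVEs page later filters on. The sample scan is constructed, and its JSON shape is an assumption modelled on the output of `roxctl image scan -o json`.

```python
import json
from dataclasses import dataclass

# RHACS severity labels, highest first (the page's CVE severity filter values).
SEVERITY_RANK = {
    "CRITICAL_VULNERABILITY_SEVERITY": 4,
    "IMPORTANT_VULNERABILITY_SEVERITY": 3,
    "MODERATE_VULNERABILITY_SEVERITY": 2,
    "LOW_VULNERABILITY_SEVERITY": 1,
}

# Constructed sample scan. The shape (scan -> components -> vulns with
# cve/cvss/severity/fixedBy) is an assumption modelled on the JSON that
# `roxctl image scan -o json` emits; check field names against your version.
SAMPLE_SCAN = json.dumps({
    "name": {"fullName": "quay.io/example/app:1.2.3"},
    "scan": {"components": [
        {"name": "openssl-libs", "version": "3.0.7-1", "source": "OS", "vulns": [
            {"cve": "CVE-0000-0001", "cvss": 9.8, "fixedBy": "3.0.7-2",
             "severity": "CRITICAL_VULNERABILITY_SEVERITY"},
            {"cve": "CVE-0000-0002", "cvss": 5.3, "fixedBy": "",
             "severity": "MODERATE_VULNERABILITY_SEVERITY"}]},
        {"name": "activerecord-sql-server-adapter", "version": "3.4.21",
         "source": "RUBY", "vulns": [
            {"cve": "CVE-0000-0003", "cvss": 7.5, "fixedBy": "3.4.22",
             "severity": "IMPORTANT_VULNERABILITY_SEVERITY"}]},
        {"name": "bash", "version": "5.1.8", "source": "OS", "vulns": [
            {"cve": "CVE-0000-0004", "cvss": 3.1, "fixedBy": "5.1.9",
             "severity": "LOW_VULNERABILITY_SEVERITY"}]},
    ]},
})


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    source: str
    cvss: float
    severity: str
    fixed_by: str

    @property
    def fixable(self) -> bool:
        # The page's "Fixable" status: a fixed version is known for the component.
        return bool(self.fixed_by)


def load_findings(scan_json):
    """Flatten components -> vulns into one Finding per (component, CVE)."""
    image = json.loads(scan_json)
    findings = []
    for comp in image.get("scan", {}).get("components", []):
        for v in comp.get("vulns", []):
            findings.append(Finding(
                cve=v["cve"], component=comp["name"], version=comp["version"],
                source=comp.get("source", "UNKNOWN"), cvss=float(v.get("cvss", 0.0)),
                severity=v.get("severity", ""), fixed_by=v.get("fixedBy", "")))
    return findings


def triage(findings, min_severity="IMPORTANT_VULNERABILITY_SEVERITY", min_cvss=0.0):
    """Keep findings at or above both thresholds (a severity filter plus a
    'CVSS is greater than or equal to' filter), rank by CVSS descending like
    the Top CVSS column, and split into fixable (remediate) and not fixable
    (assess exposure, then mitigate, defer or accept)."""
    floor = SEVERITY_RANK[min_severity]
    kept = [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= floor and f.cvss >= min_cvss]
    kept.sort(key=lambda f: (-f.cvss, f.cve))
    return [f for f in kept if f.fixable], [f for f in kept if not f.fixable]


def remediation_plan(fixable):
    """One action per component: update to the highest fixed version seen,
    which closes every fixable CVE on that component at once."""
    plan = {}
    for f in fixable:
        if f.component not in plan or _vkey(f.fixed_by) > _vkey(plan[f.component]):
            plan[f.component] = f.fixed_by
    return plan


def _vkey(version):
    # Sort key for dotted/dashed versions; numeric parts compare numerically.
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.replace("-", ".").split("."))


if __name__ == "__main__":
    fix, nofix = triage(load_findings(SAMPLE_SCAN), "LOW_VULNERABILITY_SEVERITY")
    for f in fix:
        print(f"FIX    {f.cve} {f.component} {f.version} -> {f.fixed_by} (CVSS {f.cvss})")
    for f in nofix:
        print(f"ASSESS {f.cve} {f.component} {f.version} (CVSS {f.cvss}, no fix available)")
    print("plan:", remediation_plan(fix))
```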

14.2. Viewing and addressing vulnerabilities

Common vulnerability management tasks involve identifying and prioritizing vulnerabilities, remedying them, and monitoring for new threats.

Historically, RHACS provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. The dashboard is deprecated in RHACS 4.5 and will be removed in a future release.

For more information about the dashboard, see Using the vulnerability management dashboard.

14.2.1. Prioritizing and managing scanned CVEs across images and deployments

By viewing the Workload CVEs page, you can get information about the vulnerabilities in applications running on clusters in your system. You can view vulnerability information across images and deployments.

The Workload CVEs page provides more advanced filtering capabilities than the dashboard, including the ability to view images and deployments with vulnerabilities and filter based on image, deployment, namespace, cluster, CVE, component, and component source.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Choose the appropriate method to navigate through the images and deployments from the drop-down list, which is in the upper left of the page:

    • To view the images and deployments with observed CVEs, select Image vulnerabilities.
    • To view the images and deployments without observed CVEs, select Images without vulnerabilities.
  3. Optional: Choose the appropriate method to re-organize the information in the Workload CVEs page:

    • To sort the table in ascending or descending order, select a column heading.
    • To filter the table, use the filter bar.
    • To select the categories that you want to display in the table, perform the following steps:

      1. Click Manage columns.
      2. Choose the appropriate method to manage the columns:

        • To view all the categories, click Select all.
        • To reset to the default categories, click Reset to default.
        • To view only the selected categories, select the one or more categories that you want to view.
    • To filter CVEs based on an entity, select the appropriate filters and attributes.

      To select multiple entities and attributes, click the right arrow icon to add another criterion. Depending on your choices, enter the appropriate information such as text, or select a date or object.

      The filter entities and attributes are listed in the following table.

      Table 14.1. CVE filtering
      Entity | Attributes

      Image

      • Name: The name of the image.
      • Operating system: The operating system of the image.
      • Tag: The tag for the image.
      • Label: The label for the image.
      • Registry: The registry where the image is located.

      CVE

      • Name: The name of the CVE.
      • Discovered time: The date when RHACS discovered the CVE.
      • CVSS: The severity level for the CVE.

        The following values are associated with the severity level for the CVE:

        • is greater than
        • is greater than or equal to
        • is equal to
        • is less than or equal to
        • is less than

      Image Component

      • Name: The name of the image component, for example, activerecord-sql-server-adapter.
      • Source:

        • OS
        • Python
        • Java
        • Ruby
        • Node.js
        • Go
        • Dotnet Core Runtime
        • Infrastructure
      • Version: Version of the image component; for example, 3.4.21. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

      Deployment

      • Name: Name of the deployment.
      • Label: Label for the deployment.
      • Annotation: The annotation for the deployment.

      Namespace

      • Name: The name of the namespace.
      • Label: The label for the namespace.
      • Annotation: The annotation for the namespace.

      Cluster

      • Name: The name of the cluster.
      • Label: The label for the cluster.
      • Type: The cluster type, for example, OCP.
      • Platform type: The platform type, for example, OpenShift 4 cluster.
    • To display a list of namespaces sorted according to the risk priority, click Prioritize by namespace view.

      You can use this view to quickly identify and address the most critical areas.

      In this view, click <number> deployments in a table row to return to the workload CVE list view, with filters applied to show only deployments, images and CVEs for the selected namespace.

    • To apply the default filters, click Default filters.

      You can select filters for CVE severity and CVE status that are automatically applied when you visit the Workload CVEs page.

      These filters only apply to this page, and are applied when you visit the page from another section of the RHACS web portal or from a bookmarked URL. They are saved in the local storage of your browser.

    • To filter the table based on the severity of a CVE, from the CVE severity drop-down list, select one or more severity levels.

      The following values are associated with the severity of a CVE:

      • Critical
      • Important
      • Moderate
      • Low
    • To filter the table based on the status of a CVE, from the CVE status drop-down list, select one or more statuses.

      The following values are associated with the status of a CVE:

      • Fixable
      • Not fixable
Note

The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.

In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:

  • Whether a CVE is fixable
  • Whether an image is active
  • The Dockerfile line in the image that contains the CVE
  • External links to information about the CVE in Red Hat and other CVE databases

14.2.1.1. Analyze images and deployments with observed CVEs

When you select Image vulnerabilities, the Workload CVEs page shows the images and deployments in which Red Hat Advanced Cluster Security for Kubernetes (RHACS) has discovered CVEs.

14.2.1.1.1. CVEs tab

The CVEs view organizes information into the following groups:

  • CVE: Displays a unique identifier for Common Vulnerabilities and Exposures (CVE), each representing a specific vulnerability, to track and analyze it in detail.
  • Images by severity: Groups images based on the severity level of the associated vulnerabilities.
  • Top CVSS: Displays the highest CVSS score for each CVE across images to highlight the vulnerabilities with the most severe impact.
  • Top NVD CVSS: Shows the highest severity scores from the National Vulnerability Database (NVD) to enable standardized impact assessments.

    Note

    You can see the Top NVD CVSS column only if you have enabled Scanner V4.

  • Affected images: Displays the number of container images affected by specific CVEs to assess the scope of vulnerabilities.
  • First discovered: Shows the date each vulnerability was first discovered in the environment to measure the duration of its exposure.
  • Published: Indicates when the CVE was publicly disclosed.

To review and triage the details associated with a CVE, click on the CVE.

A window opens with information about the vulnerabilities associated with the CVE.

14.2.1.1.2. Images tab

The images view organizes the information into the following groups:

  • Image: Displays the name or identifier of each container image.
  • CVEs by severity: Groups the vulnerabilities associated with each image based on their severity.
  • Operating system: Highlights the operating system that the image uses and helps identify potential vulnerabilities specific to that operating system.
  • Deployments: Shows all deployments where the image is actively running so you can assess the impact and prioritize remediation based on usage.
  • Age: Shows how long the image has been in use and provides information about potential risks associated with outdated images.
  • Scan time: Shows the timestamp of the last scan.

To review and triage the details associated with an image, click on the image.

A window opens with information about the vulnerabilities associated with the image.

14.2.1.1.3. Deployments tab

The deployments view organizes information into the following groups:

  • Deployment: Indicates the name or identifier of each deployment.
  • CVEs by severity: Groups the vulnerabilities associated with each deployment based on their severity.
  • Cluster: Displays the cluster in which each deployment is located.
  • Namespace: Displays the namespace of each deployment.
  • Images: Displays the container images that the deployment uses.
  • First discovered: Shows the date on which the vulnerabilities associated with a deployment were first discovered.

To review and triage the details associated with a deployment, click on the deployment.

A window opens with information about the vulnerabilities associated with the deployment.

14.2.1.2. Analyze images and deployments without observed CVEs

When you select Images without vulnerabilities, the Workload CVEs page shows the images that meet at least one of the following conditions:

  • Images that do not have CVEs
  • Images that report a scanner error, which may produce a false negative (no CVEs reported even though the image contains some)
Note

An image that actually contains vulnerabilities can appear in this list inadvertently. For example, if Scanner attempted to scan an image that is known to Red Hat Advanced Cluster Security for Kubernetes (RHACS), but the scan did not complete successfully, RHACS cannot detect its vulnerabilities.

This scenario occurs if an image has an operating system that RHACS Scanner does not support. RHACS displays scan errors when you hover over an image in the image list or click the image name for more information.

14.2.1.2.1. Images tab

The images view organizes the information into the following groups:

  • Image: Displays the name or identifier of each container image.
  • Operating system: Highlights the operating system that the image uses and helps identify potential vulnerabilities specific to that operating system.
  • Deployments: Shows all deployments where the image is actively running so you can assess the impact and prioritize remediation based on usage.
  • Age: Shows how long the image has been in use and provides information about potential risks associated with outdated images.
  • Scan time: Shows the timestamp of the last scan.

To review and triage the details associated with an image, click on the image.

A window opens with information about the vulnerabilities associated with the image.

14.2.1.2.2. Deployments tab

The deployments view organizes information into the following groups:

  • Deployment: Indicates the name or identifier of each deployment.
  • Cluster: Displays the cluster in which each deployment is located.
  • Namespace: Displays the namespace of each deployment.
  • Images: Displays the container images that the deployment uses.
  • First discovered: Shows the date on which the vulnerabilities associated with a deployment were first discovered.

To review and triage the details associated with a deployment, click on the deployment.

A window opens with information about the vulnerabilities associated with the deployment.

14.2.3. Viewing Node CVEs

You can identify vulnerabilities in your nodes by using RHACS. The vulnerabilities that are identified include the following:

  • Vulnerabilities in core Kubernetes components
  • Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd

For more information about operating systems that RHACS can scan, see "Supported operating systems".

Procedure

  1. In the RHACS portal, click Vulnerability Management → Node CVEs.
  2. To view the data, do any of the following tasks:

    • To view a list of all the CVEs affecting all of your nodes, select <number> CVEs.
    • To view a list of nodes that contain CVEs, select <number> Nodes.
  3. Optional: To filter CVEs according to entity, select the appropriate filters and attributes. To add more filtering criteria, follow these steps:

    1. Select the entity or attribute from the list.
    2. Depending on your choices, enter the appropriate information such as text, or select a date or object.
    3. Click the right arrow icon.
    4. Optional: Select additional entities and attributes, and then click the right arrow icon to add them. The filter entities and attributes are listed in the following table.

      Table 14.2. CVE filtering
      Entity | Attributes

      Node

      • Name: The name of the node.
      • Operating system: The operating system of the node, for example, Red Hat Enterprise Linux (RHEL).
      • Label: The label of the node.
      • Annotation: The annotation for the node.
      • Scan time: The scan date of the node.

      CVE

      • Name: The name of the CVE.
      • Discovered time: The date when RHACS discovered the CVE.
      • CVSS: The severity level for the CVE.

        The following values are associated with the severity level for the CVE:

        • is greater than
        • is greater than or equal to
        • is equal to
        • is less than or equal to
        • is less than

      Node Component

      • Name: The name of the component.
      • Version: The version of the component, for example, 4.15.0-2024. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

      Cluster

      • Name: The name of the cluster.
      • Label: The label for the cluster.
      • Type: The type of cluster, for example, OCP.
      • Platform type: The type of platform, for example, OpenShift 4 cluster.
  4. Optional: To refine the list of results, do any of the following tasks:

    • Click CVE severity, and then select one or more levels.
    • Click CVE status, and then select Fixable or Not fixable.
  5. Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.

14.2.3.1. Disabling identifying vulnerabilities in nodes

Identifying vulnerabilities in nodes is enabled by default. You can disable it from the RHACS portal.

Procedure

  1. In the RHACS portal, go to Platform Configuration → Integrations.
  2. Under Image Integrations, select StackRox Scanner.
  3. From the list of scanners, select StackRox Scanner to view its details.
  4. Click Edit.
  5. To use only the image scanner and not the node scanner, click Image Scanner.
  6. Click Save.


14.2.4. Viewing platform CVEs

The platform CVEs page provides information about vulnerabilities in clusters in your system.

Procedure

  1. Click Vulnerability Management → Platform CVEs.
  2. You can filter CVEs by entity by selecting the appropriate filters and attributes. You can select multiple entities and attributes by clicking the right arrow icon to add another criterion. Depending on your choices, enter the appropriate information such as text, or select a date or object. The filter entities and attributes are listed in the following table.

    Table 14.3. CVE filtering
    Entity | Attributes

    Cluster

    • Name: The name of the cluster.
    • Label: The label for the cluster.
    • Type: The cluster type, for example, OCP.
    • Platform type: The platform type, for example, OpenShift 4 cluster.

    CVE

    • Name: The name of the CVE.
    • Discovered time: The date when RHACS discovered the CVE.
    • CVSS: The severity level for the CVE. You can select from the following options for the severity level:

      • is greater than
      • is greater than or equal to
      • is equal to
      • is less than or equal to
      • is less than
    • Type: The type of CVE:

      • Kubernetes CVE
      • Istio CVE
      • OpenShift CVE
  3. To filter by CVE status, click CVE status and select Fixable or Not fixable.
Note

The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.

In the list of results, click a CVE to view more information about the item. For example, you can view the following information if it is populated:

  • Documentation for the CVE
  • External links to information about the CVE in Red Hat and other CVE databases
  • Whether the CVE is fixable or unfixable
  • A list of affected clusters

14.2.5. Excluding CVEs

You can exclude or ignore CVEs in RHACS by snoozing node and platform CVEs and deferring or marking node, platform, and image CVEs as false positives. You might want to exclude CVEs if you know that the CVE is a false positive or you have already taken steps to mitigate the CVE. Snoozed CVEs do not appear in vulnerability reports or trigger policy violations.

You can snooze a CVE to ignore it globally for a specified period of time. Snoozing a CVE does not require approval.

Note

Snoozing node and platform CVEs requires that the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable is set to true.

Deferring or marking a CVE as a false positive is done through the exception management workflow. This workflow provides the ability to view pending, approved, and denied deferral and false positive requests. You can scope the CVE exception to a single image, all tags for a single image, or globally for all images.

When approving or denying a request, you must add a comment. A CVE remains in the observed status until the exception request is approved. A pending request for deferral that is denied by another user is still visible in reports, policy violations, and other places in the system, but is indicated by a Pending exception label next to the CVE when visiting Vulnerability Management → Workload CVEs.

An approved exception for a deferral or false positive has the following effects:

  • Moves the CVE from the Observed tab in Vulnerability Management → Workload CVEs to either the Deferred or False positive tab
  • Prevents the CVE from triggering policy violations that are related to the CVE
  • Prevents the CVE from showing up in automatically generated vulnerability reports
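The following Python model, added here and not part of the RHACS documentation or code base, encodes the exception rules described above: request states, the three exception scopes (one image tag, all tags of an image, or all images), the mandatory decision comment, and the fact that only an approved request changes a CVE's status. All type names, fields and sample requests are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ExceptionRequest:
    cve: str
    kind: str                       # "DEFERRAL" or "FALSE_POSITIVE"
    state: str                      # "PENDING", "APPROVED" or "DENIED"
    rationale: str                  # required when the request is submitted
    scope_image: Optional[str]      # None = global (all images)
    scope_tag: Optional[str]        # None = all tags of scope_image
    expires: Optional[date] = None  # deferrals carry a time period; false positives do not
    decision_comment: str = ""      # required when approving or denying


# Constructed sample requests (CVE ids are placeholders, not real CVEs).
SAMPLE_REQUESTS = [
    ExceptionRequest("CVE-0000-0001", "FALSE_POSITIVE", "APPROVED", "code path not reachable",
                     "quay.io/example/app", None, decision_comment="agreed"),
    ExceptionRequest("CVE-0000-0002", "DEFERRAL", "PENDING", "patch scheduled",
                     None, None, expires=date(2024, 3, 1)),
    ExceptionRequest("CVE-0000-0003", "DEFERRAL", "APPROVED", "mitigated by config",
                     "quay.io/example/app", "1.2.3", expires=date(2024, 1, 31),
                     decision_comment="ok for two weeks"),
]


def split_image(ref):
    """'registry/repo:tag' -> ('registry/repo', 'tag'); a missing tag reads as 'latest'."""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the colon belonged to a registry port
        return ref, "latest"
    return name, tag


def scope_matches(req, image_ref):
    """Global scope matches everything; image scope matches one repo, optionally one tag."""
    if req.scope_image is None:
        return True
    name, tag = split_image(image_ref)
    return name == req.scope_image and (req.scope_tag is None or req.scope_tag == tag)


def effective_status(cve, image_ref, requests, today):
    """Return (status, has_pending_request) for a CVE on an image.

    status is OBSERVED, DEFERRED or FALSE_POSITIVE. Only an APPROVED request
    changes the status; a PENDING one leaves the CVE observed (still shown in
    reports and violations, flagged as pending) and a DENIED one has no effect.
    An approved deferral whose period has ended returns the CVE to observed."""
    pending = False
    for r in requests:
        if r.cve != cve or not scope_matches(r, image_ref):
            continue
        if r.state == "PENDING":
            pending = True
        elif r.state == "APPROVED":
            if r.kind == "DEFERRAL" and r.expires is not None and r.expires < today:
                continue
            return ("DEFERRED" if r.kind == "DEFERRAL" else "FALSE_POSITIVE"), False
    return "OBSERVED", pending


def decide(req, new_state, comment):
    """Approve or deny a pending request; a comment is mandatory for either."""
    if req.state != "PENDING":
        raise ValueError("only pending requests can be approved or denied")
    if new_state not in ("APPROVED", "DENIED"):
        raise ValueError("decision must be APPROVED or DENIED")
    if not comment.strip():
        raise ValueError("a comment is required when approving or denying")
    return replace(req, state=new_state, decision_comment=comment)


def suppressed_in_reports(cve, image_ref, requests, today):
    """An approved exception keeps the CVE out of policy violations and reports."""
    return effective_status(cve, image_ref, requests, today)[0] != "OBSERVED"
```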

14.2.5.1. Snoozing platform and node CVEs

You can snooze platform and node CVEs that do not relate to your infrastructure. You can snooze CVEs for 1 day, 1 week, 2 weeks, 1 month, or indefinitely, until you unsnooze them. Snoozing a CVE takes effect immediately and does not require an additional approval step.

Note

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.

Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view platform CVEs, click Vulnerability Management → Platform CVEs.
    • To view node CVEs, click Vulnerability Management → Node CVEs.
  2. Select one or more CVEs.
  3. Select the appropriate method to snooze the CVE:

    • If you selected a single CVE, click the overflow menu (kebab), and then select Snooze CVE.
    • If you selected multiple CVEs, click Bulk actions → Snooze CVEs.
  4. Select the duration of time to snooze.
  5. Click Snooze CVEs.

    You receive a confirmation that you have requested to snooze the CVEs.

14.2.5.2. Unsnoozing platform and node CVEs

You can unsnooze platform and node CVEs that you have previously snoozed.

Note

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.

Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view the list of platform CVEs, click Vulnerability Management → Platform CVEs.
    • To view the list of node CVEs, click Vulnerability Management → Node CVEs.
  2. To view the list of snoozed CVEs, click Show snoozed CVEs in the header view.
  3. Select one or more CVEs from the list of snoozed CVEs.
  4. Select the appropriate method to unsnooze the CVE:

    • If you selected a single CVE, click the overflow menu (kebab), and then select Unsnooze CVE.
    • If you selected multiple CVEs, click Bulk actions → Unsnooze CVEs.
  5. Click Unsnooze CVEs again.

    You receive a confirmation that you have requested to unsnooze the CVEs.

14.2.5.3. Viewing snoozed CVEs

You can view a list of platform and node CVEs that have been snoozed.

Note

The ability to snooze a CVE is not enabled by default in the web portal or in the API. To enable the ability to snooze CVEs, set the runtime environment variable ROX_VULN_MGMT_LEGACY_SNOOZE to true.

Procedure

  1. In the RHACS portal, do any of the following tasks:

    • To view the list of platform CVEs, click Vulnerability Management → Platform CVEs.
    • To view the list of node CVEs, click Vulnerability Management → Node CVEs.
  2. Click Show snoozed CVEs to view the list.

14.2.5.4. Marking a vulnerability as a false positive globally

You can create an exception for a vulnerability by marking it as a false positive globally, that is, across all images. Requests to mark a vulnerability as a false positive must be approved in the exception management workflow.

Prerequisites

  • You have the write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Choose the appropriate method to mark the CVEs:

    • If you want to mark a single CVE, perform the following steps:

      1. Find the row which contains the CVE that you want to take action on.
      2. Click the overflow menu (kebab) for the CVE that you identified, and then select Mark as false positive.
    • If you want to mark multiple CVEs, perform the following steps:

      1. Select each CVE.
      2. From the Bulk actions drop-down list, select Mark as false positives.
  3. Enter a rationale for requesting the exception.
  4. Optional: To review the CVEs that are included in the exception request, click CVE selections.
  5. Click Submit request.

    You receive a confirmation that you have requested an exception.

  6. Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.
  7. Click Close.

14.2.5.5. Marking a vulnerability as a false positive for an image or image tag

To create an exception for a vulnerability, you can mark it as a false positive for a single image, or across all tags associated with an image. Requests to mark a vulnerability as a false positive must be approved in the exception management workflow.

Prerequisites

  • You have the write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. To view the list of images, click <number> Images.
  3. Find the row that lists the image that you want to mark as a false positive, and click the image name.
  4. Choose the appropriate method to mark the CVEs:

    • If you want to mark a single CVE, perform the following steps:

      1. Find the row which contains the CVE that you want to take action on.
      2. Click the overflow menu (kebab) for the CVE that you identified, and then select Mark as false positive.
    • If you want to mark multiple CVEs, perform the following steps:

      1. Select each CVE.
      2. From the Bulk actions drop-down list, select Mark as false positives.
  5. Select the scope. You can select either all tags associated with the image or only the image.
  6. Enter a rationale for requesting the exception.
  7. Optional: To review the CVEs that are included in the exception request, click CVE selections.
  8. Click Submit request.

    You receive a confirmation that you have requested an exception.

  9. Optional: To copy the approval link and share it with your organization’s exception approver, click the copy icon.
  10. Click Close.

14.2.5.6. Viewing deferred and false positive CVEs

You can view the CVEs that have been deferred or marked as false positives by using the Workload CVEs page.

Procedure

  1. To see CVEs that have been deferred or marked as false positives, with the exceptions approved by an approver, click Vulnerability Management → Workload CVEs. Complete any of the following actions:

    • To see CVEs that have been deferred, click the Deferred tab.
    • To see CVEs that have been marked as false positives, click the False positives tab.

      Note

      To approve, deny, or change deferred or false positive CVEs, click Vulnerability Management → Exception Management.

  2. Optional: To view additional information about the deferral or false positive, click View in the Request details column. The Exception Management page is displayed.

14.2.5.7. Deferring CVEs

You can accept risk, with or without mitigation, by deferring a CVE. Deferral requests must be approved in the exception management workflow.

Prerequisites

  • You have write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Choose the appropriate method to defer a CVE:

    • If you want to defer a single CVE, perform the following steps:

      1. Find the row which contains the CVE that you want to defer.
      2. Click the overflow menu (kebab) for the CVE that you identified, and then click Defer CVE.
    • If you want to defer multiple CVEs, perform the following steps:

      1. Select each CVE.
      2. Click Bulk actions → Defer CVEs.
  3. Select the time period for the deferral.
  4. Enter a rationale for requesting the exception.
  5. Optional: To review the CVEs that are included in the exception request, click CVE selections.
  6. Click Submit request.

    You receive a confirmation that you have requested a deferral.

  7. Optional: To copy the approval link to share it with your organization’s exception approver, click the copy icon.
  8. Click Close.

14.2.5.7.1. Configuring vulnerability exception expiration periods

You can configure the time periods available for vulnerability management exceptions. These options are available when users request to defer a CVE.

Prerequisites

  • You have write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. In the RHACS portal, go to Platform Configuration → Exception Configuration.
  2. You can configure expiration times that users can select when they request to defer a CVE. Enabling a time period makes it available to users and disabling it removes it from the user interface.

14.2.5.8. Reviewing and managing an exception request to defer or mark a CVE as false positive

You can review, update, approve, or deny exception requests for deferring CVEs and for marking CVEs as false positives.

Prerequisites

  • You have write permission for the VulnerabilityManagementRequests resource.

Procedure

  1. To view the list of pending requests, do any of the following tasks:

    • Paste the approval link into your browser.
    • Click Vulnerability Management → Exception Management, and then click the request name in the Pending requests tab.
  2. Review the scope of the vulnerability and decide whether or not to approve it.
  3. Choose the appropriate option to manage a pending request:

    • If you want to deny the request and return the CVE to observed status, click Deny request.

      Enter a rationale for the denial, and click Deny.

    • If you want to approve the request, click Approve request.

      Enter a rationale for the approval, and click Approve.

  4. To cancel a request that you have created and return the CVE to observed status, click Cancel request. You can only cancel requests that you have created.
  5. To update the deferral time period or rationale for a request that you have created, click Update request. You can only update requests that you have created.

    After you make changes, click Submit request.

    You receive a confirmation that you have submitted a request.

14.2.6. Identifying Dockerfile lines in images that introduced components with CVEs

You can identify specific Dockerfile lines in an image that introduced components with CVEs.

Procedure

To view a problematic line:

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Click the tab to view the type of CVEs. The following tabs are available:

    • Observed
    • Deferred
    • False positives
  3. In the list of CVEs, click the CVE name to open the page containing the CVE details. The Affected components column lists the components that include the CVE.
  4. Expand the CVE to display additional information, including the Dockerfile line that introduced the component.

14.2.7. Finding a new component version

The following procedure finds a new component version to upgrade to.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Click <number> Images and select an image.
  3. To view additional information, locate the CVE and click the expand icon.

    The additional information includes the component that the CVE is in and the version in which the CVE is fixed, if it is fixable.

  4. Update your image to a later version.

14.2.8. Exporting workload vulnerabilities by using the API

You can export workload vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes by using the API.

For these examples, workloads are composed of deployments and their associated images. The export uses the /v1/export/vuln-mgmt/workloads streaming API. It allows the combined export of deployments and images. The images payload contains the full vulnerability information. The output is streamed and has the following schema:

{"result": {"deployment": {...}, "images": [...]}}
...
{"result": {"deployment": {...}, "images": [...]}}

The following examples assume that these environment variables have been set:

  • ROX_API_TOKEN: API token with view permissions for the Deployment and Image resources
  • ROX_ENDPOINT: Endpoint under which Central’s API is available

  • To export all workloads, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads
  • To export all workloads with a query timeout of 60 seconds, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?timeout=60
  • To export all workloads matching the query Deployment:app+Namespace:default, enter the following command:

    $ curl -H "Authorization: Bearer $ROX_API_TOKEN" $ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Aapp%2BNamespace%3Adefault
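The curl commands above hand you a raw stream; the procedures in 14.2.6 (which Dockerfile line introduced a vulnerable component) and 14.2.7 (which version fixes a CVE) answer the same questions through the portal. The script below is an added example, not code from the RHACS documentation or the StackRox project: it builds the export URL with the same percent-encoding the documented query shows, parses the newline-delimited JSON offline, and maps each CVE to its fix version and to the Dockerfile instruction of the layer that added the component. The field names inside the image payload (metadata.v1.layers, scan.components[].vulns[], layerIndex, fixedBy, severity) are an assumption modelled on the public StackRox Image object; verify them against your Central version before relying on them. The sample stream and its CVE identifiers are constructed placeholders.

```python
"""Consume the /v1/export/vuln-mgmt/workloads stream and map CVEs to Dockerfile lines.

Added example; not code from the RHACS documentation or the StackRox project.
Image payload field names are ASSUMED (modelled on the public StackRox Image object).
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, Iterator, List, Optional

EXPORT_PATH = "/v1/export/vuln-mgmt/workloads"


def build_export_url(endpoint: str, query: Optional[str] = None,
                     timeout: Optional[int] = None) -> str:
    """Build the export URL used by the curl examples, percent-encoding the query.

    quote(..., safe="") turns "Deployment:app+Namespace:default" into
    Deployment%3Aapp%2BNamespace%3Adefault, matching the documented URL.
    """
    params = {}
    if timeout is not None:
        params["timeout"] = str(timeout)
    if query:
        params["query"] = query
    url = endpoint.rstrip("/") + EXPORT_PATH
    if params:
        url += "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return url


def stream_export(endpoint: str, token: str, **kwargs) -> Iterator[str]:
    """Yield raw NDJSON lines from Central (network call; not exercised offline)."""
    req = urllib.request.Request(build_export_url(endpoint, **kwargs),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        for raw in resp:
            yield raw.decode("utf-8")


def iter_results(lines: Iterable[str]) -> Iterator[dict]:
    """Parse the stream one line at a time, skipping blank lines, yielding each "result"."""
    for raw in lines:
        raw = raw.strip()
        if raw:
            yield json.loads(raw)["result"]


def summarize(results: Iterable[dict]) -> Dict[str, List[dict]]:
    """Per namespace/deployment: one finding per CVE with fix version and Dockerfile line."""
    summary: Dict[str, List[dict]] = {}
    for result in results:
        dep = result["deployment"]
        findings = summary.setdefault(f"{dep.get('namespace', '')}/{dep.get('name', '')}", [])
        for image in result.get("images", []):
            layers = image.get("metadata", {}).get("v1", {}).get("layers", [])  # ASSUMED path
            for comp in image.get("scan", {}).get("components", []):          # ASSUMED path
                idx = comp.get("layerIndex")
                line = None
                if isinstance(idx, int) and 0 <= idx < len(layers):
                    line = f"{layers[idx].get('instruction', '')} {layers[idx].get('value', '')}".strip()
                for vuln in comp.get("vulns", []):
                    findings.append({
                        "image": image.get("name", {}).get("fullName", ""),
                        "component": f"{comp.get('name')} {comp.get('version')}",
                        "cve": vuln.get("cve"),
                        "severity": vuln.get("severity"),
                        "fixed_by": vuln.get("fixedBy") or None,  # None == not fixable
                        "dockerfile_line": line,
                    })
    return summary


def fixable_only(summary: Dict[str, List[dict]]) -> Dict[str, List[dict]]:
    """Keep only findings with an upstream fix version: the 'update your image' candidates."""
    return {k: [f for f in v if f["fixed_by"]] for k, v in summary.items()}


# Constructed sample stream; the CVE ids are placeholders, not real identifiers.
SAMPLE_STREAM = [
    json.dumps({"result": {
        "deployment": {"name": "app", "namespace": "default"},
        "images": [{
            "name": {"fullName": "registry.example.com/team/app:1.0"},
            "metadata": {"v1": {"layers": [
                {"instruction": "FROM", "value": "registry.example.com/base/ubi:9"},
                {"instruction": "RUN", "value": "dnf install -y openssl"},
            ]}},
            "scan": {"components": [
                {"name": "openssl", "version": "3.0.1", "layerIndex": 1, "vulns": [
                    {"cve": "CVE-EXAMPLE-0001", "severity": "CRITICAL_VULNERABILITY_SEVERITY",
                     "cvss": 9.8, "fixedBy": "3.0.7"}]},
                {"name": "bash", "version": "5.1", "layerIndex": 0, "vulns": [
                    {"cve": "CVE-EXAMPLE-0002", "severity": "LOW_VULNERABILITY_SEVERITY",
                     "cvss": 3.3, "fixedBy": ""}]},
            ]},
        }],
    }}),
    "",  # blank line, tolerated by iter_results
    json.dumps({"result": {"deployment": {"name": "db", "namespace": "data"}, "images": []}}),
]

if __name__ == "__main__":
    for dep, findings in fixable_only(summarize(iter_results(SAMPLE_STREAM))).items():
        for f in findings:
            print(dep, f["cve"], f["component"], "->", f["fixed_by"], "|", f["dockerfile_line"])
```

Against a live Central, replace SAMPLE_STREAM with stream_export(os.environ["ROX_ENDPOINT"], os.environ["ROX_API_TOKEN"], timeout=60); parsing line by line keeps memory flat however many deployments the export returns, which is the point of the streaming API.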

14.2.8.1. Scanning inactive images

Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.

You can also configure RHACS to scan inactive (not deployed) images automatically.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Workload CVEs.
  2. Click Manage watched images.
  3. In the Image name field, enter the fully qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest.
  4. Click Add image to watch list.
  5. Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.

    Important

    In the RHACS portal, click Platform Configuration → System Configuration to view the data retention configuration.

    All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.

  6. Click Close to return to the Workload CVEs page.

14.3. Vulnerability reporting

You can create and download an on-demand image vulnerability report from the Vulnerability Management → Vulnerability Reporting menu in the RHACS web portal. This report contains a comprehensive list of common vulnerabilities and exposures in images and deployments, referred to as workload CVEs in RHACS.

To share this report with auditors or internal stakeholders, you can schedule emails in RHACS or download the report and share it by using other methods.

14.3.1. Reporting vulnerabilities to teams

As organizations must constantly reassess and report on their vulnerabilities, some organizations find it helpful to have scheduled communications to key stakeholders to help in the vulnerability management process.

You can use Red Hat Advanced Cluster Security for Kubernetes to schedule these recurring communications through e-mail. These communications should be scoped to the most relevant information that the key stakeholders need.

For sending these communications, you must consider the following questions:

  • What schedule would have the most impact when communicating with the stakeholders?
  • Who is the audience?
  • Should you only send specific severity vulnerabilities in your report?
  • Should you only send fixable vulnerabilities in your report?

14.3.2. Creating vulnerability management report configurations

RHACS guides you through the process of creating a vulnerability management report configuration. This configuration determines the information that will be included in a report job that runs at a scheduled time or that you run on demand.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Vulnerability Reporting.
  2. Click Create report.
  3. In the Configure report parameters page, provide the following information:

    • Report name: Enter a name for your report configuration.
    • Report description: Optional. Enter text describing the report configuration.
    • CVE severity: Select the severity of common vulnerabilities and exposures (CVEs) that you want to include in the report configuration.
    • CVE status: Select one or more CVE statuses.

      The following values are associated with the CVE status:

      • Fixable
      • Unfixable
    • Image type: Select one or more image types.

      The following values are associated with image types:

      • Deployed images
      • Watched images
    • CVEs discovered since: Select the time period for which you want to include the CVEs in the report configuration.
    • Optional: Select the Include NVD CVSS checkbox, if you want to include the NVD CVSS column in the report configuration.
    • Configure collection included: To configure at least one collection, do any of the following tasks:

      • Select an existing collection that you want to include.

        To view the collection information, edit the collection, and get a preview of collection results, click View.

        When viewing the collection, entering text in the field searches for collections matching that text string.

      • To create a new collection, click Create collection.

        Note

        For more information about collections, see "Creating and using deployment collections".

  4. To configure the delivery destinations and optionally set up a schedule for delivery, click Next.

14.3.2.1. Configuring delivery destinations and scheduling

Configuring destinations and delivery schedules for vulnerability reports is optional, unless on the previous page, you selected the option to include CVEs that were discovered since the last scheduled report. If you selected that option, configuring destinations and delivery schedules for vulnerability reports is required.

Procedure

  1. To configure destinations for delivery, in the Configure delivery destinations section, you can add a delivery destination and set up a schedule for reporting.
  2. To email reports, you must configure at least one email notifier. Select an existing notifier or create a new email notifier to send your report by email. For more information about creating an email notifier, see "Configuring the email plugin" in the "Additional resources" section.

    When you select a notifier, the email addresses configured in the notifier as Default recipients appear in the Distribution list field. You can add additional email addresses that are separated by a comma.

  3. A default email template is automatically applied. To edit this default template, perform the following steps:

    1. Click the edit icon and enter a customized subject and email body in the Edit tab.
    2. Click the Preview tab to see your proposed template.
    3. Click Apply to save your changes to the template.

      Note

      When reviewing the report jobs for a specific report, you can see whether the default template or a customized template was used when creating the report.

  4. In the Configure schedule section, select the frequency and day of the week for the report.
  5. Click Next to review your vulnerability report configuration and finish creating it.

14.3.2.2. Reviewing and creating the report configuration

You can review the details of your vulnerability report configuration before creating it.

Procedure

  1. In the Review and create section, you can review the report configuration parameters, delivery destination, email template that is used if you selected email delivery, delivery schedule, and report format. To make any changes, click Back to go to the previous section and edit the fields that you want to change.
  2. Click Create to create the report configuration and save it.

14.3.3. Vulnerability report permissions

The ability to create, view, and download reports depends on the access control settings, or roles and permission sets, for your user account.

For example, you can only view, create, and download reports for data that your user account has permission to access. In addition, the following restrictions apply:

  • You can only download reports that you have generated; you cannot download reports generated by other users.
  • Report permissions are restricted depending on the access settings for user accounts. If the access settings for your account change, old reports do not reflect the change. For example, if you are given new permissions and want to view vulnerability data that is now allowed by those permissions, you must create a new vulnerability report.

14.3.4. Editing vulnerability report configurations

You can edit existing vulnerability report configurations from the list of report configurations, or by selecting an individual report configuration first.

Procedure

  1. In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
  2. To edit an existing vulnerability report configuration, complete any of the following actions:

    • Locate the report configuration that you want to edit in the list of report configurations. Click the overflow menu, kebab, and then select Edit report.
    • Click the report configuration name in the list of report configurations. Then, click Actions and select Edit report.
  3. Make changes to the report configuration and save.

14.3.5. Downloading vulnerability reports

You can generate an on-demand vulnerability report and then download it.

Note

You can only download reports that you have generated; you cannot download reports generated by other users.

Procedure

  1. In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
  2. In the list of report configurations, locate the report configuration that you want to use to create the downloadable report.
  3. Generate the vulnerability report by using one of the following methods:

    • To generate the report from the list:

      1. Click the overflow menu, kebab, and then select Generate download. The My active job status column displays the status of your report creation. After the Processing status goes away, you can download the report.
    • To generate the report from the report window:

      1. Click the report configuration name to open the configuration detail window.
      2. Click Actions and select Generate download.
  4. To download the report, if you are viewing the list of report configurations, click the report configuration name to open it.
  5. Click All report jobs from the menu on the header.
  6. If the report is completed, click the Ready for download link in the Status column. The report is in .csv format and is compressed into a .zip file for download.
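The downloaded artifact is a .csv inside a .zip, and the questions in 14.3.1 (only specific severities? only fixable CVEs?) usually come up again when the file reaches its audience. The following script is an added example, not part of the RHACS documentation or product: it reads every CSV inside the archive in memory (nothing is extracted to disk, so archive entry names cannot cause path traversal), caps the uncompressed size it is willing to read, and counts fixable CVEs per deployment above a chosen CVSS threshold. The column names are an assumption for illustration; check the header line of a real report before depending on them. The archive is constructed inline.

```python
"""Post-process a downloaded RHACS vulnerability report (.csv compressed into .zip).

Added example; not part of the RHACS documentation or product.
Column names are ASSUMED for illustration; the archive below is constructed in memory.
"""
import csv
import io
import zipfile
from collections import Counter
from typing import Dict, Iterator, Tuple

# ASSUMED header; verify against a real report before relying on it.
ASSUMED_COLUMNS = ["Cluster", "Namespace", "Deployment", "Image", "Component",
                   "CVE", "Fixable", "CVE Fixed In", "Severity", "CVSS"]
MAX_CSV_BYTES = 200 * 1024 * 1024  # refuse absurdly large (decompression-bomb) entries


def build_sample_zip() -> bytes:
    """Construct a small report archive in memory (CVE ids are placeholders)."""
    rows = [
        ["prod", "payments", "api", "registry.example.com/payments/api:2.3", "openssl",
         "CVE-EXAMPLE-0001", "true", "3.0.7", "Critical", "9.8"],
        ["prod", "payments", "api", "registry.example.com/payments/api:2.3", "bash",
         "CVE-EXAMPLE-0002", "false", "", "Low", "3.3"],
        ["prod", "web", "frontend", "registry.example.com/web/frontend:1.8", "libxml2",
         "CVE-EXAMPLE-0003", "true", "2.10.4", "Important", "7.5"],
        ["prod", "web", "frontend", "registry.example.com/web/frontend:1.8", "zlib",
         "CVE-EXAMPLE-0004", "true", "1.2.13", "Moderate", "5.5"],
    ]
    text = io.StringIO()
    writer = csv.writer(text)
    writer.writerow(ASSUMED_COLUMNS)
    writer.writerows(rows)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("vulnerability-report.csv", text.getvalue())
    return archive.getvalue()


def read_report(zip_bytes: bytes) -> Iterator[dict]:
    """Yield one dict per CSV row from every .csv entry, without extracting to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".csv"):
                continue
            if info.file_size > MAX_CSV_BYTES:
                raise ValueError(f"{info.filename}: {info.file_size} bytes exceeds cap")
            with zf.open(info) as fh:
                # newline="" lets the csv module handle embedded line breaks correctly
                yield from csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8", newline=""))


def fixable_by_deployment(rows, min_cvss: float = 0.0) -> Dict[Tuple[str, str], int]:
    """Count fixable CVEs per (namespace, deployment) with CVSS >= min_cvss."""
    counts: Counter = Counter()
    for row in rows:
        if row["Fixable"].strip().lower() != "true":
            continue
        if float(row["CVSS"] or 0.0) < min_cvss:
            continue
        counts[(row["Namespace"], row["Deployment"])] += 1
    return dict(counts)


if __name__ == "__main__":
    report_rows = list(read_report(build_sample_zip()))
    for (ns, dep), n in sorted(fixable_by_deployment(report_rows, min_cvss=7.0).items()):
        print(f"{ns}/{dep}: {n} fixable CVE(s) with CVSS >= 7.0")
```

For a real download, replace build_sample_zip() with the bytes of the file you downloaded from the Ready for download link; the size cap and in-memory reading are deliberate, because the archive is data you received from a service, and a report pipeline should not trust it more than any other input.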

14.3.6. Sending vulnerability reports on-demand

You can send vulnerability reports immediately, rather than waiting for the scheduled send time.

Procedure

  1. In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
  2. In the list of report configurations, locate the report configuration for the report that you want to send.
  3. Click the overflow menu, kebab, and then select Send report now.

14.3.7. Cloning vulnerability report configurations

You can make copies of vulnerability report configurations by cloning them. This is useful when you want to reuse report configurations with minor changes, such as reporting vulnerabilities in different deployments or namespaces.

Procedure

  1. In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
  2. Locate the report configuration that you want to clone in the list of report configurations.
  3. Click Clone report.
  4. Make any changes that you want to the report parameters and delivery destinations.
  5. Click Create.

14.3.8. Deleting vulnerability report configurations

Deleting a report configuration deletes the configuration and any reports that were previously run using this configuration.

Procedure

  1. In the RHACS web portal, click Vulnerability Management → Vulnerability Reporting.
  2. Locate the report configuration that you want to delete in the list of reports.
  3. Click the overflow menu, kebab, and then select Delete report.

14.3.9. Configuring vulnerability management report job retention settings

You can configure settings that determine when vulnerability report job requests expire and other retention settings for report jobs.

Note

These settings do not affect the following vulnerability report jobs:

  • Jobs in the WAITING or PREPARING state (unfinished jobs)
  • The last successful scheduled report job
  • The last successful on-demand emailed report job
  • The last successful downloadable report job
  • Downloadable report jobs for which the report file has not been deleted by either manual deletion or by configuring the downloadable report pruning settings

Procedure

  1. In the RHACS web portal, go to Platform Configuration → System Configuration. You can configure the following settings for vulnerability report jobs:

    • Vulnerability report run history retention: The number of days that a record is kept of vulnerability report jobs that have been run. This setting controls how many days report jobs are listed in the All report jobs tab under Vulnerability Management → Vulnerability Reporting when a report configuration is selected. The entire report history after the exclusion date is deleted, with the exception of the following jobs:

      • Unfinished jobs.
      • Jobs for which prepared downloadable reports still exist in the system.
      • The last successful report job for each job type (scheduled email, on-demand email, or download). This ensures users have information about the last run job for each type.
    • Prepared downloadable vulnerability reports retention days: The number of days that prepared, on-demand downloadable vulnerability report jobs are available for download on the All report jobs tab under Vulnerability Management → Vulnerability Reporting when a report configuration is selected.
    • Prepared downloadable vulnerability reports limit: The limit, in MB, of space allocated to prepared downloadable vulnerability report jobs. After the limit is reached, the oldest report job in the download queue is removed.
  2. To change these values, click Edit, make your changes, and then click Save.

14.4. Using the vulnerability management dashboard (deprecated)

Historically, RHACS has provided a view of vulnerabilities discovered in your system in the vulnerability management dashboard. With the dashboard, you can view vulnerabilities by image, node, or platform. You can also view vulnerabilities by clusters, namespaces, deployments, node components, and image components. The dashboard is deprecated in RHACS 4.5 and will be removed in a future release.

Important

To perform actions on vulnerabilities, such as view additional information about a vulnerability, defer a vulnerability, or mark a vulnerability as a false positive, click Vulnerability Management → Workload CVEs. To review requests for deferring and marking CVEs as false positives, click Vulnerability Management → Exception Management.

14.4.1. Viewing application vulnerabilities by using the dashboard

You can view application vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes by using the dashboard.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. On the Dashboard view header, select Application & Infrastructure → Namespaces or Deployments.
  3. From the list, search for and select the Namespace or Deployment you want to review.
  4. To get more information about the application, select an entity from Related entities on the right.

14.4.2. Viewing image vulnerabilities by using the dashboard

You can view image vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes by using the dashboard.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. On the Dashboard view header, select <number> Images.
  3. From the list of images, select the image you want to investigate. You can also filter the list by performing one of the following steps:

    1. Enter Image in the search bar and then select the Image attribute.
    2. Enter the image name in the search bar.
  4. In the image details view, review the listed CVEs and prioritize taking action to address the impacted components.
  5. Select Components from Related entities on the right to get more information about all the components that are impacted by the selected image. Or select Components from the Affected components column under the Image findings section for a list of components affected by specific CVEs.

14.4.3. Viewing cluster vulnerabilities by using the dashboard

You can view vulnerabilities in clusters by using Red Hat Advanced Cluster Security for Kubernetes.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. On the Dashboard view header, select Application & Infrastructure → Clusters.
  3. From the list of clusters, select the cluster you want to investigate.
  4. Review the cluster’s vulnerabilities and prioritize taking action on the impacted nodes on the cluster.

14.4.4. Viewing node vulnerabilities by using the dashboard

You can view vulnerabilities in specific nodes by using Red Hat Advanced Cluster Security for Kubernetes.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. On the Dashboard view header, select Nodes.
  3. From the list of nodes, select the node you want to investigate.
  4. Review vulnerabilities for the selected node and prioritize taking action.
  5. To get more information about the affected components in a node, select Components from Related entities on the right.

14.4.5. Finding the most vulnerable image components by using the dashboard

Use the Vulnerability Management view for identifying highly vulnerable image components.

Procedure

  1. Go to the RHACS portal and click Vulnerability Management → Dashboard from the navigation menu.
  2. From the Vulnerability Management view header, select Application & Infrastructure → Image Components.
  3. In the Image Components view, select the Image CVEs column header to arrange the components in descending order (highest first) based on the CVE count.

14.4.6. Viewing details only for fixable CVEs by using the dashboard

Use the Vulnerability Management view to filter and show only the fixable CVEs.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. From the Vulnerability Management view header, under Filter CVEs, click Fixable.

14.4.7. Identifying the operating system of the base image by using the dashboard

Use the Vulnerability Management view to identify the operating system of the base image.

Procedure

  1. Go to the RHACS portal and click Vulnerability Management → Dashboard from the navigation menu.
  2. From the Vulnerability Management view header, select Images.
  3. View the base operating system (OS) and OS version for all images under the Image OS column.
  4. Select an image to view its details. The base operating system is also available under the Image Summary Details and Metadata section.

Note

Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:

  • The operating system information is not available, or
  • The image scanner in use does not provide this information.

Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.

14.4.8. Identifying top risky objects by using the dashboard

Use the Vulnerability Management view for identifying the top risky objects in your environment. The Top Risky widget displays information about the top risky images, deployments, clusters, and namespaces in your environment. The risk is determined based on the number of vulnerabilities and their CVSS scores.

Procedure

  1. Go to the RHACS portal and click Vulnerability Management → Dashboard from the navigation menu.
  2. Select the Top Risky widget header to choose between riskiest images, deployments, clusters, and namespaces.

    The small circles on the chart represent the chosen object (image, deployment, cluster, namespace). Hover over a circle to see an overview of the object it represents, and select a circle to view detailed information about the selected object, its related entities, and the connections between them.

    For example, if you are viewing Top Risky Deployments by CVE Count and CVSS score, each circle on the chart represents a deployment.

    • When you hover over a deployment, you see an overview of the deployment, which includes deployment name, name of the cluster and namespace, severity, risk priority, CVSS, and CVE count (including fixable).
    • When you select a deployment, the Deployment view opens for the selected deployment. The Deployment view shows in-depth details of the deployment and includes information about policy violations, common vulnerabilities, CVEs, and riskiest images for that deployment.
  3. Select View All on the widget header to view all objects of the chosen type. For example, if you chose Top Risky Deployments by CVE Count and CVSS score, you can select View All to view detailed information about all deployments in your infrastructure.

14.4.9. Identifying top riskiest images and components by using the dashboard

Similar to the Top Risky widget, the Top Riskiest widget lists the names of the top riskiest images and components. This widget also includes the total number of CVEs and the number of fixable CVEs in the listed images.

Procedure

  1. Go to the RHACS portal and click Vulnerability Management from the navigation menu.
  2. Select the Top Riskiest Images widget header to choose between the riskiest images and components. If you are viewing Top Riskiest Images:

    • When you hover over an image in the list, you see an overview of the image, which includes image name, scan time, and the number of CVEs along with severity (critical, high, medium, and low).
    • When you select an image, the Image view opens for the selected image. The Image view shows in-depth details of the image and includes information about CVEs by CVSS score, top riskiest components, fixable CVEs, and Dockerfile for the image.
  3. Select View All on the widget header to view all objects of the chosen type. For example, if you chose Top Riskiest Components, you can select View All to view detailed information about all components in your infrastructure.

14.4.10. Viewing the Dockerfile for an image by using the dashboard

Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.

The Dockerfile section shows information about:

  • All the layers in the Dockerfile
  • The instructions and their value for each layer
  • The components included in each layer
  • The number of CVEs in components for each layer

When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the dashboard and select an image.
  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of instructions, values, creation date, and components.
  4. Select the expand icon for an individual component to view more information.

14.4.11. Identifying the container image layer that introduces vulnerabilities by using the dashboard

You can use the Vulnerability Management dashboard to identify vulnerable components and the image layer they appear in.

Procedure

  1. Go to the RHACS portal and click Vulnerability Management → Dashboard from the navigation menu.
  2. Select an image from either the Top Riskiest Images widget or click the Images button at the top of the dashboard and select an image.
  3. In the Image details view, next to Dockerfile, select the expand icon to see a summary of image components.
  4. Select the expand icon for specific components to get more details about the CVEs affecting the selected component.

14.4.12. Viewing recently detected vulnerabilities by using the dashboard

The Recently Detected Vulnerabilities widget on the Vulnerability Management Dashboard view shows a list of recently discovered vulnerabilities in your scanned images, based on the scan time and CVSS score. It also includes information about the number of images affected by the CVE and its impact (percentage) on your environment.

  • When you hover over a CVE in the list, you see an overview of the CVE, which includes scan time, CVSS score, description, impact, and whether it’s scored by using CVSS v2 or v3.
  • When you select a CVE, the CVE details view opens for the selected CVE. The CVE details view shows in-depth details of the CVE and the components, images, and deployments in which it appears.
  • Select View All on the Recently Detected Vulnerabilities widget header to view a list of all the CVEs in your infrastructure. You can also filter the list of CVEs.

14.4.13. Viewing the most common vulnerabilities by using the dashboard

The Most Common Vulnerabilities widget on the Vulnerability Management Dashboard view shows a list of vulnerabilities that affect the largest number of deployments and images arranged by their CVSS score.

  • When you hover over a CVE in the list, you see an overview of the CVE, which includes scan time, CVSS score, description, impact, and whether it is scored by using CVSS v2 or v3.
  • When you select a CVE, the CVE details view opens for the selected CVE. The CVE details view shows in-depth details of the CVE and the components, images, and deployments in which it appears.
  • Select View All on the Most Common Vulnerabilities widget header to view a list of all the CVEs in your infrastructure. You can also filter the list of CVEs. To export the CVEs as a CSV file, select Export → Download CVEs as CSV.

14.4.14. Finding clusters with most Kubernetes and Istio vulnerabilities by using the dashboard

You can identify the clusters with most Kubernetes, Red Hat OpenShift, and Istio vulnerabilities (deprecated) in your environment by using the vulnerability management dashboard.

Procedure

  1. In the RHACS portal, click Vulnerability Management → Dashboard. The Clusters with most orchestrator and Istio vulnerabilities widget shows a list of clusters, ranked by the number of Kubernetes, Red Hat OpenShift, and Istio vulnerabilities (deprecated) in each cluster. The cluster on top of the list is the cluster with the highest number of vulnerabilities.
  2. Click on one of the clusters from the list to view details about the cluster. The Cluster view includes:

    • Cluster Summary section, which shows cluster details and metadata, top risky objects (deployments, namespaces, and images), recently detected vulnerabilities, riskiest images, and deployments with the most severe policy violations.
    • Cluster Findings section, which includes a list of failing policies and list of fixable CVEs.
    • Related Entities section, which shows the number of namespaces, deployments, policies, images, components, and CVEs the cluster contains. You can select these entities to view more details.
  3. Click View All on the widget header to view the list of all clusters.

14.4.15. Identifying vulnerabilities in nodes by using the dashboard

You can use the Vulnerability Management view to identify vulnerabilities in your nodes. The identified vulnerabilities include vulnerabilities in core Kubernetes components and container runtimes such as Docker, CRI-O, runC, and containerd. For more information on operating systems that RHACS can scan, see "Supported operating systems".

Procedure

  1. In the RHACS portal, go to Vulnerability Management → Dashboard.
  2. Select Nodes on the header to view a list of all the CVEs affecting your nodes.
  3. Select a node from the list to view details of all CVEs affecting that node.

    1. When you select a node, the Node details panel opens for the selected node. The Node view shows in-depth details of the node and includes information about CVEs by CVSS score and fixable CVEs for that node.
    2. Select View All on the CVEs by CVSS score widget header to view a list of all the CVEs in the selected node. You can also filter the list of CVEs.
    3. To export the fixable CVEs as a CSV file, select Export as CSV under the Node Findings section.

14.4.16. Creating policies to block specific CVEs by using the dashboard

You can create new policies or add specific CVEs to an existing policy from the Vulnerability Management view.

Procedure

  1. Click CVEs from the Vulnerability Management view header.
  2. Select the checkboxes for one or more CVEs and then click Add selected CVEs to Policy (add icon), or move the mouse over a CVE in the list and select the Add icon.
  3. For Policy Name:

    • To add the CVE to an existing policy, select an existing policy from the drop-down list box.
    • To create a new policy, enter the name for the new policy, and select Create <policy_name>.
  4. Select a value for Severity, either Critical, High, Medium, or Low.
  5. Choose the Lifecycle Stage to which your policy applies: Build, Deploy, or both.
  6. Enter details about the policy in the Description box.
  7. Turn off the Enable Policy toggle if you want to create the policy but enable it later. The Enable Policy toggle is on by default.
  8. Verify the CVEs listed for inclusion in this policy.
  9. Click Save Policy.

14.5. Scanning RHCOS node hosts

For OpenShift Container Platform, Red Hat Enterprise Linux CoreOS (RHCOS) is the only supported operating system for the control plane. For node hosts, OpenShift Container Platform supports both RHCOS and Red Hat Enterprise Linux (RHEL). With Red Hat Advanced Cluster Security for Kubernetes (RHACS), you can scan RHCOS nodes for vulnerabilities and detect potential security threats.

RHACS scans the RHCOS RPMs that were installed on the node host as part of the RHCOS installation for known vulnerabilities.

First, RHACS analyzes and detects RHCOS components. Then it matches vulnerabilities for the identified components by using RHEL vulnerability data together with one of the following data streams, depending on the scanner:

  • OpenShift 4.X Open Vulnerability and Assessment Language (OVAL) v2 security data streams, when the StackRox Scanner is used for node scanning.
  • Red Hat Common Security Advisory Framework (CSAF) Vulnerability Exploitability eXchange (VEX) data, when Scanner V4 is used for node scanning.

Note

If you installed RHACS by using the roxctl CLI, you must manually enable the RHCOS node scanning features. When you use the Helm or Operator installation methods on OpenShift Container Platform, this feature is enabled by default.

14.5.1. Enabling RHCOS node scanning with the StackRox Scanner

If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Procedure

  1. Run one of the following commands to update the environment of the compliance container.

    • For a default compliance container with metrics disabled, run the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
    • For a compliance container with Prometheus metrics enabled, run the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
  2. Update the Collector DaemonSet (DS) by taking the following steps:

    1. Add new volume mounts to Collector DS by running the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'
    2. Add the new NodeScanner container by running the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.1","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'
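After applying the patches above, a practitioner usually wants to confirm that the collector DaemonSet actually carries the new settings. The following Go program is an added example (not RHACS code or part of the original documentation) that checks the JSON returned by `oc -n stackrox get daemonset/collector -o json` for the two compliance flags set in step 1 and for the node-inventory container with its read-only /host mount from step 2; the type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the DaemonSet fields the check needs; encoding/json matches JSON keys case-insensitively.
type envVar struct{ Name, Value string }
type mount struct{ MountPath string; ReadOnly bool }
type container struct{ Name string; Env []envVar; VolumeMounts []mount }
type daemonSet struct{ Spec struct{ Template struct{ Spec struct{ Containers []container } } } }

// CheckCollector returns the problems found in a collector DaemonSet JSON document
// relative to the patches in 14.5.1; an empty slice means the settings are in place.
func CheckCollector(raw []byte) ([]string, error) {
	var ds daemonSet
	if err := json.Unmarshal(raw, &ds); err != nil {
		return nil, fmt.Errorf("parsing DaemonSet: %w", err)
	}
	byName := map[string]container{}
	for _, c := range ds.Spec.Template.Spec.Containers {
		byName[c.Name] = c
	}
	var problems []string
	if comp, ok := byName["compliance"]; !ok {
		problems = append(problems, "compliance container missing")
	} else {
		env := map[string]string{}
		for _, e := range comp.Env {
			env[e.Name] = e.Value
		}
		// Both flags are set to "true" by the step 1 patch.
		for _, k := range []string{"ROX_RHCOS_NODE_SCANNING", "ROX_CALL_NODE_INVENTORY_ENABLED"} {
			if env[k] != "true" {
				problems = append(problems, fmt.Sprintf("compliance: %s=%q, want \"true\"", k, env[k]))
			}
		}
	}
	if inv, ok := byName["node-inventory"]; !ok {
		problems = append(problems, "node-inventory container missing (step 2 patch)")
	} else {
		hostRO := false
		for _, m := range inv.VolumeMounts {
			hostRO = hostRO || (m.MountPath == "/host" && m.ReadOnly)
		}
		if !hostRO { // the scanner only reads the host file system
			problems = append(problems, "node-inventory: /host must be mounted readOnly")
		}
	}
	return problems, nil
}
```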

14.5.2. Enabling RHCOS node scanning with Scanner V4

If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Important

RHCOS node scanning with Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Procedure

To enable node indexing, also known as node scanning, by using Scanner V4:

  1. In the Central pod, on the central container, set the ROX_NODE_INDEX_ENABLED variable to true by running the following command on the Central cluster:

    $ kubectl -n stackrox set env deployment/central ROX_NODE_INDEX_ENABLED=true

    For OpenShift Container Platform, use oc instead of kubectl.
  2. In the Collector Daemonset, in the compliance container, set the ROX_NODE_INDEX_ENABLED variable to true by running the following command on the secured cluster:

    $ kubectl -n stackrox set env daemonset/collector ROX_NODE_INDEX_ENABLED=true

    For OpenShift Container Platform, use oc instead of kubectl.
  3. To verify that node scanning is working, examine the Central logs for the following message:

    Scanned index report and found <number> components for node <node_name>.

    where:

    <number>
    Specifies the number of discovered components.
    <node_name>
    Specifies the name of the node.

14.5.3. Analysis and detection

When you use RHACS with OpenShift Container Platform, RHACS creates two coordinating containers for analysis and detection, the Compliance container and the Node-inventory container. The Compliance container was already a part of earlier RHACS versions. However, the Node-inventory container is new with RHACS 4.0 and works only with OpenShift Container Platform cluster nodes.

Upon start-up, the Compliance and Node-inventory containers begin the first inventory scan of Red Hat Enterprise Linux CoreOS (RHCOS) software components within five minutes. Next, the Node-inventory container scans the node’s file system to identify installed RPM packages and report on RHCOS software components. Afterward, inventory scanning occurs at periodic intervals, typically every four hours. You can customize the default interval by configuring the ROX_NODE_SCANNING_INTERVAL environment variable for the Compliance container.

14.5.4. Vulnerability matching on RHCOS nodes

Central services, which include Central and Scanner, perform vulnerability matching. Node scanning is performed using the following scanners:

  • StackRox Scanner: This is the default scanner. StackRox Scanner uses Red Hat’s Open Vulnerability and Assessment Language (OVAL) v2 security data streams to match vulnerabilities on Red Hat Enterprise Linux CoreOS (RHCOS) software components.
  • Scanner V4: Scanner V4 is available for node scanning as a Technology Preview feature. Scanner V4 must be explicitly enabled. See the documentation in "Additional resources" for more information.

When scanning RHCOS nodes, RHACS releases after 4.0 no longer use the Kubernetes node metadata to find the kernel and container runtime versions. Instead, RHACS uses the installed RHCOS RPMs to assess that information.

14.5.5. Related environment variables

You can use the following environment variables to configure RHCOS node scanning on RHACS.

Table 14.4. Node-inventory configuration

Environment Variable | Description

ROX_NODE_SCANNING_CACHE_TIME

The time after which a cached inventory is considered outdated. Defaults to 90% of ROX_NODE_SCANNING_INTERVAL, that is, 3h36m.

ROX_NODE_SCANNING_INITIAL_BACKOFF

The initial delay applied to a node scan when a backoff file is found. The default value is 30s.

ROX_NODE_SCANNING_MAX_BACKOFF

The upper limit of the backoff. The default value is 5m, which is 50% of the Kubernetes restart policy stability timer.

Table 14.5. Compliance configuration

Environment Variable | Description

ROX_NODE_INDEX_ENABLED

Controls whether node indexing is enabled for this cluster. The default value is false. Set this variable to true to use Scanner V4-based RHCOS node scanning.

ROX_NODE_SCANNING_INTERVAL

The base value of the interval between node scans. The default value is 4h.

ROX_NODE_SCANNING_INTERVAL_DEVIATION

The amount by which the time between node scans can differ from the base interval. The maximum value is limited by ROX_NODE_SCANNING_INTERVAL.

ROX_NODE_SCANNING_MAX_INITIAL_WAIT

The upper bound of the randomly generated wait time before the first node scan. Set this value to 0 to disable the initial wait. The default value is 5m.
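The two tables above define the relationships between these variables (cache time at 90% of the interval, deviation capped at the interval). The following Go function is an added example, not RHACS source, that parses the variables as Go durations and derives the effective schedule; it assumes that an unset variable takes the value the 14.5.1 patch sets (4h, 24m, 5m), and the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// ScanSchedule is the effective timing derived from the variables in Tables 14.4 and 14.5
// (type and function names are this example's own, not RHACS source).
type ScanSchedule struct {
	Interval, Deviation, MaxInitialWait, CacheTime time.Duration
}

// DeriveSchedule parses the variables as Go durations ("4h", "3h36m", "30s"). Assumptions:
// an unset variable takes the value the 14.5.1 patch sets (4h, 24m, 5m), the deviation is
// capped at the interval as Table 14.5 states, and the cache time defaults to 90% of the
// interval as Table 14.4 states.
func DeriveSchedule(env map[string]string) (ScanSchedule, error) {
	parse := func(key, fallback string) (time.Duration, error) {
		v, ok := env[key]
		if !ok || v == "" {
			v = fallback
		}
		d, err := time.ParseDuration(v)
		if err != nil {
			return 0, fmt.Errorf("%s: %w", key, err)
		}
		if d < 0 {
			return 0, fmt.Errorf("%s: negative duration %q", key, v)
		}
		return d, nil
	}
	var s ScanSchedule
	var err error
	if s.Interval, err = parse("ROX_NODE_SCANNING_INTERVAL", "4h"); err != nil {
		return s, err
	}
	if s.Deviation, err = parse("ROX_NODE_SCANNING_INTERVAL_DEVIATION", "24m"); err != nil {
		return s, err
	}
	if s.Deviation > s.Interval { // the table caps the deviation at the interval
		s.Deviation = s.Interval
	}
	if s.MaxInitialWait, err = parse("ROX_NODE_SCANNING_MAX_INITIAL_WAIT", "5m"); err != nil {
		return s, err
	}
	// Cached inventory goes stale at 90% of the interval unless overridden (3h36m for 4h).
	if s.CacheTime, err = parse("ROX_NODE_SCANNING_CACHE_TIME", (s.Interval * 9 / 10).String()); err != nil {
		return s, err
	}
	return s, nil
}
```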

14.5.7. Viewing Node CVEs

You can identify vulnerabilities in your nodes by using RHACS. The vulnerabilities that are identified include the following:

  • Vulnerabilities in core Kubernetes components
  • Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd

For more information about operating systems that RHACS can scan, see "Supported operating systems".

Procedure

  1. In the RHACS portal, click Vulnerability Management Node CVEs.
  2. To view the data, do any of the following tasks:

    • To view a list of all the CVEs affecting all of your nodes, select <number> CVEs.
    • To view a list of nodes that contain CVEs, select <number> Nodes.
  3. Optional: To filter CVEs according to entity, select the appropriate filters and attributes. To add more filtering criteria, follow these steps:

    1. Select the entity or attribute from the list.
    2. Depending on your choices, enter the appropriate information such as text, or select a date or object.
    3. Click the right arrow icon.
    4. Optional: Select additional entities and attributes, and then click the right arrow icon to add them. The filter entities and attributes are listed in the following table.

      Table 14.6. CVE filtering

      Entity | Attributes

      Node

      • Name: The name of the node.
      • Operating system: The operating system of the node, for example, Red Hat Enterprise Linux (RHEL).
      • Label: The label of the node.
      • Annotation: The annotation for the node.
      • Scan time: The scan date of the node.

      CVE

      • Name: The name of the CVE.
      • Discovered time: The date when RHACS discovered the CVE.
      • CVSS: The severity level (CVSS score) of the CVE.

        You can compare the score by using one of the following operators:

        • is greater than
        • is greater than or equal to
        • is equal to
        • is less than or equal to
        • is less than

      Node Component

      • Name: The name of the component.
      • Version: The version of the component, for example, 4.15.0-2024. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

      Cluster

      • Name: The name of the cluster.
      • Label: The label for the cluster.
      • Type: The type of cluster, for example, OCP.
      • Platform type: The type of platform, for example, OpenShift 4 cluster.
  4. Optional: To refine the list of results, do any of the following tasks:

    • Click CVE severity, and then select one or more levels.
    • Click CVE status, and then select Fixable or Not fixable.
  5. Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.
© 2024 Red Hat, Inc.