8.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline

PDF

Follow the steps to assess compliance of your container or a container image with a specific security baseline, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS).

Prerequisites

The openscap-utils and scap-security-guide packages are installed.

Procedure

Find the ID of a container or a container image, for example:

~]# docker images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi7/ubi   latest   096cae65a207   7 weeks ago   239 MB

Evaluate the compliance of the container image with the OSPP profile and save scan results in the report.html HTML file.
```
~]$ sudo oscap-docker 096cae65a207 xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
```
Replace 096cae65a207 with the ID of your container image and the ospp value with pci-dss if you assess configuration compliance with the PCI-DSS baseline.

Verification

Check the results in a browser of your choice, for example:
```
~]$ firefox report.html &
```

Note

The rules marked as notapplicable are rules that do not apply to containerized systems. These rules apply only to bare-metal or virtualized systems.

Additional Resources

For more information, see the oscap-docker(8) and scap-security-guide(8) man pages.
The SCAP Security Guide documentation installed in the file:///usr/share/doc/scap-security-guide-doc-0.1.46/ directory.

8.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links