Este contenido no está disponible en el idioma seleccionado.
8.9. Scanning Containers and Container Images for Vulnerabilities
Use these procedures to find security vulnerabilities in a container or a container image.
You can use either the
oscap-docker command-line utility or the atomic scan command-line utility to find security vulnerabilities in a container or a container image.
With
oscap-docker, you can use the oscap program to scan container images and containers.
With
atomic scan, you can use OpenSCAP scanning capabilities to scan container images and containers on the system. You can scan for known CVE vulnerabilities and for configuration compliance. Additionally, you can remediate container images to the specified policy.
8.9.1. Scanning Container Images and Containers for Vulnerabilities Using oscap-docker
You can scan containers and container images using the
oscap-docker utility.
Note
The
oscap-docker command requires root privileges and the ID of a container is the second argument.
Prerequisites
- The openscap-containers package is installed.
Procedure
- Find the ID of a container or a container image, for example:
~]#docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry.access.redhat.com/ubi7/ubi latest 096cae65a207 7 weeks ago 239 MB - Scan the container or the container image for vulnerabilities and save results to the vulnerability.html file:
~]#oscap-docker image-cve 096cae65a207 --report vulnerability.htmlImportant
To scan a container, replace theimage-cveargument withcontainer-cve.
Verification
- Inspect the results in a browser of your choice, for example:
~]$firefox vulnerability.html &
Additional Resources
- For more information, see the
oscap-docker(8)andoscap(8)man pages.
8.9.2. Scanning Container Images and Containers for Vulnerabilities Using atomic scan
With the
atomic scan utility, you can scan containers and container images for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat. The atomic scan command has the following form:
~]#atomic scan[OPTIONS][ID]
where ID is the ID of the container image or container you want to scan.
Warning
The
atomic scan functionality is deprecated, and the OpenSCAP container image is no longer updated for new vulnerabilities. Therefore, prefer the oscap-docker utility for vulnerability scanning purposes.
Use cases
- To scan all container images, use the
--imagesdirective. - To scan all containers, use the
--containersdirective. - To scan both types, use the
--alldirective. - To list all available command-line options, use the
atomic scan--helpcommand.
The default scan type of the
atomic scan command is CVE scan. Use it for checking a target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.
Prerequisites
- You have downloaded and installed the OpenSCAP container image from Red Hat Container Catalog (RHCC) using the
atomic install rhel7/openscapcommand.
Procedure
- Verify you have the latest OpenSCAP container image to ensure the definitions are up to date:
~]#atomic help registry.access.redhat.com/rhel7/openscap| grepversion - Scan a RHEL 7.2 container image with several known security vulnerabilities:
~]#atomic scan registry.access.redhat.com/rhel7:7.2 docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-11-01-14-49-36-614281:/scanin -v /var/lib/atomic/openscap/2017-11-01-14-49-36-614281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout registry.access.redhat.com/rhel7:7.2 (98a88a8b722a718) The following issues were found: RHSA-2017:2832: nss security update (Important) Severity: Important RHSA URL: https://access.redhat.com/errata/RHSA-2017:2832 RHSA ID: RHSA-2017:2832-01 Associated CVEs: CVE ID: CVE-2017-7805 CVE URL: https://access.redhat.com/security/cve/CVE-2017-7805 ...
Additional Resources
- Product Documentation for Red Hat Enterprise Linux Atomic Host contains a detailed description of the
atomiccommand usage and containers. - The Red Hat Customer Portal provides a guide to the Atomic command-line interface (CLI).
