openscap overview(security scanning for docker image and container)
Post on 15-Apr-2017
OpenSCAP
Jooho Lee
Senior Consultant, PaaS & DevOps Practices Team
Agenda
What is SCAP?
What is OpenSCAP?
Give a try - Demo
What is atomic command?
OpenSCAP in Red Hat Products (TBD)
- Satellite 6.x
- CloudForms 4.x
Goal
This presentation is for anyone looking for a good tool to do security scanning.
In particular, OpenShift Container Platform engineers are regularly asked about docker image security. Here, I would like to focus on explaining how to use OpenSCAP.
The SCAP components such as XCCDF and OVAL are not the main topic, so they are not covered in detail.
What is SCAP?
Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
- en.wikipedia.org -
Nice video : http://goo.gl/GBaiIW
SCAP components
● XCCDF: The Extensible Configuration Checklist Description Format
● OVAL®: Open Vulnerability and Assessment Language
● Asset Identification
● ARF: Asset Reporting Format
● CCE™: Common Configuration Enumeration
● CPE™: Common Platform Enumeration
● CVE®: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
What is OpenSCAP?
Open Source Security Compliance Solution.
The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.
● Homepage of the project: www.open-scap.org
● Manual: Oscap User Manual
● For new contributors: How to contribute
OpenSCAP is an implementation of the SCAP components.
Why is OpenSCAP needed?
Security compliance
In the ever-changing world of computer security, where new vulnerabilities are discovered and patched every day, enforcing security compliance must be a continuous process. The OpenSCAP ecosystem provides tools and customizable policies for a quick, cost-effective and flexible implementation.
Vulnerability assessment
A timely inspection of the software inventory that identifies such vulnerabilities is a must for any organization in the 21st century, and the OpenSCAP project provides tools for automated vulnerability checking, allowing you to take steps to prevent attacks before they happen.
Why is OpenSCAP a good choice?
OpenSCAP has received a NIST certification for its support of SCAP 1.2.
Red Hat sponsors OpenSCAP.
Red Hat supports OpenSCAP with an RHEL subscription.
Red Hat Enterprise Linux 7 contains the OpenSCAP packages.
OpenSCAP has started to support docker images/containers.*
Red Hat has integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1).**
* It can scan only RHEL-based docker images/containers.
** It is officially supported from Satellite 6.2 / CloudForms 4.1.
OpenSCAP umbrella projects
OpenSCAP Base - provides the oscap command
OpenSCAP Daemon - evaluates on a schedule
SCAP Workbench - graphical utility
SCAPTimony - compliance of your infrastructure
OSCAP Anaconda Add-on - an add-on for the installer used by Fedora and Red Hat Enterprise Linux 7
SCAP Security Guide - OpenSCAP content, primarily for Red Hat Enterprise Linux
Give a try - Demo
Target: Image / Container
Check: SCAP component (XCCDF) / CVE
Give a try - Demo - Image XCCDF
# sudo yum install openscap -y
# docker pull docker.io/rhel7
## Evaluate image with xccdf
# oscap-docker image docker.io/rhel7 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
The result report is created, but with some error messages:
[root@localhost]/home/jooho/test# oscap-docker image docker.io/rhel7 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was:
Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard', '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
Give a try - Demo - Image CVE
# sudo yum install openscap -y
# docker pull registry.access.redhat.com/rhel7
## Evaluate image for CVEs
# oscap-docker image-cve registry.access.redhat.com/rhel7 --report result.html --verbose DEVEL
The result report is generated successfully:
[root@localhost]/home/jooho/test# oscap-docker image-cve docker.io/rhel7 --report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…..
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
Give a try - Demo - Container XCCDF
# docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach from the container)
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c0e74dc5094 docker.io/rhel7 "bin/bash" 55 seconds ago Up 54 seconds amazing_mirzakhani
# oscap-docker container 4c0e74dc5094 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
The result report is created, but with some error messages:
[root@localhost]/home/jooho/test# oscap-docker container 4c0 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was:
Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard', '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
Give a try - Demo - Container CVE
# docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach from the container)
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c0e74dc5094 docker.io/rhel7 "bin/bash" 55 seconds ago Up 54 seconds amazing_mirzakhani
# oscap-docker container-cve 4c0e74dc5094 --report result.html
The result report is generated successfully:
[root@localhost]/home/jooho/test# oscap-docker container-cve 4c0e74dc5094 --report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
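Added example, not code from the original slides: a POSIX shell wrapper for the image-cve and container-cve demos above that parses the "Definition oval:...: true/false" lines oscap prints and turns them into a CI pass/fail; REPORT_DIR and the scan_cve/scan_all_cve helper names are my own. The exit-code mapping follows oscap's own convention (0 all rules passed, 1 evaluation error, 2 at least one rule failed), which is also why the XCCDF demos show "returned non-zero exit status 2" next to a usable report.

```shell
#!/bin/sh
# Added example (not from the original slides): drive the oscap-docker
# image-cve / container-cve scans shown above and turn their
# "Definition oval:...: true|false" lines into a CI pass/fail.
# Assumptions: oscap-docker is installed on the host; REPORT_DIR is writable.
REPORT_DIR="${REPORT_DIR:-./oscap-reports}"

# Count definitions that evaluated to "true": the RHSA applies, i.e. the
# target still ships a package the erratum fixes.  "false" lines are clean.
count_true_definitions() {
    awk '/^Definition oval:.*: true$/ { n++ } END { print n + 0 }'
}

# Print only the ids of the definitions that evaluated to "true".
list_true_definitions() {
    awk '/^Definition oval:.*: true$/ { sub(/^Definition /, ""); sub(/: true$/, ""); print }'
}

# Run image-cve (kind=image) or container-cve (kind=container) on one target,
# keep the HTML report plus the raw log, and print the number of hits.
scan_cve() {
    kind="$1"; target="$2"
    safe=$(printf '%s' "$target" | tr '/:' '__')
    mkdir -p "$REPORT_DIR"
    oscap-docker "${kind}-cve" "$target" --report "$REPORT_DIR/$safe.html" \
        | tee "$REPORT_DIR/$safe.log" | count_true_definitions
}

# Scan every target given; return 1 if any of them has a matching definition.
scan_all_cve() {
    kind="$1"; shift
    rc=0
    for target in "$@"; do
        hits=$(scan_cve "$kind" "$target")
        echo "$target: $hits vulnerable definition(s)"
        [ "$hits" -eq 0 ] || rc=1
    done
    return "$rc"
}

# oscap xccdf eval exit codes: 0 = all rules passed, 1 = evaluation error,
# 2 = at least one rule failed.  oscap-docker prints "failed!" for 2 as well,
# so check the code before treating the run (and its report) as broken.
xccdf_status() {
    case "$1" in 0) echo pass ;; 2) echo fail ;; *) echo error ;; esac
}

# Usage: sh scan.sh image docker.io/rhel7 registry.access.redhat.com/rhel7
if [ "$#" -ge 2 ]; then scan_all_cve "$@"; fi
```

The "Skipping ... Red_Hat_Enterprise_Linux_7.xml" warning in the XCCDF demos means oscap did not download the OVAL feed the XCCDF content references; oscap's --fetch-remote-resources option, given after xccdf eval (oscap-docker passes its arguments through to oscap, as the "Command: oscap xccdf eval ..." line shows), makes it fetch that feed.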
Tip: How to list the profiles in an XCCDF file
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Tip: Important path
Security content: /usr/share/xml/scap/ssg/content
What is the atomic command?
The goal of Atomic is to provide a high-level, coherent entrypoint to the system, and to fill in gaps in Linux container implementations.
There are several commands: atomic run/install/uninstall/scan
Here, we will use atomic scan to security-scan docker images/containers.
atomic scan for docker images/containers
It uses an SPC (Super Privileged Container), started through a D-Bus call from the atomic command.
The atomic tool is able to mount the target's root filesystem read-only from the host's file system.
These mounted file systems can then be passed to the scanning container, along with a writeable directory for the scanner to place its output in.
http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
Give a try - Demo (atomic scan image)
# yum install atomic
# docker pull registry.access.redhat.com/rhel7/openscap
# atomic install registry.access.redhat.com/rhel7/openscap
# atomic scan docker.io/rhel7
The result json file is generated on the host successfully:
[root@localhost]/home/jooho/test# atomic scan docker.io/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-08-24-15-18-26-150045:/scanin -v /var/lib/atomic/openscap/2016-08-24-15-18-26-150045:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
docker.io/rhel7 (6f7a31562d1ec72)
docker.io/rhel7 passed the scan
Files associated with this scan are in /var/lib/atomic/openscap/2016-08-24-15-18-26-150045.
Result json:
# cat /var/lib/atomic/openscap/2016-08-24-15-18-26-150045/6f7a31562d1ec723b2b025c8cf040fd6c0e74cb14fd0abdbd1a9b0dee5dd19f6/json
OpenSCAP in Red Hat Products (needs more testing)
Satellite 6.2 - Evaluate host
CloudForms 4.2 - Evaluate images
Pros and cons
● Pros
○ OpenSCAP has received a NIST certification for its support of SCAP 1.2.
○ Red Hat sponsors OpenSCAP.
○ Red Hat supports OpenSCAP with an RHEL subscription.
● Cons
○ Can evaluate RHEL-based images only.
Third-party applications
Blackduck (https://www.blackducksoftware.com)
Twistlock (https://twistlock.com/)
END