ManageIQ is an open source management platform for hybrid IT. It can manage small and large environments and supports multiple technologies such as virtual machines, public clouds and containers.
OpenShift is Red Hat's PaaS container solution, managed by a dedicated provider in ManageIQ. The provider offers inventory reports, metrics collection and visualization, logs, usage reports, cluster deployment operations and security scanning for container images.
As container images may come from various sources, there is a growing need for a tool that analyzes them. ManageIQ gives the option to scan images and report security vulnerabilities. We will scan OpenShift container images using ManageIQ and study the reports generated by OpenSCAP and SmartState Analysis. We will talk about the image-inspector tool that inspects the images, how it integrates with OpenShift as a container, and how ManageIQ connects to it through OpenShift.
3. Agenda
● What is a Container Image
○ Why should you suspect your images?
● How to Scan a Container Image
○ SCAP
○ OpenSCAP
○ Image Inspector
● Managing a secure container cluster
○ OpenShift
○ ManageIQ
○ Scanning images from ManageIQ
○ ManageIQ Policies
5. What is a Container Image
The OCI image-spec https://github.com/opencontainers/image-spec/blob/master/spec.md
Manifests, layers (compressed filesystem changes), digests
6. What is a Container Image
A mini Linux OS
Layers of files
Created using packages and other images
Current implementations are “lazy” about updating packages
9. Why should you suspect an Image?
Did the vendor of the base image test it thoroughly?
Are you using the most updated version of everything?
New threats can pop up anytime:
13. SCAP
SCAP “is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization”
Umbrella standard built from: CVE, CPE, XCCDF, OVAL…
Using a catalogue of known security issues, SCAP can evaluate a given system.
15. OpenSCAP
An open source implementation of the SCAP protocol
Reads the different SCAP file standards, evaluates systems based on them and generates reports
Maintained by Red Hat
16. OpenSCAP
On Fedora:
sudo oscap xccdf eval --profile common --report /var/www/html/report.html \
    --results /var/www/html/results.xml /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml
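The --results file written by the command above is XCCDF XML. As an added example (not from the talk, ManageIQ or OpenSCAP), the Python below parses such a file, counts the verdicts and applies a severity gate of the kind a ManageIQ compliance policy would enforce on a scanned image. The XCCDF 1.2 namespace is the real one; the sample results and rule ids are constructed.

```python
from collections import Counter
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape of an `oscap xccdf eval --results` file:
# one high and one medium rule fail, one passes, one is not applicable.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_common">
    <rule-result idref="xccdf_example_rule_security_patches_up_to_date" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Order used to compare rule severities; XCCDF also allows "info" and "unknown".
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}


def summarize(xccdf_xml):
    """Count verdicts and collect (rule id, severity) for every failing rule."""
    root = ET.fromstring(xccdf_xml)
    counts = Counter()
    failed = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        verdict = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[verdict] += 1
        # "error" means the check could not run; treat it as a failure too.
        if verdict in ("fail", "error"):
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return {"counts": counts, "failed": failed}


def compliant(summary, threshold="high"):
    """Policy-style gate: True when no rule at or above `threshold` failed."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK.get(sev, 0) < limit for _, sev in summary["failed"])
```

Point `summarize` at the contents of results.xml from a real run to get the same verdict counts and failed-rule list for that host or image.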
17. A Look at an OpenSCAP report
22. Image-Inspector
Tool for running scans on container images
Pulls the image, extracts it and runs OpenSCAP on the contents
Serves the scan results and the image metadata
WebDAV server for the image contents
docker run docker.io/openshift/image-inspector --image=.. --scan-type openscap --serve 0.0.0.0:8080
github.com/openshift/image-inspector
25. OpenShift (Container Platform)
Built on top of Kubernetes
A container PaaS: Users, Projects, Templates, Deployments, Builds, Routes, Image Streams
Built-in services: Image Registry, Logs and Metrics Collection
github.com/openshift/origin
28. ManageIQ
Single Pane of Glass
Providers: plugins that manage a specific type of resource
Monitoring and Management
Policies, Alerts, Reports, Automation
Cross linking between providers
29. ManageIQ
OpenShift Provider: metrics collection and visualization, reports, inventory, deployment, security scanning for images
github.com/ManageIQ/manageiq
34. Image-Inspector Future
CVE coverage for more systems
CRI-O support
Job Mode to run as a Kubernetes Job
ManageIQ: Security Dashboard and Compliance Reports