Atomic scan
With OpenSCAP
$whoami
● Lalatendu Mohanty
● Twitter: @lalatenduM
● lalatendu.org
System security (Software)
● Software vulnerabilities
● Configuration flaws
Configuration flaws
● Not following security policies
○ Example: Weak password settings
● Not using correct access control
Software vulnerabilities
● Undiscovered vulnerabilities
● Known vulnerabilities
○ Common Vulnerabilities and Exposures (CVE®)
Common Vulnerabilities and Exposures (CVE®)
● Publicly known cybersecurity vulnerabilities
● Example:
○ Heartbleed : CVE-2014-0160
■ OpenSSL
○ Shellshock: CVE-2014-6271
■ GNU Bash
atomic scan
● Scan a container or container image for CVEs.
● Can scan all images or containers at once.
● Plugin architecture for scan tool.
From atomic CLI
How does this work?
● Detect the operating system
● Get the appropriate CVE feed from vendor
● Check the image or container with OpenSCAP
● Parse the results
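The four steps above, modelled as an added Python example (not code from the slides or from the atomic project): it reads /etc/os-release content to detect the OS, picks a vendor OVAL feed from an assumed lookup table (the real atomic OpenSCAP plugin keeps its own table and download URLs), builds the oscap-chroot invocation without running it, and parses an OVAL results document to list the definitions that evaluated true together with their CVE ids. The os-release text and the results XML are constructed samples; the definition ids in them are placeholders.

```python
# Added example, not from the slides or the atomic project: a small model of
# the atomic scan pipeline (detect OS -> pick feed -> run OpenSCAP -> parse).
import re
import shlex
import xml.etree.ElementTree as ET

# OVAL 5 namespaces of a results document; the definitions section is embedded.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Assumed mapping from (ID, major version) to a vendor OVAL feed file name.
FEEDS = {
    ("rhel", "6"): "com.redhat.rhsa-RHEL6.xml",
    ("rhel", "7"): "com.redhat.rhsa-RHEL7.xml",
}

# Constructed /etc/os-release content of a scanned image.
SAMPLE_OS_RELEASE = """NAME="Red Hat Enterprise Linux Server"
VERSION="7.2 (Maipo)"
ID="rhel"
VERSION_ID="7.2"
"""

# Constructed OVAL results: one patch definition true (Heartbleed), one false.
SAMPLE_RESULTS = """<res:oval_results xmlns:res="http://oval.mitre.org/XMLSchema/oval-results-5"
                  xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <def:oval_definitions><def:definitions>
    <def:definition id="oval:example:def:1" version="1" class="patch">
      <def:metadata><def:title>constructed: openssl security update</def:title>
        <def:reference source="CVE" ref_id="CVE-2014-0160"/></def:metadata>
    </def:definition>
    <def:definition id="oval:example:def:2" version="1" class="patch">
      <def:metadata><def:title>constructed: bash security update</def:title>
        <def:reference source="CVE" ref_id="CVE-2014-6271"/></def:metadata>
    </def:definition>
  </def:definitions></def:oval_definitions>
  <res:results><res:system><res:definitions>
    <res:definition definition_id="oval:example:def:1" version="1" result="true"/>
    <res:definition definition_id="oval:example:def:2" version="1" result="false"/>
  </res:definitions></res:system></res:results>
</res:oval_results>
"""


def detect_os(os_release_text):
    """Step 1: parse ID and VERSION_ID out of /etc/os-release content."""
    fields = {}
    for line in os_release_text.splitlines():
        m = re.match(r'^([A-Z_]+)=("?)(.*)\2$', line.strip())
        if m:
            fields[m.group(1)] = m.group(3)
    return fields.get("ID"), fields.get("VERSION_ID")


def feed_for(os_id, version_id):
    """Step 2: choose the vendor CVE feed for the detected OS (assumed table)."""
    feed = FEEDS.get((os_id, version_id.split(".")[0]))
    if feed is None:
        raise ValueError("no CVE feed known for %s %s" % (os_id, version_id))
    return feed


def oscap_command(rootfs, feed, results="results.xml"):
    """Step 3: the OpenSCAP invocation as an argv list (returned, not executed).
    oscap-chroot evaluates the feed against a mounted image or container root."""
    return ["oscap-chroot", rootfs, "oval", "eval", "--results", results, feed]


def parse_results(results_xml):
    """Step 4: list definitions that evaluated true, with title and CVE ids."""
    root = ET.fromstring(results_xml)
    info = {}
    for d in root.iter("{%s}definition" % NS["def"]):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [r.get("ref_id") for r in d.findall("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        info[d.get("id")] = (title, cves)
    findings = []
    for r in root.iter("{%s}definition" % NS["res"]):
        if r.get("result") == "true":
            did = r.get("definition_id")
            title, cves = info.get(did, ("", []))
            findings.append({"id": did, "title": title, "cves": cves})
    return findings


if __name__ == "__main__":
    os_id, ver = detect_os(SAMPLE_OS_RELEASE)
    feed = feed_for(os_id, ver)
    print("detected %s %s -> feed %s" % (os_id, ver, feed))
    print("would run:", " ".join(shlex.quote(a) for a in oscap_command("/mnt/image", feed)))
    for f in parse_results(SAMPLE_RESULTS):
        print(f["id"], ",".join(f["cves"]), f["title"])
```

Only definitions with result="true" are reported, which is why a scan of a patched image comes back empty even though the feed lists thousands of advisories; an unknown OS raises rather than silently scanning with the wrong feed.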
atomic scan options
Demo
$ atomic scan rhel
CVE®
● CVE List is maintained by The MITRE Corporation (not for profit)
● Sponsored by the United States Computer Emergency Readiness Team.
● National Vulnerability Database (NVD):
○ Superset of CVE list.
○ Contains additional analysis, a database and a fine-grained search engine
○ Maintained by the US National Institute of Standards and Technology (NIST)
○ Data represented using Security Content Automation Protocol (SCAP)
Heartbleed CVE page
● https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160
Heartbleed CVE in NVD
● https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
SCAP
● SCAP is a line of compliance standards managed by NIST.
● Provides a standardized approach to security, e.g.:
○ Automatically verifying the presence of patches
○ Checking system security configuration settings
○ Examining systems for signs of compromise
OpenSCAP
● Creates a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
● Awarded the SCAP 1.2 certification by NIST in 2014.
Demo SCAP Workbench
On Fedora 23
● $ sudo dnf install scap-security-guide
● $ sudo dnf install scap-workbench
References:
● http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
● https://access.redhat.com/documentation/en-US/Red_Hat_Network_Satellite/5.5/html/User_Guide/chap-Red_Hat_Network_Satellite-User_Guide-OpenSCAP.html
● https://cve.mitre.org/about/
● https://www.youtube.com/watch?v=DxMd0T9_apo
Questions?
Collaborate: https://github.com/projectatomic/atomic

Atomic CLI scan