OpenSCAP
Jooho Lee
Senior Consultant
PaaS & DevOps Practices Team
Agenda
What is SCAP?
What is OpenSCAP?
Give a try - Demo
What is atomic command?
OpenSCAP in Red Hat Products (TBD)
- Satellite 6.x
- CloudForms 4.x
Goal
This presentation is for those looking for a good tool for security scanning.
In particular, OpenShift Container Platform engineers are being asked about Docker
image security. Here I focus on how to use OpenSCAP.
The SCAP components such as XCCDF and OVAL are not the main topic, so they are
not covered in detail.
What is SCAP?
Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable the automated vulnerability
management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA
compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
- en.wikipedia.org -
Nice video : http://goo.gl/GBaiIW
SCAP components
● XCCDF: The Extensible Configuration Checklist Description Format
● OVAL®: Open Vulnerability and Assessment Language
● Asset Identification
● ARF: Asset Reporting Format
● CCE™: Common Configuration Enumeration
● CPE™: Common Platform Enumeration
● CVE®: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
What is OpenSCAP?
Open Source Security Compliance Solution.
The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.
● Homepage of the project: www.open-scap.org
● Manual: Oscap User Manual
● For new contributors: How to contribute
OpenSCAP is an implementation of the SCAP component standards listed above.
Why is OpenSCAP needed?
Security compliance
In the ever-changing world of computer security, where new vulnerabilities are discovered and
patched every day, enforcing security compliance must be a continuous process. The OpenSCAP
ecosystem provides tools and customizable policies for a quick, cost-effective and flexible
implementation.
Vulnerability assessment
A timely inspection of software inventory that identifies such vulnerabilities is a must for any
organization in the 21st century, and the OpenSCAP project provides tools for automated vulnerability
checking, allowing you to take steps to prevent attacks before they happen.
Why OpenSCAP is a good choice?
OpenSCAP has received a NIST certification for its support of SCAP 1.2.
Red Hat sponsors OpenSCAP
Red Hat supports OpenSCAP under a RHEL subscription
Red Hat Enterprise Linux 7 ships the OpenSCAP packages
OpenSCAP has started to support Docker images/containers*
Red Hat has integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1)**
* it can scan only RHEL-based Docker images/containers (the CVE feed and SSG content are Red Hat's)
** officially supported from Satellite 6.2 / CloudForms 4.1
OpenSCAP umbrella projects
OpenSCAP Base
- provide oscap command
OpenSCAP Daemon
- evaluate by schedule
SCAP Workbench
- graphical utility
SCAPTimony
- stores and reports compliance results for your infrastructure
OSCAP Anaconda Add-on
- an add-on for the installer used by Fedora and Red Hat Enterprise Linux 7
SCAP Security Guide
- OpenSCAP content primarily for Red Hat Enterprise Linux
Give a try - Demo
Image / Container
SCAP component / CVE
Give a try - Demo - image xccdf
# sudo yum install openscap -y
## oscap-docker is shipped in openscap-utils; the ssg-rhel7-xccdf.xml content
## under /usr/share/xml/scap/ssg/content comes from scap-security-guide
# docker pull docker.io/rhel7
## Evaluate the image against the XCCDF benchmark
# oscap-docker image docker.io/rhel7 xccdf eval --report result.html --profile standard
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
The report is written, but oscap-docker prints an error. Two separate things are going on:
- The WARNING: the SSG XCCDF references Red Hat's OVAL feed by URL, and oscap does not
  download remote resources unless --fetch-remote-resources is given (oscap-docker forwards
  it to oscap), so rules that depend on that feed cannot be evaluated without it.
- The "failed!": oscap exits with status 2 when the evaluation completed but the target is
  not compliant (at least one rule failed); status 1 is a real error. oscap-docker treats any
  non-zero status as a failure, so for an unhardened image this is the expected outcome and
  result.html still contains the per-rule results.
[root@localhost]/home/jooho/test# oscap-docker image docker.io/rhel7 xccdf eval --report result.html
--profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file
which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was:
Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard',
'/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
Give a try - Demo - image CVE
# sudo yum install openscap -y
# docker pull registry.access.redhat.com/rhel7
## Evaluate the image against Red Hat's CVE/RHSA OVAL feed
# oscap-docker image-cve registry.access.redhat.com/rhel7 --report result.html --verbose DEVEL
The report is generated successfully. Each line is one OVAL definition from the Red Hat
advisory (RHSA) feed: "false" means the image is not affected by that advisory, "true" means
the installed package is older than the fixed version, i.e. the image is vulnerable.
[root@localhost]/home/jooho/test# oscap-docker image-cve docker.io/rhel7
--report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…..
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
Give a try - Demo - Container xccdf
#docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach and leave the container running)
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c0e74dc5094 docker.io/rhel7 "bin/bash" 55 seconds ago Up 54 seconds amazing_mirzakhani
# oscap-docker container 4c0e74dc5094 xccdf eval --report result.html --profile
standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
As with the image scan, the report is written; the "failed!" is oscap-docker treating
oscap's exit status 2 (evaluation completed, at least one rule failed) as an error, and the
WARNING means the remote OVAL feed was skipped because --fetch-remote-resources was not given.
[root@localhost]/home/jooho/test# oscap-docker container 4c0 xccdf eval --report result.html --profile
standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file
which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was:
Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard',
'/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
Give a try - Demo - Container CVE
#docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach and leave the container running)
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c0e74dc5094 docker.io/rhel7 "bin/bash" 55 seconds ago Up 54 seconds amazing_mirzakhani
# oscap-docker container-cve 4c0e74dc5094 --report result.html
The report is generated successfully; as for the image scan, "false" per RHSA definition
means the container is not affected by that advisory.
[root@localhost]/home/jooho/test# oscap-docker container-cve 4c0e74dc5094
--report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
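Added example (the editor's, not code from the slides or the OpenSCAP project): a POSIX shell gate that turns the `oscap-docker image-cve` / `container-cve` output shown above into a pass/fail decision for a build pipeline, plus a helper that maps oscap's documented exit status (0 = compliant, 1 = error, 2 = evaluated but non-compliant) to text so the "failed!" in the xccdf demos can be read correctly. The sample output is constructed: the definition IDs are copied from the slides, but the `true` result is invented to exercise the failing path.

```shell
#!/bin/sh
# Added example: CI gate over oscap-docker image-cve / container-cve output.
# Each "Definition <oval id>: true|false" line is one OVAL definition result.
# For Red Hat's RHSA (patch) definitions, "true" means the installed package
# is older than the fixed version, i.e. the image/container is affected.

# Print the IDs of definitions that evaluated true, one per line.
# $1: file holding the captured oscap-docker stdout
affected_definitions() {
    awk '/^Definition oval:/ && $NF == "true" { sub(/:$/, "", $2); print $2 }' "$1"
}

# Number of affected definitions (prints 0 when none).
count_affected() {
    affected_definitions "$1" | wc -l | tr -d ' '
}

# Map an oscap exit status to its documented meaning (oscap(8), EXIT STATUS).
oscap_exit_meaning() {
    case "$1" in
        0) echo "evaluation completed, target compliant" ;;
        1) echo "oscap error (bad arguments, missing or invalid content)" ;;
        2) echo "evaluation completed, target NOT compliant (at least one rule failed)" ;;
        *) echo "unknown exit status $1" ;;
    esac
}

# Gate: return 0 when no definition is true, otherwise list them and return 2
# (mirroring oscap's own "non-compliant" status so pipelines can treat it alike).
cve_gate() {
    n=$(count_affected "$1")
    if [ "$n" -eq 0 ]; then
        echo "PASS: no RHSA definition evaluated true in $1"
        return 0
    fi
    echo "FAIL: $n RHSA definition(s) evaluated true in $1:"
    affected_definitions "$1" | sed 's/^/  /'
    return 2
}

# Constructed sample in the same format as the slides. The IDs are taken from
# the slide output; the "true" on the second line is invented for the demo.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: true
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
EOF

# Demo run against the constructed sample. In a real pipeline, capture the
# scanner output first, e.g. (assumed invocation, matching the slides):
#   oscap-docker image-cve registry.access.redhat.com/rhel7 | tee scan.txt
#   cve_gate scan.txt
cve_gate "$SAMPLE" || echo "gate exit status: $? ($(oscap_exit_meaning $?))"
```

The gate parses the plain-text results rather than the HTML report because the text is stable and needs no extra tooling; `--report` can still be kept for humans. Returning 2 instead of 1 keeps "vulnerable" distinguishable from "the scanner itself broke", which is the same distinction oscap draws with its own exit codes.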
Tip: how to list the profiles in an XCCDF file
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Tip: Important path
Security Content: /usr/share/xml/scap/ssg/content
What is the atomic command?
The goal of Atomic is to provide a high-level, coherent entry point to the system
and to fill in gaps in Linux container implementations.
It has several subcommands: atomic run/install/uninstall/scan.
Here we use atomic scan to security-scan Docker images/containers.
atomic scan for Docker images/containers
The scanner runs in a Super Privileged Container (SPC) that is
launched through a D-Bus call from the atomic command.
The atomic tool mounts the target image's or container's root
filesystem read-only from the host's filesystem.
These mounts are then passed to the scanning container, along
with a writable directory for the scanner to place its output.
http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
Give a try - Demo (atomic scan image)
# yum install atomic
# docker pull registry.access.redhat.com/rhel7/openscap
# atomic install registry.access.redhat.com/rhel7/openscap
# atomic scan docker.io/rhel7
The result JSON file is generated on the host.
[root@localhost]/home/jooho/test# atomic scan docker.io/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-08-24-15-18-26-150045:/scanin -v
/var/lib/atomic/openscap/2016-08-24-15-18-26-150045:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap
oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use
`--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
docker.io/rhel7 (6f7a31562d1ec72)
docker.io/rhel7 passed the scan
Files associated with this scan are in /var/lib/atomic/openscap/2016-08-24-15-18-26-150045.
Result JSON
cat /var/lib/atomic/openscap/2016-08-24-15-18-26-150045/6f7a31562d1ec723b2b025c8cf040fd6c0e74cb14fd0abdbd1a9b0dee5dd19f6/json
OpenSCAP in Red Hat Products (needs more testing)
Satellite 6.2
- Evaluate host
CloudForms 4.2
- Evaluate images
Pros and cons
● Pros
○ OpenSCAP has received a NIST certification for its support of SCAP 1.2.
○ Red Hat sponsors OpenSCAP
○ Red Hat supports OpenSCAP under a RHEL subscription
● Cons
○ Can evaluate RHEL-based images only
Third Party Application
Blackduck(https://www.blackducksoftware.com)
Twistlock(https://twistlock.com/)
END
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 

OpenSCAP Overview (security scanning for docker images and containers)

• 7. Why OpenSCAP is needed?

Security compliance
In the ever-changing world of computer security, where new vulnerabilities are being discovered and patched every day, enforcing security compliance must be a continuous process. The OpenSCAP ecosystem provides tools and customizable policies for a quick, cost-effective and flexible implementation.

Vulnerability assessment
A timely inspection of the software inventory that identifies such vulnerabilities is a must for any organization in the 21st century, and the OpenSCAP project provides tools for automated vulnerability checking, allowing you to take steps to prevent attacks before they happen.
• 8. Why OpenSCAP is a good choice?
● OpenSCAP has received a NIST certification for its support of SCAP 1.2.
● Red Hat sponsors OpenSCAP.
● Red Hat supports OpenSCAP with a RHEL subscription.
● Red Hat Enterprise Linux 7 contains the OpenSCAP packages.
● OpenSCAP started to support docker images/containers.*
● Red Hat integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1).**

* It can scan only RHEL based docker images/containers.
** It is officially supported from Satellite 6.2 / CloudForms 4.1.
• 9. OpenSCAP umbrella projects
● OpenSCAP Base - provides the oscap command
● OpenSCAP Daemon - evaluates on a schedule
● SCAP Workbench - graphical utility
● SCAPTimony - compliance of your infrastructure
● OSCAP Anaconda Add-on - an add-on for the installer used by Fedora and Red Hat Enterprise Linux 7
● SCAP Security Guide - OpenSCAP content, primarily for Red Hat Enterprise Linux
• 10. Give a try - Demo
Image / Container
SCAP component (XCCDF) / CVE
• 11. Give a try - Demo - image xccdf
# sudo yum install openscap -y
# docker pull docker.io/rhel7
## Evaluate the image with XCCDF
# oscap-docker image docker.io/rhel7 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
• 12. Result report is created, but with some error messages
[root@localhost]/home/jooho/test# oscap-docker image docker.io/rhel7 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was: Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard', '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
• 13. Give a try - Demo - image CVE
# sudo yum install openscap -y
# docker pull registry.access.redhat.com/rhel7
## Evaluate the image for CVEs
# oscap-docker image-cve registry.access.redhat.com/rhel7 --report result.html --verbose DEVEL
• 14. Result report is generated successfully
[root@localhost]/home/jooho/test# oscap-docker image-cve docker.io/rhel7 --report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
• 15. Give a try - Demo - Container xccdf
# docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach)
# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
4c0e74dc5094        docker.io/rhel7     "bin/bash"          55 seconds ago      Up 54 seconds                           amazing_mirzakhani
# oscap-docker container 4c0e74dc5094 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
• 16. Result report is created, but with some error messages
[root@localhost]/home/jooho/test# oscap-docker container 4c0 xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Command: oscap xccdf eval --report result.html --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml failed!
Error was: Command '['oscap', 'xccdf', 'eval', '--report', 'result.html', '--profile', 'standard', '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml']' returned non-zero exit status 2
• 17. Give a try - Demo - Container CVE
# docker run -it docker.io/rhel7 /bin/bash
CTRL+P, CTRL+Q (detach)
# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
4c0e74dc5094        docker.io/rhel7     "bin/bash"          55 seconds ago      Up 54 seconds                           amazing_mirzakhani
# oscap-docker container-cve 4c0e74dc5094 --report result.html
• 18. Result report is generated successfully
[root@localhost]/home/jooho/test# oscap-docker container-cve 4c0e74dc5094 --report result.html
Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.redhat.rhsa:def:20161632: false
…
Definition oval:com.redhat.rhsa:def:20140675: false
Evaluation done.
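An added example, not part of the slides, for reading the results shown on slides 12/16 and 14/18. It relies on the exit codes documented in the oscap man page (0 = evaluation finished and all rules passed, 1 = error, 2 = evaluation finished but at least one rule failed), so the "returned non-zero exit status 2" that oscap-docker prints on slides 12 and 16 means the XCCDF evaluation completed with failed rules and the report was still written. The OVAL output below is constructed; the com.example ids are placeholders, and oscap-docker is only invoked by scan_image_cve.

```shell
#!/bin/sh
# Added example (not from the slides): interpret oscap-docker results.
# oscap man page: for "xccdf eval", exit status 0 = evaluation done and all
# rules passed, 1 = error, 2 = evaluation done but some rule failed.
# oscap-docker (a Python wrapper) reports any non-zero status as
# "returned non-zero exit status N", so status 2 is a non-compliant
# result with the HTML report written, not a crashed scan.

# Map an "oscap xccdf eval" exit status to a short verdict.
oscap_verdict() {
    case "$1" in
        0) echo "compliant" ;;
        2) echo "non-compliant" ;;
        *) echo "error" ;;
    esac
}

# Count OVAL definitions that evaluated to "true" (the image/container is
# affected by that advisory) in image-cve / container-cve output on stdin.
count_affected() {
    grep -c '^Definition oval:[^ ]*: true$' || true
}

# Print the ids of the definitions that evaluated to "true", one per line.
list_affected() {
    sed -n 's/^Definition \(oval:[^ ]*\): true$/\1/p'
}

# Constructed sample in the format shown on slides 14 and 18; the
# com.example ids are placeholders, not real Red Hat advisories.
SAMPLE_OUTPUT='Definition oval:com.redhat.rhsa:def:20161633: false
Definition oval:com.example:def:1: true
Definition oval:com.redhat.rhsa:def:20140675: false
Definition oval:com.example:def:2: true
Evaluation done.'

# Scan an image for CVEs and summarize the output; needs oscap-docker
# installed on the host, exactly as on slide 13.
scan_image_cve() {
    out=$(oscap-docker image-cve "$1" --report result.html 2>&1)
    status=$?
    echo "oscap-docker exit status: $status"
    echo "affected advisories: $(printf '%s\n' "$out" | count_affected)"
    printf '%s\n' "$out" | list_affected
    return "$status"
}
```

On the sample above, count_affected returns 2 and list_affected prints the two placeholder ids; the rhsa lines evaluating to false are not reported.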
• 19. Tip: How to find the profiles in an XCCDF file
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
• 20. Tip: Important path
Security content: /usr/share/xml/scap/ssg/content
• 21. What is the atomic command?
The goal of Atomic is to provide a high level, coherent entrypoint to the system, and fill in gaps in Linux container implementations.
There are several commands: atomic run/install/uninstall/scan
Here, we will use atomic scan to scan docker images/containers for security issues.
• 22. atomic scan docker images/containers
It uses an SPC (Super Privileged Container), started through a dbus call from the atomic command. The atomic tool mounts the read-only rootfs of the image or container from the host's file system. These mounted file systems are then passed on to the scanning container, along with a writable directory for the scanner to place its output.
http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
• 23. Give a try - Demo (atomic scan image)
# yum install atomic
# docker pull registry.access.redhat.com/rhel7/openscap
# atomic install registry.access.redhat.com/rhel7/openscap
# atomic scan docker.io/rhel7
• 24. Result JSON file generated on the host successfully
[root@localhost]/home/jooho/test# atomic scan docker.io/rhel7
docker run -it --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-08-24-15-18-26-150045:/scanin -v /var/lib/atomic/openscap/2016-08-24-15-18-26-150045:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
docker.io/rhel7 (6f7a31562d1ec72)
docker.io/rhel7 passed the scan
Files associated with this scan are in /var/lib/atomic/openscap/2016-08-24-15-18-26-150045.
• 26. OpenSCAP in Red Hat Products (needs more testing)
● Satellite 6.2 - Evaluate hosts
● CloudForms 4.2 - Evaluate images
• 27. Pros and cons
● Pros
○ OpenSCAP has received a NIST certification for its support of SCAP 1.2.
○ Red Hat sponsors OpenSCAP.
○ Red Hat supports OpenSCAP with a RHEL subscription.
● Cons
○ Can evaluate RHEL based images only.
  • 29. END