Atomic CLI scan


Introduction to the OpenSCAP project and the atomic CLI from Project Atomic, used to scan Linux containers and images for CVEs.


  1. Atomic scan with OpenSCAP
  2. $ whoami
     ● Lalatendu Mohanty
     ● Twitter: @lalatenduM
     ● lalatendu.org
  3. System security (software)
     ● Software vulnerabilities
     ● Configuration flaws
  4. Configuration flaws
     ● Not following security policies
       ○ Example: weak password settings
     ● Not using correct access control
  5. Software vulnerabilities
     ● Undiscovered vulnerabilities
     ● Known vulnerabilities
       ○ Common Vulnerabilities and Exposures (CVE®)
  6. Common Vulnerabilities and Exposures (CVE®)
     ● Publicly known cybersecurity vulnerabilities
     ● Examples:
       ○ Heartbleed: CVE-2014-0160 (OpenSSL)
       ○ Shellshock: CVE-2014-6271 (GNU Bash)
  7. atomic scan (from the atomic CLI)
     ● Scans a container or container image for CVEs.
     ● Can scan all images or containers at once.
     ● Plugin architecture for the scan tool.
  8. How does this work?
     ● Detect the operating system
     ● Get the appropriate CVE feed from the vendor
     ● Check the image or container with OpenSCAP
     ● Parse the results
  9. atomic scan options
  10. Demo: $ atomic scan rhel
  11. CVE®
     ● The CVE List is maintained by The MITRE Corporation (not for profit)
     ● Sponsored by the United States Computer Emergency Readiness Team
     ● National Vulnerability Database (NVD):
       ○ Superset of the CVE List
       ○ Contains additional analysis, a database and a fine-grained search engine
       ○ Maintained by the US National Institute of Standards and Technology (NIST)
       ○ Data represented using the Security Content Automation Protocol (SCAP)
  12. Heartbleed CVE page
     ● https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160
  13. Heartbleed CVE in NVD
     ● https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
  14. SCAP
     ● SCAP is a line of compliance standards managed by NIST.
     ● Provides a standardized approach to security, e.g.
       ○ Automatically verifying the presence of patches
       ○ Checking system security configuration settings
       ○ Examining systems for signs of compromise
  15. OpenSCAP
     ● Creates a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
     ● Awarded SCAP 1.2 certification by NIST in 2014.
  16. Demo: SCAP Workbench on Fedora 23
     ● $ sudo dnf install scap-security-guide
     ● $ sudo dnf install scap-workbench
  17. References:
     ● http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
     ● https://access.redhat.com/documentation/en-US/Red_Hat_Network_Satellite/5.5/html/User_Guide/chap-Red_Hat_Network_Satellite-User_Guide-OpenSCAP.html
     ● https://cve.mitre.org/about/
     ● https://www.youtube.com/watch?v=DxMd0T9_apo
  18. Questions? Collaborate: https://github.com/projectatomic/atomic
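Slide 8 lists the pipeline (detect the OS, fetch the vendor CVE feed, evaluate with OpenSCAP, parse the results). The last step, as an added example that is not from the deck or the atomic project: parse an OVAL results document of the kind OpenSCAP writes, and map every patch definition that evaluated to "true" back to the CVE ids it references. The OVAL 5 namespaces are real; the scan output, definition ids and advisory titles in SAMPLE_RESULTS are constructed.

```python
import xml.etree.ElementTree as ET

# Real OVAL 5 namespaces; the results document below is constructed for the example.
OVAL_DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
OVAL_RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"

SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:com.example:def:1" class="patch">
        <metadata><title>EXAMPLE-2014:0001: openssl security update (Important)</title>
          <reference source="CVE" ref_id="CVE-2014-0160"/></metadata>
      </definition>
      <definition id="oval:com.example:def:2" class="patch">
        <metadata><title>EXAMPLE-2014:0002: bash security update (Critical)</title>
          <reference source="CVE" ref_id="CVE-2014-6271"/></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.example:def:1" result="true"/>
    <definition definition_id="oval:com.example:def:2" result="false"/>
  </definitions></system></results>
</oval_results>
"""

def vulnerable_cves(results_xml):
    """Return {CVE id: advisory title} for every patch definition whose result is
    "true": OpenSCAP found the image still matches the vulnerable package state."""
    root = ET.fromstring(results_xml)
    defs = {}  # definition id -> (advisory title, [CVE ids])
    for d in root.iter(OVAL_DEF + "definition"):
        meta = d.find(OVAL_DEF + "metadata")
        if d.get("class") != "patch" or meta is None:
            continue
        cves = [r.get("ref_id") for r in meta.findall(OVAL_DEF + "reference")
                if r.get("source") == "CVE"]
        defs[d.get("id")] = (meta.findtext(OVAL_DEF + "title", default=""), cves)
    found = {}
    for r in root.iter(OVAL_RES + "definition"):
        if r.get("result") == "true" and r.get("definition_id") in defs:
            title, cves = defs[r.get("definition_id")]
            found.update((cve, title) for cve in cves)
    return found

if __name__ == "__main__":
    for cve, title in sorted(vulnerable_cves(SAMPLE_RESULTS).items()):
        print(f"{cve}: {title}")
```

A definition with result "false" means the patched package version is already installed, so only the Heartbleed advisory is reported for this sample.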
