Re: [atomic-devel] No Openscap for Fedora Atomic?

[Brent Baude <bbaude redhat com>]

On Tue, 2016-06-28 at 09:41 -0400, Micah Abbott wrote:
> On 06/27/2016 06:32 PM, Josh Berkus wrote:
> > Folks,
> > 
> > Unlike RHEL and CentOS, Fedora Atomic seems to be missing the
> > Openscap
> > service required to run atomic scan.  What's involved in getting
> > this
> > added in?
> > 
> 
> I don't believe OpenSCAP is included in either RHEL or CentOS AH
> (see 
> below).
> 
> I believe the way to get started with OpenSCAP is with a container:
> 
> https://hub.docker.com/r/openscap/openscap-daemon-f23/
> 
> 
> This is the prescribed method for the RHEL AH hosts, combined with 
> 'atomic scan':
> 
> https://access.redhat.com/errata/RHEA-2016:1327
> 
> 
> -Micah
> 
> 
> -bash-4.2# rpm-ostree status
>    TIMESTAMP (UTC)         VERSION        ID             OSNAME 
>         REFSPEC
> * 2016-04-04 21:25:34     7.20160404     e39c28570a 
> centos-atomic-host 
> centos-atomic-host:centos-atomic-host/7/x86_64/standard
> 
> GPG: Found 1 signature on the booted deployment (*):
> 
>    Signature made Mon 04 Apr 2016 09:33:10 PM UTC using RSA key ID 
> F17E745691BA8335
>    Good signature from "CentOS Atomic SIG <security centos org>"
> -bash-4.2# rpm -qa | grep openscap
> -bash-4.2#
> 
> 
> -bash-4.2# rpm-ostree status
>    TIMESTAMP (UTC)         VERSION     ID             OSNAME 
>    REFSPEC
> * 2016-06-06 18:12:07     7.2.5       4bf265cf86     rhel-atomic-
> host 
>   rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
> -bash-4.2# rpm -qa | grep openscap
> -bash-4.2#
> 

Josh,

I have a Fedora version of the openscap image on docker.io.  It is
docker.io/fedora/atomic_scan_openscap.  This will allow you to scan
RHEL content on Fedora.  

However, remember, only RHEL provides the openscap CVE input data so
while you can run this on Fedora or CentOS, you will still only be able
to scan RHEL-based images.