[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic] Using Atomic Scan on CAH

From: Micah Abbott <miabbott redhat com>
To: Steve Poe <steve poe gmail com>
Cc: atomic projectatomic io
Subject: Re: [atomic] Using Atomic Scan on CAH
Date: Thu, 2 Feb 2017 14:10:27 -0500

On 02/02/2017 01:03 PM, Steve Poe wrote:

Micah,

Thank you! That got me a step closer. I originally looked in the blogs
section on the project Atomic site, but I didn't see what you mentioned.

As a test, I downloaded the Centos6 image:
docker.io/centos <http://docker.io/centos>
centos6             8315978ceaaa        3 months ago        195 MB

Ran 'atomic scan 8315978ceaaa' but received  an error:

8315978ceaaa (docker.io/centos:centos6 <http://docker.io/centos:centos6>)
     8315978ceaaa is not supported for this scan.

Yeah, that is a limitation of the 'openscap' scanner right now. OnlyRHEL-based images are supported, AFAIK.

'atomic scan' allows you to define your own scanner, so you couldwrite/define your own.


https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in/

There is also a scanner from BlackDuck that seems to work almost out ofthe box:


https://hub.docker.com/r/blackducksoftware/atomic_scanner/




On Thu, Feb 2, 2017 at 9:30 AM, Micah Abbott <miabbott redhat com
<mailto:miabbott redhat com>> wrote:

    On 02/02/2017 12:13 PM, Steve Poe wrote:

        I am reading about the ability to scan my images for known
        vulnerabilities.

        On the Atomic host I created, I updated /etc/atomic.conf file
        and added
        the line:
        'default_scanner: openscap'

        However, the change does not work for me:

        atomic scan --list
        There are no scanners configured for this system.

        What am I doing wrong?


        CAH info:
        centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/alpha
               Version: 7.2017.15 (2017-01-31 00:49:10)


    I don't think the 'atomic scan' command will work right out of the
    box with just that configuration.

    You'll need to specify a scanner definition in '/etc/atomic.d/' like
    shown here:

    https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap <https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap>

    That should get you going in the right direction.

Follow-Ups:
- Re: [atomic] Using Atomic Scan on CAH
  - From: Steve Poe

References:
- [atomic] Using Atomic Scan on CAH
  - From: Steve Poe
- Re: [atomic] Using Atomic Scan on CAH
  - From: Micah Abbott
- Re: [atomic] Using Atomic Scan on CAH
  - From: Steve Poe

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]