
Re: [atomic] Using Atomic Scan on CAH



Micah,

Thanks again for the info. I guess I am mistaken, I thought CentOS is RHEL-based, so it should have been able to scan the container image. Then I read on https://gist.github.com/gregelin/f94ba31f004ca4acea87
"

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:

  1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS.
  2. Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.
"

I also found https://www.centos.org/forums/viewtopic.php?t=50462 which mentions:

To fix this you need to add centos to the profile section.

Open /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml in a text editor and search for
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>

and add a line just after that with
  <platform idref="cpe:/o:centos:centos:6"/>


I'll take a look at BlackDuck, but I hope the OpenSCAP container will be updated to better recognize CentOS.






On Thu, Feb 2, 2017 at 11:10 AM, Micah Abbott <miabbott redhat com> wrote:
On 02/02/2017 01:03 PM, Steve Poe wrote:
Micah,

Thank you! That got me a step closer. I originally looked in the blogs
section on the project Atomic site, but I didn't see what you mentioned.

As a test, I downloaded the Centos6 image:
docker.io/centos
centos6             8315978ceaaa        3 months ago        195 MB

Ran 'atomic scan 8315978ceaaa' but received an error:

8315978ceaaa (docker.io/centos:centos6)
     8315978ceaaa is not supported for this scan.

Yeah, that is a limitation of the 'openscap' scanner right now.  Only RHEL-based images are supported, AFAIK.


'atomic scan' allows you to define your own scanner, so you could write/define your own.

https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in/


There is also a scanner from BlackDuck that seems to work almost out of the box:

https://hub.docker.com/r/blackducksoftware/atomic_scanner/




On Thu, Feb 2, 2017 at 9:30 AM, Micah Abbott <miabbott redhat com> wrote:

    On 02/02/2017 12:13 PM, Steve Poe wrote:

        I am reading about the ability to scan my images for known
        vulnerabilities.

        On the Atomic host I created, I updated /etc/atomic.conf file
        and added
        the line:
        'default_scanner: openscap'

        However, the change does not work for me:

        atomic scan --list
        There are no scanners configured for this system.

        What am I doing wrong?


        CAH info:
        centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/alpha
               Version: 7.2017.15 (2017-01-31 00:49:10)


    I don't think the 'atomic scan' command will work right out of the
    box with just that configuration.

    You'll need to specify a scanner definition in '/etc/atomic.d/' like
    shown here:

    https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap

    That should get you going in the right direction.




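The CentOS forum fix quoted in the top post (insert a `cpe:/o:centos:centos:6` platform reference right after each `cpe:/o:redhat:enterprise_linux:6` one in the SSG data stream) is easy to get wrong by hand in a large XML file, so here is an added example that applies it programmatically; this is not code from the thread, atomic or SCAP-Security-Guide. It assumes the XCCDF 1.2 namespace used by the `ssg-rhel6-ds.xml` benchmark, and the sample data stream is constructed, not a real SSG file. It only handles the XCCDF side: as the gist quoted above notes, the CentOS CPE must still resolve to an OVAL platform check, or the results stay "not applicable".

```python
"""Hypothetical helper: add a CentOS <platform> next to each RHEL one."""
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by the ssg-rhel6-ds.xml data stream
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

RHEL6_CPE = "cpe:/o:redhat:enterprise_linux:6"
CENTOS6_CPE = "cpe:/o:centos:centos:6"

# Constructed, minimal stand-in for the real SSG benchmark XML
SAMPLE_DS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_ssg_benchmark_RHEL-6">
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <Profile id="xccdf_ssg_profile_common">
    <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
    <title>Common Profile</title>
  </Profile>
</Benchmark>
"""


def add_centos_platform(xml_text, rhel_cpe=RHEL6_CPE, centos_cpe=CENTOS6_CPE):
    """Insert <platform idref=centos_cpe/> directly after every
    <platform idref=rhel_cpe/>. Returns (new_xml, number_inserted).
    Re-running on already patched XML inserts nothing (idempotent)."""
    root = ET.fromstring(xml_text)
    tag = f"{{{XCCDF_NS}}}platform"
    inserted = 0
    # Snapshot the element list: we modify children while walking
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != tag or child.get("idref") != rhel_cpe:
                continue
            siblings = list(parent)
            pos = siblings.index(child)
            nxt = siblings[pos + 1] if pos + 1 < len(siblings) else None
            if nxt is not None and nxt.tag == tag and nxt.get("idref") == centos_cpe:
                continue  # CentOS reference already present after this one
            new = ET.Element(tag, {"idref": centos_cpe})
            new.tail = child.tail  # keep the original line formatting
            parent.insert(pos + 1, new)
            inserted += 1
    return ET.tostring(root, encoding="unicode"), inserted


if __name__ == "__main__":
    patched, count = add_centos_platform(SAMPLE_DS)
    print(f"inserted {count} CentOS platform reference(s)")
    print(patched)
```

On a real host the same function would be fed the contents of /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml and the result written back to a copy before pointing the scanner at it.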
