
Re: [atomic] Using Atomic Scan on CAH



On 02/02/2017 06:57 PM, Steve Poe wrote:
Micah,

Thanks again for the info. I guess I am mistaken; I thought CentOS was
RHEL-based, so it should have been able to scan the container image.

Yes, CentOS is built using the source code provided by Red Hat, but it is technically not a Red Hat product. I believe there are a few modifications made to differentiate the two, which is why you have the suggested workarounds below. :)

Then I read on https://gist.github.com/gregelin/f94ba31f004ca4acea87
"

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results
come back "not applicable?" Two reasons:

 1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL
    and not CentOS.
 2. Because CPE platform string is verified with an OVAL test that
    checks the RPMs for platform identification.

"

I also found https://www.centos.org/forums/viewtopic.php?t=50462 which
mentions:

To fix this you need to add centos to the profile section.

Open /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml in a text editor and
search for
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>

and add a line just after that with
  <platform idref="cpe:/o:centos:centos:6"/>

I'll take a look at BlackDuck, but I hope the OpenSCAP container will be
updated to better recognize CentOS.

It probably wouldn't hurt to open an issue upstream with the OpenSCAP project:

https://github.com/OpenSCAP/openscap-daemon

They should know the best way to enable CentOS container scanning.





On Thu, Feb 2, 2017 at 11:10 AM, Micah Abbott <miabbott redhat com> wrote:

    On 02/02/2017 01:03 PM, Steve Poe wrote:

        Micah,

        Thank you! That got me a step closer. I originally looked in the
        blogs section on the project Atomic site, but I didn't see what you
        mentioned.

        As a test, I downloaded the Centos6 image:
        docker.io/centos    centos6    8315978ceaaa    3 months ago    195 MB

        Ran 'atomic scan 8315978ceaaa' but received an error:

        8315978ceaaa (docker.io/centos:centos6)
             8315978ceaaa is not supported for this scan.


    Yeah, that is a limitation of the 'openscap' scanner right now.
    Only RHEL-based images are supported, AFAIK.


    'atomic scan' allows you to define your own scanner, so you could
    write/define your own.

    https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in/


    There is also a scanner from BlackDuck that seems to work almost out
    of the box:

    https://hub.docker.com/r/blackducksoftware/atomic_scanner/




        On Thu, Feb 2, 2017 at 9:30 AM, Micah Abbott <miabbott redhat com> wrote:

            On 02/02/2017 12:13 PM, Steve Poe wrote:

                I am reading about the ability to scan my images for known
                vulnerabilities.

                On the Atomic host I created, I updated the /etc/atomic.conf
                file and added the line:
                'default_scanner: openscap'

                However, the change does not work for me:

                atomic scan --list
                There are no scanners configured for this system.

                What am I doing wrong?


                CAH info:

                centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/alpha
                       Version: 7.2017.15 (2017-01-31 00:49:10)


            I don't think the 'atomic scan' command will work right out of
            the box with just that configuration.

            You'll need to specify a scanner definition in '/etc/atomic.d/'
            like shown here:


            https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap

            That should get you going in the right direction.






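The CentOS CPE workaround quoted from the CentOS forum above, as an added example that is not part of this thread: a Python script that inserts the CentOS platform element directly after each RHEL platform element in an SSG datastream such as /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml. It generalizes the forum's RHEL 6 recipe to any RHEL major version and is safe to re-run; the script name and the embedded profile fragment are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches a platform element naming a RHEL CPE; the indentation and major
# version are captured so the added CentOS line can mirror both.
RHEL_PLATFORM = re.compile(
    r'^(?P<indent>[ \t]*)<platform\s+idref="cpe:/o:redhat:enterprise_linux:'
    r'(?P<ver>\d+)"\s*/>[ \t]*$'
)


def add_centos_platforms(xml_text: str) -> tuple[str, int]:
    """Insert a CentOS platform line after each RHEL platform line.

    Idempotent: a RHEL line already followed by its CentOS twin is skipped.
    Returns (rewritten text, number of lines added); all other bytes are kept.
    """
    lines = xml_text.split('\n')
    out, added = [], 0
    for i, line in enumerate(lines):
        out.append(line)
        m = RHEL_PLATFORM.match(line)
        if not m:
            continue
        centos = f'{m["indent"]}<platform idref="cpe:/o:centos:centos:{m["ver"]}"/>'
        following = lines[i + 1].strip() if i + 1 < len(lines) else ''
        if following != centos.strip():
            out.append(centos)
            added += 1
    return '\n'.join(out), added


# Constructed XCCDF profile fragment standing in for the SSG datastream
# (not copied from a real ssg-rhel6-ds.xml).
SAMPLE_DS = """\
<Profile id="xccdf_org.ssgproject.content_profile_standard">
  <title>Standard System Security Profile</title>
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <select idref="xccdf_org.ssgproject.content_rule_example" selected="true"/>
</Profile>
"""

if __name__ == '__main__':
    # e.g. python add_centos_cpe.py /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml
    target = Path(sys.argv[1])
    patched, n = add_centos_platforms(target.read_text(encoding='utf-8'))
    target.write_text(patched, encoding='utf-8')
    print(f'{target}: added {n} CentOS platform line(s)')
```

Work on a copy of the datastream: the edit only declares the profile applicable to CentOS, it does not change the OVAL checks behind the rules.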