SCAP
What is SCAP?
SCAP Components
OpenSCAP
What is OpenSCAP?
OpenSCAP Component
OpenSCAP Base:
OpenSCAP Daemon:
OpenSCAP Workbench:
SCAPTimony
OSCAP Anaconda Add-on
SCAP Security Guide
DEMO - OpenSCAP CLI
0. Test Environment
0.1. Download images RHEL/Centos
0.2. Deploy images
1. Install Necessary OpenSCAP Package
2. Evaluate Image with xccdf
3. Evaluate Image about CVE
4. Evaluate container with xccdf
5. Evaluate container about CVE
6. Useful Commands:
6.1. How to list profiles from xccdf file.
Atomic scan
1. What is ‘atomic scan’?
2. How atomic scan work?
3. atomic scan commands
3.1. Check Scanner
3.2. Evaluation Image/container
3.3. atomic scan help
4. OpenSCAP in Red Hat Projects
4.1. Satellite 6.2
4.2. Cloud Forms 4.1
5. Pros and Cons
5.1. Pros
5.2. Cons
6. TIP
How to start OpenSCAP workbench
Reference
Objective:
This documentation is for anyone looking for a good tool for security scanning. I assume the audience has some knowledge of RHEL/Fedora and docker. It briefly explains SCAP components such as XCCDF and OVAL, but they are not the main topic, so it might not meet your expectations in that respect. This doc concentrates on how to use OpenSCAP from the CLI and with Red Hat products. In addition, it is especially useful for OpenShift Container Platform engineers who have been asked about docker image security by customers.
Description:
Over the last few years, docker has not only been a hot topic but has also changed the development methodology: it leads developers to use docker images as part of development. Many groups and companies have started to create their own images with various libraries. For these reasons, scanning containers and images for known vulnerabilities and configuration problems is becoming more important. To cope with this, Red Hat has been building a scanning tool based on the OpenSCAP project. Apart from the tried and true OpenSCAP project, Red Hat has also started to build another tool, "atomic scan". In terms of the underlying architecture, it uses an OpenSCAP SPC (super-privileged container) that mounts the target's rootfs read-only from the host's file system, so it cannot affect the host system. Only the folder that stores the result output is writeable. This doc covers SCAP, OpenSCAP and atomic scan, and then OpenSCAP in Red Hat projects.
SCAP
What is SCAP?
Security Content Automation Protocol is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
- en.wikipedia.org/(http://goo.gl/10MH80)
SCAP Components
● XCCDF: The Extensible Configuration Checklist Description Format
● OVAL®: Open Vulnerability and Assessment Language
● CCE™: Common Configuration Enumeration
● CPE™: Common Platform Enumeration
● CVE®: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
Each component is a vulnerability-management standard in its own right, and each uses its own file format.
OpenSCAP
What is OpenSCAP?
OpenSCAP is an open source security compliance solution. In other words, it is an implementation that evaluates VMs, images and containers using the SCAP components. With OpenSCAP you can easily carry out security scanning, because it also provides the SSG (SCAP Security Guide) content.
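An XCCDF evaluation (the "Evaluate Image with xccdf" step of the demo) leaves behind an XCCDF 1.2 results file, and customers asking about image security usually want a pass/fail summary rather than the raw XML. The following is an added example, not OpenSCAP or SSG code: it parses such a results file and gates on failed rules by severity. The rule ids, target and profile in the embedded sample are constructed.

```python
# Added example (not OpenSCAP/SSG code): summarise an XCCDF 1.2 results file.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample in the shape SSG content produces; rule ids are illustrative.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <profile idref="xccdf_org.ssgproject.content_profile_sample"/>
    <target>c17b32667a26</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_a" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_b" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_c" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_e" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xml_text):
    """Return target, per-outcome counts and failed rules (highest severity first)."""
    root = ET.fromstring(xml_text)
    # --results may write a bare TestResult or a Benchmark that embeds one.
    tr = root if root.tag == XCCDF + "TestResult" else root.find(".//" + XCCDF + "TestResult")
    if tr is None:
        raise ValueError("no xccdf:TestResult element found")
    counts, failures = Counter(), []
    for rr in tr.findall(XCCDF + "rule-result"):
        outcome = rr.findtext(XCCDF + "result", default="unknown")
        counts[outcome] += 1
        if outcome == "fail":
            failures.append((rr.get("idref"), rr.get("severity", "unknown")))
    failures.sort(key=lambda f: SEVERITY_RANK.get(f[1], 0), reverse=True)
    return {"target": tr.findtext(XCCDF + "target"), "counts": dict(counts), "failures": failures}

def gate(summary, threshold="high"):
    """True when no failed rule is at or above threshold. 'error' outcomes also
    block: a rule that could not be evaluated is not evidence of compliance."""
    if summary["counts"].get("error", 0):
        return False
    return all(SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[threshold] for _, sev in summary["failures"])

if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(s["target"], s["counts"], s["failures"])
    print("gate:", "PASS" if gate(s) else "BLOCK")
```

Point it at the file written by `oscap xccdf eval --results` instead of the sample to use it on a real scan.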
OpenSCAP Component
OpenSCAP Base:
OpenSCAP Base provides the command line tool.
OpenSCAP Daemon:
The Daemon is a service that makes sure your machines and containers are evaluated
according to the schedule.
OpenSCAP Workbench:
This user friendly graphical utility offers an easy way to tailor SCAP content to your needs,
perform local or remote scans, and export results.
SCAPTimony
SCAPtimony is an open source compliance center built on top of SCAP. It gives full testimony about the compliance of your infrastructure. Users are currently advised to use SCAPtimony only through foreman_openscap, which is used in Satellite.
https://github.com/OpenSCAP/scaptimony
0. Test Environment
OpenSCAP Installed OS :
- Fedora 23
- RHEL 7.2
Security Scanning Target OS :
- RHEL 7.2 (VM) → TBD
- RHEL 7.2 (Image)
- CentOS 7 (Image)
- RHEL 7.2 (Container)
- CentOS 7 (Container)
## Type Ctrl + P + Q
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c17b32667a26 docker.io/centos "/bin/bash" 15 seconds ago Up 14 seconds evil_meninsky
5e4c4ff04211 registry.access.redhat.com/rhel7 "/bin/bash" 2 minutes ago Up 2 minutes
On RHEL:
yum install openscap openscap-utils scap-security-guide atomic
Note: openscap and scap-security-guide were already installed.
SCAP Security Guide path: /usr/share/xml/scap/ssg/content/
Fedora ships more content files in this directory than RHEL.
Atomic scan
* denotes defaults
The configuration file is /etc/atomic.conf.
On Fedora, you sometimes need to take a few more steps before you can use the SPC.
[root@localhost sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b]# atomic scan -h
usage: atomic scan [-h] [--scanner {openscap}] [--scan_type SCAN_TYPE]
[--list] [--verbose] [--rootfs [ROOTFS] | --all | --images
| --containers]
[scan_targets [scan_targets ...]]
positional arguments:
scan_targets container image
optional arguments:
-h, --help show this help message and exit
--scanner {openscap} define the intended scanner
--scan_type SCAN_TYPE
define the intended scanner
--list List available scanners
--verbose Show more output from scanning container
--rootfs [ROOTFS] Rootfs path to scan
--all scan all images (excluding intermediate layers) and
containers
--images scan all images (excluding intermediate layers)
--containers scan all containers
GSS Answer:
Broadly we'd like to handle and track fixes for Red Hat maintained images on an image-by-image or case-by-case basis. That is the recommended flow. Keep in mind that the cloud enablement team will continually be working to offer updated product images to follow along with general product releases outside of xPaaS. You can refer to this public KCS article for additional information on the goal for xPaaS image releases.
https://access.redhat.com/articles/2208321
5.1. Pros
● OpenSCAP has received NIST certification for its support of SCAP 1.2.
● Red Hat sponsors OpenSCAP.
● Red Hat supports OpenSCAP with a RHEL subscription.
● Red Hat Enterprise Linux 7 contains the OpenSCAP packages.
● OpenSCAP has started to support docker images/containers.*
● Red Hat has integrated OpenSCAP with Red Hat products (Satellite 6.2 / CloudForms 4.1).**
* It can scan only RHEL-based docker images/containers.
** It is officially supported from Satellite 6.2 / CloudForms 4.1.
5.2. Cons
- Can evaluate RHEL-based images only.
6. TIP
Reference
RHEL 7 Security Guide, "Compliance and Vulnerability Scanning":
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Compliance_and_Vulnerability_Scanning.html#sect-Security_Compliance_in_RHEL