In the following tutorial we will show how to perform a SCAP-based security scan of RHEL 7 Docker containers and images.
This tutorial also describes some basic usage of Docker. If you already have a running RHEL 7 Docker container, you can skip those sections and go directly to the Install oscap-docker section.
As the official website docker.com says, “Docker is an open platform for building, shipping and running distributed applications”.
That sentence probably doesn’t help you understand what Docker is, so I will use some abstraction/simplification to describe it.
Docker is chroot on steroids. It allows you to create a container holding some Linux-based distribution. This container can contain your application together with its preinstalled dependencies and the settings your application requires, so you can deploy this whole package to your customer as a Docker image.
To get an environment where you can run Docker containers, you can install Red Hat Enterprise Linux 7 (RHEL 7) as a container host. To make the docker package available via yum, you have to enable the RHEL Extras repository. Here is a step-by-step guide to installing Docker on your RHEL 7 host:
# subscription-manager repos --enable=rhel-7-server-extras-rpms
# subscription-manager repos --enable=rhel-7-server-optional-rpms
# yum install docker docker-registry
# yum install device-mapper-libs device-mapper-event-libs
# systemctl enable docker.service
# systemctl start docker.service
# systemctl status docker.service
Docker is controlled by the docker command-line tool.
This section should help you create the RHEL 7 based container which we want to scan.
At first, we have to get a Docker image; it can be downloaded to our computer using the command below:
# docker pull rhel7
We can get a list of the downloaded images by
# docker images
We can see the list of downloaded images, including the required RHEL 7 image.
(Screenshot: list of Docker images)
We downloaded the required image in the previous paragraph; now we want to run a container from that image.
# docker run --name "our-rhel7-container" -ti registry.access.redhat.com/rhel7 /bin/bash
This command starts a new container called “our-rhel7-container” and gives us an interactive shell in it. We can see that we have connected from a RHEL 7.2 beta host to a container with RHEL 7.1. We can leave the container by typing exit in the container’s shell. You can get a list of running containers by
# docker ps
or a list of all containers (running and not running) by
# docker ps -a
(Screenshot: inside the Docker container)
The OpenSCAP tools are split into several packages, each containing multiple utilities. We want to use the oscap-docker utility from the package called openscap-utils. You can install it by:
# yum install openscap-utils
oscap-docker is a simple tool providing an interface for using oscap in a Docker environment. It allows you to scan Docker images and running containers almost the same way you would scan the local machine.
At this point, we have installed all the required tools and prepared the environment for performing a security scan.
We need a running container, but fortunately we can reuse the container from the previous sections. To start this container again, we can use this command:
# docker start our-rhel7-container
The usage of oscap-docker is quite simple; the command usually has this format:
# oscap-docker <image/container>[-cve] <image/container identifier> <oscap parameters>
Now we can perform a CVE scan of our container by running the command below. It generates an OVAL results file and a human-readable HTML report.
# oscap-docker container-cve our-rhel7-container
(Screenshot: Docker container CVE scan)
There is also an option to scan a container with your own security policy. We will use SSG (SCAP Security Guide) in this example. At first, we have to install it; the package installs the SSG SCAP security content into “/usr/share/xml/scap/ssg/content/”.
# yum install scap-security-guide
Scan docker container with custom policy
Now we perform the scan using the custom content.
# oscap-docker container our-rhel7-container oval eval \
    --results oval-results.xml --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
You can also scan Docker images the same way; modify the previous command as follows to scan an image:
# oscap-docker image registry.access.redhat.com/rhel7 oval eval \
    --results oval-results.xml --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
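The commands above leave you with an oval-results.xml file, but the tutorial does not show what to do with it once the scan is finished. The script below is an added example (not part of the original tutorial or of the oscap-docker project): it wraps the container/image OVAL scan shown above and then counts how many OVAL definitions in the results file ended with each result value, so the outcome can be checked from a shell without opening the HTML report. It assumes the SSG content path from the tutorial, the output file names oval-results.xml / oval-report.html, and the <definition ... result="..."/> layout oscap writes in the results section. Keep in mind that the meaning of result="true" depends on the definition class: for the patch/vulnerability definitions used by the CVE scan, true means the container is affected, while for the compliance definitions in the SSG content, true means the check passed. The sample results file written by write_sample_results is constructed for trying the counter offline.

```shell
#!/bin/bash
# Added example, not code from the original tutorial or from oscap-docker.
set -u

# Assumption: SSG RHEL 7 OVAL content installed by scap-security-guide
# (path taken from the tutorial).
SSG_OVAL=/usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

# Run an OVAL evaluation of a container or image.
# $1 = "container" or "image", $2 = identifier, $3 = output file prefix (assumed names).
scan_target() {
    local kind="$1" target="$2" prefix="$3"
    oscap-docker "$kind" "$target" oval eval \
        --results "${prefix}-results.xml" \
        --report  "${prefix}-report.html" \
        "$SSG_OVAL"
}

# Count OVAL definitions in a results file whose evaluation ended with the
# given value (true, false, error, unknown, "not evaluated", "not applicable").
# grep is used so this works without an XML toolchain; only elements carrying a
# result attribute are matched, so the embedded definition copies are ignored.
count_oval_results() {
    local file="$1" value="$2"
    grep -o "<definition [^>]*result=\"$value\"" "$file" | wc -l | tr -d ' '
}

# Print one line per result value for a results file.
summarize_results() {
    local file="$1" v
    for v in true false error unknown "not evaluated" "not applicable"; do
        printf '%-15s %s\n' "$v" "$(count_oval_results "$file" "$v")"
    done
}

# Constructed sample of the <results> section of an OVAL results file,
# for trying the counter without a running scan.
write_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example.sample:def:1" version="1" result="true"/>
        <definition definition_id="oval:com.example.sample:def:2" version="1" result="true"/>
        <definition definition_id="oval:com.example.sample:def:3" version="1" result="false"/>
        <definition definition_id="oval:com.example.sample:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF
}

# Usage:  ./oval-scan.sh --demo                       (summarise the sample file)
#         ./oval-scan.sh container our-rhel7-container (scan, then summarise)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_results "$tmp"
    summarize_results "$tmp"
    rm -f "$tmp"
elif [ $# -ge 2 ]; then
    prefix="${3:-oval}"
    scan_target "$1" "$2" "$prefix"
    summarize_results "${prefix}-results.xml"
fi
```

The same counter can be run on the results file produced by the container-cve scan earlier in the tutorial, since that scan also writes OVAL results; there, any definition with result="true" is a CVE the container is still exposed to and deserves a look in the HTML report.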
You can get more information about oscap-docker using oscap-docker --help or man oscap-docker.