Compliance For Containers Using SCAP Content

Transcription

Compliance for Containers using SCAP Content
Watson Sato, Software Engineer
Gabriel Alford, Technical Account Manager
2018.01.26

SCAP: Security Content Automation Protocol

NIST Certified SCAP scanners
  - IBM BigFix Compliance
  - Nexpose
  - OpenSCAP
  - Qualys
  - SCAP Compliance Checker (SCC)
  - Security Center (Nessus)
  - Secutor Compliance Automation Toolkit
Source: https://nvd.nist.gov/scap/validated-tools

Agenda
  - Scope
  - Scanning containers
  - Remediating containers
  - Challenges
  - Future Plans
  - Q&A

Scope
  - OpenSCAP tools to scan and remediate containers
  - Use existing SCAP content
  - Differences between scanning/remediating a machine and a container
Not in Scope
  - The SCAP standard itself
  - Writing SCAP content

Scanning Containers

Workflow
  SCAP Scanner: OpenSCAP
  SCAP Content:
    - CVE feed, from the Linux distribution
    - Policy or Standard, from the SCAP Security Guide (SSG)
  Target: Containers

Scanning Containers: Tools
  oscap-docker: wrapper on the openscap scanner
  atomic scan: openscap scanner container, based on openscap-daemon
Types of scan
  - Known vulnerabilities
  - Configuration compliance

Scanning Containers: oscap-docker
  - Mounts and scans the container image filesystem
  - Offline scan
  Where to get it? The openscap-containers package
  Usage examples
    - Scan for known vulnerabilities in the RHEL7 image
    - Scan for compliance of Fedora against the Common Baseline

oscap-docker - known vulnerabilities
  Syntax:  oscap-docker image-cve <image>
  Example: $ sudo oscap-docker image-cve [...]
  Output:
    Definition oval:com.redhat.rhsa:def:20180061: false
    Definition oval:com.redhat.rhsa:def:20180029: false
    Definition oval:com.redhat.rhsa:def:20180023: false
    Definition oval:com.redhat.rhsa:def:20173263: true

oscap-docker - known vulnerabilities (with an explicit CVE feed)
  Syntax:  oscap-docker image <image> oval eval <cve-feed>
  Example:
    $ wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
    $ sudo oscap-docker image registry.access.redhat.com/rhel7 oval eval ./Red_Hat_Enterprise_Linux_7.xml
  Output:
    Definition oval:com.redhat.rhsa:def:20180061: false
    Definition oval:com.redhat.rhsa:def:20180029: false
    Definition oval:com.redhat.rhsa:def:20180023: false
    Definition oval:com.redhat.rhsa:def:20173263: true

oscap-docker - configuration compliance
  Syntax:  oscap-docker image <image> xccdf eval --profile <profile> <policy>
  Example:
    $ sudo oscap-docker image docker.io/library/fedora \
          xccdf eval --profile common [...]
  Output:
    Title   Verify and Correct File Permissions with RPM
    Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
    Result  fail

Scanning Containers: atomic scan
  - Mounts and scans the container image filesystem
  - Offline scan
  - SCAP content already bundled within
  Where to get it?
    $ docker pull openscap/openscap
    $ sudo atomic install openscap/openscap
  Usage examples
    - Scan for known vulnerabilities in the RHEL7 image
    - Scan for compliance of Fedora against the Common Baseline

atomic scan - known vulnerabilities
  Syntax:  atomic scan <image>
  Example: $ sudo atomic scan registry.access.redhat.com/rhel7
  Output:
    registry.access.redhat.com/rhel7 (cf55adcfe21a6f2)
    The following issues were found:
      RHSA-2017:3263: curl security update (Moderate)
        Severity: Moderate
        RHSA ID: RHSA-2017:3263-01
        RHSA URL: [...]
        Associated CVEs:
          CVE ID: CVE-2017-1000257
          CVE URL: [...]7-1000257
    Files associated with this scan are [...]565.

atomic scan - configuration compliance
  Syntax:  atomic scan --scan_type configuration_compliance --scanner_args profile=<profile> <image>
  Example:
    $ sudo atomic scan --scan_type configuration_compliance \
          --scanner_args profile=common docker.io/fedora
  Output:
    docker.io/fedora (422dc563ca3260a)
    The following issues were found:
      Verify and Correct File Permissions with RPM
        Severity: Low
        XCCDF result: fail
    Files associated with this scan are [...]202.
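The two scanner outputs shown on the slides above (the oscap-docker/OVAL "Definition ...: true|false" lines and the atomic scan "Severity:" / "XCCDF result:" blocks) are what a build pipeline would actually act on. The following script is an added example, not code from the talk or from the OpenSCAP project: it parses both formats and turns them into a pass/fail gate. It assumes only the output formats transcribed on the slides; both sample outputs are constructed from the slide text (the second failed rule is made up for the sample). In Red Hat's OVAL feed a definition that evaluates to "true" means the image is affected by that advisory, which is why the single "true" on slide 10/11 corresponds to the RHSA-2017:3263 finding on slide 14.

```shell
#!/bin/sh
# Added example (not from the slides): gate on oscap-docker / atomic scan output.

# A Red Hat OVAL definition evaluating to "true" means the advisory applies
# and the fixed package is NOT present, i.e. the image is affected.
oval_affected() {
  # stdin: OVAL eval output; stdout: one affected definition ID per line
  awk '/^Definition oval:/ && $NF == "true" { sub(/:$/, "", $2); print $2 }'
}

# oval:com.redhat.rhsa:def:20173263 -> RHSA-2017:3263 (year, then advisory number)
rhsa_from_def() {
  n=${1##*:}                       # 20173263
  echo "RHSA-${n%????}:${n#????}"  # RHSA-2017:3263
}

# atomic scan lists only failed rules: an indented title, then "Severity:",
# then "XCCDF result: fail". Emit "<severity><TAB><title>" for each failure.
xccdf_failures() {
  awk '
    /^[[:space:]]+Severity:/     { sev = $2; next }
    /^[[:space:]]+XCCDF result:/ { if ($3 == "fail") printf "%s\t%s\n", sev, title; next }
    /^[[:space:]]+[^[:space:]]/  { sub(/^[[:space:]]+/, ""); title = $0 }
  '
}

# Constructed from the output on the oscap-docker slides.
OVAL_SAMPLE=$(cat <<'EOF'
Definition oval:com.redhat.rhsa:def:20180061: false
Definition oval:com.redhat.rhsa:def:20180029: false
Definition oval:com.redhat.rhsa:def:20180023: false
Definition oval:com.redhat.rhsa:def:20173263: true
EOF
)

# Constructed from the atomic scan slide; the second rule is invented for the sample.
ATOMIC_SAMPLE=$(cat <<'EOF'
docker.io/fedora (422dc563ca3260a)

The following issues were found:

     Verify and Correct File Permissions with RPM
          Severity: Low
          XCCDF result: fail

     Set Minimum Password Length
          Severity: Medium
          XCCDF result: fail

Files associated with this scan are in <scan-dir>
EOF
)

# gate <oval-output> <atomic-output>: print findings, return 0 only when both are clean.
gate() {
  rc=0
  for def in $(printf '%s\n' "$1" | oval_affected); do
    echo "vulnerable: $(rhsa_from_def "$def") ($def)"
    rc=1
  done
  failures=$(printf '%s\n' "$2" | xccdf_failures)
  if [ -n "$failures" ]; then
    printf '%s\n' "$failures" | while IFS="$(printf '\t')" read -r sev title; do
      echo "non-compliant: [$sev] $title"
    done
    rc=1
  fi
  return $rc
}

if gate "$OVAL_SAMPLE" "$ATOMIC_SAMPLE"; then
  echo "gate: clean"
else
  echo "gate: findings present (exit status 1)"
fi
```

In a pipeline you would replace the two samples with the captured output of the oscap-docker and atomic scan commands from the slides and let the gate's exit status decide whether the image is promoted.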

Remediating Containers

Remediating Containers: Tools
  atomic scan with the --remediate option
  Types of scan: Configuration compliance

Remediating Containers: atomic scan --remediate
  - Performs a scan of the image
  - Uses the SCAP content bundled in the scanner image
  - Builds a fix script for the failed rules
  - Generates a new image; the original image remains unchanged
  Usage example: bring the Fedora container into compliance with the Common Baseline

atomic scan - remediate
  Syntax:  atomic scan --scan_type configuration_compliance --scanner_args profile=<profile> --remediate <image>
  Example:
    $ sudo atomic scan --scan_type configuration_compliance \
          --scanner_args profile=common --remediate docker.io/fedora
  Output (scan phase):
    docker.io/fedora (422dc563ca3260a)
    The following issues were found:
      Verify and Correct File Permissions with RPM
        Severity: Low
        XCCDF result: fail
    Files associated with this scan are [...]028.

atomic scan - remediate (continued)
  Output (remediation phase):
    Remediating f4dd208efd82967ff182.
    Remediating rule 2/39: 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'
    Successfully built 30429bccee47
    Successfully built remediated image 30429bccee47 [...]dd208efd82967ff182.
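Because --remediate leaves the original image untouched and produces a new image ID, the practical question is how to pick that ID out of the output and confirm the new image actually passes. The wrapper below is an added example, not code from the talk or the atomic project: it chains scan, remediate and re-scan using the atomic scan invocations as transcribed on the slides. Assumptions beyond the slides: that atomic scan accepts the bare image ID printed in the "Successfully built remediated image" line for the re-scan, and the sample output, which is constructed from the slide text.

```shell
#!/bin/sh
# Added example (not from the slides): scan -> remediate -> re-scan wrapper.

# Pull the new image ID out of `atomic scan --remediate` output (empty if none).
remediated_image_id() {
  awk '/^Successfully built remediated image/ { print $5; exit }'
}

# Count rules that still fail in configuration-compliance output (0 if none).
remaining_failures() {
  grep -c 'XCCDF result: fail' || true
}

# remediate_and_verify <image> [profile]
# Exit 0 if the remediated image passes, 2 if rules still fail, 1 on error.
remediate_and_verify() {
  image=$1; profile=${2:-common}
  out=$(sudo atomic scan --scan_type configuration_compliance \
          --scanner_args profile="$profile" --remediate "$image") || return 1
  new=$(printf '%s\n' "$out" | remediated_image_id)
  [ -n "$new" ] || { echo "no remediated image produced for $image" >&2; return 1; }
  echo "original $image left unchanged; remediated image: $new"
  # Verify the result the same way the deck verifies the original: re-scan it.
  # Assumption: atomic scan accepts the image ID here.
  rescan=$(sudo atomic scan --scan_type configuration_compliance \
             --scanner_args profile="$profile" "$new") || return 1
  left=$(printf '%s\n' "$rescan" | remaining_failures)
  echo "rules still failing after remediation: $left"
  [ "$left" -eq 0 ] || return 2
}

# Constructed from the remediation output on the slide; the "from <id>" tail is assumed.
REMEDIATE_SAMPLE=$(cat <<'EOF'
Remediating f4dd208efd82967ff182.
Remediating rule 2/39: 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'
Successfully built 30429bccee47
Successfully built remediated image 30429bccee47 from f4dd208efd82967ff182.
EOF
)

# With an image argument the real pipeline runs; without one, parse the sample offline.
if [ "$#" -ge 1 ]; then
  remediate_and_verify "$@"
else
  echo "remediated image id from sample: $(printf '%s\n' "$REMEDIATE_SAMPLE" | remediated_image_id)"
fi
```

Keeping the original image and tagging the remediated one separately is what makes this safe to automate: a failed re-scan (exit status 2) leaves nothing changed.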

Challenges

Challenges
  - Containers are an image, not a full instance of an operating system
  - Writing SCAP content for containers
  Physical vs Virtual vs Container
    Rule                          Physical     Virtual      Container
    Service auditd Enabled        Applicable   Applicable   Not Applicable?
    Set Minimum Password Length   Applicable   Applicable   Applicable?
    Separate Partition for /tmp   Applicable   Applicable   Not Applicable?

Challenges
  - Scanning of images is done in a chrooted environment
    - Cannot check session environment variables, e.g. env | grep JBOSS_HOME
    - Services may not exist
  - Fixes to the runtime environment do not make sense
    - Missing services
    - Missing commands

Future Plans

Future Plans
  - Writing content for container infrastructure

Q&A

THANK YOU
