jmarin / container_sec


Container Security with OpenSCAP

Introduction

This repository includes a proof of concept for assessing the compliance of Docker images through the SCAP standard. A full virtual host is prepared with Docker installed, so a user can pull down a Docker image and run a compliance check on it, according to several different profiles included by default. The OpenSCAP ecosystem allows for customization of these profiles as required by the end user.

Running

This project requires Vagrant, VirtualBox and Ansible to run. It has been tested with Vagrant 1.7.2, VirtualBox 4.3.20 and Ansible 1.8.3, but newer versions should work. Older versions may or may not work.

In order to bring up the sample VM, from the root directory of this repository:

vagrant up

This will boot the virtual machine, which is configured with CentOS 7 as the host operating system. The Ansible build script will install some dependencies as well as the OpenSCAP tools, including the OpenSCAP Security Guide. It will also copy recent files produced by building the SCAP Security Guide from source code (see the reference below).

Once the virtual machine is done building, you can connect to it with vagrant ssh, become root, and make sure the PATH environment variable includes /usr/local/bin, where the OpenSCAP tools are installed:

sudo su
export PATH=$PATH:/usr/local/bin

To test compliance of the host operating system, you can run the following:

oscap xccdf eval --profile stig-rhel7-server-upstream ssg-centos7-xccdf.xml

You will see many fail messages, since this virtual machine has not been hardened according to the Red Hat Draft STIG for RHEL7.

The process for scanning Docker images is very similar. The rest of the commands need to be run as root (so that the docker commands can be used).

To test for image/container compliance, first pull down a CentOS/RHEL based image:

docker pull rhel7.1

Confirm that the image has been pulled by checking the output of docker images.

Scan the image by issuing the following command.

oscap-docker image rhel7.1 xccdf eval --profile stig-rhel7-server-upstream --report /tmp/rhel7syslog.html ssg-rhel7-xccdf.xml

This checks against the Pre-release Draft STIG for Red Hat Enterprise Linux 7 Server profile. In order to see a list of available profiles you can run:

oscap info "ssg-rhel7-xccdf.xml"
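The host scan and the image scan above are the two halves of one workflow; the following script is an added example (not code from the container_sec repository) that wraps both. It builds the two oscap command lines, keeps the machine-readable XCCDF results beside the HTML report through oscap's standard --results flag, counts pass/fail/notapplicable rule results in that file, and exposes an exit status that mirrors oscap's own convention for xccdf eval (0 when every rule passed, 2 when at least one failed, 1 on error), which is what a CI job would gate on. It assumes oscap and oscap-docker are on PATH, that the datastream file names and profile id are the ones used in this README, and that it runs as root so oscap-docker can reach the Docker daemon. The results file it summarizes at the end is constructed inline in the shape oscap writes, not captured from a real scan; the rule ids in it are placeholders.

```shell
#!/bin/sh
# Added example; not code from the container_sec repository. Wraps the host and
# Docker image scans from the README, keeps the XCCDF results next to the HTML
# report (oscap's --results flag), and summarizes them for a CI gate.
# Assumed: oscap/oscap-docker on PATH, README datastream/profile names, root.

# Print the command for one scan. $1 is "host" or a Docker image name,
# $2 the XCCDF profile id, $3 the datastream XML, $4 the output basename
# (the HTML report goes to $4.html, the XCCDF results to $4.xml).
build_scan_cmd() {
    if [ "$1" = host ]; then
        printf 'oscap xccdf eval --profile %s --report %s.html --results %s.xml %s\n' \
            "$2" "$4" "$4" "$3"
    else
        printf 'oscap-docker image %s xccdf eval --profile %s --report %s.html --results %s.xml %s\n' \
            "$1" "$2" "$4" "$4" "$3"
    fi
}

# Count rule results of one kind (pass, fail, notapplicable, notchecked, ...)
# in an XCCDF results file; oscap writes each <result> element on its own line.
count_results() {
    kind=$1; file=$2
    [ -r "$file" ] || { echo 0; return 0; }
    grep -c "<result>$kind</result>" "$file" || true
}

# Exit status follows oscap's convention for "xccdf eval": 0 when every
# evaluated rule passed, 2 when at least one rule failed, 1 on error.
compliance_gate() {
    file=$1
    [ -r "$file" ] || return 1
    fails=$(count_results fail "$file")
    [ "$fails" -eq 0 ] && return 0
    return 2
}

# Constructed fragment in the shape of an oscap XCCDF results file, used only so
# the summary can be exercised without the VM; rule ids are placeholders.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_stig-rhel7-server-upstream">
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_a" time="2015-01-01T00:00:00">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_b" time="2015-01-01T00:00:00">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_c" time="2015-01-01T00:00:00">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_d" time="2015-01-01T00:00:00">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Demo: print both scan commands, then summarize the constructed results file.
demo() {
    tmp=$(mktemp -d)
    build_scan_cmd host stig-rhel7-server-upstream ssg-centos7-xccdf.xml "$tmp/host"
    build_scan_cmd rhel7.1 stig-rhel7-server-upstream ssg-rhel7-xccdf.xml "$tmp/rhel7"
    write_sample_results "$tmp/rhel7.xml"
    printf 'pass=%s fail=%s notapplicable=%s\n' \
        "$(count_results pass "$tmp/rhel7.xml")" \
        "$(count_results fail "$tmp/rhel7.xml")" \
        "$(count_results notapplicable "$tmp/rhel7.xml")"
    compliance_gate "$tmp/rhel7.xml" || echo "gate status $?: image has failing rules"
    rm -rf "$tmp"
}

demo
```

To use it against a real image, run the printed command (as root, inside the VM) with eval or by pasting it, then point compliance_gate at the .xml it produced; the HTML report stays the human-readable view while the XCCDF results file is what the counts and the gate read.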

References

The following resources have been helpful in putting together this proof of concept.
