Configuring and running a Container Scan Job
To scan your containers and images, you run an NSH Script Job named RHEL Container Scan Job or CentOS Container Scan Job (depending on the type of containers and images that you want to scan). This job is provided out-of-the-box. Before running the job, you must configure several parameters and specify the target servers. You can then schedule the job to run immediately or at a future time.
Before you begin
To perform SCAP compliance analysis of containers and images, target servers must meet the following requirements:
- Red Hat Enterprise Linux (RHEL) as the operating system.
- RSCD agents of version 8.6 or later installed.
- Docker Daemon installed.
- OpenSCAP installed.
- Docker containers on the host servers are based on RHEL 6.x or CentOS 6.x base images.
To scan containers and images for SCAP compliance
- Under the Jobs folder, navigate to Container Compliance > OS Container Compliance, where OS is either RHEL or CentOS.
- In this folder, right click the Container Scan Job, and select Open.
Job settings are displayed in a group of tabs in the content editor on the right. You can keep the defaults for many of these settings. The following steps focus on the settings that you need (or might want) to customize.
On the Targets tab, click Add Servers . Then, in the Select Servers/Groups dialog box, select the target servers where you want to analyze the compliance of containers or images.
To simplify the choice of target servers, you can prepare a smart group that groups together servers that have containers, based on the server property SERVER_CONTAINER_TYPE. For example, you can define the following conditions:
- Any Server Where ??SERVER_CONTAINER_TYPE?? equals "RHEL DOCKER Container"
- Any Server Where ??SERVER_CONTAINER_TYPE?? equals "CentOS DOCKER Container"
On the Parameters tab, set values for NSH script parameters. You can either keep the default values or enter a new value for any of these parameters in the Value column.
Parameter Description CONCURRENT_SCANS The maximum number of containers or images to scan concurrently (that is, in parallel). SCAN_TYPE
The type of scan to perform, that is, which type of objects to scan and analyze. Specify one of the following values: CONTAINER (the default), IMAGE, or BOTH.
TMP_LOCATION A path to a temporary location in which the job will untar images. The default is /tmp.
It is not recommended that you modify any of the other NSH script parameters. These parameters include references to another auxiliary Deploy Job (controlled by the JOB_FOLDER and JOB_NAME properties) and to the custom software package (the CUSTOM_SOFTWARE_FOLDER and CUSTOM_SOFTWARE_NAME properties).
- On the Schedules tab, click New Schedule . Then, in the Scheduling box, schedule a one-time or recurring job run.
- Save the job to apply all changes.
The Container Scan Job runs according to the defined schedule and analyzes SCAP compliance of the containers or images on the containerized target servers.