Walkthrough: Scanning containers for SCAP compliance


This topic walks you through the process of analyzing SCAP compliance of Docker containers and images on Red Hat Enterprise Linux (RHEL) servers. The containers can be based on RHEL or CentOS base images. This topic includes the following sections:

  • Introduction
  • What does this walkthrough show?
  • What do I need to do before I get started?
  • How to prepare a smart group for containerized servers
  • How to import SCAP content
  • How to scan containers and images
  • How to view and analyze the results
  • Wrapping it up

Introduction

This topic is intended for system administrators who need to analyze the compliance of Docker containers and images.

The goal of this topic is to analyze SCAP compliance in containers and images in an environment with a relatively small number of containers.

What does this walkthrough show?

This walkthrough shows how to analyze SCAP compliance of containers in a Red Hat environment with a relatively small number of containers (for example: 2 target hosts with a total of 70 containers and images). To do this, we will obtain SCAP 1.2 content and then configure and run an out-of-box Container Scan Job. After running the Container Scan Job, we will view the results in an HTML report that summarizes and aggregates the compliance statuses of all containers, and provides drill-down options to individual containers and images.

What do I need to do before I get started?

To perform SCAP compliance analysis of containers and images, target servers must meet the following requirements:

  • Red Hat Enterprise Linux (RHEL) as the operating system.
  • RSCD agents of version 8.6 or later installed.
  • Docker Daemon installed.
  • OpenSCAP installed.
  • Docker containers on the host servers are based on RHEL or CentOS base images.

For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. 

How to prepare a smart group for containerized servers

To simplify the choice of target servers later on in the SCAP Container Scan Job, we will first create a smart group that includes all servers on which Docker containers were detected.

 

Step 1. Right-click the Servers folder, and select New > Server Smart Group.
(Example screen: newSmartGroup.png)

Step 2. For Name, enter a name for the server smart group, such as Containerized Servers.
(Example screen: smartGroupFields.png)

Step 3. In the list of conditions, define a condition in the first row:

  1. In the first column, select Server.
  2. In the second column, select SERVER_CONTAINER_TYPE.
  3. In the third column, select equals.
  4. In the fourth column, set the property value to "RHEL Docker Container".
  5. Click the Apply Changes icon (applyChanges.jpg).

The full condition is now displayed as the following text:
Any Server Where ??SERVER_CONTAINER_TYPE?? equals "RHEL DOCKER Container"
(Example screens: smartGroupCondition.png, container_SG2.jpg)

Step 4. Click Finish.

A new smart group collects all RHEL servers on which Docker containers exist.

How to import SCAP content

A custom software package named Container SCAP Policy is provided out-of-the-box in TrueSight Server Automation for the detection and analysis of containers and images. This policy includes sample SCAP 1.2 content. Typically, you will have your own, relevant SCAP 1.2 content for the analysis of your containers and images, so you can replace the sample SCAP content with your own SCAP content.

 

Step 1. Under the Depot folder, navigate to Container Compliance > RHEL Container Compliance > RHEL Container SCAP Policy. Right-click this custom software package, and select Open.
Note: In this walkthrough, we will be scanning containers that are based on RHEL images. A separate folder and software package are available in the depot for containers that are based on a CentOS image.
(Example screen: openPolicy.png)

Step 2. In the content editor on the right, in the list of Support Files at the bottom, select the last parameter, __SCAP_DEFINITIONS, and then click the Edit Parameter Entry icon (g_V95_UpdateIcon.gif).
(Example screen: editParam.png)

Step 3. In the Set File Parameters dialog box, in the File location field, click the Browse button and then select your SCAP 1.2 content file (an XML file) in the Select Param File Location dialog box.
(Example screen: setparams.jpg)

Step 4. Click OK in all dialog boxes.

 

How to scan containers and images

To scan your containers and images, you run an NSH Script Job named RHEL Container Scan Job. This job is provided out-of-the-box. Before running the job, you must configure several parameters and specify the target servers. You can then schedule the job to run immediately or at a future time.

 

Step 1. Under the Jobs folder, navigate to Container Compliance > RHEL Container Compliance > RHEL Container Scan Job. Right-click the job and select Open.
Note: In this walkthrough, we will be scanning containers that are based on RHEL images. A separate folder and job are available in the Jobs folder for containers that are based on a CentOS image.
(Example screen: jobTree.jpg)

Step 2. In the content editor on the right, click the Targets tab. On this tab, click the Add Servers icon (addservers.jpg). Then, in the Select Servers/Groups dialog box, select the Containerized Servers smart group that we prepared earlier.
(Example screen: targetsSet.jpg)

Step 3. Click the Parameters tab, and then set values for the following parameters. You can either keep the default values or enter a new value for any of these parameters in the Value column.

  • CONCURRENT_SCANS — The maximum number of containers or images to scan concurrently (that is, in parallel).
  • SCAN_TYPE — The type of scan to perform, that is, which type of objects to scan and analyze. Specify one of the following values: CONTAINER (the default), IMAGE, or BOTH. In this walkthrough, we will set this parameter to BOTH.
  • TMP_LOCATION — A path to a temporary location in which the job will untar images. The default is /tmp.

(Example screen: scan_prms.jpg)

Step 4. Click the Schedules tab. On this tab, click the New Schedule icon (addservers.jpg). Then, in the Scheduling box, schedule a one-time or recurring job run.
For this walkthrough, we are scheduling a one-time job run to execute immediately.
(Example screen: schedules.jpg)

Step 5. Save the job to apply all changes.

The Container Scan Job runs and analyzes SCAP compliance of the RHEL containers on the containerized target servers.
 

How to view and analyze the results

Results displayed in the TrueSight Server Automation Console direct you to an HTML report with full details about the compliance statuses of all containers and images, along with drill-down options to individual containers and images. This report is available for display in Internet Explorer (IE) and Firefox browsers.

 

Step 1. After the job completes running, navigate to Jobs > Container Compliance > RHEL Container Compliance > RHEL Container Scan Job. Right-click the job and select Show Results.
(Example screen: jobResults.png)

Step 2. In the Job Results pane on the right, right-click a successful job run and select Show Log.
(Example screen: jobResults.jpg)

Step 3. In the log (towards the top), find the log message that tells you where to find the web-based report for this job run on the file server. Make a note of this location. If you want, you can right-click the log message and select Copy to Clipboard.
(Example screen: logmsg.jpg)

Step 4. On the host computer of the file server, navigate to the location specified in the log message. You can either open the report on that computer or copy the whole folder to your own desktop and open the report there. To display the report, open the Home file in your Internet Explorer or Firefox browser.
(Example screen: reportDirs.jpg)

Step 5. When browsing the report, you have the following options for navigating the report and drilling down into more specific details:

a. The home page lists the host computers that were scanned, and provides the numbers of containers (running, stopped, and paused) and images on each one. To drill down into the details of any specific host computer, click the host name.
(Example screen: report_home.png)

b. When you drill down into a host computer, details are first displayed regarding the containers on that host.
Containers are divided into three categories — running, stopped, and paused. When you first enter the page, the table on this page displays a summary of details for the running containers. To switch to details for the containers in the other categories (stopped or paused), click View Details in the relevant colored box at the top of the page.
(Example screen: report_containers.png)

c. In the list of running containers or paused containers (but not in the list of stopped containers), you can drill down into full details about the SCAP results for any specific container. This includes a list of the rules that were used in the scan and an indication of which rules failed and which passed.

d. For details about the images on the host, click the Images link at the top of the page.
(Example screen: report_images.png)

e. In the list of images, you can drill down into full details about the SCAP results for any specific image (similar to the results displayed for running or paused containers). This includes a list of the rules that were used in the scan and an indication of which rules failed and which passed.
(Example screen: report_imgDetails.png)
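The per-container drill-down (steps c and e) is built from the XCCDF result files that oscap writes. As an added example, not part of the TrueSight report generator, the following script aggregates such files into the pass/fail summary the report shows, and adds the cross-container view (which rules fail on which containers) that the per-container pages do not give directly. The two result documents are constructed, minimal XCCDF 1.2 files keyed by made-up container IDs; real `--results` output also carries the full Benchmark, which this parser ignores.

```python
"""Added example, not BMC's report code: summarise OpenSCAP XCCDF 1.2 result
files from several containers into per-target pass/fail counts and a
fleet-wide list of failing rules."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, minimal XCCDF 1.2 result documents keyed by (made-up) container id.
SAMPLE_RESULTS = {
    "c1a2b3": """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_c1a2b3">
    <rule-result idref="xccdf_example_rule_sshd_no_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_enabled"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>""",
    "d4e5f6": """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_d4e5f6">
    <rule-result idref="xccdf_example_rule_sshd_no_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_enabled"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>""",
}


def rule_results(xml_text):
    """Map rule id -> XCCDF result string (pass, fail, notapplicable, notchecked, error, ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        node = rr.find("x:result", XCCDF_NS)
        text = (node.text or "").strip() if node is not None else ""
        results[rr.get("idref")] = text or "unknown"
    return results


def summarize(results_by_target):
    """Per-target counts, in the shape of the report's container/image summary rows.

    Anything other than pass/fail (notapplicable, notchecked, error, unknown) is
    counted as 'other' so it is visible rather than silently treated as a pass.
    """
    summary = {}
    for target, xml_text in results_by_target.items():
        counts = Counter(rule_results(xml_text).values())
        total = sum(counts.values())
        summary[target] = {"pass": counts["pass"], "fail": counts["fail"],
                           "other": total - counts["pass"] - counts["fail"],
                           "total": total}
    return summary


def failing_rules(results_by_target):
    """Rule id -> sorted list of targets failing it: the cross-container view."""
    failures = {}
    for target, xml_text in results_by_target.items():
        for rule, result in rule_results(xml_text).items():
            if result == "fail":
                failures.setdefault(rule, []).append(target)
    return {rule: sorted(targets) for rule, targets in sorted(failures.items())}


def overall_status(summary):
    """A host is only compliant when every scanned target has zero failing rules."""
    return "compliant" if all(row["fail"] == 0 for row in summary.values()) else "non-compliant"


if __name__ == "__main__":
    per_target = summarize(SAMPLE_RESULTS)
    for target, row in per_target.items():
        print(f"{target}: {row['pass']} pass, {row['fail']} fail, {row['other']} other")
    for rule, targets in failing_rules(SAMPLE_RESULTS).items():
        print(f"FAIL {rule} on {', '.join(targets)}")
    print("host status:", overall_status(per_target))
```

Running it over the two constructed files flags the empty-password rule as failing on both containers and the root-login rule on one, which is the kind of finding the walkthrough suggests using to troubleshoot images before they are redeployed.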

Wrapping it up

Congratulations! You have successfully scanned the containers and images in your environment. You can now use the information from the results of your Container Scan Job to troubleshoot issues in your containers and images.

 
