Security scan a RHEL7 Docker image & container


Scenario

You have a running Docker environment with a RHEL7 base image downloaded and running. The security folks are breathing down your neck for proof that the Docker images and containers are safe. Your challenge...prove it.

We will use OpenSCAP, the open-source implementation of the Security Content Automation Protocol (SCAP), and specifically its Docker front end, oscap-docker.

We will install the packages provided through the Red Hat/CentOS channels, but the packages are also available at the link below if you prefer to download them directly.
https://github.com/OpenSCAP/container-compliance

Prerequisites

Install the openscap-utils package which contains the oscap-docker command.

# yum install openscap-utils -y

Additionally, install the SCAP Security Guide, which provides predefined security policies (e.g. PCI DSS). You can also create custom security policies if you wish.

# yum install scap-security-guide -y

Create a directory where to store your scan results.

# mkdir /oscap

CVE Scans

Perform a Common Vulnerabilities and Exposures (CVE) scan of a Docker image.

# oscap-docker image-cve myprivatedockerregistry:5000/mydockerimage --results /oscap/mydockerimage-results-cve.xml --report /oscap/mydockerimage-report-cve.html

Perform the same CVE scan of a container.

# oscap-docker container-cve mycontainer --results /oscap/mycontainer-results-cve.xml --report /oscap/mycontainer-report-cve.html

PCI DSS Scans

Perform a Payment Card Industry Data Security Standard (PCI DSS) scan of a Docker image.

# oscap-docker image myprivatedockerregistry:5000/mydockerimage xccdf eval --results /oscap/mydockerimage-results-pci-dss.xml --report /oscap/mydockerimage-report-pci-dss.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Perform the same PCI DSS scan of a container.

# oscap-docker container mycontainer xccdf eval --results /oscap/mycontainer-results-pci-dss.xml --report /oscap/mycontainer-report-pci-dss.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

The oscap-docker command uses the same switches and parameters as the oscap command.
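Once the --results file exists, the next step is acting on it, for instance failing a build when any rule fails. The following POSIX shell script is an added example, not code from the original post or from the OpenSCAP project: it summarises an XCCDF results file written by xccdf eval --results and works against a constructed, trimmed results file with hypothetical rule ids that mimics the layout of real output.

```shell
#!/bin/sh
# Summarise XCCDF results from "oscap-docker ... xccdf eval --results FILE"
# and expose a pass/fail gate for CI. The sample below is constructed and
# uses hypothetical rule ids; it only mirrors the shape of real results.
SAMPLE_XCCDF="$(mktemp)"
cat > "$SAMPLE_XCCDF" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_a" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail_b" severity="medium">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF

# count_result FILE STATUS: number of rule-results whose <result> is STATUS
# (grep -c prints 0 but exits 1 when nothing matches, hence "|| true")
count_result() {
    grep -c "<result>$2</result>" "$1" || true
}

# failed_rules FILE: print the idref of every rule whose result is "fail";
# the idref sits on the <rule-result> line, the verdict on the next line
failed_rules() {
    awk '/<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/ { print id }' "$1"
}

# scan_passed FILE: succeed only when no rule failed (usable as a CI gate)
scan_passed() {
    [ "$(count_result "$1" fail)" -eq 0 ]
}

echo "pass: $(count_result "$SAMPLE_XCCDF" pass)  fail: $(count_result "$SAMPLE_XCCDF" fail)"
failed_rules "$SAMPLE_XCCDF"
scan_passed "$SAMPLE_XCCDF" || echo "scan has failing rules; image is not compliant"
```

Point the functions at /oscap/mydockerimage-results-pci-dss.xml from the command above to gate on a real scan; the HTML --report remains the place to read the remediation text for each failed rule.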

For additional information, check the man page.

# man oscap-docker

I highly recommend patching your Docker image before running the scans (primarily the CVE scan). An all-green scan equals a happy security department. To learn how to patch RHEL7 Docker images, click here.