atomic cli scan

Atomic scan With OpenSCAP

Upload: lalatendu-mohanty

Post on 06-Jan-2017


Atomic scan With OpenSCAP

$whoami

● Lalatendu Mohanty

● Twitter: @lalatenduM

● lalatendu.org

System security (Software)

● Software vulnerabilities

● Configuration flaws

Configuration flaws

● Not following security policies

○ Example: Weak password settings

● Not using correct access control

Software vulnerabilities

● Undiscovered vulnerabilities

● Known vulnerabilities

○ Common Vulnerabilities and Exposures (CVE®)

Common Vulnerabilities and Exposures (CVE®)

● Publicly known cybersecurity vulnerabilities

● Example:

○ Heartbleed: CVE-2014-0160

■ OpenSSL

○ Shellshock: CVE-2014-6271

■ GNU Bash

atomic scan

● Scan a container or container image for CVEs.

● Can scan all images or containers at once.

● Plugin architecture for scan tool.

From atomic CLI

How does this work?

● Detect the operating system

● Get the appropriate CVE feed from vendor

● Check the image or container with OpenSCAP

● Parse the results
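The first and last steps above, sketched as an added example (not code from the atomic project or from the talk). It assumes the OS is identified from `/etc/os-release` content and that OpenSCAP wrote an OVAL results document; the results XML, the definition ids and the `detect_os` / `parse_findings` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed samples (not real scan output): os-release text and OVAL results.
OS_RELEASE = 'ID="rhel"\nVERSION_ID="7.3"\n'
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition id="oval:example:def:1" class="patch"><metadata>
   <title>Constructed advisory: openssl</title>
   <reference source="CVE" ref_id="CVE-2014-0160"/></metadata></definition>
  <definition id="oval:example:def:2" class="patch"><metadata>
   <title>Constructed advisory: bash</title>
   <reference source="CVE" ref_id="CVE-2014-6271"/></metadata></definition>
 </definitions></oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" result="true"/>
  <definition definition_id="oval:example:def:2" result="false"/>
 </definitions></system></results>
</oval_results>"""


def detect_os(os_release_text):
    """Detect the OS: return (ID, VERSION_ID) from os-release content."""
    fields = {}
    for line in os_release_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip("\"'")
    return fields.get("ID", "unknown"), fields.get("VERSION_ID", "")


def parse_findings(results_xml):
    """Parse the results: definitions that evaluated true, with their CVEs."""
    root = ET.fromstring(results_xml)
    meta = {}  # definition id -> (title, [CVE ids]) from the embedded feed
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.findtext("def:metadata/def:title", "", NS), cves)
    findings = []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        # Assumption: in a patch-class feed, "true" means the advisory applies.
        if r.get("result") == "true" and r.get("definition_id") in meta:
            title, cves = meta[r.get("definition_id")]
            findings.append({"id": r.get("definition_id"), "title": title, "cves": cves})
    return findings
```

The OS id and version decide which vendor feed to fetch; the feed download and the OpenSCAP evaluation itself are outside this sketch.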

atomic scan options

Demo

$ atomic scan rhel

CVE®

● CVE List is maintained by The MITRE Corporation (not for profit)

● Sponsored by United States Computer Emergency Readiness Team.

● National Vulnerability Database (NVD):

○ Superset of CVE list.

○ Contains additional analysis, database and fine-grained search engine

○ Maintained by US National Institute of Standards and Technology (NIST)

○ Data represented using Security Content Automation Protocol (SCAP)

Heartbleed CVE page

● https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160

Heartbleed CVE in NVD

● https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

SCAP

● SCAP is a line of compliance standards managed by NIST.

● Provides a standardized approach to security, e.g.

○ Automatically verifying the presence of patches

○ Checking system security configuration settings

○ Examining systems for signs of compromise

OpenSCAP

● Create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.

● Awarded the SCAP 1.2 certification by NIST in 2014.

Demo SCAP Workbench on Fedora 23

● $ sudo dnf install scap-security-guide

● $ sudo dnf install scap-workbench

Questions?

Collaborate : https://github.com/projectatomic/atomic