atomic cli scan
TRANSCRIPT
Configuration flaws
● Not following security policies
  ○ Example: Weak password settings
● Not using correct access control
Software vulnerabilities
● Undiscovered vulnerabilities
● Known vulnerabilities
  ○ Common Vulnerabilities and Exposures (CVE®)
Common Vulnerabilities and Exposures (CVE®)
● Publicly known cybersecurity vulnerabilities
● Examples:
  ○ Heartbleed: CVE-2014-0160
    ■ OpenSSL
  ○ Shellshock: CVE-2014-6271
    ■ GNU Bash
atomic scan
● Scan a container or container image for CVEs.
● Can scan all images or containers at once.
● Plugin architecture for the scan tool.
● Run from the atomic CLI.
How does this work?
● Detect the operating system
● Get the appropriate CVE feed from the vendor
● Check the image or container with OpenSCAP
● Parse the results
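The last step of that pipeline, turning the scanner's output into a list of CVEs, is shown below as an added example; it is not atomic's own code. It assumes OpenSCAP was run as an OVAL evaluation against a vendor CVE feed (the `oscap oval eval` workflow), which yields an OVAL results document: a copy of the vendor definitions, each carrying CVE references, followed by a per-definition result where `true` means the vulnerable condition matched on the scanned filesystem. The XML below is a constructed, heavily trimmed stand-in for such a document; the definition ids, advisory titles and the third CVE id are placeholders.

```python
import xml.etree.ElementTree as ET

# Real OVAL 5.x namespace URIs used by OpenSCAP results documents.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample. A real results file from `oscap oval eval` also carries
# the tests, objects, states and collected system data; only the parts needed
# to map a result back to CVE ids are kept here. "oval:example:*" ids and
# CVE-0000-0001 are placeholders, not real identifiers.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:example:def:1" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>Example advisory: openssl security update (Critical)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-2014-0160"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example:def:2" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>Example advisory: bash security update (Important)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-2014-6271"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example:def:3" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>Example advisory: kernel security update (Moderate)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" result="true" version="1"/>
        <definition definition_id="oval:example:def:2" result="true" version="1"/>
        <definition definition_id="oval:example:def:3" result="false" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Return one finding per definition whose result is "true".

    Each finding is a dict with the definition id, its advisory title and
    the CVE ids referenced by that definition. Results other than "true"
    ("false", "error", "unknown", "not applicable", ...) are skipped, so an
    evaluation error never silently counts as "patched".
    """
    root = ET.fromstring(xml_text)

    # Index the embedded definitions (definitions namespace) by id.
    definitions = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [
            r.get("ref_id")
            for r in d.iterfind("def:metadata/def:reference", NS)
            if r.get("source") == "CVE"
        ]
        definitions[d.get("id")] = (title, cves)

    # Walk the per-system results (results namespace) and join on the id.
    findings = []
    for r in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") != "true":
            continue
        def_id = r.get("definition_id")
        title, cves = definitions.get(def_id, ("<definition not in document>", []))
        findings.append({"definition": def_id, "title": title, "cves": cves})
    return findings


def affected_cves(findings):
    """Flatten findings into a sorted, de-duplicated list of CVE ids."""
    return sorted({cve for f in findings for cve in f["cves"]})


if __name__ == "__main__":
    report = parse_oval_results(SAMPLE_RESULTS)
    for f in report:
        print(f"{f['definition']}: {f['title']} -> {', '.join(f['cves'])}")
    print("Affected CVEs:", ", ".join(affected_cves(report)))
</test>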
CVE®
● The CVE List is maintained by The MITRE Corporation (not for profit).
● Sponsored by the United States Computer Emergency Readiness Team.
● National Vulnerability Database (NVD):
  ○ Superset of the CVE list.
  ○ Contains additional analysis, a database and a fine-grained search engine.
  ○ Maintained by the US National Institute of Standards and Technology (NIST).
  ○ Data represented using the Security Content Automation Protocol (SCAP).
SCAP
● SCAP is a line of compliance standards managed by NIST.
● Provides a standardized approach to security, e.g.
  ○ Automatically verifying the presence of patches
  ○ Checking system security configuration settings
  ○ Examining systems for signs of compromise
OpenSCAP
● Creates a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
● Awarded the SCAP 1.2 certification by NIST in 2014.
Demo: SCAP Workbench
On Fedora 23
● $ sudo dnf install scap-security-guide
● $ sudo dnf install scap-workbench
References:
● http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/
● https://access.redhat.com/documentation/en-US/Red_Hat_Network_Satellite/5.5/html/User_Guide/chap-Red_Hat_Network_Satellite-User_Guide-OpenSCAP.html
● https://cve.mitre.org/about/
● https://www.youtube.com/watch?v=DxMd0T9_apo