Using OpenSCAP for scanning containers in RHEL 8

Environment

Red Hat Enterprise Linux 8.1 and 8.0

Problem

The oscap-podman command, used to scan containers and container images, is available in RHEL 8.2 and newer, but RHEL 8.0 and 8.1 do not contain this utility. If you nevertheless want to scan a container on RHEL 8.0 or 8.1, despite the known limitations of the results, this article provides a workaround using an oscap-podman helper script, attached below.

Solution

The oscap-podman script feeds initial environment variables into the scanner process and prepares the container for scanning. It is attached to the article. Save this script to your home directory, rename it to oscap-podman and make it executable. Ensure that you have the openscap-scanner and scap-security-guide packages installed on the system.

To scan a podman container or image named "ubi8" (a RHEL 8 image), use the following command (root privileges are required, hence sudo):

$ sudo ./oscap-podman ubi8 xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml --fetch-remote-resources --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_ospp --oval-results --results xccdf-results-off.xml --results-arf arf-off.xml --report report-off-ospp.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml

The following sections in the RHEL 8 Security hardening title provide more information on usage of this script:

Limitations

The known limitations are similar to those of the RHEL 7 scanner:

  • system information in the report might be misleading;
  • environment variables checks are not supported;
  • the RPM probe cannot verify access rights.

Other problems can be encountered depending on the security content.
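To make sense of the results file the scan command above writes (xccdf-results-off.xml), the following Python script, an added example that is not part of this article or of the oscap-podman helper, parses the XCCDF 1.2 rule-result elements, counts outcomes, lists failed rules by severity, and separates rules the scanner could not evaluate (reported as notchecked or error), which is how checks affected by the limitations listed above show up in the output. The sample document embedded in the script is constructed for illustration; its rule ids are placeholders shaped like SCAP Security Guide ids, not real ones.

```python
"""Summarise an XCCDF 1.2 results file written by `oscap xccdf eval --results`.

Added example; not part of the Red Hat article or the oscap-podman script.
Usage: python xccdf_summary.py [xccdf-results-off.xml]
With no argument the constructed SAMPLE_RESULTS document below is used.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 9}
# Result values that mean the rule was not actually evaluated.
UNEVALUATED = {"notchecked", "error", "unknown"}

# Constructed sample results document; the rule ids are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_example"
            start-time="2020-01-01T00:00:00" end-time="2020-01-01T00:01:00">
  <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_pass" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_fail" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_envvar" severity="low">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_na" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, result) tuples.

    Uses root.iter() so it works whether the file's root element is the
    TestResult itself or a Benchmark that embeds a TestResult.
    """
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iter("{%s}rule-result" % XCCDF_NS):
        result_el = rr.find("{%s}result" % XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        out.append((rr.get("idref", ""), rr.get("severity", "unknown"), result))
    return out


def summarize(rule_results):
    """Return (outcome counts, failed rules sorted by severity, highest first)."""
    counts = Counter(result for _, _, result in rule_results)
    failed = sorted(
        ((rid, sev) for rid, sev, result in rule_results if result == "fail"),
        key=lambda item: SEVERITY_ORDER.get(item[1], 9),
    )
    return counts, failed


def unevaluated(rule_results):
    """Rule ids the scanner reported but did not evaluate (e.g. unsupported checks)."""
    return [rid for rid, _, result in rule_results if result in UNEVALUATED]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS
    results = parse_rule_results(xml_text)
    counts, failed = summarize(results)
    print("Outcome counts:")
    for outcome, n in sorted(counts.items()):
        print("  %-14s %d" % (outcome, n))
    print("Failed rules (by severity):")
    for rid, sev in failed:
        print("  [%s] %s" % (sev, rid))
    print("Rules not evaluated (review manually):")
    for rid in unevaluated(results):
        print("  %s" % rid)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Rules listed under "not evaluated" deserve manual review rather than being counted as passes; with the helper script on RHEL 8.0/8.1, environment-variable checks in particular will land there.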
