We will use the oscap-docker tool from the package openscap-containers. First we need to install the related packages:
$ sudo apt-get install atomic docker python-docker-py
After the related packages are installed, run the following to install openscap-containers:
$ sudo apt-get install openscap-containers
oscap-docker is a simple tool providing an interface for using oscap in a Docker environment. It allows you to scan running Docker containers and images in almost the same way as scanning a local machine.
The usage of oscap-docker is quite simple; the command usually has this format:
$ oscap-docker <image/container>[-cve] <image/container identifier> <oscap parameters>
First, you need to bring up the Mininet topology with the following command line:
$ sudo ./topo.py
Now we can perform a CVE scan of our container by running the command below. It will generate an OVAL results file and a human-readable HTML report.
$ oscap-docker container-cve our-rhel7-container
There is also an option to scan a container against your own custom security policy. We will use SSG (SCAP Security Guide) in this example. First, we have to install it. It installs the SSG SCAP security content to "/usr/share/xml/scap/ssg/content/".
$ sudo apt-get install scap-security-guide
Now we perform the scan using the custom content.
$ oscap-docker container our-rhel7-container xccdf eval --profile ospp --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
You can also scan Docker images in the same way. In the following example, we scan an image against a profile of our choice.
$ oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --profile ospp --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
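The commands above scan one container or image at a time and leave the interpretation of the result to whoever reads the HTML report. The wrapper below is an added example (not part of this tutorial or of the openscap-containers project) that runs both the CVE check and the SSG profile scan over every running container, writes the OVAL/XCCDF results and HTML reports into a per-target file name, and turns the exit status into pass/fail/error. It assumes the datastream path and the "ospp" profile used above, that oscap-docker accepts the --results and --report options in its *-cve mode (as its usage text describes), and that it passes through oscap's documented exit codes (0 = all rules passed, 2 = at least one rule failed, 1 = scan error). The helper build_scan_cmd only prints the command that would be run, which is handy for reviewing a scan job before scheduling it.

```shell
#!/bin/sh
# Added example wrapper around oscap-docker; not the tutorial's own code.
# Assumes oscap-docker and scap-security-guide are installed and that the
# datastream path and profile below are the ones the tutorial uses.

SSG_DS="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
PROFILE="ospp"
REPORT_DIR="./oscap-reports"   # reports and results land here (constructed path)

# sanitize TARGET: turn an image/container reference into a safe file-name stem
# (e.g. registry.access.redhat.com/rhel7 -> registry.access.redhat.com_rhel7).
sanitize() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '_'
}

# build_scan_cmd KIND TARGET MODE
#   KIND is "container" or "image"; MODE is "cve" (OVAL CVE check) or
#   "xccdf" (SSG profile evaluation). Prints the command line that run_scan
#   would execute; returns 1 on an unknown KIND or MODE.
build_scan_cmd() {
  kind="$1"; target="$2"; mode="$3"
  case "$kind" in
    container|image) ;;
    *) echo "unknown kind: $kind" >&2; return 1 ;;
  esac
  safe=$(sanitize "$target")
  case "$mode" in
    cve)
      printf 'oscap-docker %s-cve %s --results %s/%s-cve-results.xml --report %s/%s-cve.html\n' \
        "$kind" "$target" "$REPORT_DIR" "$safe" "$REPORT_DIR" "$safe" ;;
    xccdf)
      printf 'oscap-docker %s %s xccdf eval --profile %s --results %s/%s-xccdf-results.xml --report %s/%s-xccdf.html %s\n' \
        "$kind" "$target" "$PROFILE" "$REPORT_DIR" "$safe" "$REPORT_DIR" "$safe" "$SSG_DS" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# run_scan KIND TARGET MODE: execute the scan (arguments passed directly, not
# via eval, so an odd container name cannot alter the command) and return
# oscap-docker's exit status, assumed to be oscap's 0/1/2 convention.
run_scan() {
  kind="$1"; target="$2"; mode="$3"
  safe=$(sanitize "$target")
  mkdir -p "$REPORT_DIR"
  if [ "$mode" = cve ]; then
    oscap-docker "${kind}-cve" "$target" \
      --results "$REPORT_DIR/$safe-cve-results.xml" \
      --report  "$REPORT_DIR/$safe-cve.html"
  else
    oscap-docker "$kind" "$target" xccdf eval --profile "$PROFILE" \
      --results "$REPORT_DIR/$safe-xccdf-results.xml" \
      --report  "$REPORT_DIR/$safe-xccdf.html" "$SSG_DS"
  fi
}

# describe_exit STATUS: map oscap's exit code to a one-word verdict.
describe_exit() {
  case "$1" in
    0) echo pass ;;    # every evaluated rule passed / no known CVE matched
    2) echo fail ;;    # at least one rule failed or a CVE definition matched
    *) echo error ;;   # the scan itself did not complete
  esac
}

# scan_running_containers: CVE check plus profile scan for each running container.
scan_running_containers() {
  for c in $(docker ps --format '{{.Names}}'); do
    rc=0; run_scan container "$c" cve   || rc=$?
    echo "$c cve: $(describe_exit "$rc")"
    rc=0; run_scan container "$c" xccdf || rc=$?
    echo "$c xccdf ($PROFILE): $(describe_exit "$rc")"
  done
}

# Only scan when invoked with --run; otherwise just show what would be executed.
if [ "${1:-}" = "--run" ]; then
  scan_running_containers
else
  build_scan_cmd container our-rhel7-container cve
  build_scan_cmd image registry.access.redhat.com/rhel7 xccdf
fi
```

Run it with `sudo sh scan.sh --run` on the Docker host; without `--run` it only prints the two command lines from the tutorial in their --results/--report form. Treating exit status 2 as a distinct "fail" verdict matters in automation: a cron job or CI step that only checks for non-zero would lump a failed rule together with a scan that never ran.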