atomic.d/openscap

type: scanner
scanner_name: openscap
image_name: registry.access.redhat.com/rhel7/openscap
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '-j1'],
        description: "Performs a CVE scan based on Red Hat relesead CVE OVAL. !WARNING! This CVE is built into container image and it might be out-of-date. Change config.ini to configure the scanner to fetch latest CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan', '-j1'],
        description: "!DEPRECATED! Performs scan with Standard Profile, as present in SCAP Security Guide shipped in Red Hat Enterprise Linux"
      },
      { name: configuration_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan', '-j1'],
        description: "Performs a configuration compliance scan according to selected profile from SCAP Security Guide shipped in Red Hat Enterprise Linux."
      }
]
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`type: scanner`
			`scanner_name: openscap`
atomic.d/openscap: Change image name to be fully qualified If the openscap file that defines the scanner image name uses the short-name, i.e. rhel7/openscap, the on first use of atomic scan, atomic will pull the scanning image. However, atomic will name the image with its fully qualified name, because it had to look it up. Therefore, in the local dockerd, the scanner will be named with its full name. The next time the scanner is run, it will again attempt to pull down the short-named version. We should just switch to the fq name to avoid this mess. This issue was reported in https://github.com/projectatomic/atomic/issues/797. Closes: #857 Approved by: baude 2017-01-31 13:28:21 -06:00			`image_name: registry.access.redhat.com/rhel7/openscap`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`default_scan: cve`
atomic.d/openscap - use custom_args to expose config file for openscap-daemon Closes: #413 Approved by: baude 2016-06-06 14:43:54 -04:00			`custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']`
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`scans: [`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`{ name: cve,`
atomic.d/openscap: Fix race condition (bz #1368896) There is a race condition in oscpd where it sometimes fails to scan because of a threading issue. While that is resolved upstream, we set the max number of threads to 1 to avoid it. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1368896 Closes: #692 Approved by: rhatdan 2016-10-10 15:46:20 -05:00			`args: ['oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '-j1'],`
atomic.d/opensap: Show how to configure scanner to fetch CVE data Closes: #953 Approved by: baude 2017-03-24 18:28:55 +01:00			`description: "Performs a CVE scan based on Red Hat relesead CVE OVAL. !WARNING! This CVE is built into container image and it might be out-of-date. Change config.ini to configure the scanner to fetch latest CVE data"},`
atomic.d/openscap: Do standard compliance scan without CVEs When conducting a compliance scan, we do not want to check CVES as that is done by the default scan. 2016-04-18 13:45:34 -05:00			`{ name: standards_compliance,`
atomic.d/openscap: Fix race condition (bz #1368896) There is a race condition in oscpd where it sometimes fails to scan because of a threading issue. While that is resolved upstream, we set the max number of threads to 1 to avoid it. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1368896 Closes: #692 Approved by: rhatdan 2016-10-10 15:46:20 -05:00			`args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],`
Add configuration compliance scan to "atomic scan" This commit enables scanning images and containers for configuration compliance with security profiles provided by SCAP Security Guide. Note: This feature requires latest OpenSCAP Daemon from upstream installed in the underlying "rhel7/openscap" container. Closes: #1027 Approved by: baude 2017-06-07 10:26:56 +02:00			`description: "!DEPRECATED! Performs scan with Standard Profile, as present in SCAP Security Guide shipped in Red Hat Enterprise Linux"`
			`},`
			`{ name: configuration_compliance,`
			`args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],`
			`description: "Performs a configuration compliance scan according to selected profile from SCAP Security Guide shipped in Red Hat Enterprise Linux."`
Implement generic scanning in Atomic As more scanners besides openscap become available, atomic can now begin to leverage them. The new scan function has been broken out into its on file (scan.py). The scan command itself now defaults to openscap but can also be switched to blackduck with --scanner. Atomic now can use a configuration file which is stored in /etc/atomic.conf. The location of the atomic conf file can be overriden with the environment variable 'ATOMIC_CONF'. In the case of the scan function, we need the scanner defined in the configuration file as well as the fully qualified image name and the scan arguments. Optionally, you can provide additional custom docker arguments for the scanner as well 2016-02-25 17:07:24 -06:00			`}`
			`]`