Bug 1472379
Summary: | [RFE] Remediate container images so that they are compliant with a security policy | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Černý <jcerny> |
Component: | atomic | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | unspecified | | |
Version: | 7.5 | CC: | atomic-bugs, bbaude, ddarrah, dwalsh, fkluknav, lsm5, mjahoda, mmarhefk, mpreisle, mthacker, ovasik, weshen |
Target Milestone: | rc | Keywords: | Extras, FutureFeature |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-26 07:47:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1471672 | | |
Bug Blocks: | 1469954, 1477926 | | |
Description
Jan Černý
2017-07-18 15:19:11 UTC
I guess instead of mounting the image in as ReadOnly it would be mounted in as ReadWrite and we would need to make sure that the atomic scan container can write to the image.

That isn't necessary. Instead of mounting the image as ReadWrite, we can generate a fix script based on scan results, and then build a new image from the scanned image. During the build process the fix script will be invoked. We can think of it as adding a new layer on the original image. This layer will contain all the changes needed to comply with a SCAP profile.

The referenced PR has been reworked in https://github.com/projectatomic/atomic/pull/1090 and merged. Setting to POST.

I tested this on atomic-1.22.1-25.git5a342e3.el7.x86_64. I can't figure out how this flag "--remediate" works in a short time, but I think the behavior below is not the correct one:

1. atomic pull docker.io/busybox
2. atomic scan --remediate docker.io/busybox

result: openscap has no remediation script.

Hello Edward, there is documentation for this feature, please see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_openscap_with_atomic#sect-Scanning_and_Remediating_Configuration_Compliance_of_Docker_Images_and_Containers_Using_Atomic

Thank you, Matus. This is exactly what I want to know. Verified this on atomic-1.22.1-25.git5a342e3.el7.x86_64, it works fine.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2795

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
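The approach described in the reply above (derive a fix script from the scan results, then build a new image that runs it as one extra layer instead of mounting the image read-write), as an added Python example that is not part of this bug report or of the atomic project. It reads a constructed, heavily simplified stand-in for an XCCDF result document, keeps only the shell fixes of rules that actually failed, and emits the remediation script plus a Dockerfile that layers it on the scanned image; the rule ids, fix commands and XML shape are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily simplified stand-in for an XCCDF result document.
# Real oscap output is much larger; only the parts remediation needs are here.
SCAN_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Rule id="xccdf_org.example_rule_no_nullok">
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/ nullok//g' /etc/pam.d/system-auth</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_umask">
    <fix system="urn:xccdf:fix:script:sh">echo 'umask 027' &gt;&gt; /etc/profile</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_no_telnet">
    <fix system="urn:xccdf:fix:script:sh">yum -y remove telnet-server</fix>
  </Rule>
  <TestResult id="xccdf_org.example_testresult">
    <rule-result idref="xccdf_org.example_rule_no_nullok"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_umask"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_no_telnet"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

def failed_rule_ids(root):
    """Rule ids whose result in the TestResult is 'fail'."""
    return [rr.get("idref") for rr in root.iterfind("x:TestResult/x:rule-result", NS)
            if rr.findtext("x:result", namespaces=NS) == "fail"]

def shell_fixes(root):
    """Map rule id -> shell fix text, ignoring fixes written for other engines."""
    return {rule.get("id"): fix.text.strip()
            for rule in root.iterfind("x:Rule", NS)
            for fix in rule.iterfind("x:fix", NS)
            if fix.get("system") == "urn:xccdf:fix:script:sh"}

def build_remediation(xml_text):
    """Emit a fix script containing only the fixes for rules that failed."""
    root = ET.fromstring(xml_text)
    fixes = shell_fixes(root)
    lines = ["#!/bin/sh", "set -e"]
    for rule_id in failed_rule_ids(root):
        if rule_id in fixes:  # rules without a shell fix stay manual work
            lines += [f"# {rule_id}", fixes[rule_id]]
    return "\n".join(lines) + "\n"

def build_dockerfile(base_image):
    """New image = scanned image + one layer holding the remediation changes."""
    return (f"FROM {base_image}\n"
            "COPY remediation.sh /tmp/remediation.sh\n"
            "RUN sh /tmp/remediation.sh && rm -f /tmp/remediation.sh\n")
```

Write `build_remediation(SCAN_RESULTS)` to `remediation.sh` beside the generated Dockerfile and build it; the resulting image carries the fixes as its top layer while the original image stays untouched.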