Bug 1188570 - [RFE] SCAP Security Guide content for Docker Host
Summary: [RFE] SCAP Security Guide content for Docker Host
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1188587
Depends On:
Blocks:
Reported: 2015-02-03 09:36 UTC by Shreyank Gupta
Modified: 2019-02-26 17:24 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-26 17:24:03 UTC
Target Upstream Version:



Description Shreyank Gupta 2015-02-03 09:36:19 UTC
Description of problem:

Similar to the 'rht-ccp' profile, we need an SSG profile which deals specifically with Docker content. 

This request is coming from the Certification Team which is interested in including SCAP checks as a part of the Docker Certification Effort.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.19-2.el7

Comment 2 Shawn Wells 2015-02-04 16:13:27 UTC
Two challenges:

(1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP inclusion in RHEL Atomic (a separate BZ should be opened for this);

(2) Security Requirements for a Docker host. What specifically should be verified? In the Government realm docker is very new, and nobody has sorted what requirements apply. There are the "hypervisor" requirements though, which could give us a base.... here is what VMWare selected:

http://people.redhat.com/swells/esxi5-all.html

If we could create a "Hypervisor Host" SCAP profile, it should be generic enough to cover RHEV-H, KVM, and Docker.... or at least get us started.

Comment 3 Shreyank Gupta 2015-02-05 14:25:12 UTC
(In reply to Shawn Wells from comment #2)
> Two challenges:
> 
> (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> inclusion in RHEL Atomic (a separate BZ should be opened for this);
> 
This is a blocker only if we plan to scan containers from outside. Since the current certification tooling scans a running docker image, OpenSCAP availability on the RHEL platform would suffice.

> (2) Security Requirements for a Docker host. What specifically should be
> verified? In the Government realm docker is very new, and nobody has sorted
> what requirements apply. There are the "hypervisor" requirements though,
> which could give us a base.... here is what VMWare selected:
> 
> http://people.redhat.com/swells/esxi5-all.html
> 
> If we could create a "Hypervisor Host" SCAP profile, it should be generic
> enough to cover RHEV-H, KVM, and Docker.... or at least get us started.

I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer of the Docker Cert tool for their inputs.

Comment 4 Jan Lieskovsky 2015-02-05 14:49:45 UTC
(In reply to Shreyank Gupta from comment #3)
> (In reply to Shawn Wells from comment #2)
> > Two challenges:
> > 
> > (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> > inclusion in RHEL Atomic (a separate BZ should be opened for this);
> > 
> This is a blocker only if we plan to scan containers from outside. Since the
> current certification tooling scans a running docker image, OpenSCAP
> availability in RHEL platform would suffice.
> 
> > (2) Security Requirements for a Docker host. What specifically should be
> > verified? In the Government realm docker is very new, and nobody has sorted
> > what requirements apply. There are the "hypervisor" requirements though,
> > which could give us a base.... here is what VMWare selected:
> > 
> > http://people.redhat.com/swells/esxi5-all.html
> > 
> > If we could create a "Hypervisor Host" SCAP profile, it should be generic
> > enough to cover RHEV-H, KVM, and Docker.... or at least get us started.
> 
> I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer
> of the Docker Cert tool for their inputs.

Thanks, Shreyank.

Also, while not being too elaborate / exhaustive yet, hopefully the NIST 800-125 special publication:
  http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf?utm_medium=twitter&utm_source=twitterfeed

could serve as a basis for the initial draft of container SCAP content?
(see mainly sections 4.1 up to 4.4 of that)

Comment 5 Jan Lieskovsky 2015-02-05 15:14:20 UTC
> Also while not being too elaborated / exhaustive yet, hopefully the NIST
> 800-125 special publication:
>  
> http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.
> pdf?utm_medium=twitter&utm_source=twitterfeed
> 
> could serve as a basis to base initial draft container SCAP content at?
> (see mainly sections 4.1 up to 4.4 of that)

Then there's Cloud Controls Matrix (v3.0.1) yet:
  https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

[recommended by:
* Draft NISTIR 8006 http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf and by
* NIST SP 500 - 291: http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf (Table 10 - Security Standards: Security Controls)]

Comment 6 Šimon Lukašík 2015-04-10 13:52:19 UTC
Moving to rhel-7.3. Being capacity constrained, we won't be able to add an atomic profile into SSG.

Comment 7 Jan Lieskovsky 2016-06-24 14:48:36 UTC
(In reply to Shreyank Gupta from comment #3)

Hello Shreyank,

  thank you for the reply.

> (In reply to Shawn Wells from comment #2)
> > Two challenges:
> > 
> > (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> > inclusion in RHEL Atomic (a separate BZ should be opened for this);
> > 
> This is a blocker only if we plan to scan containers from outside. Since the
> current certification tooling scans a running docker image, OpenSCAP
> availability in RHEL platform would suffice.
> 
> > (2) Security Requirements for a Docker host. What specifically should be
> > verified? In the Government realm docker is very new, and nobody has sorted
> > what requirements apply. There are the "hypervisor" requirements though,
> > which could give us a base.... here is what VMWare selected:
> > 
> > http://people.redhat.com/swells/esxi5-all.html
> > 
> > If we could create a "Hypervisor Host" SCAP profile, it should be generic
> > enough to cover RHEV-H, KVM, and Docker.... or at least get us started.
> 
> I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer
> of the Docker Cert tool for their inputs.

A recent version of the SCAP Security Guide RPM package introduced the 'standard' profile, which currently for Red Hat Enterprise Linux 7 contains the following rules:
  https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/standard.xml

Can you clarify which additional Docker host features should be checked / verified, so this request could be considered as complete?

Thank you, Jan.

Comment 8 Shreyank Gupta 2016-06-27 09:40:24 UTC
(In reply to Jan Lieskovsky from comment #7)
[..]
> 
> Recent version of the SCAP Security Guide RPM package introduced the
> 'standard' profile, which currently for Red Hat Enterprise Linux 7 contains
> the following rules:
>  
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/
> profiles/standard.xml
> 
> Can you clarify which additional Docker host features should be checked /
> verified, so this request could be considered as complete?
> 
> Thank you, Jan.

Hello,

Kaustubh, who's working on the Container Certification stream, will be looking into this, and revert. 

Please give us a couple of days for the same.

Regards,
Shreyank.

Comment 9 Jan Lieskovsky 2016-06-27 09:42:44 UTC
Brilliant. Thank you, Shreyank!

Comment 10 Jan Lieskovsky 2016-06-30 12:25:34 UTC
*** Bug 1188587 has been marked as a duplicate of this bug. ***

Comment 12 Watson Yuuma Sato 2017-03-02 13:22:34 UTC
Postponing to RHEL7.5 as we are focusing on docker container and container images profiles in RHEL7.4.

Comment 13 Watson Yuuma Sato 2017-11-16 13:31:05 UTC
During RHEL 7.5 our efforts continued on content for container and container images.

Comment 14 Shawn Wells 2018-11-26 17:28:05 UTC
Suggest closing this as WONTFIX. 

There is now (upstream) OpenShift content [0] and future work will be against CRI-O vs legacy Docker.


[0] https://github.com/ComplianceAsCode/content/tree/master/applications/openshift

Comment 15 Marek Haicman 2019-02-26 17:24:03 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
