Two challenges:

(1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP inclusion in RHEL Atomic (a separate BZ should be opened for this);

(2) Security Requirements for a Docker host. What specifically should be verified? In the Government realm docker is very new, and nobody has sorted what requirements apply. There are the "hypervisor" requirements though, which could give us a base.... here is what VMWare selected:

http://people.redhat.com/swells/esxi5-all.html

If we could create a "Hypervisor Host" SCAP profile, it should be generic enough to cover RHEV-H, KVM, and Docker.... or at least get us started.

(In reply to Shawn Wells from comment #2)
> Two challenges:
> 
> (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> inclusion in RHEL Atomic (a separate BZ should be opened for this);
> 
This is a blocker only if we plan to scan containers from outside. Since the current certification tooling scans a running docker image, OpenSCAP availability in RHEL platform would suffice.

> (2) Security Requirements for a Docker host. What specifically should be
> verified? In the Government realm docker is very new, and nobody has sorted
> what requirements apply. There are the "hypervisor" requirements though,
> which could give us a base.... here is what VMWare selected:
> 
> http://people.redhat.com/swells/esxi5-all.html
> 
> If we could create a "Hypervisor Host" SCAP profile, it should be generic
> enough to cover RHEV-H, KVM, and Docker.... or at least get us started.

I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer of the Docker Cert tool for their inputs.

(In reply to Shreyank Gupta from comment #3)
> (In reply to Shawn Wells from comment #2)
> > Two challenges:
> > 
> > (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> > inclusion in RHEL Atomic (a separate BZ should be opened for this);
> > 
> This is a blocker only if we plan to scan containers from outside. Since the
> current certification tooling scans a running docker image, OpenSCAP
> availability in RHEL platform would suffice.
> 
> > (2) Security Requirements for a Docker host. What specifically should be
> > verified? In the Government realm docker is very new, and nobody has sorted
> > what requirements apply. There are the "hypervisor" requirements though,
> > which could give us a base.... here is what VMWare selected:
> > 
> > http://people.redhat.com/swells/esxi5-all.html
> > 
> > If we could create a "Hypervisor Host" SCAP profile, it should be generic
> > enough to cover RHEV-H, KVM, and Docker.... or at least get us started.
> 
> I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer
> of the Docker Cert tool for their inputs.

Thanks, Shreyank.

Also while not being too elaborated / exhaustive yet, hopefully the NIST 800-125 special publication:
  http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf?utm_medium=twitter&utm_source=twitterfeed

could serve as a basis to base initial draft container SCAP content at?
(see mainly sections 4.1 up to 4.4 of that)

> Also while not being too elaborated / exhaustive yet, hopefully the NIST
> 800-125 special publication:
>  
> http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.
> pdf?utm_medium=twitter&utm_source=twitterfeed
> 
> could serve as a basis to base initial draft container SCAP content at?
> (see mainly sections 4.1 up to 4.4 of that)

Then there's Cloud Controls Matrix (v3.0.1) yet:
  https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

[recommended by:
* Draft NISTIR 8006 http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf and by
* NIST SP 500 - 291: http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf (Table 10 - Security Standards: Security Controls)]

Moving to rhel-7.3. Being capacity constrained, we wont be able to add atomic profile into SSG.

(In reply to Shreyank Gupta from comment #3)

Hello Shreyank,

  thank you for the reply.

> (In reply to Shawn Wells from comment #2)
> > Two challenges:
> > 
> > (1) Atomic does not include SCAP tooling. We need to lobby for OpenSCAP
> > inclusion in RHEL Atomic (a separate BZ should be opened for this);
> > 
> This is a blocker only if we plan to scan containers from outside. Since the
> current certification tooling scans a running docker image, OpenSCAP
> availability in RHEL platform would suffice.
> 
> > (2) Security Requirements for a Docker host. What specifically should be
> > verified? In the Government realm docker is very new, and nobody has sorted
> > what requirements apply. There are the "hypervisor" requirements though,
> > which could give us a base.... here is what VMWare selected:
> > 
> > http://people.redhat.com/swells/esxi5-all.html
> > 
> > If we could create a "Hypervisor Host" SCAP profile, it should be generic
> > enough to cover RHEV-H, KVM, and Docker.... or at least get us started.
> 
> I'm cc-ing Trevor Jay from Docker Security and Navid, who is the maintainer
> of the Docker Cert tool for their inputs.

Recent version of the SCAP Security Guide RPM package introduced the 'standard' profile, which currently for Red Hat Enterprise Linux 7 contains the following rules:
  https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/standard.xml

Can you clarify which additional Docker host features should be checked / verified, so this request could be considered as complete?

Thank you, Jan.

(In reply to Jan Lieskovsky from comment #7)
[..]
> 
> Recent version of the SCAP Security Guide RPM package introduced the
> 'standard' profile, which currently for Red Hat Enterprise Linux 7 contains
> the following rules:
>  
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/
> profiles/standard.xml
> 
> Can you clarify which additional Docker host features should be checked /
> verified, so this request could be considered as complete?
> 
> Thank you, Jan.

Hello,

Kaustubh, who's working on the Container Certification stream, will be looking into this, and revert. 

Please give us a couple of days for the same.

Regards,
Shreyank.

Brilliant. Thank you, Shreyank!

*** Bug 1188587 has been marked as a duplicate of this bug. ***

Postponing to RHEL7.5 as we are focusing on docker container and container images profiles in RHEL7.4.

During RHEL 7.5 our efforts continued on content for container and container images.

Suggest closing this as WONTFIX. 

There is now (upstream) OpenShift content [0] and future work will be against CRI-O vs legacy Docker.


[0] https://github.com/ComplianceAsCode/content/tree/master/applications/openshift

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.