Bug 1253279 - [easy] Document oscap-docker in RHEL7
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Security_Guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Mirek Jahoda
ecs-bugs
: Documentation
Depends On:
Blocks:
Reported: 2015-08-13 08:00 EDT by Zbynek Moravec
Modified: 2016-06-06 05:48 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-06 05:48:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Zbynek Moravec 2015-08-13 08:00:29 EDT
Document URL: 

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

Additional information:
Comment 2 Zbynek Moravec 2015-08-13 08:10:15 EDT
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Compliance_and_Vulnerability_Scanning.html

Section Number and Name: 
Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP

Describe the issue: 
Missing oscap-docker section

Suggestions for improvement:
Please add following text between "6.4. Using oscap" and "6.5. Using OpenSCAP with Red Hat Satellite".

6.5 Using OpenSCAP with Docker
------------------------------
The **oscap-docker** command-line utility allows users to use **oscap** to scan their **docker** images and containers in almost the same way as their local systems.

The following sections explain the installation of **oscap-docker** and give basic examples of usage. To learn more about sub-commands, use the _--help_ option with the **oscap-docker** or **oscap** commands.

[source, bash]
----
# yum install openscap-utils
----

This command will install the *oscap-docker* tool. To enable scanning of images and containers, you need to have the *docker* package installed too.

Example 6.5 Getting help with specific oscap-docker operations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[source, bash]
----
oscap-docker scan_target[-cve] target_identifier [oscap-arguments]
----

where _scan_target_ is an image or a container to scan, and _target_identifier_ represents a name or an ID of the target.

[source, bash]
----
# docker images
REPOSITORY            TAG             IMAGE ID
docker.io/rhel7       latest          275be1d3d070

# oscap-docker image-cve docker.io/rhel7
----
This command will attach the docker image, determine the OS variant/version, download the CVE stream applicable to the given OS, and finally run a vulnerability scan.

[source, bash]
----
# docker ps
CONTAINER ID    IMAGE            COMMAND       NAMES
5ef05eef4a01    docker.io/rhel7  "/bin/bash"   sleepy_kirch

# oscap-docker container 5ef05eef4a01 oval eval com.redhat.rhsa-all.xml
----
Run an OpenSCAP scan within the chroot of a running docker container. This may differ from scanning a docker image due to defined mount points.
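As an added example (not code from the bug report, the draft section or the OpenSCAP project), the following Python wrapper parses the `docker images` / `docker ps` listings shown above and builds the same two oscap-docker invocations for every image and every running container. The sample docker output, the second container and the assumption that oscap-docker passes through oscap's exit status are constructed for the example.

```python
"""Inventory-driven oscap-docker scanning (added example; not code from the
bug report or the OpenSCAP project). It parses the header-aligned tables that
`docker images` / `docker ps` print and builds the two oscap-docker commands
from the draft section. Splitting those tables on whitespace breaks when
COMMAND contains spaces, so columns are cut at the header offsets instead."""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample output, laid out like the listings in the draft section.
DOCKER_IMAGES_OUTPUT = """\
REPOSITORY            TAG             IMAGE ID
docker.io/rhel7       latest          275be1d3d070
"""
DOCKER_PS_OUTPUT = """\
CONTAINER ID    IMAGE            COMMAND              NAMES
5ef05eef4a01    docker.io/rhel7  "/bin/bash"          sleepy_kirch
7c1d2e3f4a5b    docker.io/rhel7  "/bin/sh -c httpd"   web_frontend
"""

def parse_columns(output: str) -> List[Dict[str, str]]:
    """Cut every row at the offsets where the header names start."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    # A header may contain a single space ("IMAGE ID"); 2+ spaces separate columns.
    heads = list(re.finditer(r"\S+(?: \S+)*", header))
    bounds = [(m.group(), m.start(), heads[k + 1].start() if k + 1 < len(heads) else None)
              for k, m in enumerate(heads)]
    return [{name: row[s:e].strip() for name, s, e in bounds} for row in rows]

def plan_scans(images_output: str, ps_output: str) -> List[List[str]]:
    """One image-cve scan per image (name form REPOSITORY:TAG) and one OVAL
    evaluation per running container, exactly as the draft section shows."""
    cmds = [["oscap-docker", "image-cve", f"{r['REPOSITORY']}:{r['TAG']}"]
            for r in parse_columns(images_output)]
    cmds += [["oscap-docker", "container", r["CONTAINER ID"],
              "oval", "eval", "com.redhat.rhsa-all.xml"]
             for r in parse_columns(ps_output)]
    return cmds

def run_scans(cmds: List[List[str]], dry_run: bool = True) -> Dict[str, Optional[int]]:
    """Run the planned scans (as root, with docker and oscap-docker installed) and
    return each command's exit status; with dry_run nothing is executed.
    Assumption: oscap-docker passes through oscap's status (0 all checks passed,
    1 error, 2 at least one definition failed), so 2 means findings to triage."""
    results: Dict[str, Optional[int]] = {}
    for cmd in cmds:
        results[" ".join(cmd)] = None if dry_run else subprocess.run(cmd).returncode
    return results
```

Run with `dry_run=False` only on a host where both `docker` and `oscap-docker` are installed; the dry run just lists what would be scanned.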
Comment 4 Robert Krátký 2016-01-29 13:06:49 EST
This slipped through the net (assigned to an inactive person). Switching to 7.3.
Comment 5 Mirek Jahoda 2016-05-09 05:14:05 EDT
Hello, could you please check the insertion of the section 6.5 Using OpenSCAP with Docker [1]? (I was not sure about some DocBook tags.) Thank you.
[1] http://jenkinscat.gsslab.pnq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Security_Guide%20%28html-single%29/lastStableBuild/artifact/tmp/en-US/html-single/index.html#sect-Using_OpenSCAP_with_Red_Hat_Satellite
Comment 6 Robert Krátký 2016-05-13 08:29:04 EDT
Hi Mirek,

Thanks for taking care of this. I fixed some minor things.

Zbynek, could you please have a look at the result:

http://jenkinscat.gsslab.pnq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Security_Guide%20%28html-single%29/lastStableBuild/artifact/tmp/en-US/html-single/index.html#sect-Using_OpenSCAP_with_Docker
Comment 8 Zbynek Moravec 2016-05-31 11:44:06 EDT
LGTM. Only one minor "issue".
Could you try to align the output under "# docker ps"?

E.g. put "/bin/bash" right under "COMMAND" - to be more like a table.
Comment 9 Mirek Jahoda 2016-06-01 04:22:15 EDT
(In reply to Zbynek Moravec from comment #8)
> LGTM. Only one minor "issue".
> Could you try to align output under "# docker ps"?
> 
> E.g. put "/bin/bash" right under "COMMAND" - to be more like a table.

Thank you for the check. I have just opened the section in Firefox (and then in Chrome) and I see all columns in output properly aligned. I would like to ask Petr for his precious check. Thank you.
Comment 10 Zbynek Moravec 2016-06-01 05:57:17 EDT
Hi again.

Very sorry. I've just realized that I've made a mistake.

My changes are valid for RHEL 7.3; in the current RHEL we still use a quite old openscap release and there was no atomic dependency.

I've updated the draft again. Please store the current version for the next RHEL release.

Sorry again for problems caused by me.
Comment 11 Mirek Jahoda 2016-06-01 07:39:54 EDT
(In reply to Zbynek Moravec from comment #10)
> Hi again.
> 
> Very sorry. I've just realized that I've made a mistake.
> 
> My changes are valid for rhel7.3, in current RHEL is we still use quite old
> openscap release and there wasn't atomic dependency.
> 
> I've updated draft again. Please store current version to next RHEL release.
> 
> Sorry again for problems caused by me.

Not sure I was able to realize all the changes in the draft, but I stored the previous version (for a future release) and published the updated one: http://jenkinscat.gsslab.pnq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Security_Guide%20%28html-single%29/lastStableBuild/artifact/tmp/en-US/html-single/index.html#sect-Using_OpenSCAP_with_Docker
Comment 12 Mirek Jahoda 2016-06-06 05:48:58 EDT
The solution is published on the Red Hat Customer Portal: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sect-Using_OpenSCAP_with_Docker (closing the bug)