Bug 1342047 - atomic scan doesn't work with default or explicit openscap scanner configuration
Summary: atomic scan doesn't work with default or explicit openscap scanner configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-02 10:35 UTC by Alex Jia
Modified: 2016-11-04 09:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 09:06:01 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2016:2628 (priority normal, status SHIPPED_LIVE): atomic bug fix and enhancement update, last updated 2016-11-03 18:17:14 UTC

Description Alex Jia 2016-06-02 10:35:51 UTC
Description of problem:
atomic scan doesn't work with openscap scanner configuration in /etc/atomic.conf. 

Version-Release number of selected component (if applicable):

$ rpm -q atomic docker kernel
atomic-1.10.3-1.el7.x86_64
docker-1.10.3-26.el7.x86_64
kernel-3.10.0-327.el7.x86_64

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)


How reproducible:
always

Steps to Reproduce:
1. yum install atomic
2. edit /etc/atomic.conf with openscap scanner
3. restart docker service (it may not be necessary)
4. atomic scan --list

Actual results:

$ cat /etc/atomic.conf 
# Atomic CLI configuration file

default_scanner: openscap
default_docker: docker

# default_storage: ostree
# ostree_repository: /ostree/repo
# checkout_path: /var/lib/containers/atomic

$ sudo systemctl restart docker

$ sudo atomic scan --list
No scanners are configured for your system.

Expected results:


Additional info:

I have a question: the new atomic scanner doesn't require oscapd to be running on the host, right? I also tried running oscapd first; the test result is the same as above.

When I manually create the /etc/atomic.d/ directory and copy openscap into /etc/atomic.d/, atomic scan --list works, but I still can't scan a local or remote container image; the details are as follows.

$ cat /etc/atomic.d/openscap 
type: scanner
scanner_name: openscap
image_name: openscap
default_scan: cve
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout'],
        description: "Performs a CVE scan based on known CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan'],
        description: "Performs a standard scan"
      }
]
    
$ sudo atomic scan --list
Scanner: openscap * 
  Image Name: openscap
     Scan type: cve * 
     Description: Performs a CVE scan based on known CVE data

     Scan type: standards_compliance 
     Description: Performs a standard scan


* denotes defaults

$ sudo atomic images

  REPOSITORY                                           TAG              IMAGE ID       CREATED            VIRTUAL SIZE     
  registry.access.redhat.com/rhel7                     latest           sha256:bf203   2016-05-05 12:43   203.43 MB     
  docker.io/busybox                                    latest           sha256:47bcc   2016-03-18 14:22   1.11 MB       

$ sudo atomic scan registry.access.redhat.com/rhel7
sha256-bf203442783741aad6d82b528bcfecd45f40e63c83d981eb5e644a2fa6356e60 did not match any image or container.

$ sudo atomic scan registry.access.redhat.com/rhel7/rhel-tools
Unable to associate 'registry.access.redhat.com/rhel7/rhel-tools' with an image or container

Comment 3 Daniel Walsh 2016-08-19 22:07:40 UTC
Brent any update on this one?

Comment 4 Alex Jia 2016-08-21 14:03:47 UTC
It works well now; the openscap image will be automatically downloaded from registry.access.redhat.com/rhel7 if it doesn't exist on the local host.

Comment 5 Daniel Walsh 2016-08-22 10:39:21 UTC
Fixed in atomic-1.11

Comment 7 Alex Jia 2016-09-18 03:23:20 UTC
Moving to VERIFIED status per Comment 4.

Comment 9 errata-xmlrpc 2016-11-04 09:06:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html