Bug 1472379 - [RFE] Remediate container images so that they are compliant with a security policy [NEEDINFO]
[RFE] Remediate container images so that they are compliant with a security p...
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Lokesh Mandvekar
Mirek Jahoda
: Extras, FutureFeature
Depends On: 1471672
Blocks: 1469954 1477926
  Show dependency treegraph
Reported: 2017-07-18 11:19 EDT by Jan Černý
Modified: 2018-07-01 18:39 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mmarhefk: needinfo? (atomic-bugs)

Attachments (Terms of Use)

  None (edit)
Description Jan Černý 2017-07-18 11:19:11 EDT
Description of problem:

We don't have any automated way to create container images that are compliant with a security policy (eg. STIG, OSPP, PCI-DSS, ..) That means users have to change the images manually to make them security compliant. That's very complicated and time-consuming, especially in large container environments.

Instead, we need to enable users to build hardened images directly. That should be achieved by involving OpenSCAP, SCAP Security Guide and Docker Build together. The idea is based on adding a hardening layer on the top of the image.

Atomic scan should be extended in a way that it doesn't only scan, but also fixes the failing rules, so that the new image passes the scan.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. atomic scan --harden

Actual results:
none, not implemented yet

Expected results:
An image that is compliant with a security policy is built.

Additional info:
Comment 1 Daniel Walsh 2017-07-18 12:09:34 EDT
I guess instead of mounting the image in as ReadOnly it would be mounted in as ReadWrite and we would need to make sure that the atomic scan container can write to the image.
Comment 2 Jan Černý 2017-07-25 09:51:04 EDT
That isn't necessary. Instead of mounting the image as ReadWrite, we can generate a fix script based on scan results, and then build a new image from the scanned image. During the build process the fix script will be invoked. We can think of it as adding new layer on the original image. This layer will contain all the changes needed to comply with a SCAP profile.
Comment 5 Martin Preisler 2017-10-16 13:32:00 EDT
The referenced PR has been reworked in https://github.com/projectatomic/atomic/pull/1090 and merged. Setting to POST.

Note You need to log in before you can comment on or make changes to this bug.