Red Hat Bugzilla – Bug 1472379
[RFE] Remediate container images so that they are compliant with a security policy
Last modified: 2017-12-04 10:49:45 EST
Description of problem:
We don't have any automated way to create container images that are compliant with a security policy (e.g. STIG, OSPP, PCI-DSS, ...). That means users have to change the images manually to make them security compliant. That's very complicated and time-consuming, especially in large container environments.
Instead, we need to enable users to build hardened images directly. That should be achieved by involving OpenSCAP, SCAP Security Guide and Docker Build together. The idea is based on adding a hardening layer on the top of the image.
Atomic scan should be extended in a way that it doesn't only scan, but also fixes the failing rules, so that the new image passes the scan.
Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. atomic scan --harden

Actual results:
none, not implemented yet

Expected results:
An image that is compliant with a security policy is built.
I guess instead of mounting the image in as ReadOnly it would be mounted in as ReadWrite and we would need to make sure that the atomic scan container can write to the image.
That isn't necessary. Instead of mounting the image as ReadWrite, we can generate a fix script based on scan results, and then build a new image from the scanned image. During the build process the fix script will be invoked. We can think of it as adding a new layer on the original image. This layer will contain all the changes needed to comply with a SCAP profile.
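The workflow in the comment above (scan read-only, turn the failing rules into a fix script, build a new image whose extra layer runs that script, rescan), written out as an added shell example. This is illustration, not code from the atomic project or from the referenced PR; the function names are hypothetical, the image, profile and datastream values are placeholders, and it assumes the standard OpenSCAP subcommands `oscap xccdf eval` / `oscap xccdf generate fix --fix-type bash --result-id` plus the `oscap-docker image` wrapper from openscap-utils, with `oscap` exit code 2 meaning "some rules failed" and 1 meaning "scan error".

```shell
#!/bin/sh
# Added example of the "hardening layer" approach; not the atomic project's code.
# Placeholder names and assumed tool flags are noted in the comments.
set -eu

# Emit a Dockerfile that stacks exactly one remediation layer on top of the
# scanned image. Arguments: source image, fix-script path relative to the
# build context. Assumes the base image ships bash, which the generated
# OpenSCAP fix scripts need.
generate_harden_dockerfile() {
    src_image=$1
    fix_script=$2
    cat <<EOF
FROM $src_image
COPY $fix_script /tmp/oscap-fix.sh
# Apply the remediation during the build, then drop the script so it does not
# stay behind in the hardened layer. Remediation failures for rules that cannot
# be fixed inside a container are left for the rescan below to report.
RUN bash /tmp/oscap-fix.sh; rm -f /tmp/oscap-fix.sh
EOF
}

# Full pipeline; needs oscap, oscap-docker and docker on the host, so it is
# only defined here and not invoked. Arguments: source image, XCCDF profile id,
# SCAP datastream path, name for the hardened image.
harden_image() {
    src_image=$1     # e.g. registry.example/app:1.0 (placeholder)
    profile=$2       # e.g. xccdf_org.ssgproject.content_profile_standard
    datastream=$3    # e.g. /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    out_image=$4
    workdir=$(mktemp -d)

    # 1. Scan the image read-only and keep machine-readable results.
    #    Exit 2 (rules failed) is the expected case; exit 1 is a real error.
    rc=0
    oscap-docker image "$src_image" xccdf eval --profile "$profile" \
        --results "$workdir/results.xml" "$datastream" || rc=$?
    [ "$rc" -ne 1 ] || { echo "scan of $src_image failed" >&2; return 1; }
    [ "$rc" -ne 0 ] || { echo "$src_image already passes $profile" >&2; return 0; }

    # 2. Generate a bash fix script from the results, so only rules that
    #    actually failed are remediated, not the whole profile.
    result_id=$(grep -o 'TestResult id="[^"]*"' "$workdir/results.xml" \
        | head -1 | cut -d'"' -f2)
    oscap xccdf generate fix --fix-type bash --result-id "$result_id" \
        --output "$workdir/fix.sh" "$workdir/results.xml"

    # 3. Build the hardened image: the fix script becomes one new layer.
    generate_harden_dockerfile "$src_image" fix.sh > "$workdir/Dockerfile"
    docker build -t "$out_image" "$workdir"

    # 4. Rescan. The build is only worth keeping if the new image now passes;
    #    a non-zero exit here lists the rules the layer could not fix.
    oscap-docker image "$out_image" xccdf eval --profile "$profile" "$datastream"
}
```

Two points a practitioner would check before relying on this: the remediation runs in a build container, so rules that touch the kernel, systemd units or mounted filesystems will not be fixable this way and should be expected to show up again in step 4; and because the fix script is derived from a results file, a different base image or profile needs its own scan and its own script rather than reusing one.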
The referenced PR has been reworked in https://github.com/projectatomic/atomic/pull/1090 and merged. Setting to POST.