Bug 1472499 - Tracking: Support for Atomic Harden feature in SCAP Security Guide
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified OS: Unspecified
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Docs Contact: Mirek Jahoda
Keywords: FutureFeature
Depends On:
Blocks: 1490384 1490353
Reported: 2017-07-18 19:42 EDT by Marek Haicman
Modified: 2017-11-30 10:18 EST

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
The "OpenSCAP container image" (rhel7/openscap) has been updated to support the "configuration compliance" scan type. The configuration compliance scan type uses the SCAP content provided by the SCAP Security Guide (SSG), which is bundled inside the OpenSCAP container image. This new scan type can be used by the "atomic scan" command (which uses the OpenSCAP container image for scanning) and allows users to:

- scan Red Hat Enterprise Linux based container images and containers against any profile provided by the SCAP Security Guide,
- remediate Red Hat Enterprise Linux based container images to be compliant with any profile provided by the SCAP Security Guide,
- generate an HTML report from the scan and remediation.

The result of remediation is a container image with altered configuration, which is added as a new layer on top of the original container image. The original container image is kept unchanged; a new layer containing all the configuration amendments is created on top of it, forming a new container image. This means that the remediated container image is no longer signed by Red Hat, but this is expected, as it differs from the original because of the remediated layer.
Story Points: ---
Clone Of:
: 1490353 1490384
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Marek Haicman 2017-07-18 19:42:55 EDT
Description of problem:
We want SSG to support hardening of atomic container images at least according to the main profiles:

- USGCB (ospp-rhel7)
- PCI-DSS (pci-dss)
- DISA STIG (stig-rhel7-disa)

The goal is to be able to harden a container to a state where all rules are passing.
