In this blog we will see what OpenSCAP is and how it can be used in a container image hardening workflow.
What is OpenSCAP?
OpenSCAP is an open-source framework to enforce security compliance in IT systems. It is based on Security Content Automation Protocol (SCAP) and is designed to help automate the processes of vulnerability assessment, vulnerability management, and security compliance checking. It provides tools and libraries for managing and enforcing compliance with security policies and is widely used in enterprise environments to ensure that systems meet certain security baselines.
Features of OpenSCAP
Customization: OpenSCAP allows organizations to create custom security policies and checks that fit their unique environment and security requirements.
Vulnerability Scanning: OpenSCAP can perform automated vulnerability scanning of systems by checking for known vulnerabilities and verifying the presence of required patches.
Compliance Checking: It allows for automated compliance checks against various security benchmarks, such as CIS (Center for Internet Security) benchmarks, DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), or custom policies defined by an organization.
System Auditing: OpenSCAP can audit system configurations against defined security policies. It checks for misconfigurations and deviations from the desired state.
Reporting: It generates detailed reports based on the results of vulnerability scans and compliance checks. These reports can be in various formats, including HTML, XML, and CSV, allowing for easy integration into existing security information and event management (SIEM) systems.
Remediation: In addition to identifying security issues, OpenSCAP can help remediate them. It can generate remediation scripts or suggest actions to bring a system into compliance with a specified security policy.
Core Components of OpenSCAP
OpenSCAP consists of several components, each serving a specific function:
SCAP Workbench: This is a GUI tool that allows users to easily perform SCAP scans and create tailored security profiles.
oscap: This is the command-line tool provided by OpenSCAP for performing SCAP-based assessments. It can be used for scanning systems, generating reports, and much more.
SCAP Security Guide (SSG): This is a project that provides security baselines in SCAP format for various platforms, including Red Hat Enterprise Linux, CentOS, Fedora, Debian, and more. It includes security policies like CIS, DISA STIGs, and others.
OpenSCAP Daemon (scap-workbench): A graphical interface for OpenSCAP, allowing users to perform security audits and compliance checks without using the command line.
Use Cases of OpenSCAP
Education and Training: OpenSCAP is also used in educational environments to teach students and security professionals about security baselines, compliance, and vulnerability management.
Enterprise Security Compliance: OpenSCAP is widely used in enterprises to ensure that systems comply with security policies, regulatory standards, and best practices. This is critical for industries like finance, healthcare, and government, where compliance is mandatory.
Continuous Monitoring: OpenSCAP can be integrated into a continuous monitoring framework, providing real-time assessments of system security posture. This helps in identifying and addressing security issues before they are exploited.
Vulnerability Management: By regularly scanning systems with OpenSCAP, organizations can identify vulnerabilities, missing patches, and configuration issues, allowing them to prioritize and address these security risks.
Automated Security Checks: OpenSCAP can be integrated into automated deployment pipelines to ensure that newly deployed systems or containers meet security baselines before they are put into production.
How to Use OpenSCAP
Here’s a simple overview of how you might use OpenSCAP in a typical environment:
Install OpenSCAP: Install OpenSCAP on your systems. This can typically be done using the package manager of your Linux distribution (e.g., yum install openscap on Red Hat-based systems or apt-get install openscap-utils on Debian-based systems).
Download SCAP Content: Obtain SCAP content that includes the security policies and benchmarks you want to use. This can be downloaded from the SCAP Security Guide or other sources.
Run Scans: Use the oscap command-line tool to perform scans against your systems using the downloaded SCAP content. For example:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
This command runs an XCCDF evaluation using the “standard” profile from the SCAP content file for Red Hat Enterprise Linux 7.
Review Reports: After running the scans, review the generated reports to identify any vulnerabilities or compliance issues.
Remediate Issues: Based on the scan results, take necessary actions to remediate any identified security issues.
Integrate OpenSCAP in Development Workflow
Using OpenSCAP in your container image hardening workflow is an effective way to ensure that your container images meet security and compliance standards. Container image hardening involves securing the base images, installed packages, and configurations to reduce vulnerabilities and improve security posture.
Here’s an example workflow that integrates OpenSCAP scanning into a container build process:
- Build Container Image:
- Start by creating a Dockerfile that defines your application and dependencies.
- Install OpenSCAP:
- Add steps in your Dockerfile to install OpenSCAP and any required SCAP content.
- Run OpenSCAP Scan:
- After the build completes, run an OpenSCAP scan to evaluate the container image against your chosen SCAP profile.
- Generate and Review Reports:
- Store the scan results in a persistent location and review the reports for compliance issues or vulnerabilities.
- Fix Issues and Rebuild:
- Address any identified security issues, update your Dockerfile as needed, and rebuild the container image.
- Automate in CI/CD:
- Integrate this entire process into your CI/CD pipeline to automatically scan and remediate images before they are deployed.
Steps to Use OpenSCAP in Container Image Hardening Workflow:
Regularly update your SCAP content to stay current with new vulnerabilities and security benchmarks.
Install OpenSCAP in Your Build Environment:
Ensure OpenSCAP tools are available in your build environment, such as on a local machine, a CI/CD pipeline, or a build server. You can install OpenSCAP using the package manager of your operating system.
For example, on a Red Hat-based system, you can install OpenSCAP using:
sudo yum install -y openscap-scanner scap-security-guide
Obtain SCAP Content for Container Images:
Download or create SCAP content tailored for container image scanning. The SCAP Security Guide (SSG) provides profiles for various operating systems, and you may need to customize these for your specific container images.
SCAP content for containers can be found or generated for specific use cases, like scanning for vulnerabilities or ensuring compliance with benchmarks like CIS.
Integrate OpenSCAP into Your Dockerfile or Build Script:
You can add a step in your Dockerfile or build script to run an OpenSCAP scan during the image build process. This step will evaluate the container image against your SCAP profiles.
An example Dockerfile snippet might look like this:
FROM your-base-image
# Install OpenSCAP tools
RUN yum install -y openscap-scanner scap-security-guide
# Run OpenSCAP scan; oscap exits non-zero when a rule fails, so the build stops here
RUN oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
      --results /tmp/openscap_scan_results.xml \
      /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml || exit 1
Run OpenSCAP Scans on Your Container Images:
During the image build or post-build process, run OpenSCAP scans to ensure that your container images are secure and compliant. Use the oscap command-line tool to evaluate the container images.
If you have a container image already built, you can use the following command:
docker run --rm \
  -v /path/to/scap/content:/scap:ro \
  -v /var/lib/openscap:/var/lib/openscap \
  -v /path/to/image:/image:ro \
  openscap/openscap \
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /scap/ssg-docker-ds.xml
Automate Scanning in CI/CD Pipelines:
Integrate OpenSCAP scans into your CI/CD pipeline to automate the security checks. This can be done using tools like Jenkins, GitLab CI, GitHub Actions, or other CI/CD platforms.
Add a pipeline step to run the OpenSCAP scan on the container image after it’s built but before it’s deployed. For example, in a Jenkins pipeline:
stage('Security Scan') {
    steps {
        sh '''
            docker run --rm \\
              -v /path/to/scap/content:/scap:ro \\
              -v /var/lib/openscap:/var/lib/openscap \\
              -v /path/to/image:/image:ro \\
              openscap/openscap \\
              oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /scap/ssg-docker-ds.xml
        '''
    }
}
Review Scan Results and Remediate:
After running the OpenSCAP scan, review the generated reports for any identified vulnerabilities or compliance issues.
Based on the findings, modify your container images or configurations to address any detected issues, such as updating vulnerable packages, removing unnecessary services, or tightening security settings.
Create Custom SCAP Content if Needed:
If the standard SCAP profiles don’t fully meet your security requirements, consider creating custom SCAP content tailored to your specific environment and security policies.
Custom profiles can be created by modifying existing profiles or writing new XCCDF and OVAL definitions to suit your needs.
Repeat and Improve:
Continuously run OpenSCAP scans as part of your container lifecycle management to ensure ongoing compliance and security.
Selecting a Profile for Container Images
When using OpenSCAP to secure container images, consider profiles that target container environments and address container-specific security concerns.
Recommended Profiles for Container Images:
CIS Docker Benchmark Profile:
Why Use It: The CIS Docker Benchmark is specifically designed to secure Docker environments. It focuses on Docker daemon configurations, container image security, and runtime security, making it highly relevant for containers running FastAPI applications.
Key Checks: It includes checks for Docker daemon configuration, container image scanning, least privilege practices, resource limits, and logging practices. These checks ensure your Docker environment and containers are as secure as possible.
DISA STIG for Docker:
Why Use It: If you are operating in a government or military environment or have stringent security requirements, the DISA STIG profile for Docker ensures that containers are configured securely according to high standards.
Key Checks: It includes comprehensive checks for Docker configurations, focusing on reducing attack surfaces and hardening Docker itself, rather than the application layer.
Custom Profiles:
Why Use It: If none of the existing profiles fully meet your needs, or if you have specific security policies, you can create a custom OpenSCAP profile tailored to your environment.
Key Checks: Custom profiles allow you to define specific checks, such as verifying FastAPI application configurations, ensuring that only necessary ports are exposed, and confirming the use of secure communication protocols.
Example OpenSCAP Command for Docker Profile:
To use the CIS Docker Benchmark profile with OpenSCAP, you can run a command like this:
oscap-docker image your-container-image-name xccdf eval \
--profile xccdf_org.cisecurity.benchmarks_profile_docker /usr/share/xml/scap/ssg/content/ssg-docker-ds.xml
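A CI gate around the oscap-docker command above, as an added example (not the post's own code): it keeps oscap's three exit codes apart, which a bare `|| exit 1` collapses, and pulls the failing rule ids out of the results file for the build log. The profile id, datastream path and the sample results file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): CI gate around oscap-docker. oscap exits 0 when
# every rule passed, 1 on a scan error and 2 when at least one rule failed; the
# wrapper keeps those apart and lists failing rule ids. Paths are placeholders.
set -u
# scan_image IMAGE PROFILE DATASTREAM RESULTS_XML; returns oscap's exit status.
scan_image() {
  oscap-docker image "$1" xccdf eval --profile "$2" \
    --results "$4" --report "${4%.xml}.html" "$3"
}
# Translate an oscap exit status into a CI verdict.
oscap_verdict() {
  case "$1" in
    0) echo pass ;;
    2) echo fail ;;
    *) echo error ;;   # scan error: a broken pipeline, never a pass
  esac
}
# Count rule results equal to "fail" in an XCCDF results file.
count_failed_rules() { grep -c '<result>fail</result>' "$1" || true; }
# Print the idref of each failing rule (works whether or not <result> shares a line).
list_failed_rules() {
  awk '/<rule-result/ { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>fail<\/result>/ { print id }' "$1"
}
# Constructed sample in XCCDF results shape, standing in for a real scan.
write_sample_results() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow"><result>fail</result></rule-result>
</TestResult>
EOF
  echo "$f"
}
# Pipeline use: set OSCAP_IMAGE to gate a real image; unset, only the functions are defined.
if [ -n "${OSCAP_IMAGE:-}" ]; then
  scan_image "$OSCAP_IMAGE" xccdf_org.ssgproject.content_profile_standard \
    /usr/share/xml/scap/ssg/content/ssg-docker-ds.xml results.xml
  rc=$?
  verdict=$(oscap_verdict "$rc")
  echo "verdict=$verdict failed=$(count_failed_rules results.xml)"
  list_failed_rules results.xml
  [ "$verdict" = pass ] || exit 1
fi
```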
By integrating OpenSCAP into your container image hardening workflow, you can automate the process of vulnerability scanning and compliance checking, ensuring that your container images are secure and meet your organization’s security policies. Regularly scanning container images helps to maintain a strong security posture and reduces the risk of deploying vulnerable or non-compliant applications.
Conclusion:
OpenSCAP is a powerful tool for maintaining system security by automating the processes of vulnerability scanning, compliance checking, and security auditing. It is particularly valuable for organizations that need to comply with strict security standards or regulatory requirements. By providing a standardized approach to security assessments, OpenSCAP helps ensure that systems are secure, compliant, and up to date.