Introduction to OpenSCAP project and atomic CLI from Project Atomic to scan Linux containers and images for CVEs.

1. Atomic scan
With OpenSCAP

2. $whoami
● Lalatendu Mohanty
● Twitter: @lalatenduM
● lalatendu.org

3. System security (Software)
● Software vulnerabilities
● Configuration flaws

4. Configuration flaws
● Not following security policies
○ Example: Weak password settings
● Not using correct access control

5. Software vulnerabilities
● Undiscovered vulnerabilities
● Known vulnerabilities
○ Common Vulnerabilities and Exposures (CVE®)

6. Common Vulnerabilities and Exposures (CVE®)
● Publicly known cybersecurity vulnerabilities
● Example:
○ Heartbleed : CVE-2014-0160
■ OpenSSL
○ Shellshock: CVE-2014-6271
■ GNU Bash

7. atomic scan
● Scan a container or container
image for CVEs.
● Can scan all images or
containers at once.
● Plugin architecture for scan
tool.
From atomic CLI

8. How does this work?
● Detect the operating system
● Get the appropriate CVE feed from vendor
● Check the image or container with OpenSCAP
● Parse the results

9. atomic scan options

10. Demo
$ atomic scan rhel

11. CVE®
● CVE List is maintained The MITRE Corporation (not for profit)
● Sponsored by United States Computer Emergency Readiness Team.
● National Vulnerability Database (NVD):
○ Superset of CVE list.
○ Contains additional analysis, database and fine-grained search engine
○ Maintained by US National Institute of Standards and Technology (NIST)
○ Data represented using Security Content Automation Protocol (SCAP)

12. Heartbleed CVE page
● https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160

13. Heartbleed CVE in NVD
● https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

14. SCAP
● SCAP is a line of compliance standards managed by NIST.
● Provide a standardized approach to security e.g.
○ Automatically verifying the presence of patches
○ Checking system security configuration settings
○ Examining systems for signs of compromise

15. OpenSCAP
● Create a framework of libraries to improve the accessibility of SCAP and
enhance the usability of the information it represents.
● Awarded the SCAP 1.2 certification by NIST in 2014.

17. Demo SCAP Workbench
On Fedora 23
● $ sudo dnf install scap-security-guide
● $ sudo dnf install scap-workbench

18. References:
● http://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-
container-vulnerability-detection/
● https://access.redhat.com/documentation/en-
US/Red_Hat_Network_Satellite/5.5/html/User_Guide/chap-
Red_Hat_Network_Satellite-User_Guide-OpenSCAP.html
● https://cve.mitre.org/about/
● https://www.youtube.com/watch?v=DxMd0T9_apo

19. Questions?
Collaborate : https://github.com/projectatomic/atomic