
@sfowl
Created December 7, 2020 08:07

Requires:

Howto

Translate image to friendly name:

$ oc image info -o json quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b | jq -r .config.config.Labels.url
https://access.redhat.com/containers/#/registry.access.redhat.com/openshift/ose-sdn/images/v4.6.0-202011181111.p0

Normally we could use this URL to compare with the scan results on the container catalog. Unfortunately, container health grades are currently hidden due to an issue related to scanning EUS content. We can compare with a local OpenSCAP scan instead.

Pull image:

$ podman pull registry.redhat.io/openshift4/ose-sdn-rhel8:v4.6
$ # OR 
$ podman pull registry.redhat.io/openshift4/ose-sdn-rhel8@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b

Prepare container for scanning:

$ container=$(podman create registry.redhat.io/openshift4/ose-sdn-rhel8@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b)
$ # Get the mount point
$ mnt=$(podman unshare podman mount $container)
$ # Verify mount point has unpacked filesystem:
$ podman unshare ls $mnt
bin   dev  home  lib64	     media  opt   root	sbin  sys  usr
boot  etc  lib	 lost+found  mnt    proc  run	srv   tmp  var

Grab oval and scan:

$ wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2
$ wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.2-eus.oval.xml.bz2
$ podman unshare oscap-chroot $mnt oval eval --report report.html rhel-8.oval.xml.bz2
$ podman unshare oscap-chroot $mnt oval eval --report report-eus.html rhel-8.2-eus.oval.xml.bz2

Open the .html reports in a browser to view them. Note that the scan against the EUS OVAL content reports far fewer missing advisories.

To determine which OVAL files are required for a scan, check the container's content manifests:

$ podman unshare cat $mnt/root/buildinfo/content_manifests/ose-node-container-v4.6.0-202011181111.p0.json
{
    "metadata": {
        "icm_version": 1,
        "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
        "image_layer_index": 4
    },
    "content_sets": [
        "fast-datapath-for-rhel-8-x86_64-rpms",
        "rhel-8-for-x86_64-baseos-eus-rpms",
        "rhel-8-for-x86_64-appstream-eus-rpms",
        "rhocp-4.6-for-rhel-8-x86_64-rpms"
    ],
    "image_contents": []
}

The repositories used to build the container are listed under content_sets. This container was built with EUS repositories, so the EUS OVAL file should be used for the scan.
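The manifest-driven choice of OVAL feed, as an added shell example that is not part of the gist: it assumes RHEL 8 content only and takes the EUS minor version (8.2 above) as an argument, since content set names such as rhel-8-for-x86_64-baseos-eus-rpms do not encode it. The sample manifest embedded below is constructed to mirror the one shown above.

```shell
#!/bin/sh
# Added example, not from the gist: pick OVAL feeds from a content manifest.
# Assumptions: only RHEL 8 manifests; the EUS minor (e.g. 8.2) is passed in,
# since names like "rhel-8-for-x86_64-baseos-eus-rpms" do not carry it.
OVAL_BASE="https://www.redhat.com/security/data/oval/v2/RHEL8"

# Constructed sample manifest mirroring the one shown above (not a real file).
sample_manifest() {
    cat > "$1" <<'EOF'
{
    "content_sets": [
        "fast-datapath-for-rhel-8-x86_64-rpms",
        "rhel-8-for-x86_64-baseos-eus-rpms",
        "rhocp-4.6-for-rhel-8-x86_64-rpms"
    ],
    "image_contents": []
}
EOF
}

# Print content_sets entries one per line, unquoted. Works on the
# pretty-printed layout shown above without needing jq.
content_sets() {
    sed -n '/"content_sets"/,/]/p' "$1" | grep -o '"[^"]*-rpms"' | tr -d '"'
}

# Print the OVAL files to scan with: the base RHEL 8 feed always, plus the
# EUS feed whenever any content set name ends in "-eus-rpms".
oval_files() {
    echo "rhel-8.oval.xml.bz2"
    if content_sets "$1" | grep -q -- '-eus-rpms$'; then
        echo "rhel-$2-eus.oval.xml.bz2"
    fi
}

# The gist's flow as one function: create, mount, read the manifest(s), then
# run oscap-chroot once per selected feed (needs podman, oscap and network).
scan_image() {
    container=$(podman create "$1")
    mnt=$(podman unshare podman mount "$container")
    podman unshare sh -c "cat $mnt/root/buildinfo/content_manifests/*.json" > manifest.json
    for f in $(oval_files manifest.json "$2"); do
        [ -f "$f" ] || wget -q "$OVAL_BASE/$f"
        podman unshare oscap-chroot "$mnt" oval eval --report "${f%.oval.xml.bz2}.html" "$f"
    done
}
```

Call `scan_image registry.redhat.io/openshift4/ose-sdn-rhel8:v4.6 8.2` to reproduce the two scans above in one step.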
