Micah,

Thanks again for the info. I guess I am mistaken; I thought CentOS was
RHEL-based, so it should have been able to scan the container image. Then I
read on https://gist.github.com/gregelin/f94ba31f004ca4acea87
"

So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results
come back "not applicable?" Two reasons:

   1. Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL
   and not CentOS.
   2. Because CPE platform string is verified with an OVAL test that checks
   the RPMs for platform identification.

"

I also found https://www.centos.org/forums/viewtopic.php?t=50462 which
mentions:

To fix this you need to add centos to the profile section.

Open /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml in a text editor and
search for
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>

and add a line just after that with
  <platform idref="cpe:/o:centos:centos:6"/>


I'll take a look at BlackDuck, but I hope the OpenSCAP container will be
updated to better recognize CentOS.
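The datastream edit described in the forum post, done with a script instead of a text editor, as an added example that is not part of this thread or of the OpenSCAP/SSG projects: it parses the datastream as XML, inserts a CentOS <platform> element directly after every RHEL <platform> whose parent does not already list the CentOS CPE, and writes a copy rather than modifying the installed file in place. The sample datastream fragment embedded below is constructed for the example and only mimics the shape of ssg-rhel6-ds.xml (its rule id is made up); the namespace URIs are the standard XCCDF 1.2 and SCAP source datastream ones. It addresses only the first of the two reasons quoted from the gist above; the OVAL platform check (reason 2) is untouched by this edit.

```python
"""Add a CentOS <platform> next to the RHEL one in an SSG datastream.

Added example for this thread; not code from the OpenSCAP or SSG projects.
"""
import sys
import xml.etree.ElementTree as ET

# Standard namespace URIs used by SCAP source datastreams and XCCDF 1.2.
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
PLATFORM_TAG = "{%s}platform" % XCCDF_NS

RHEL6_CPE = "cpe:/o:redhat:enterprise_linux:6"
CENTOS6_CPE = "cpe:/o:centos:centos:6"

# Constructed fragment that mimics the shape of ssg-rhel6-ds.xml; it is not
# the real file and carries a single made-up rule id.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-rhel6-xccdf-1.2.xml">
    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-6">
      <xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux:6"/>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_common">
        <xccdf-1.2:title>Common Profile</xccdf-1.2:title>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example" selected="true"/>
      </xccdf-1.2:Profile>
    </xccdf-1.2:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def platform_idrefs(xml_text):
    """Return every <platform idref> in the document, in document order."""
    root = ET.fromstring(xml_text)
    return [el.get("idref") for el in root.iter(PLATFORM_TAG)]


def add_platform(xml_text, existing_cpe, new_cpe):
    """Insert <platform idref=new_cpe/> right after each <platform idref=existing_cpe/>.

    A parent that already lists new_cpe is left alone, so running this twice
    is harmless. Returns (new_xml, number_of_elements_added).
    """
    ET.register_namespace("ds", DS_NS)
    ET.register_namespace("xccdf-1.2", XCCDF_NS)
    root = ET.fromstring(xml_text)
    added = 0
    # Materialise the element list first: parents are mutated while walking.
    for parent in list(root.iter()):
        children = list(parent)
        present = {c.get("idref") for c in children if c.tag == PLATFORM_TAG}
        if new_cpe in present:
            continue
        for idx, child in enumerate(children):
            if child.tag == PLATFORM_TAG and child.get("idref") == existing_cpe:
                new = ET.Element(PLATFORM_TAG, {"idref": new_cpe})
                new.tail = child.tail  # keep the surrounding indentation
                parent.insert(idx + 1, new)
                added += 1
                break
    xml_out = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return xml_out, added


def main(argv):
    """Usage: add_centos_platform.py IN.xml OUT.xml (no args: run on SAMPLE_DS)."""
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as f:
            src = f.read()
    else:
        src = SAMPLE_DS
    out, n = add_platform(src, RHEL6_CPE, CENTOS6_CPE)
    if len(argv) == 3:
        with open(argv[2], "w", encoding="utf-8") as f:
            f.write(out)
    print("added %d platform element(s); platforms now: %s" % (n, platform_idrefs(out)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 add_centos_platform.py /usr/share/xml/scap/ssg/rhel6/ssg-rhel6-ds.xml /tmp/ssg-rhel6-centos-ds.xml` and point the scanner at the copy; a second run over the copy adds nothing, which is what you want before scripting this into an image build.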
On Thu, Feb 2, 2017 at 11:10 AM, Micah Abbott <[email protected]> wrote:

> On 02/02/2017 01:03 PM, Steve Poe wrote:
>
>> Micah,
>>
>> Thank you! That got me a step closer. I originally looked in the blogs
>> section on the project Atomic site, but I didn't see what you mentioned.
>>
>> As a test, I downloaded the Centos6 image:
>> docker.io/centos
>> centos6             8315978ceaaa        3 months ago        195 MB
>>
>> Ran 'atomic scan 8315978ceaaa' but received an error:
>>
>> 8315978ceaaa (docker.io/centos:centos6)
>>      8315978ceaaa is not supported for this scan.
>>
>
> Yeah, that is a limitation of the 'openscap' scanner right now.  Only
> RHEL-based images are supported, AFAIK.
>
>
> 'atomic scan' allows you to define your own scanner, so you could
> write/define your own.
>
> https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in/
>
>
> There is also a scanner from BlackDuck that seems to work almost out of
> the box:
>
> https://hub.docker.com/r/blackducksoftware/atomic_scanner/
>
>
>>
>>
>> On Thu, Feb 2, 2017 at 9:30 AM, Micah Abbott <[email protected]> wrote:
>>
>>     On 02/02/2017 12:13 PM, Steve Poe wrote:
>>
>>         I am reading about the ability to scan my images for known
>>         vulnerabilities.
>>
>>         On the Atomic host I created, I updated /etc/atomic.conf file
>>         and added
>>         the line:
>>         'default_scanner: openscap'
>>
>>         However, the change does not work for me:
>>
>>         atomic scan --list
>>         There are no scanners configured for this system.
>>
>>         What am I doing wrong?
>>
>>
>>         CAH info:
>>         centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/alpha
>>                Version: 7.2017.15 (2017-01-31 00:49:10)
>>
>>
>>     I don't think the 'atomic scan' command will work right out of the
>>     box with just that configuration.
>>
>>     You'll need to specify a scanner definition in '/etc/atomic.d/' like
>>     shown here:
>>
>>     https://github.com/projectatomic/atomic/blob/master/atomic.d/openscap
>>
>>     That should get you going in the right direction.
>>
