Inspecting Security of Docker-formatted Container Images
To find Peace of Mind
Ján Lieskovský
[email protected] on #openscap
Docker Concepts - Introductory Notes
Docker Formatted Container Images: Interesting Application Platform
For developers
● Focus on content (rather than on the build process)
● Data aggregation via the Docker Image Specification
● Simplified release management
● Easy customization
For users
● Abundance of applications available in the official hub
● Simple application deployment
● Continuous application lifecycle management
● Easy customization
Basic Docker Terms: Docker image
● Ordered collection of root filesystem changes
● Coupled with corresponding execution parameters
● Doesn’t have a state
● Read-only (never changes)
● Set of layers stacked on top of each other
● Each image is derived from a base image
● Transformed to the final image through a set of steps (instructions):
  ○ Run a command
  ○ Add a file or directory
  ○ Create an environment variable
  ○ Declare what process to run when launching a container from this image
Docker image vs Docker container: Docker container
● Any (running / stopped) instance of a Docker image
● Consists of:
  ○ Docker image
  ○ Execution environment
  ○ Standard set of instructions
● It’s possible to have many running containers of the same image
Virtual Machines vs Containers
Container security. And why it matters
Container Security Matters: Basic security bricks of Docker daemon / containers
● Kernel security (updates, support for namespaces, cgroups)
● Security of the Docker daemon
● Security of the specific Dockerfile
Container Security Matters: Kernel namespaces, cgroups
● Form of isolation
● Own network stack per container
● Resource management via cgroups
Container Security Matters: Other kernel features applied in Docker security
● Linux kernel capabilities
● GRSEC, PAX
● SELinux, AppArmor
So far looks reasonable, right?
Container Security Matters: But, what if we overlooked something?
22 April 2014, Daniel J. Walsh (Red Hat): Containers do not contain
Bottom line:
● When running a container, not every major kernel subsystem is namespaced:
  ○ SELinux
  ○ Cgroups
  ○ File system under /sys
  ○ /proc/sys, /proc/irq, /proc/bus
  ○ Devices and kernel modules are not namespaced
Container Security Matters: But, what if we overlooked something? Meet Shocker!
Container Security Matters: What do the wise men have to say?
22 Jul 2014, Jérôme Petazzoni (Docker Inc.): Is it Safe to Run Applications in Linux Containers?
Bottom line:
● Don't run things as root
● Drop capabilities
● Enable user namespaces
● Get rid of shady SUID binaries
● Enable SELinux (or AppArmor)
● Use seccomp-bpf
● Get a GRSEC kernel
● Update kernels often
● Mount everything read-only
● Ultimately, fence things in VMs
03 Sep 2014, Daniel J. Walsh (Red Hat): Bringing new security features to Docker
Bottom line:
● Only run applications from a trusted source
● Run applications on an enterprise-quality host
● Install updates regularly
● Drop privileges as quickly as possible
● Run as non-root whenever possible
● Watch your logs
● setenforce 1
Container Security Matters: Plenty of applications from Official Repositories
Container Security Matters: (Another) plenty of applications from Custom Repositories
Container Security Matters: Who built these images?
Container Security Matters: Docker Image Signing and Verification
12 Aug 2015: introduced in Docker v1.8, using The Update Framework
Docker Content Trust Workflow
● Image producer: when pushing an image to a remote repository, the Docker engine signs the content using the publisher’s private key
● Image consumer: when pulling an image, the Docker engine verifies the content of the image using the publisher’s public key. If image tampering is detected, the pull fails
Two types of keys known by Docker Content Trust:
  ○ Tagging key
    ■ One such key is created per each new repository the publisher owns
    ■ Intended to be shared with any person / system requiring the ability to sign content for this repository
  ○ Offline key
    ■ Can be shared across repositories
    ■ Required to create a new repository or to rotate existing tagging keys
Provides:
  ○ Protection against image tampering
  ○ Protection against image replay attacks
  ○ Protection against tagging key compromise
Container Security Matters: We know the publisher. But how were all these images built?
Docker image (quick recap)
● Each image is derived from a base image
● Transformed to the final image through a set of steps (instructions)
Creating new images
● Update the container (a running image), then commit the changes to an image
● Build a new image from a Dockerfile
Container Security Matters: Who can build / update the containers?
Anyone!!!
Container Security Matters: What do we trust in when pulling images?
● The base image the pulled image is derived from was secure
● The newly introduced changes were performed in a secure way
● When a security flaw was found in the base image or in the changes, the image available in the repository has already been updated
Container Security Matters: Docker daemon / container security - Lessons Learned
Ultimate goal:
● Secure container infrastructure
Trust the design:
● We can trust the Docker design to be secure
But act responsibly:
● Verify that all of the host, daemon and containers truly are secure
How to verify (inspect) security of containers / images?
Inspecting Security of Containers / Images
Two separate tasks:
● Inspect presence of security flaws (vulnerability assessment)
● Verify the configuration is secure (security compliance)
Vulnerability Assessment of Containers / Images
● HTML advisories are easily consumable by humans
● But not suitable for machine processing
● We need a standard
● Security errata information available in the form of that standard
● Scanner able to perform an automated scan
● We need a standard to:
  ○ represent configuration information of systems
  ○ analyze the system for the presence of a specified machine state (vulnerability, configuration, …)
  ○ report the results of the assessment back
Open Vulnerability and Assessment Language (OVAL)
● Security errata information available in the form of that standard:
  ○ Red Hat OVAL security data
  ○ Ubuntu OVAL security data
  ○ …
Vulnerability Assessment of Containers
# dnf -y install openscap-containers
# docker pull richxsl/rhel7
# wget http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
# docker run -i -t richxsl/rhel7 /bin/bash
# oscap-docker container-cve richxsl/rhel7
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160650: false
Definition oval:com.redhat.rhsa:def:20160612: false
Definition oval:com.redhat.rhsa:def:20160594: false
Definition oval:com.redhat.rhsa:def:20160534: false
Definition oval:com.redhat.rhsa:def:20160532: true
...
Vulnerability Assessment of Images
Running untrusted containers might be dangerous!
Let’s scan the images instead!!!
Vulnerability Assessment of Containers
# oscap-docker image-cve richxsl/rhel7
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160650: false
Definition oval:com.redhat.rhsa:def:20160612: false
Definition oval:com.redhat.rhsa:def:20160594: false
Definition oval:com.redhat.rhsa:def:20160534: false
Definition oval:com.redhat.rhsa:def:20160532: true
...
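The per-definition output above is easy to read but awkward to act on automatically. As an added example (not from the slides or the OpenSCAP project), the POSIX shell functions below turn the `Definition ...: true` lines of `oscap-docker image-cve` into the affected RHSA advisory ids and a pass/fail exit status usable as a build gate; the sample output is constructed from the format shown above, and the id mapping (definition 20160685 -> RHSA-2016:0685) follows Red Hat's OVAL naming convention.

```shell
#!/bin/sh
# Added example: post-process `oscap-docker image-cve <image>` output.
# Only lines of the form "Definition oval:com.redhat.rhsa:def:YYYYNNNN: true"
# mean the image is affected; everything else is ignored.

# Constructed sample, copied from the output format on the slides.
SAMPLE_OUTPUT='Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160532: true'

# Read scanner output on stdin; print one RHSA id per affected definition.
# Definition id 20160685 becomes RHSA-2016:0685 (year + 4-digit advisory number).
affected_advisories() {
    awk '$1 == "Definition" && $2 ~ /^oval:com\.redhat\.rhsa:def:/ && $3 == "true" {
            id = $2
            sub(/^oval:com\.redhat\.rhsa:def:/, "", id)
            sub(/:$/, "", id)
            printf "RHSA-%s:%s\n", substr(id, 1, 4), substr(id, 5)
        }'
}

# Build gate: read scanner output on stdin, report the count, and return
# non-zero when the image has at least one open advisory.
gate_image() {
    n=$(affected_advisories | wc -l | tr -d ' ')
    echo "affected advisories: $n"
    [ "$n" -eq 0 ]
}

# Demo on the constructed sample. Real use:
#   oscap-docker image-cve richxsl/rhel7 | gate_image || echo "image NOT clean"
printf '%s\n' "$SAMPLE_OUTPUT" | affected_advisories
```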
Verification if Configuration of Containers / Images is Secure?
# dnf -y install scap-security-guide
# oscap-docker image richxsl/rhel7 xccdf eval \
    --profile standard --report /tmp/report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Questions?
http://www.open-scap.org/tools/
https://github.com/OpenSCAP
(We are hiring)
Ján Lieskovský
[email protected] on #openscap
Slightly Advanced Topics
Customizing security policy for particular use case
Example use case:
● Detect unauthorised SUID binaries present in the container
● Modify the standard SCAP Security Guide profile to contain just the "file_permissions_unauthorized_suid" rule
● Rescan the image
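The standard XCCDF way to narrow a profile to one rule without editing the SCAP Security Guide content itself is a tailoring file. As an added example (not from the slides or the OpenSCAP project), this shell script writes such a tailoring file and rescans the image with it. It assumes the SSG XCCDF 1.2 rule-id prefix `xccdf_org.ssgproject.content_rule_`, the datastream path `ssg-rhel7-ds.xml` in place of the plain XCCDF file the slides use, and made-up tailoring and profile ids.

```shell
#!/bin/sh
# Added example: XCCDF tailoring that selects only the SUID rule, then a rescan.
# Assumptions: SSG 1.2 rule-id prefix, datastream path, and the example ids.

RULE_ID="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid"
PROFILE_ID="xccdf_org.example_profile_suid_only"
CONTENT="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"

# Write the tailoring file to $1. A Profile that does not extend an SSG profile
# starts empty, so the single <select> is the whole rule set that gets evaluated.
write_suid_tailoring() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_suid_only">
  <xccdf:benchmark href="$CONTENT"/>
  <xccdf:version time="2016-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="$PROFILE_ID">
    <xccdf:title>Unauthorized SUID binaries only</xccdf:title>
    <xccdf:description>Only the SUID rule from the SCAP Security Guide.</xccdf:description>
    <xccdf:select idref="$RULE_ID" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# Sanity check before scanning: how many rules does the tailoring select?
selected_rule_count() {
    grep -c '<xccdf:select ' "$1"
}

# Rescan an image with the tailored profile (skipped when oscap-docker is absent).
scan_image_suid() {
    image="$1"; tailoring="$2"
    if ! command -v oscap-docker >/dev/null 2>&1; then
        echo "oscap-docker not installed; tailoring left at $tailoring" >&2
        return 0
    fi
    oscap-docker image "$image" xccdf eval \
        --tailoring-file "$tailoring" --profile "$PROFILE_ID" \
        --report /tmp/suid-report.html "$CONTENT"
}

TAILORING="${TMPDIR:-/tmp}/ssg-rhel7-suid-tailoring.xml"
write_suid_tailoring "$TAILORING"
echo "tailoring written to $TAILORING ($(selected_rule_count "$TAILORING") rule selected)"
# To rescan the image from the slides:
#   scan_image_suid richxsl/rhel7 "$TAILORING"
```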