One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.
It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.
Red Hat Enterprise Linux (RHEL) 8.2 introduced the oscap-podman utility, which allows for container images to be scanned using OpenSCAP and Podman. This utility can both check for missing advisories in a container image, as well as assess security compliance of a container image against a baseline such as PCI-DSS.
I recently published a video, Scanning Containers for Vulnerabilities on RHEL 8.2 With OpenSCAP and Podman, that covers this new utility and demonstrates how to use it.
The video covers the following topics:
- Scanning container images for vulnerabilities with oscap-podman
- Assessing security compliance of a container image with the PCI-DSS baseline with oscap-podman
- Using Buildah, one of the Red Hat Container Tools, to create a new image with one of the OpenSCAP findings remediated
If you are running containers in your environment, and want to do so more securely, try out the oscap-podman utility. In addition to the video, there is also documentation covering scanning the system for configuration compliance and vulnerabilities, which covers oscap-podman in sections 6.10 and 6.11.
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]
Sobre el autor
Brian Smith is a product manager at Red Hat focused on RHEL automation and management. He has been at Red Hat since 2018, previously working with public sector customers as a technical account manager (TAM).
Más como éste
Ford's keyless strategy for managing 200+ Red Hat OpenShift clusters
F5 BIG-IP Virtual Edition is now validated for Red Hat OpenShift Virtualization
Can Kubernetes Help People Find Love? | Compiler
Scaling For Complexity With Container Adoption | Code Comments
Navegar por canal
Automatización
Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos
Inteligencia artificial
Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar
Nube híbrida abierta
Vea como construimos un futuro flexible con la nube híbrida
Seguridad
Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías
Edge computing
Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge
Infraestructura
Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo
Aplicaciones
Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones
Virtualización
El futuro de la virtualización empresarial para tus cargas de trabajo locales o en la nube
