One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.
It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.
Red Hat Enterprise Linux (RHEL) 8.2 introduced the oscap-podman utility, which allows for container images to be scanned using OpenSCAP and Podman. This utility can both check for missing advisories in a container image, as well as assess security compliance of a container image against a baseline such as PCI-DSS.
I recently published a video, Scanning Containers for Vulnerabilities on RHEL 8.2 With OpenSCAP and Podman, that covers this new utility and demonstrates how to use it.
The video covers the following topics:
- Scanning container images for vulnerabilities with oscap-podman
- Assessing security compliance of a container image with the PCI-DSS baseline with oscap-podman
- Using Buildah, one of the Red Hat Container Tools, to create a new image with one of the OpenSCAP findings remediated
If you are running containers in your environment, and want to do so more securely, try out the oscap-podman utility. In addition to the video, there is also documentation covering scanning the system for configuration compliance and vulnerabilities, which covers oscap-podman in sections 6.10 and 6.11.
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]
À propos de l'auteur
Brian Smith is a product manager at Red Hat focused on RHEL automation and management. He has been at Red Hat since 2018, previously working with public sector customers as a technical account manager (TAM).
Plus de résultats similaires
Red Hat and Sylva unify the future for telco cloud
Bridging the gap: Secure virtual and container workloads with Red Hat OpenShift and Palo Alto Networks
Can Kubernetes Help People Find Love? | Compiler
Scaling For Complexity With Container Adoption | Code Comments
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Virtualisation
L'avenir de la virtualisation d'entreprise pour vos charges de travail sur site ou sur le cloud
