One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.
It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.
Red Hat Enterprise Linux (RHEL) 8.2 introduced the oscap-podman utility, which allows for container images to be scanned using OpenSCAP and Podman. This utility can both check for missing advisories in a container image, as well as assess security compliance of a container image against a baseline such as PCI-DSS.
I recently published a video, Scanning Containers for Vulnerabilities on RHEL 8.2 With OpenSCAP and Podman, that covers this new utility and demonstrates how to use it.
The video covers the following topics:
- Scanning container images for vulnerabilities with oscap-podman
- Assessing security compliance of a container image with the PCI-DSS baseline with oscap-podman
- Using Buildah, one of the Red Hat Container Tools, to create a new image with one of the OpenSCAP findings remediated
If you are running containers in your environment, and want to do so more securely, try out the oscap-podman utility. In addition to the video, there is also documentation covering scanning the system for configuration compliance and vulnerabilities, which covers oscap-podman in sections 6.10 and 6.11.
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]
Sull'autore
Brian Smith is a product manager at Red Hat focused on RHEL automation and management. He has been at Red Hat since 2018, previously working with public sector customers as a technical account manager (TAM).
Altri risultati simili a questo
Simplify Red Hat Enterprise Linux provisioning in image builder with new Red Hat Lightspeed security and management integrations
F5 BIG-IP Virtual Edition is now validated for Red Hat OpenShift Virtualization
Scaling For Complexity With Container Adoption | Code Comments
Kubernetes and the quest for a control plane | Technically Speaking
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud
