Iscriviti al feed

As Red Hat's product portfolio of various products expands, we are offering more delivery options and methods to give customers more flexibility in how they use and consume Red Hat products.

Red Hat Enterprise Linux CoreOS (RHCOS) underpins Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes. RHCOS  demonstrates the flexibility that Red Hat delivers to customers by providing a comprehensive, dedicated and container-optimized base operating system.

As part of our Secure Software Development Lifecycle (Secure SDLC) practices, Red Hat provides granular and accessible security metadata, improving security risk identification across the Red Hat portfolio. This article covers some of the recent improvements in the security data for RHCOS.

What is RHCOS?

RHCOS is a dedicated, container-optimized operating system only available and supported as part of OpenShift. RHCOS is the only supported operating system for the OpenShift control plane or master machines. Traditional Red Hat Enterprise Linux (RHEL) can be used on the OpenShift compute nodes, also known as worker machines, but then users lose access to the RHCOS features for these nodes, including things like controlled immutability, rpm-ostree upgrades, updates through the Machine Config Operator and many more.

A full list of RHCOS features can be found in the RHCOS documentation.

OpenShift RHCOS is a pre-created, container-focused operating system image, built on well-tested RHEL RPM packages with an enhanced security posture. It also includes additional OpenShift and Fast Datapath (FDP) RPM packages necessary for this product. For more information on identifying RPM packages in RHCOS and how to find the necessary security data, see the following articles:

RHCOS is sometimes called CoreOS, but it is important to note that CoreOS (CoreOS Container Linux) was an upstream community project that reached end of life on May 26, 2020; it is now superseded and replaced by Fedora CoreOS. Fedora CoreOS is a freely available, community distribution that is the upstream basis for Red Hat Enterprise Linux CoreOS.

RHCOS delivery method

The RHCOS builds are fully managed by OpenShift updates automation. The OpenShift Update Service (OSUS) provides update recommendations for OpenShift, including RHCOS. To better understand the RHCOS installation, and specifically the update process, refer to the Introduction to OpenShift updates documentation.

The easiest way to check the RHCOS version used in the specific OpenShift version, is to use the OpenShift CLI (oc) tool and run the following command:

$ oc adm release info 4.15.0 
--registry-config=path_to_the_pull-secret.txt

Version 4.15.0 is the OpenShift version you want to check. The pull secret can be downloaded from https://console.redhat.com/openshift/downloads.

On top of the output, you will see various metadata about the specific OpenShift version. The RHCOS version information is included in the Component Versions section.  For example:

Component Versions:
 kubernetes 1.28.6                
 machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS

In the list of the default OpenShift images available in the specific release, there is a machine-os-content container image, which contains a list of RPM packages installed in the RHCOS used in this version of OpenShift. There are instructions about how to get the necessary information in the Obtaining package list for RHEL CoreOS or specific image article.

Starting from OpenShift 4.16.0, the machine-os-contentcontainer image is no longer shipped. Starting from OpenShift 4.12.0, RHCOS is shipped as a container image and can be found under rhel-coreos(or rhel-coreos-8, depending on which version of OpenShift you're using) name. By adding the --pullspecsoption to the above command, you can get the full source repository path where the specific RHCOS image can be downloaded.

Dedicated RHCOS security metadata

Because RHCOS is a composition of selected RPM packages taken from a few of Red Hat’s product repositories, it was challenging to match the included components to the correct Red Hat security data. Collecting all of the necessary data for performing the correct security risk assessment process was time consuming, but at the same time it was a necessary step in the correct vulnerability management process.

The Red Hat Product Security team started publishing dedicated RHCOS security metadata in October 2024. RHCOS is treated as another OpenShift component, similar to OpenShift container images. The entire vulnerability management process, including product-level risk assessment, is done for all RHCOS components. This includes all RPM packages, including the kernel. The scope of this security data improvement includes all vulnerabilities directly impacting the RHCOS components, such as vulnerabilities in the kernel, OpenSSL, or cri-o components. Vulnerabilities that have an indirect impact, such as Golang CVEs, are not in scope of the current data enhancement but we plan to add them in later improvements. Increasing the scope of coverage won't impact how RHCOS security metadata is presented to customers.

Security data representation

RHCOS security data is available in two different formats, human-readable and machine-readable.

Human-readable data format

New security data is available in the human-readable format on Red Hat CVE pages. For example, fixed RHCOS vulnerabilities appear as follows:

https://access.redhat.com/security/cve/CVE-2024-26602

Human-readable data format

The RHCOS security metadata covers all statuses visible on Red Hat CVE pages depending on the following vulnerability lifecycle:

  • Affected
  • Not affected
  • Under investigation
  • Fixed
  • Will not fix
  • Fix deferred

See the following examples of CVEs that impact RHCOS with different security states:

“Fix Deferred” https://access.redhat.com/security/cve/CVE-2024-45310

Fix Deferred

“Under investigation” https://access.redhat.com/security/cve/CVE-2024-8418

Under investigation

Note: The security state can change over time, based on the vulnerability lifecycle.

Machine-readable data format

The same security metadata are available in machine-readable formats in official Red Hat CSAF and VEX files. For example, the released patch for CVE-2024-26602 is represented as follows:

The VEX file for CVE-2024-26602.

CSAF advisory with the RHCOS security patch RHSA-2024:1765.

When the particular vulnerability is fixed, the VEX and CSAF files contain detailed information about the RHCOS fixed version, including various architectures and a RHCOS digest SHA in a purlformat. In the associated product level, the "product_tree": {...} object provides information about the OpenShift version where a patch is included. For all security statuses other than Fixed (based on the CSAF standard and VEX profile), the RHCOS component is represented by a purl identifier without version details.

To read more about CSAF and VEX files security data and their implementation please see the following articles:


Red Hat security data updates

We are continuously improving our security metadata by making it more detailed and specific. This applies not only to vulnerability data, but also to other security-related data, such as the software bill of materials (SBOM) or compliance and attestation data. Changes related to the Red Hat Security Data can be found in the Red Hat Security Data Changelog.

Please contact Red Hat Product Security with any questions regarding security data at secalert@redhat.com, or file an issue in the public SECDATA Jira project.

Build a foundation for zero trust in Linux environments


Sull'autore

Przemysław Roguski is a Security Architect at Red Hat who specializes in Cloud Products security aspects. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security. He is focused on the security data improvements (various upstream and downstream security initiatives and projects like CWE, Kubernetes, Red Hat Vulnerability Scanner Certification program) to build better understanding of the security issues and improve client satisfaction.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Ricerca per canale

automation icon

Automazione

Novità sull'automazione IT di tecnologie, team e ambienti

AI icon

Intelligenza artificiale

Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque

open hybrid cloud icon

Hybrid cloud open source

Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido

security icon

Sicurezza

Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti

edge icon

Edge computing

Aggiornamenti sulle piattaforme che semplificano l'operatività edge

Infrastructure icon

Infrastruttura

Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale

application development icon

Applicazioni

Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili

Original series icon

Serie originali

Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende