As Red Hat's product portfolio expands, we are offering more delivery options and methods to give customers more flexibility in how they use and consume Red Hat products.
Red Hat Enterprise Linux CoreOS (RHCOS) underpins Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes. RHCOS demonstrates the flexibility that Red Hat delivers to customers by providing a comprehensive, dedicated and container-optimized base operating system.
As part of our Secure Software Development Lifecycle (Secure SDLC) practices, Red Hat provides granular and accessible security metadata, improving security risk identification across the Red Hat portfolio. This article covers some of the recent improvements in the security data for RHCOS.
What is RHCOS?
RHCOS is a dedicated, container-optimized operating system only available and supported as part of OpenShift. RHCOS is the only supported operating system for the OpenShift control plane or master machines. Traditional Red Hat Enterprise Linux (RHEL) can be used on the OpenShift compute nodes, also known as worker machines, but then users lose access to the RHCOS features for these nodes, including things like controlled immutability, rpm-ostree upgrades, updates through the Machine Config Operator and many more.
A full list of RHCOS features can be found in the RHCOS documentation.
OpenShift RHCOS is a pre-created, container-focused operating system image, built on well-tested RHEL RPM packages with an enhanced security posture. It also includes additional OpenShift and Fast Datapath (FDP) RPM packages necessary for this product. For more information on identifying RPM packages in RHCOS and how to find the necessary security data, see the following articles:
- Obtaining package list for RHEL CoreOS or specific image
- RHEL Versions Utilized by RHEL CoreOS and OCP
- CoreOS Kernel Versions in OCP4
RHCOS is sometimes called CoreOS, but it is important to note that CoreOS (CoreOS Container Linux) was an upstream community project that reached end of life on May 26, 2020; it is now superseded and replaced by Fedora CoreOS. Fedora CoreOS is a freely available, community distribution that is the upstream basis for Red Hat Enterprise Linux CoreOS.
RHCOS delivery method
The RHCOS builds are fully managed by OpenShift updates automation. The OpenShift Update Service (OSUS) provides update recommendations for OpenShift, including RHCOS. To better understand the RHCOS installation, and specifically the update process, refer to the Introduction to OpenShift updates documentation.
The easiest way to check the RHCOS version used in a specific OpenShift version is to use the OpenShift CLI (oc) tool and run the following command:
$ oc adm release info 4.15.0 --registry-config=path_to_the_pull-secret.txt
Version 4.15.0 is the OpenShift version you want to check. The pull secret can be downloaded from https://console.redhat.com/openshift/downloads.
At the top of the output, you will see various metadata about the specific OpenShift version. The RHCOS version information is included in the Component Versions section. For example:
Component Versions:
  kubernetes 1.28.6
  machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS
In the list of the default OpenShift images available in the specific release, there is a machine-os-content container image, which contains the list of RPM packages installed in the RHCOS used in this version of OpenShift. Instructions for obtaining this information are in the Obtaining package list for RHEL CoreOS or specific image article.
Starting from OpenShift 4.16.0, the machine-os-content container image is no longer shipped. Starting from OpenShift 4.12.0, RHCOS is shipped as a container image and can be found under the rhel-coreos (or rhel-coreos-8, depending on which version of OpenShift you're using) name. By adding the --pullspecs option to the above command, you can get the full source repository path from which the specific RHCOS image can be downloaded.
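As an added example (not part of the original article and not a Red Hat tool), the following Python script parses the output of oc adm release info with --pullspecs and extracts the machine-os version from the Component Versions section together with the RHCOS image pullspec from the Images section. The sample output embedded in the script is constructed and simplified; the digests are placeholders, and only the version numbers quoted in the article are real. The fetch_release_info helper runs the real command and therefore requires oc and a pull secret on the machine.

```python
import subprocess
from dataclasses import dataclass

# Constructed, simplified sample of `oc adm release info 4.15.0 --pullspecs` output.
# Digests are placeholders; the kubernetes and machine-os versions are those quoted above.
SAMPLE_RELEASE_INFO = """\
Name:      4.15.0
Digest:    sha256:PLACEHOLDER-release-digest
OS/Arch:   linux/amd64

Component Versions:
  kubernetes 1.28.6
  machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS

Images:
  NAME                     PULL SPEC
  machine-config-operator  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:PLACEHOLDER-mco
  rhel-coreos              quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:PLACEHOLDER-rhcos
"""


@dataclass
class ReleaseInfo:
    version: str
    components: dict  # component name -> version (Component Versions section)
    images: dict      # image name -> pullspec (Images section)


def parse_release_info(text):
    """Parse the text output of `oc adm release info --pullspecs`.

    Unindented lines are either "Key: value" metadata or section headers that end
    with ':'; indented lines belong to the most recent section header.
    """
    version, components, images, section = None, {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Name" and value:
                version = value
            section = key if not value else None
            continue
        fields = line.split()
        if section == "Component Versions" and len(fields) >= 2:
            components[fields[0]] = fields[1]      # e.g. machine-os 415.92.202402201450-0
        elif section == "Images" and len(fields) == 2 and fields[0] != "NAME":
            images[fields[0]] = fields[1]          # NAME  PULL SPEC rows
    return ReleaseInfo(version, components, images)


def rhcos_version(info):
    """The RHCOS build string reported as machine-os."""
    return info.components.get("machine-os")


def rhcos_image(info):
    """(image name, pullspec) of the RHCOS image, whichever name this release uses."""
    for name in ("rhel-coreos", "rhel-coreos-8", "machine-os-content"):
        if name in info.images:
            return name, info.images[name]
    return None


def fetch_release_info(version, pull_secret_path):
    """Run the real command from the article (requires oc and a pull secret)."""
    cmd = ["oc", "adm", "release", "info", version, "--pullspecs",
           f"--registry-config={pull_secret_path}"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_release_info(out.stdout)


if __name__ == "__main__":
    info = parse_release_info(SAMPLE_RELEASE_INFO)
    print("OpenShift", info.version, "ships RHCOS", rhcos_version(info))
    print("RHCOS image:", rhcos_image(info))
```

Replace the sample with fetch_release_info("4.15.0", "pull-secret.txt") to query a real release; the pullspec it returns is the digest-pinned reference you would feed to a scanner or compare against the purl in the RHCOS security data.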
Dedicated RHCOS security metadata
Because RHCOS is a composition of selected RPM packages taken from several of Red Hat’s product repositories, it was challenging to match the included components to the correct Red Hat security data. Collecting all of the data needed for a correct security risk assessment was time consuming, yet it was a necessary step in the vulnerability management process.
The Red Hat Product Security team started publishing dedicated RHCOS security metadata in October 2024. RHCOS is treated as another OpenShift component, similar to OpenShift container images. The entire vulnerability management process, including product-level risk assessment, is done for all RHCOS components. This includes all RPM packages, including the kernel. The scope of this security data improvement includes all vulnerabilities directly impacting the RHCOS components, such as vulnerabilities in the kernel, OpenSSL, or cri-o components. Vulnerabilities that have an indirect impact, such as Golang CVEs, are not in scope of the current data enhancement but we plan to add them in later improvements. Increasing the scope of coverage won't impact how RHCOS security metadata is presented to customers.
Security data representation
RHCOS security data is available in two different formats, human-readable and machine-readable.
Human-readable data format
New security data is available in the human-readable format on Red Hat CVE pages. For example, fixed RHCOS vulnerabilities appear as follows:
https://access.redhat.com/security/cve/CVE-2024-26602
The RHCOS security metadata covers all statuses visible on Red Hat CVE pages depending on the following vulnerability lifecycle:
- Affected
- Not affected
- Under investigation
- Fixed
- Will not fix
- Fix deferred
See the following examples of CVEs that impact RHCOS with different security states:
- “Fix Deferred”: https://access.redhat.com/security/cve/CVE-2024-45310
- “Under investigation”: https://access.redhat.com/security/cve/CVE-2024-8418
Note: The security state can change over time, based on the vulnerability lifecycle.
Machine-readable data format
The same security metadata is available in machine-readable formats in the official Red Hat CSAF and VEX files. For example, the released patch for CVE-2024-26602 is represented as follows:
- The VEX file for CVE-2024-26602.
- The CSAF advisory with the RHCOS security patch, RHSA-2024:1765.
When a particular vulnerability is fixed, the VEX and CSAF files contain detailed information about the fixed RHCOS version, including the various architectures and the RHCOS digest SHA in purl format. At the associated product level, the "product_tree": {...} object provides information about the OpenShift version where the patch is included. For all security statuses other than Fixed (based on the CSAF standard and VEX profile), the RHCOS component is represented by a purl identifier without version details.
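As an added example, not part of the original article and not Red Hat's own tooling, the following Python walks a VEX document in CSAF 2.0 shape (product_tree branches and relationships, then vulnerabilities[].product_status and remediations) and reports the status, purl and advisory for every RHCOS entry it finds. The embedded document is a constructed, simplified stand-in for the real VEX file for CVE-2024-26602: the product ids, purl and digest are placeholders, and only the CVE and advisory ids quoted in the article are real. It shows the point made above, a versioned purl with a digest for the Fixed status and a bare purl for any other status; load_vex reads a downloaded file instead.

```python
import json

# Constructed, simplified VEX document in CSAF 2.0 shape. Product ids, the purl
# and the digest are placeholders, not values from Red Hat's real file.
SAMPLE_VEX = {
    "document": {"category": "csaf_vex", "tracking": {"id": "CVE-2024-26602"}},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_family", "name": "Red Hat OpenShift Container Platform",
             "branches": [
                 {"category": "product_name", "name": "Red Hat OpenShift Container Platform 4.15",
                  "product": {"name": "Red Hat OpenShift Container Platform 4.15",
                              "product_id": "OpenShift-4.15"}},
                 {"category": "product_name", "name": "Red Hat OpenShift Container Platform 4.14",
                  "product": {"name": "Red Hat OpenShift Container Platform 4.14",
                              "product_id": "OpenShift-4.14"}}]},
            # Fixed build: purl carries the image digest and the RHCOS version tag.
            {"category": "product_version", "name": "rhel-coreos",
             "product": {"name": "rhel-coreos", "product_id": "rhel-coreos-fixed",
                         "product_identification_helper": {"purl":
                             "pkg:oci/rhel-coreos@sha256:PLACEHOLDER-DIGEST"
                             "?arch=amd64&tag=415.92.202402201450-0"}}},
            # Non-fixed status: purl without version details.
            {"category": "product_version", "name": "rhel-coreos",
             "product": {"name": "rhel-coreos", "product_id": "rhel-coreos",
                         "product_identification_helper": {"purl": "pkg:oci/rhel-coreos"}}}]}],
        "relationships": [
            {"category": "default_component_of",
             "full_product_name": {"name": "rhel-coreos as a component of OpenShift 4.15",
                                   "product_id": "OpenShift-4.15:rhel-coreos"},
             "product_reference": "rhel-coreos-fixed",
             "relates_to_product_reference": "OpenShift-4.15"},
            {"category": "default_component_of",
             "full_product_name": {"name": "rhel-coreos as a component of OpenShift 4.14",
                                   "product_id": "OpenShift-4.14:rhel-coreos"},
             "product_reference": "rhel-coreos",
             "relates_to_product_reference": "OpenShift-4.14"}]},
    "vulnerabilities": [{
        "cve": "CVE-2024-26602",
        "product_status": {"fixed": ["OpenShift-4.15:rhel-coreos"],
                           "known_affected": ["OpenShift-4.14:rhel-coreos"]},
        "remediations": [
            {"category": "vendor_fix", "product_ids": ["OpenShift-4.15:rhel-coreos"],
             "url": "https://access.redhat.com/errata/RHSA-2024:1765"},
            {"category": "none_available", "details": "Affected",
             "product_ids": ["OpenShift-4.14:rhel-coreos"]}]}]}


def load_vex(path):
    """Read a downloaded CSAF/VEX JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_products(tree):
    """Flatten product_tree into product_id -> product, including relationship ids."""
    products = {}

    def walk(branch):
        if "product" in branch:
            products[branch["product"]["product_id"]] = branch["product"]
        for child in branch.get("branches", []):
            walk(child)

    for branch in tree.get("branches", []):
        walk(branch)
    for rel in tree.get("relationships", []):  # component X inside product Y
        fpn = rel["full_product_name"]
        products[fpn["product_id"]] = {"name": fpn["name"], "product_id": fpn["product_id"],
                                       "component": rel["product_reference"],
                                       "parent": rel["relates_to_product_reference"]}
    return products


def rhcos_statuses(doc, component_name="rhel-coreos"):
    """Return {product_id: details} for each RHCOS entry across all product_status lists."""
    products = index_products(doc["product_tree"])
    results = {}
    for vuln in doc.get("vulnerabilities", []):
        remediation_for = {pid: rem for rem in vuln.get("remediations", [])
                           for pid in rem.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                entry = products.get(pid, {})
                component = products.get(entry.get("component", ""), {})
                if component.get("name") != component_name:
                    continue  # some other OpenShift component
                rem = remediation_for.get(pid, {})
                results[pid] = {
                    "cve": vuln.get("cve"), "status": status,
                    "product": products.get(entry.get("parent"), {}).get("name"),
                    "purl": component.get("product_identification_helper", {}).get("purl"),
                    "remediation": rem.get("category"), "details": rem.get("details"),
                    "advisory": rem.get("url")}
    return results


if __name__ == "__main__":
    for pid, info in rhcos_statuses(SAMPLE_VEX).items():
        print(pid, info["status"], info["purl"], info["advisory"])
```

The status keys come straight from the CSAF product_status object (fixed, known_affected, known_not_affected, under_investigation); Red Hat's finer-grained states such as Will not fix or Fix deferred are carried in the remediation entries, so the code reports the remediation category and details alongside the status rather than guessing a mapping.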
To read more about the CSAF and VEX security data files and their implementation, see the following articles:
- CSAF VEX documents now generally available
- Vulnerability Exploitability eXchange (VEX) beta files now available
- Red Hat VEX files for CVEs are now generally available
- Red Hat Security Data Guidelines
Red Hat security data updates
We are continuously improving our security metadata by making it more detailed and specific. This applies not only to vulnerability data, but also to other security-related data, such as the software bill of materials (SBOM) or compliance and attestation data. Changes related to the Red Hat Security Data can be found in the Red Hat Security Data Changelog.
Please contact Red Hat Product Security with any questions regarding security data at secalert@redhat.com, or file an issue in the public SECDATA Jira project.
About the author
Przemysław Roguski is a Security Architect at Red Hat who specializes in Cloud Products security aspects. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security. He is focused on the security data improvements (various upstream and downstream security initiatives and projects like CWE, Kubernetes, Red Hat Vulnerability Scanner Certification program) to build better understanding of the security issues and improve client satisfaction.