One of the main benefits of containers is that the software that makes up a container is separate from the system that it is running on. The container's software is placed in a container image that can easily be distributed and run. From a security perspective, however, this can be a challenge, because many security compliance scanning software utilities are focused only on the host system, and potentially miss security issues that might be present in containers on the system. For example, if a container image contains an outdated and vulnerable package, many compliance scanning utilities would miss that if they only look at the packages installed on the host.
It is important that container images stay up-to-date with security updates, and that the container images also meet required security standards. Without an effective way to scan and evaluate container images, it is easy to get in a position where you are running containers with outdated, vulnerable versions of software, or containers with configurations that don't meet your security standards.
Red Hat Enterprise Linux (RHEL) 8.2 introduced the oscap-podman utility, which allows for container images to be scanned using OpenSCAP and Podman. This utility can both check for missing advisories in a container image, as well as assess security compliance of a container image against a baseline such as PCI-DSS.
I recently published a video, Scanning Containers for Vulnerabilities on RHEL 8.2 With OpenSCAP and Podman, that covers this new utility and demonstrates how to use it.
The video covers the following topics:
- Scanning container images for vulnerabilities with oscap-podman
- Assessing security compliance of a container image with the PCI-DSS baseline with oscap-podman
- Using Buildah, one of the Red Hat Container Tools, to create a new image with one of the OpenSCAP findings remediated
If you are running containers in your environment, and want to do so more securely, try out the oscap-podman utility. In addition to the video, there is also documentation covering scanning the system for configuration compliance and vulnerabilities, which covers oscap-podman in sections 6.10 and 6.11.
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]
Sobre o autor
Brian Smith is a product manager at Red Hat focused on RHEL automation and management. He has been at Red Hat since 2018, previously working with public sector customers as a technical account manager (TAM).
Mais como este
Red Hat and Sylva unify the future for telco cloud
Bridging the gap: Secure virtual and container workloads with Red Hat OpenShift and Palo Alto Networks
Can Kubernetes Help People Find Love? | Compiler
Scaling For Complexity With Container Adoption | Code Comments
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Virtualização
O futuro da virtualização empresarial para suas cargas de trabalho on-premise ou na nuvem
