RHEL 8 - Scanning container images for vulnerabilities and security compliance with OpenSCAP, and fixing the findings


OpenShift 4.x HOL tutorial collection
Verified on RHEL 8.4
Prerequisite for this article: RHEL8 - Configure a YUM repo from the installation ISO file

Prepare the environment

  1. Install the SCAP scanning tools (openscap-utils provides oscap and oscap-podman; scap-security-guide provides the XCCDF data streams used below).
$ yum install -y openscap-utils scap-security-guide wget
  2. Install the container tools.
$ yum install -y podman buildah
  3. Install the other tools used below. jq is needed to parse the output of podman image inspect.
$ yum install -y wget jq

Scanning container images for CVEs

Download the OVAL file

$ wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml

Scan the container images

  1. Pull the two container images "registry.access.redhat.com/ubi8:latest" and "registry.access.redhat.com/ubi8:8.0-126". Shell variable names cannot contain a hyphen, and ${TAG-NEW} is the shell's default-value expansion (it expands to the literal "NEW" when TAG is unset), so the variables use underscores.
$ TAG_NEW=latest
$ TAG_OLD=8.0-126
$ podman pull registry.access.redhat.com/ubi8:${TAG_NEW}
$ podman pull registry.access.redhat.com/ubi8:${TAG_OLD}
  2. List the images pulled locally.
$ podman images ubi8
REPOSITORY                             TAG      IMAGE ID      CREATED      SIZE
registry.access.redhat.com/ubi8        latest   272209ff0ae5  9 days ago   234 MB
registry.access.redhat.com/ubi8        8.0-126  7ae69d957d8b  2 years ago  216 MB
  3. Scan each image, by image ID, against the OVAL file downloaded above. A definition result of true means the image contains a package version that the advisory fixes. The uname probe warning is expected when scanning an image offline: there is no running kernel to query.
$ ID=$(podman image inspect ubi8:${TAG_NEW} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG_NEW}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: false
W: oscap:     Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
...
 
$ ID=$(podman image inspect ubi8:${TAG_OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG_OLD}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: true
W: oscap:     Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
...

Review the image scan results

  1. List the scan result files.
$ ll /tmp/oval-report-ubi8*
-rw-r--r--. 1 root root 557791 Jun 12 10:24 /tmp/oval-report-ubi8:latest.html
-rw-r--r--. 1 root root 557646 Jun 12 11:52 /tmp/oval-report-ubi8:8.0-126.html
  2. Open the result files in a browser. Below are the scan results for "ubi8:latest" and "ubi8:8.0-126" (the reports are long; only part of each is shown). "ubi8:latest" is the current image, built on RHEL 8.4, and all 581 checks pass (green). "ubi8:8.0-126" is built on the much older RHEL 8.0, so 73 checks fail: the image lacks the fixes those advisories ship, and it needs to be patched by following the corresponding RHSA and CVE references.
    "ubi8:latest" image scan result (screenshot)
    "ubi8:8.0-126" image scan result (screenshot)

Scanning container images for compliance

Scan an image for PCI-DSS compliance

  1. Scan the "ubi8:8.0-126" image against the pci-dss profile of the RHEL 8 XCCDF data stream. The command output gives one result per rule: some rules pass, some fail, and some are notapplicable. The three WARNING lines are expected: the data stream's CVE checks reference Red Hat's remote RHSA OVAL feed, and those checks are skipped unless --fetch-remote-resources is passed.
$ ID=$(podman image inspect ubi8:${TAG_OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8:8.0-126-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident   CCE-80857-6
Result  pass
  
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-80858-4
Result  fail
  
Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  notapplicable
  2. Open the result file from the previous step in a browser: 12 rules fail for this image overall.
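The XCCDF output groups each rule into a Title/Rule/Ident/Result record, and only the "fail" records need work; "notapplicable" is neither a pass nor a failure and should not be counted as compliant. The helper below is an added example, not part of the original post: it parses those records from the scan's stdout, lists the failing rule IDs (the input for the remediation section), and tallies results by type. The output it parses is a constructed sample built from the three records shown above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the stdout of
# "oscap-podman <ID> xccdf eval --profile pci-dss ..." so the failing rules
# can be listed for remediation. The sample is constructed from the records
# shown above; the WARNING line is included to show it is ignored.
XCCDF_OUT='WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident   CCE-80857-6
Result  pass

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-80858-4
Result  fail

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  notapplicable'

# Turn the 4-line records on stdin into one line per rule:
# "<result> <rule id> <ident> <title>". Each Result line closes a record; a
# rule without an Ident line simply prints an empty ident field.
xccdf_records() {
    awk '
        $1 == "Title"  { t = $0; sub(/^Title[ \t]+/, "", t); title = t }
        $1 == "Rule"   { rule = $2 }
        $1 == "Ident"  { ident = $2 }
        $1 == "Result" { print $2, rule, ident, title; rule = ident = title = "" }'
}

# Rule IDs whose result is "fail": only these need a fix.
failed_rules() {
    xccdf_records | awk '$1 == "fail" { print $2 }'
}

# Number of records per result type, sorted, e.g. "fail 1", "notapplicable 1",
# "pass 1". Keeping notapplicable separate avoids inflating the pass count.
result_counts() {
    xccdf_records | awk '{ c[$1]++ } END { for (r in c) print r, c[r] }' | sort
}

printf '%s\n' "$XCCDF_OUT" | failed_rules    # prints the rpm_verify_permissions rule
printf '%s\n' "$XCCDF_OUT" | result_counts
```

For a real scan, save the stdout with `oscap-podman ${ID} xccdf eval ... | tee pci-dss.txt` and run `failed_rules < pci-dss.txt`; each printed rule ID matches a section in the HTML report, where the remediation text lives.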

Remediating the failed rules

  1. In the report, find "Prevent Login to Accounts With Empty Password" and confirm that this check failed; it is a high-severity finding.
  2. Follow its link to the rule's description page. The bottom of that page offers three remediation methods for this risk.
  3. Create a buildah working container from the "registry.access.redhat.com/ubi8:8.0-126" image.
$ buildah from registry.access.redhat.com/ubi8:8.0-126
ubi8-working-container
  4. Confirm that "ubi8-working-container" now exists locally.
$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
5cb411f02b99     *     7ae69d957d8b registry.access.redhat.com/ub... ubi8-working-container
  5. Mount the container's root filesystem. buildah mount prints the mount point on the host.
$ buildah mount ubi8-working-container
/var/lib/containers/storage/overlay/d0ba6f84fe8e3a06bc26b88baa928f2adac1cb6b7a032600f6f9f6daccce4be5/merged
  6. Change into the mount point and list the container's root directory.
$ cd /var/lib/containers/storage/overlay/d0ba6f84fe8e3a06bc26b88baa928f2adac1cb6b7a032600f6f9f6daccce4be5/merged
$ ll
total 0
lrwxrwxrwx.  1 root root   7 Aug 12  2018 bin -> usr/bin
dr-xr-xr-x.  2 root root   6 Aug 12  2018 boot
drwxr-xr-x.  2 root root   6 Jun 11  2019 dev
drwxr-xr-x.  1 root root  25 Jun 11  2019 etc
drwxr-xr-x.  2 root root   6 Aug 12  2018 home
lrwxrwxrwx.  1 root root   7 Aug 12  2018 lib -> usr/lib
lrwxrwxrwx.  1 root root   9 Aug 12  2018 lib64 -> usr/lib64
drwx------.  2 root root   6 Jun 11  2019 lost+found
drwxr-xr-x.  2 root root   6 Aug 12  2018 media
drwxr-xr-x.  2 root root   6 Aug 12  2018 mnt
drwxr-xr-x.  2 root root   6 Aug 12  2018 opt
drwxr-xr-x.  2 root root   6 Jun 11  2019 proc
dr-xr-x---.  1 root root  23 Jun 11  2019 root
drwxr-xr-x.  1 root root  21 Jun 11  2019 run
lrwxrwxrwx.  1 root root   8 Aug 12  2018 sbin -> usr/sbin
drwxr-xr-x.  2 root root   6 Aug 12  2018 srv
drwxr-xr-x.  2 root root   6 Jun 11  2019 sys
drwxrwxrwt.  1 root root   6 Jun 11  2019 tmp
drwxr-xr-x. 12 root root 144 Jun 11  2019 usr
drwxr-xr-x.  1 root root  17 Jun 11  2019 var
  7. Following the rule's remediation instructions, run the commands below. Note: the container's root is the mount point, not the host's /, so the "/etc/…" paths in the suggested commands become "etc/…" relative to the mount point. Check ls -l etc/pam.d/system-auth first: --follow-symlinks resolves an absolute link target against the host's root, so an absolute symlink here would make sed edit the host's own PAM configuration instead of the image's.
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/system-auth
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/password-auth
  8. Commit the working container as a new image named "ubi8-my".
$ buildah commit ubi8-working-container ubi8-my
Getting image source signatures
Copying blob 4144b1ae544b skipped: already exists
Copying blob 77ba31c86fd4 skipped: already exists
Copying blob 0cad3bd8dd71 done
Copying config d6ba863211 done
Writing manifest to image destination
Storing signatures
d6ba86321137604485e693f25cf8d47b2edc865fcb845b602a454bedd350eca8 
 
$ podman images ubi8-my
REPOSITORY         TAG     IMAGE ID      CREATED         SIZE
localhost/ubi8-my  latest  d6ba86321137  41 seconds ago  216 MB
  9. Run the pci-dss scan against the new "ubi8-my" image and review the generated report.
$ ID=$(podman image inspect ubi8-my:latest | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8-my:latest-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  10. Confirm that the new image now passes the "Prevent Login to Accounts With Empty Password" check.
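The remediation steps above, as an added example that is not the post's own commands: a shell function that takes the buildah mount point and the PAM file paths relative to it, resolves symlinks without ever leaving the mounted rootfs, strips nullok, and re-checks the result. sed --follow-symlinks run from the host resolves an absolute link target against the host's /, so the function re-roots absolute targets under the mount point instead, and it refuses relative links that climb out of the rootfs. GNU sed is assumed (as on RHEL). The rootfs in the block is a constructed temp directory, including an absolute system-auth symlink mimicking the authselect layout, so the example runs without podman or buildah; with a real image, pass the path printed by buildah mount.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the SSG "remove nullok"
# remediation to a buildah-mounted rootfs while keeping every edited path inside
# that rootfs. Assumes GNU sed (\< \> word boundaries, -i). The rootfs below is
# a constructed stand-in built in a temp dir so the example runs offline.

# Resolve REL (a path relative to ROOTFS) through any symlinks and print the
# resulting host path. Absolute link targets are re-rooted under ROOTFS: a
# "/etc/..." link inside an image means the image's /etc, not the host's.
resolve_in_rootfs() {
    rootfs=$1; rel=$2
    path="$rootfs/$rel"
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || { echo "symlink loop at $rel" >&2; return 1; }
        target=$(readlink "$path")
        case $target in
            /*) path="$rootfs$target" ;;
            *)  path="$(dirname "$path")/$target" ;;
        esac
    done
    # A relative link such as ../../.. can climb out just as an absolute one
    # can, so canonicalise the directory and check it is still under ROOTFS.
    root_abs=$(cd "$rootfs" && pwd -P) || return 1
    dir_abs=$(cd "$(dirname "$path")" 2>/dev/null && pwd -P) || {
        echo "$rel points into a missing directory" >&2; return 1; }
    case "$dir_abs/" in
        "$root_abs"/*) ;;
        *) echo "refusing to edit $rel: resolves outside $rootfs" >&2; return 1 ;;
    esac
    printf '%s\n' "$dir_abs/$(basename "$path")"
}

# Strip the word "nullok" from each PAM file named relative to ROOTFS, then
# re-check. Returns non-zero if any file could not be resolved safely or still
# contains nullok. \<nullok\> leaves "nullok_secure" (a different option) alone.
strip_nullok() {
    rootfs=$1; shift
    rc=0
    for rel in "$@"; do
        file=$(resolve_in_rootfs "$rootfs" "$rel") || { rc=1; continue; }
        sed -i 's/\<nullok\>//g' "$file"
        if grep -qw nullok "$file"; then
            echo "nullok still present in $rel" >&2; rc=1
        fi
    done
    return $rc
}

# Number of lines in FILE that still carry nullok as a whole word (0 = fixed).
nullok_count() {
    grep -cw nullok "$1" || true
}

# Constructed stand-in for the mounted ubi8 rootfs. system-auth is an absolute
# symlink into /etc/authselect, mirroring the authselect layout, to exercise
# the re-rooting; password-auth is a plain file. Real files have more lines.
make_fake_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d" "$root/etc/authselect"
    printf 'auth     sufficient  pam_unix.so nullok try_first_pass\n' \
        > "$root/etc/authselect/system-auth"
    ln -s /etc/authselect/system-auth "$root/etc/pam.d/system-auth"
    printf 'auth     sufficient  pam_unix.so nullok try_first_pass\npassword sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n' \
        > "$root/etc/pam.d/password-auth"
    printf '%s\n' "$root"
}

MNT=$(make_fake_rootfs)
strip_nullok "$MNT" etc/pam.d/system-auth etc/pam.d/password-auth
echo "remaining nullok lines in system-auth: $(nullok_count "$MNT/etc/authselect/system-auth")"
```

After the edit, commit the working container as in the steps above and rerun the pci-dss scan; the nullok_count check is the quick local confirmation that the rule will now pass before spending time on a full rescan.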

References

https://www.youtube.com/watch?v=nQmIcK1vvYc
