Advice and guidance to users on laser scanning in archaeology and architecture.
In this work, review of various well known algorithms for image denoising is carried out and their performances with their methodologies are comparatively assessed. A new algorithm based on the orthonormal wavelet transform OWT is developed. In this
Full description
Docker, web Development
Descripción: sistemas
Container management with Docker.
Docker -for-Rails by Rob Isenberg
Environmental ScanningFull description
Descrição: Docker para Desenvolvedores
ACT for Body Image DissatisfactionFull description
MS for office containersFull description
Container architectureFull description
Is this the future of affordable housing? Stadard containers retail for approx $2,500 USD!
Is this the future of affordable housing? Stadard containers retail for approx $2,500 USD!
KDXKFKCDSNHKJHVKJBKJFull description
ship types - merchant navy.
OpenSCAP SCAP What is SCAP? SCAP? SCAP Components Components OpenSCAP Ope nSCAP What is OpenSCAP? OpenSCAP Component Compo nent OpenSCAP Base Base : OpenSCAP Daemon: Daemon: OpenSCAP Workbench: Workbenc h: SCAPTimony SCAPTi mony OSCAP Anaconda Add-on A dd-on SCAP Security Guide DEMO - OpenSC AP CLI 0. Test Environment Environm ent 0.1. Download Download images RHEL/Centos 0.2. Deploy Deplo y images 1. Install Necessary Necessary OpenSCAP Package 2. Evaluate Evaluate Image with xccdf 3. Evaluate Image about CVE 4. Evaluate Evaluate container with xccdf 5. Evaluate container about CVE 6. Useful Commands: 6.1. How to list profiles from xccdf file. Atomic scan scan 1. What is ‘atomic scan’? 2. How atomic scan work? 3. atomic scan commands 3.1. Check Scanner 3.2. Evaluation Image/container 3.3. atomic scan help 4. OpenSCAP in Red Hat Projects 4.1. Satellite 6.2 4.2. Cloud Forms 4.1 5.Pros and Cons 5.1. Pros 5.2. Cons 6.TIP
How to start OpenSCAP workbench Reference
Object : This documentation is for who look for a good asset that do security scanning. I suppose audience some knowledge about RHEL/Fedora and docker. It will explain brief SCAP components such as XCCDF, OVAL but it would not be main topics so it might not meet your expectation. This doc is more concentrate on how to use OpenSCAP with CLI and Red Hat Products. In addition, it is especially good for OpenShift Container Platform engineer who have being asked about docker image security by customer.
Description : Over the last few years, docker is not a hot topic but also effect changing the development methodology. It influences developer to use docker image as a part of development. Many groups and companies have started to create their own images with various libraries. With these reasons, the scanning container or images are becoming more important to check for known vulnerabilities and configuration problems. In order to be cope with it, Red Hat has been building a scanning tool based on OpenSCAP project. Apart from the tried and true OpenSCAP project, Red Hat also start to build another tool “ atomic scan”. With the understood of the underlying architecture, it uses OpenSCAP SPC container which mount up read only rootfs from host’s file system so it could not affect to host system. Only the folder that store result output is writeable. This doc will describe from SCAP, OpenSCAP, atomic scan to OpenSCAP in Red Hat Projects.
SCAP What is SCAP? Security Content Automation Protocol is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. - en.wikipedia.org/(http://goo.gl/10MH80)
SCAP Components ● ● ● ● ● ●
XCCDF: The Extensible Configuration Checklist Description Format OVAL®: Open Vulnerability and Assessment Language CCE™: Common Configuration Enumeration CPE™: Common Platform Enumeration CVE®: Common Vulnerabilities and Exposures CVSS: Common Vulnerability Scoring System
All components are the vulnerability management systems and they use their own formatted file.
OpenSCAP What is OpenSCAP? It is Open Source Security Compliance Solution. In other words, it is implementation to evaluate VM/Images/Containers using SCAP components. With OpenSCAP, you can easily fulfil security scanning because it also provide SSG(Scap Security Guide)
●
Homepage of the project: www.open-scap.org
●
Manual: Oscap User Manual
●
GitHub: https://github.com/OpenSCAP/openscap
OpenSCAP Component OpenSCAP Base : OpenSCAP Base provides a command line tool
OpenSCAP Daemon: The Daemon is a service that makes sure your machines and containers are evaluated according to the schedule.
OpenSCAP Workbench: This user friendly graphical utility offers an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.
SCAPTimony SCAPtimony is open source compliance center built on top of SCAP. It gives full testimony about compliance of your infrastructure. Users are currently advised to use SCAPtimony only through foreman_openscap which is used in Satellite. https://github.com/OpenSCAP/scaptimony
OSCAP Anaconda Add-on An add-on for installer used by Fedora and Red Hat Enterprise Linux 7. It enables you to enforce a system’s compliance with the targeted security profile before the first boot . oscap command:
SCAP Security Guide OpenSCAP content primarily for Red Hat Enterprise Linux. The Security Guide provides practical hardening advice and links it to compliance requirements in order to ease deployment activities such as certification and accreditation.
0.1. Download images RHEL/Centos # docker pull rhel7 # docker pull centos Note: For RHEL, registry.access.redhat.com/rhel7 and docker.io/centos are downloaded For Fedora, docker.io/rhel7 and docker.io/centos are downloaded
0.2. Deploy images # docker run -it registry.access.redhat.com/rhel7 /bin/bash ##Type Ctrl + P + Q # docker run -it docker.io/centos /bin/bash ## Type Ctrl + P + Q # docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c17b32667a26 docker.io/centos "/bin/bash" 15 seconds ago Up 14 seconds evil_meninsky 5e4c4ff04211 registry.access.redhat.com/rhel7 "/bin/bash" 2 minutes ago Up 2 minutes
Scap Security Guide Path : /usr/share/xml/scap/ssg/content/ Fedora has more files compared to RHEL.
2. Evaluate Image with xccdf oscap-docker image registry.access.redhat.com/rhel7 xccdf eval --report result-xccdf-image.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml Result is in SCAP_RESULT folder: result-xccdf-image.html
3. Evaluate Image about CVE oscap-docker image-cve registry.access.redhat.com/rhel7 --report result-cve-image.html --verbose DEVEL Result is in SCAP_RESULT folder: result-cve-image.html
4. Evaluate container with xccdf oscap-docker container 5e4c4ff04211 xccdf eval --report result-xccdf-container.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml Result is in SCAP_RESULT folder: result-xccdf-container.html
5. Evaluate container about CVE oscap-docker container-cve 5e4c4ff04211 xccdf eval --report result-xccdf-container.html --verbose DEVEL --profile standard /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml Result is in SCAP_RESULT folder: result-cve-container.html
6. Useful Commands: 6.1. How to list profiles from xccdf file. # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml Document type: XCCDF Checklist Checklist version: 1.1 Imported: 2015-10-02T06:17:44 Status: draft Generated: 2015-10-02 Resolved: true Profiles: standard pci-dss rht-ccp common stig-rhel7-server-upstream Referenced check files: ssg-rhel7-oval.xml system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Atomic scan 1. What is ‘atomic scan’? In the world of containers, there is a desperate need to be able to scan container images for known vulnerabilities and configuration problems, and as we proliferate containers and bundled applications into the enterprise, many groups and companies have started to build container scanning tools. Even Red Hat has been building a scanning tool based on the tried and true OpenSCAP project, but there were several problems we saw time and again. The problems with existing container scanning tools included: ● Either these tools were required to be installed on the host, or if they were installed via a container they would have to be very privileged; therefore, the containers themselves could use that authority on the host machine.
● ●
They were being hard coded to only support a single container framework – docker. We saw some very slow implementations, where the container scanning tools were actually copying all of the content out of the container image, then scanning the content, and finally removing the content. You can image how inefficient this could be for hundreds or thousands of images or containers. We decided we wanted to build a tool, atomic scan, that understood the underlying architecture and could download and run containers with scanning tools in them. But, we also didn’t want the scanning tools to be privileged; the atomic tool would be able to mount up read only rootfs from the host’s file system. These mounted file systems could then be passed onto the scanning container, along with a writeable directory for the scanner to place its output. “ Introducing atomic scan – Container vulnerability detection (http://goo.gl/DRoSmm)”
2. How atomic scan work? Basically atomic is using OpenSCAP with SPC(Super Privileged Container) but it mounts host storage with Readable right because, as above blog said, it does not need to write anything except output result.
The useful blog : http://goo.gl/9eJkgJ
3. atomic scan commands 3.1. Check Scanner Scanner is pluggable so later, new scanner will be developed. # atomic scan --list Scanner: openscap Image Name: rhel7/openscap Scan type: cve * Description: Performs a CVE scan based on known CVE data Scan type: standards_compliance Description: Performs a standard scan
* denotes defaults Configuration file is /etc/atomic.conf
3.2. Evaluation Image/container registry.access.redhat.com/rhel7/openscap will be downloaded automatically and atomic will use it as SPC.
registry.access.redhat.com/rhel7 (sha256:4a6b6e1a) registry.access.redhat.com/rhel7 is not supported for this scan. Files associated with this scan are in /var/lib/atomic/openscap/2016-08-25-13-49-18-619455. Report path : /var/lib/atomic/openscap/2016-08-25-13-49-18-619455 Result json: ${Image_SHA}/json /var/lib/atomic/openscap/2016-08-25-13-49-18-619455 /sha256:4a6b6e1a17d70b7f67787aaee 800c1fdb4b145dd3f7ae48959f5d41286eadb0b/json
As for Fedora, sometimes you need to do some more steps to use the SPC # docker pull docker.io/rhel7/openscap # atomic install docker.io/rhel7/openscap
3.3. atomic scan help [root@localhost sha256:4a6b6e1a17d70b7f67787aaee800c1fdb4b145dd3f7ae48959f5d41286eadb0b]# atomic scan -h usage: atomic scan [-h] [--scanner {openscap}] [--scan_type SCAN_TYPE] [--list] [--verbose] [--rootfs [ROOTFS] | --all | --images | --containers] [scan_targets [scan_targets ...]] positional arguments: scan_targets container image optional arguments: -h, --help show this help message and exit --scanner {openscap} define the intended scanner --scan_type SCAN_TYPE define the intended scanner --list List available scanners --verbose Show more output from scanning container --rootfs [ROOTFS] Rootfs path to scan --all scan all images (excluding intermediate layers) and
containers --images scan all images (excluding intermediate layers) --containers scan all containers
atomic scan scans a container or image for CVEs
3.4. How to cope with vulnerable image? Q. If atomic scan or OpenSCAP find any CVEs on any official images, what is next steps? Should I create support case for them every time to get new images? GSS Answer: Broadly we'd like to handle and track fixes for Red Hat maintained images on a image by i mage or case by case basis. That is the recommended flow. Keep in mind that the cloud enablement team will continually be working to offer updated product images to follow along with general product releases outside of xPaas. You can refer to this public kcs article for additional information on the goal for xPaas image releases. https://access.redhat.com/articles/2208321
4. OpenSCAP in Red Hat Projects 4.1. Satellite 6.2
4.2. Cloud Forms 4.1
5.Pros and Cons 5.1. Pros ● ● ●
OpenSCAP has received a NIST certification for its support of SCAP 1.2. Red Hat sponsor OpenSCAP Red Hat support OpenSCAP with RHEL Subscription
● ● ●
Red Hat Enterprise Linux operating system 7 contains OpenSCAP packages OpenSCAP start to support docker image/container* Red Hat integrated OpenSCAP with Red Hat Products ( Satellite 6.2 / CloudForms 4.1 )** * it can scan only RHEL based docker images/containers ** it is officially supported from Satellite 6.2 / CloudForms 4.1
5.2. Cons - Can evaluate RHEL based image only
6.TIP How to start OpenSCAP workbench Reference: https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-u se-case/
