Skip to content
This repository has been archived by the owner on Dec 9, 2022. It is now read-only.

Support OpenSCAP in network-isolated clusters #18

Closed
simon3z opened this issue Jun 3, 2016 · 7 comments
Closed

Support OpenSCAP in network-isolated clusters #18

simon3z opened this issue Jun 3, 2016 · 7 comments
Milestone
Image Inspector 2...

Comments

@simon3z
Copy link

simon3z commented Jun 3, 2016

It should be possible to run OpenSCAP scans even in network-isolated clusters. Maybe by defining an internal URL from which to take the CVE definitions.
(This may be dependent on our ability that the CVE definitions can be trusted, there should be a BZ somewhere, @mpreisler should be able help us here).

@enoodle @pweil- it may be worth start brainstorming on this.
cc @smarterclayton @deads2k
@mpreisler
Copy link

@simon3z This is the RFE bugzilla for signed CVE feeds: https://bugzilla.redhat.com/show_bug.cgi?id=1253622

@simon3z
Copy link
Author

simon3z commented Jun 3, 2016

@enoodle @pweil- we should also consider a mitigation meanwhile, for example: don't fail hard in case we can't download the definitions. Just report the error in the Rest-API. (It could be that it is the case already, but we should verify that it is working).

So that the regular SmartState Analysis (WebDAV of image content) can work anyway.

@enoodle
Copy link

enoodle commented Jun 4, 2016

Do we want image-inspector to ship with default CVE's in its image or get them when started?
We can work something out to download them while building the docker image or have them statically in the git repo.
Another option is to add some option to get a default CVE file from outside the image when starting it. This can be done through attaching a volume with the file and passing the file name as an argument.

@mpreisler
Copy link

We can work something out to download them while building the docker image or have them statically in the git repo.

Check out https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/atomic_scan_openscap/Dockerfile for inspiration.

@enoodle enoodle mentioned this issue Jun 30, 2016
Closed
@simon3z
Copy link
Author

simon3z commented Jul 12, 2016

Do we want image-inspector to ship with default CVE's in its image or get them when started?

This is not interesting unless we plan to constantly rebuild the image with the updated rules. (Which is something I'd like to avoid).

Another option is to add some option to get a default CVE file from outside the image when starting it.

@enoodle this options is better, although I don't like the idea of attaching a volume. I like the ability to specify a custom URL from where to download the rules.

@enoodle enoodle mentioned this issue Jul 17, 2016
Merged
@cben cben mentioned this issue Oct 11, 2016
Merged
@simon3z simon3z added this to the Image Inspector 2.2 Release milestone Jun 8, 2017
@simon3z
Copy link
Author

simon3z commented Jul 5, 2017

@enoodle can we close this?

@enoodle
Copy link

enoodle commented Jul 5, 2017

Yes, #22 Fixes this

@simon3z simon3z closed this as completed Jul 5, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Image Inspector 2.2 Release
Development

No branches or pull requests
3 participants
@simon3z @mpreisler @enoodle