In December 2016, a major vulnerability, CVE-2016-9962 (the “on-entry vulnerability”), was found in the Docker engine. It allowed local root users in a container to gain access to the file descriptors of a process launched in, or moved into, the container from another namespace. A Banyan security report found that over 30% of official images in Docker Hub contain high-priority security vulnerabilities. FlawCheck surveyed enterprises about their top security concern regarding containers in production environments, and “vulnerabilities and malware,” at 42%, was the top concern among those surveyed. Clearly, security is a top concern for organizations that are looking to run containers in production.
At Red Hat, we are continuously improving our security capabilities and introduced a new container scanning feature with CloudForms 4.2 and OpenShift 3.4. This feature allows CloudForms to flag images in the container registry in which it has found vulnerabilities, and OpenShift to deny execution of a flagged image the next time someone tries to run it.
CloudForms offers several ways to initiate a container scan:
- A scheduled scan of the registry
- An automatic scan based on newly discovered images in the registry
- A manual execution of the scan via SmartState Analysis
Having this scanning feature natively integrated with OpenShift is a milestone in container security, as it provides near-real-time monitoring of the images within your OpenShift environment.
The following diagram illustrates the flow when an automatic scan is performed:
- CloudForms monitors the OpenShift Provider and checks for new images in the registry. If it finds a new image, CloudForms triggers a scan.
- CloudForms makes a secure call to OpenShift and requests a scanning container to be scheduled.
- OpenShift schedules a new pod on an available node.
- The scanning container is started.
- The scanning container pulls down a copy of the image to scan.
- The image to scan is unpacked and its software contents (RPMs) are sent to CloudForms.
- CloudForms may also initiate an OpenSCAP scan of the container.
- Once the OpenSCAP scan finishes, the results are uploaded and a report can be generated from the CloudForms UI.
- If the scan found any vulnerabilities, CloudForms calls OpenShift to flag the image and prevent it from running.
The next time someone tries to start the flagged image, OpenShift alerts the user that execution of the image was blocked based on the policy set by CloudForms.
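The enforcement side of the last step, as an added example rather than configuration taken from this post: OpenShift's ImagePolicy admission plugin can reject pods and builds whose image carries the `images.openshift.io/deny-execution` annotation, which is the annotation the scanning integration sets on a flagged image. The exact rule name and the `skipOnResolutionFailure` behaviour below are assumptions about the master configuration (`master-config.yaml`) and should be checked against the documentation for your OpenShift version.

```yaml
# Added example: master-config.yaml fragment enabling the ImagePolicy
# admission plugin to block images flagged by an external scanner.
admissionConfig:
  pluginConfig:
    openshift.io/ImagePolicy:
      configuration:
        kind: ImagePolicyConfig
        apiVersion: v1
        executionRules:
        # Rule name is an assumption; any unique name works.
        - name: execution-denied
          # Apply the rule to pod creation and to builds, so a flagged
          # image can neither run as a workload nor be used as a base.
          onResources:
          - resource: pods
          - resource: builds
          # reject: true turns a match into an admission failure,
          # which is the "execution was blocked" message the user sees.
          reject: true
          # Match the annotation the scanner places on a vulnerable image.
          # The value is the string "true", so it must be quoted in YAML.
          matchImageAnnotations:
          - key: images.openshift.io/deny-execution
            value: "true"
          # If the image metadata cannot be resolved (for example the
          # registry is unreachable), fail open for this rule instead of
          # blocking every deployment; set to false for a fail-closed policy.
          skipOnResolutionFailure: true
```

With this in place, a scan that sets the annotation is enough to stop the image; no per-project policy objects are needed.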
As you can see, Red Hat CloudForms can be used as part of your IT security and compliance management to help identify and validate that workloads are secure across your infrastructure stack, from hosts and virtual machines to cloud instances and containers.