Integrate oscap-podman check in Preflight to allow certification of images in restricted-network registries #730

Open
tkrishtop opened this issue Jul 15, 2022 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@tkrishtop
Contributor

Is your feature request related to a problem? Please describe.

This problem is not related to the Preflight tool itself. This is a feature request to integrate oscap-podman (health check) within Preflight.

We have a partner who hosts their images in a private registry within a restricted network. To their clients, they sell images packed in a 6GB tarball; they never provide external access to this registry. This partner wants to certify the images. It's impossible by design because of how the health check is implemented in the cert UI: it tries to connect to the restricted network from outside, and that's for sure impossible.

The workaround that we were told to use is to manually execute oscap-podman tool on each container, and send those reports to the certification team.

Describe the solution you'd like.

The long-term solution would be to incorporate the functionality of oscap-podman into Preflight so that the initial health grading is performed on the partner's system during the cert process.

@tkrishtop tkrishtop added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 15, 2022
@tkrishtop
Contributor Author

Here is the list of commands to automate - validated with John F.

# important: become root first
sudo -i
mkdir health_check_test && cd health_check_test
# openscap-utils provides the oscap-podman wrapper
yum -y install openscap-utils
# fetch the Red Hat OVAL v2 feed for RHEL 8 and decompress it on the fly
wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml
podman pull <image_to_check>
# get the image ID from the previous command's output and use this ID in the following command
oscap-podman <image id like bacfd16290fb> oval eval --report oval-report-nats.html rhel-8.oval.xml

@lslebodn

yum -y install openscap-utils
wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml

@tkrishtop this step is problematic. The image can be based on RHEL 9 and, in theory, also on RHEL 7.
But it can also be based on some layered products, e.g. OpenStack, and they can be based on an EUS version of RHEL (8.2, 8.4, 9.0, ...).
EUS is supported just for layered products.

You will need to always choose a different OVAL feed; otherwise you might get either false positives or false negatives.
The identification of the right base image (and the associated OVAL feeds) is not trivial.
Ideally you should do the same as Clair, which might be problematic if you are in the restricted network.

@tkrishtop
Contributor Author

tkrishtop commented Jul 19, 2022

Hi @lslebodn, it's just a proposal for the moment and an invitation to discussion; it's not a complete design.
We do have a problem, and currently we're addressing it by running a health check via DCI. That's not ideal; it's better to have it within Preflight.

You will need to always choose a different oval feed otherwise you might get either false positives or false negatives.

We do automated platform detection in DCI, but I'm curious about how it's done by Pyxis. Do you have a link to how Clair's code is used in the Pyxis backend?

Which might be problematic if you are in the restricted network.

A restricted network here means that you can go outside, call APIs, and access the external world, typically only from one machine (the jumpbox), while the cluster and its registry have no direct outside access. So outside -> inside access to the registry is impossible.

@jfrancin
Contributor

Pyxis doesn't do the platform detection; it's done inside Clair (or perhaps Clair-Wrapper). Clair/Clair-Wrapper is not a part of Pyxis; it sends results to Pyxis. And @lslebodn is absolutely right: the choice of the actual OVAL file(s) to pull is not trivial, and it might actually take multiple file pulls and more complex code in OpenSCAP to do the whole thing correctly. This is why it's an investigation.

@tkrishtop
Contributor Author

the choice of actual OVAL file(s) to pull is not trivial

Maybe I got it wrong, but it seems like we only have to get the major distribution version; here is how we did it in DCI.

I'm quite sure there is a nice way to do it in Go, but if not, a simple shell command should work here.

// code
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

func main() {
	// read the release string of the system being checked
	out, _ := exec.Command("cat", "/etc/redhat-release").Output()
	// the first one- or two-digit number in the string is the major version
	re := regexp.MustCompile("[0-9]{1,2}")

	fmt.Println("Current release:", string(out))
	fmt.Println("Major version:", re.FindAllString(string(out), -1)[0])
}

// output
Current release: Red Hat Enterprise Linux release 8.6 (Ootpa)
Major version: 8
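The following is an added example, not code from Preflight, DCI or any commenter above. It ties together the two technical pieces of this thread: the command sequence posted in the first comment and the major-version detection posted in the last one. It parses the contents of /etc/redhat-release (major and minor), derives the OVAL v2 feed URL by generalizing the RHEL8 URL on this page to the other major versions (an assumption: the RHEL7 and RHEL9 feed layout is taken to follow the same pattern), and builds the oscap-podman command line. It deliberately does not pick EUS or layered-product feeds, which is exactly the gap @lslebodn and @jfrancin point out. One caveat worth noting for a Preflight integration: the release string must come from the image under test, not from the host, so the helper reads it with podman run rather than from the local file. Names such as ParseRedhatRelease, OvalFeedURL, OscapPodmanArgs and ImageRelease are invented here; the sample release strings in main are constructed.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// releaseRe matches "release 8.6" style fragments of /etc/redhat-release.
// Both "Red Hat Enterprise Linux release 8.6 (Ootpa)" and the older
// "Red Hat Enterprise Linux Server release 7.9 (Maipo)" forms are covered.
var releaseRe = regexp.MustCompile(`release\s+(\d{1,2})(?:\.(\d{1,2}))?`)

// RHELVersion is the major/minor version parsed from /etc/redhat-release.
type RHELVersion struct {
	Major int
	Minor int
}

// ParseRedhatRelease extracts the major and minor version from the text of
// /etc/redhat-release. Non-RHEL content is reported as an error instead of
// silently picking up an unrelated number (e.g. from an Ubuntu string).
func ParseRedhatRelease(content string) (RHELVersion, error) {
	m := releaseRe.FindStringSubmatch(content)
	if m == nil {
		return RHELVersion{}, fmt.Errorf("no RHEL release found in %q", content)
	}
	major, err := strconv.Atoi(m[1])
	if err != nil {
		return RHELVersion{}, err
	}
	minor := 0
	if m[2] != "" {
		if minor, err = strconv.Atoi(m[2]); err != nil {
			return RHELVersion{}, err
		}
	}
	return RHELVersion{Major: major, Minor: minor}, nil
}

// OvalFeedURL returns the Red Hat OVAL v2 feed for the major release, following
// the RHEL8 URL quoted in this issue. Assumption: RHEL7 and RHEL9 use the same
// layout. EUS/layered-product feeds are intentionally not handled here.
func OvalFeedURL(v RHELVersion) (string, error) {
	switch v.Major {
	case 7, 8, 9:
		return fmt.Sprintf("https://www.redhat.com/security/data/oval/v2/RHEL%d/rhel-%d.oval.xml.bz2",
			v.Major, v.Major), nil
	}
	return "", fmt.Errorf("no OVAL feed mapping for major version %d", v.Major)
}

// OscapPodmanArgs builds the argv for the oscap-podman invocation from the issue.
func OscapPodmanArgs(imageID, ovalPath, reportPath string) []string {
	return []string{"oscap-podman", imageID, "oval", "eval", "--report", reportPath, ovalPath}
}

// ImageRelease reads /etc/redhat-release from inside the image rather than
// from the host, so the feed is chosen for the image actually being checked.
// Requires podman on PATH; not called from main so the file runs offline.
func ImageRelease(image string) (string, error) {
	out, err := exec.Command("podman", "run", "--rm", "--entrypoint", "cat", image, "/etc/redhat-release").Output()
	return string(out), err
}

func main() {
	// Constructed sample release strings, not captured from real images.
	samples := []string{
		"Red Hat Enterprise Linux release 8.6 (Ootpa)",
		"Red Hat Enterprise Linux Server release 7.9 (Maipo)",
		"Red Hat Enterprise Linux release 9.0 (Plow)",
		"Ubuntu 22.04 LTS",
	}
	for _, s := range samples {
		v, err := ParseRedhatRelease(s)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		url, err := OvalFeedURL(v)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fmt.Printf("%s -> major %d minor %d -> %s\n", s, v.Major, v.Minor, url)
		fmt.Println(OscapPodmanArgs("bacfd16290fb", fmt.Sprintf("rhel-%d.oval.xml", v.Major), "oval-report.html"))
	}
}
```

In the restricted-network setup described above, OvalFeedURL is what the jumpbox would fetch and copy inside; the minor version is kept in the result so that a later extension can route EUS releases of layered products to their own feeds once that mapping is settled.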
