- /etc/alpine-release
- /etc/apt/sources.list
- /etc/lsb-release
- /etc/os-release or /usr/lib/os-release
- /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release
- Other similar system files.
With Red Hat Advanced Cluster Security for Kubernetes you can analyze images for vulnerabilities. Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.
When Scanner finds any vulnerabilities, it:
- Shows them in the Vulnerability Management view for detailed analysis.
- Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment.
- Checks them against enabled security policies.
Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:
Components | Files |
---|---|
Package managers | |
Language-level dependencies | |
Application-level dependencies | |
Central submits image scanning requests to Scanner. Upon receiving these requests, Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central.
You can also integrate Red Hat Advanced Cluster Security for Kubernetes with another vulnerability scanner.
Scanner identifies the vulnerabilities in the:
- base image operating system
- packages that are installed by the package managers
- programming language-specific dependencies
- programming runtimes and frameworks
Scanner can check for vulnerabilities in images that use the following package formats:
- yum
- microdnf
- apt
- apk
- dpkg
- rpm
Scanner can check for vulnerabilities in dependencies for the following programming languages:
- Java
- JavaScript
- Python
- Ruby
Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:
- .NET Core
- ASP.NET Core
The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities; they differ from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.
Scanner identifies vulnerabilities in images that contain the following Linux distributions:
Distribution | Version |
---|---|
Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.
From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.
Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.
You can also use the roxctl CLI to check the image scan results on demand.
Red Hat Advanced Cluster Security for Kubernetes scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.
You can also configure Red Hat Advanced Cluster Security for Kubernetes to scan inactive (not deployed) images automatically.
1. Select Images on the Vulnerability Management view header to view a list of all the images.
2. On the Images view header, select Watch Images.
3. In the Manage Inactive Images dialog, enter the inactive image’s name (and not the image id) for which you want to enable scanning.
4. Select Add Image. Red Hat Advanced Cluster Security for Kubernetes then scans the image and shows the error or success message.
5. Select Return to Image list to view the Images view.
In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources that include multiple Linux distributions and the National Vulnerability Database, and it refreshes every hour.
The address of the feed is https://definitions.stackrox.io.
You can change the default query frequency for Central by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL environment variable:
$ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Scanner’s configuration map still has an
The RHACS portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. Red Hat Advanced Cluster Security for Kubernetes shows the CVSS score based on the following criteria:
- If a CVSS v3 score is available, Red Hat Advanced Cluster Security for Kubernetes shows the score and lists v3 along with it. For example, 6.5 (v3).
CVSS v3 scores are only available if you are using Scanner version 1.3.5 and newer.
- If a CVSS v3 score is not available, Red Hat Advanced Cluster Security for Kubernetes shows only the CVSS v2 score. For example, 6.5.
You can use the API to get the CVSS scores. If CVSS v3 information is available for a Common Vulnerabilities and Exposures (CVE), the response includes both CVSS v3 and CVSS v2 information.
For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the RHACS portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.
In such cases, Red Hat Advanced Cluster Security for Kubernetes:
- Finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.
- Breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.
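The two display rules above (v3 preferred and labelled, v2 otherwise; an RHSA shown with the highest NVD score of its member CVEs and each CVE broken out on its own) are small enough to state in code. The following is an added example, not RHACS or Scanner code: the CVE and advisory identifiers, the vendor score and all CVSS values are constructed placeholders, and the function names are this example's own.

```python
# Added example, not RHACS code: the CVSS display and RHSA roll-up rules
# described above, applied to constructed data. The CVE and advisory IDs
# and all scores are made-up placeholders, not real records.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    nvd_v2: Optional[float]          # NVD CVSS v2 base score, if published
    nvd_v3: Optional[float] = None   # NVD CVSS v3 base score; None when absent


def display_score(cve: Cve) -> str:
    """Portal rule: show v3 labelled '(v3)' when present, else the bare v2 score."""
    if cve.nvd_v3 is not None:
        return f"{cve.nvd_v3:.1f} (v3)"
    if cve.nvd_v2 is not None:
        return f"{cve.nvd_v2:.1f}"
    return "N/A"


def ranking_score(cve: Cve) -> float:
    """Numeric value used for ranking: v3 if available, otherwise v2."""
    if cve.nvd_v3 is not None:
        return cve.nvd_v3
    return cve.nvd_v2 if cve.nvd_v2 is not None else 0.0


def expand_advisory(rhsa_id: str, cves: List[Cve]) -> List[Tuple[str, str]]:
    """Return (identifier, displayed score) rows for an RHSA and its CVEs.

    The advisory row carries the score of its highest-scoring member CVE (NVD
    data, not the vendor's advisory-level score), and every CVE is listed
    separately with its own score so per-CVE policies can target it.
    """
    if not cves:
        raise ValueError("an advisory must contain at least one CVE")
    top = max(cves, key=ranking_score)
    rows = [(rhsa_id, display_score(top))]
    rows.extend((c.cve_id, display_score(c)) for c in cves)
    return rows


def explain_difference(vendor_score: float, cves: List[Cve]) -> str:
    """One-line explanation when the vendor's RHSA score and the portal's differ."""
    portal = ranking_score(max(cves, key=ranking_score))
    if abs(portal - vendor_score) < 1e-9:
        return "advisory score matches the portal score"
    return (f"portal shows {portal:.1f} (highest NVD score among {len(cves)} CVEs), "
            f"advisory lists {vendor_score:.1f} (vendor-assigned)")


# Constructed sample: one advisory with three CVEs, one lacking a v3 score.
SAMPLE_CVES = [
    Cve("CVE-0000-0001", nvd_v2=5.0, nvd_v3=7.5),
    Cve("CVE-0000-0002", nvd_v2=6.5),             # v2 only, older record
    Cve("CVE-0000-0003", nvd_v2=4.3, nvd_v3=9.8),
]
SAMPLE_RHSA = "RHSA-0000:0000"
SAMPLE_VENDOR_SCORE = 7.5  # constructed: vendor scored the advisory lower

if __name__ == "__main__":
    for ident, score in expand_advisory(SAMPLE_RHSA, SAMPLE_CVES):
        print(f"{ident:16s} {score}")
    print(explain_difference(SAMPLE_VENDOR_SCORE, SAMPLE_CVES))
```

Run as a script it prints one row for the advisory (9.8 (v3), taken from the third CVE) followed by the three CVEs with their own scores, then the sentence explaining why the portal's 9.8 differs from the constructed vendor score of 7.5. If you write a policy that keys on a CVSS threshold, the per-CVE rows are the ones that matter.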
With Red Hat Advanced Cluster Security for Kubernetes you can view the details for all container images in your clusters.
1. Navigate to the RHACS portal and click Vulnerability Management from the left-hand navigation menu.
2. To view details for all the images in your cluster, select Images on the Vulnerability Management view header.
Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.
The Dockerfile tab shows information about:
- All the layers in the Dockerfile
- The instructions and their value for each layer
- The components included in each layer
- The number of CVEs in components for each layer
When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.
1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
2. Select an image from the Top Riskiest Images widget.
3. In the Image details view, select the Dockerfile tab under the Image Findings section.
Use the Vulnerability Management view to identify vulnerable components and the image layer they appear in.
1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
2. Select an image from the Top Riskiest Images widget.
3. In the Image details view, select the Dockerfile tab under the Image Findings section.
4. In the Dockerfile tab under the Image Findings section, select the expand icon to see a summary of image components.
5. Select the expand icon for specific components to get more details about the CVEs affecting the selected component.
Use the Vulnerability Management view to identify the operating system of the base image.
1. Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
2. From the Vulnerability Management view header, select Images.
3. View the base operating system (OS) and OS version for all images under the Image OS column.
4. Select an image to view its details. The base operating system is also available under the Image Summary → Details and Metadata section.
Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:
Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.
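The "Image OS: unknown" outcome here and the list of release files at the top of the page are two sides of the same check: Scanner can only name a base OS if one of those files survived in the final image. The following is an added example, not Scanner's code, that shows the shape of such a check: it parses the os-release key=value format, falls back to the distribution-specific one-line release files, and reports unknown when none are present. The lookup order, the filename-to-ID mapping and the version regex are this example's assumptions, and the sample root filesystems in SAMPLE_IMAGES are constructed.

```python
# Added example, not part of RHACS or Scanner: a minimal version of the
# "which distribution is this image?" check, driven by the release files the
# page lists. The lookup order and the regex are assumptions of this example;
# the file contents in SAMPLE_IMAGES are constructed.
import re
from typing import Dict, Optional

OS_RELEASE_PATHS = ["/etc/os-release", "/usr/lib/os-release"]
LEGACY_RELEASE_PATHS = [
    "/etc/alpine-release",
    "/etc/oracle-release",
    "/etc/centos-release",
    "/etc/redhat-release",
    "/etc/system-release",
    "/etc/lsb-release",
]


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (os-release / lsb-release style), stripping quotes."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def identify_os(files: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return {'id': ..., 'version': ...} for an image root filesystem.

    `files` maps an absolute path to its contents and stands in for the
    flattened image layers. None means no usable release file was found,
    which is the 'Image OS: unknown' outcome described on the page.
    """
    # Preferred: the standard os-release file, in either location.
    for path in OS_RELEASE_PATHS:
        if path in files:
            info = parse_os_release(files[path])
            if info.get("ID"):
                return {"id": info["ID"].lower(), "version": info.get("VERSION_ID", "")}
    # Fallback: distribution-specific release files.
    for path in LEGACY_RELEASE_PATHS:
        if path not in files:
            continue
        content = files[path].strip()
        if path == "/etc/alpine-release":
            # Alpine stores only the version string, e.g. "3.18.4"
            return {"id": "alpine", "version": content}
        if path == "/etc/lsb-release":
            info = parse_os_release(content)
            if info.get("DISTRIB_ID"):
                return {"id": info["DISTRIB_ID"].lower(),
                        "version": info.get("DISTRIB_RELEASE", "")}
            continue
        # e.g. "CentOS Linux release 7.9.2009 (Core)": ID from the filename,
        # version from the first "release <number>" token.
        distro = path.rsplit("/", 1)[-1][: -len("-release")]
        match = re.search(r"release\s+([\d.]+)", content)
        return {"id": distro, "version": match.group(1) if match else ""}
    return None


# Constructed sample root filesystems; the last one had its release files
# stripped, which is why Scanner would report its OS as unknown.
SAMPLE_IMAGES = {
    "ubuntu-like": {"/etc/os-release": 'ID=ubuntu\nVERSION_ID="22.04"\nPRETTY_NAME="Ubuntu 22.04"\n'},
    "alpine-like": {"/etc/alpine-release": "3.18.4\n"},
    "centos-like": {"/etc/centos-release": "CentOS Linux release 7.9.2009 (Core)\n"},
    "stripped": {"/usr/bin/app": "<binary>"},
}


def summarize(images: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample image to the 'Image OS' string a portal column would show."""
    out: Dict[str, str] = {}
    for name, files in images.items():
        info = identify_os(files)
        out[name] = f"{info['id']} {info['version']}".strip() if info else "unknown"
    return out


if __name__ == "__main__":
    for name, os_string in summarize(SAMPLE_IMAGES).items():
        print(f"{name:12s} -> {os_string}")
```

The practical lesson is the "stripped" case: a hardening step that deletes /etc/os-release and its siblings from the final image does not remove the OS packages, it only removes the evidence the scanner needs to match them against distribution advisories, so the image shows up as unknown rather than as clean.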
Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.
To disable language-specific vulnerability scanning, run the following command:
$ oc -n stackrox set env deploy/scanner \ (1)
ROX_LANGUAGE_VULNS=false (2)
1 | If you use Kubernetes, enter kubectl instead of oc . |
2 | If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS . |
For more information about Common Vulnerabilities and Exposures (CVEs), see the Red Hat CVE Database.