- /etc/alpine-release
- /etc/apt/sources.list
- /etc/lsb-release
- /etc/os-release or /usr/lib/os-release
- /etc/oracle-release, /etc/centos-release, /etc/redhat-release, or /etc/system-release
- Other similar system files.
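The files above are what a distribution-aware scanner reads to decide which vulnerability feed applies to the OS packages in an image; a hardening step that deletes them leaves the image scannable but unidentifiable. The following script, an added example that is not RHACS or Scanner code, checks an unpacked image root filesystem for those files and derives the distribution the way a scanner would. It assumes the image has already been exported and unpacked into a directory (for example with `podman unshare` and `podman mount`, or `skopeo copy` followed by `umoci unpack`); the fallback order for the distribution-specific release files is an assumption, and the sample root filesystem it builds is constructed for the demonstration.

```python
"""Check an unpacked container image root filesystem for the files a
distribution-aware scanner uses to identify the base operating system.
Added example; this is not RHACS code. Assumes the image was exported and
unpacked into a directory beforehand."""

import os
import tempfile

# The identification files listed on this page (relative to the image root).
IDENTITY_FILES = (
    "etc/alpine-release",
    "etc/apt/sources.list",
    "etc/lsb-release",
    "etc/os-release",
    "usr/lib/os-release",
    "etc/oracle-release",
    "etc/centos-release",
    "etc/redhat-release",
    "etc/system-release",
)

# Distribution-specific release files and the distro ID they imply. The order
# is an assumption for this example; os-release is always preferred.
RELEASE_FILE_IDS = (
    ("etc/alpine-release", "alpine"),
    ("etc/oracle-release", "ol"),
    ("etc/centos-release", "centos"),
    ("etc/redhat-release", "rhel"),
    ("etc/system-release", "unknown-rpm-based"),
)


def parse_os_release(text):
    """Parse os-release(5) KEY=VALUE lines, stripping surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key.strip()] = value
    return fields


def present_identity_files(rootfs):
    """Return the identification files that still exist under rootfs."""
    return [f for f in IDENTITY_FILES if os.path.isfile(os.path.join(rootfs, f))]


def identify_os(rootfs):
    """Return (distro ID, version) for the unpacked image, or None when no
    identification file survived. None is the case in which a scanner
    reports the image OS as unknown and cannot look up OS-package CVEs."""
    for rel in ("etc/os-release", "usr/lib/os-release"):
        path = os.path.join(rootfs, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                fields = parse_os_release(fh.read())
            if "ID" in fields:
                return fields["ID"], fields.get("VERSION_ID", "")
    for rel, distro_id in RELEASE_FILE_IDS:
        path = os.path.join(rootfs, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return distro_id, fh.read().strip()
    return None


def build_sample_rootfs(stripped):
    """Constructed stand-in for an unpacked image: a UBI-like os-release,
    optionally removed the way an over-eager hardening step might do."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    if not stripped:
        with open(os.path.join(root, "etc", "os-release"), "w", encoding="utf-8") as fh:
            fh.write('NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.2"\n')
    return root


if __name__ == "__main__":
    for stripped in (False, True):
        root = build_sample_rootfs(stripped)
        label = "stripped" if stripped else "intact"
        print(label, present_identity_files(root), identify_os(root))
```

Run it against a real image by unpacking the image and passing the directory to `identify_os`; an empty result from `present_identity_files` is the fastest explanation for an image whose OS shows as unknown in the portal.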
With Red Hat Advanced Cluster Security for Kubernetes you can analyze images for vulnerabilities. Scanner analyzes all image layers to check for known vulnerabilities by comparing them with the Common Vulnerabilities and Exposures (CVEs) list.
When Scanner finds any vulnerabilities, it:
Shows them in the Vulnerability Management view for detailed analysis.
Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment.
Checks them against enabled security policies.
Scanner inspects the images and identifies the installed components based on the files in the images. It may fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:
Components | Files
---|---
Package managers | 
Language-level dependencies | 
Application-level dependencies | 
Central submits image scanning requests to Scanner. Upon receiving these requests, Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central.
You can also integrate Red Hat Advanced Cluster Security for Kubernetes with another vulnerability scanner.
Scanner identifies the vulnerabilities in the:
base image operating system
packages that are installed by the package managers
programming language specific dependencies
programming runtimes and frameworks
When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE warning message. Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.
The following table shows some common Scanner warning messages:
Message | Description
---|---
| Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages.
| Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated; for example, Debian 8 and 9. For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities.
| Indicates that Scanner scanned the image but was unable to determine the base operating system used for the image.
| Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries.
| Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.
Scanner can check for vulnerabilities in images that use the following package formats:
yum
microdnf
apt
apk
dpkg
RPM
Scanner can check for vulnerabilities in dependencies for the following programming languages:
Java
JavaScript
Python
Ruby
Beginning with Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), Scanner identifies vulnerabilities in the following developer platforms:
.NET Core
ASP.NET Core
The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities; this is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.
Scanner identifies vulnerabilities in images that contain the following Linux distributions:
Distribution | Version
---|---
You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.
Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.
For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.
The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.
A new delegated registry configuration specifies the registries from which image scans are to be delegated. For images observed by Sensor, this configuration allows you to delegate scans from no registries, all registries, or specific registries. To enable delegation of scans using the roxctl CLI, the Jenkins plugin, or the API, you must also specify a destination cluster and source registry.
Scanner-slim must be installed in the secured cluster to scan images. Enabling Scanner-slim is supported on OpenShift Container Platform and Kubernetes secured clusters.
In the RHACS portal, navigate to Platform Configuration → Clusters.
In the Clusters view header, click Manage delegated scanning.
In the Delegated Image Scanning page, provide the following information:
Delegate scanning for: Choose the scope of the image delegation by selecting one of the following options:
None: The default option. This option specifies that no images are scanned by the secured clusters, except for images from the OpenShift Container Platform integrated registry.
All registries: This option indicates that all images are scanned by secured clusters.
Specified registries: This option specifies which images should be scanned by secured clusters based on the registries list.
Select default cluster to delegate to: From the drop-down list, select the name of the default cluster that will process the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None if required.
Optional: Click Add registry and specify the source registry and destination cluster details. You can select the destination cluster as None if the scan requests are not coming from the CLI and API. You can add more than one source registry and destination cluster if required.
Click Save.
Image integrations are now synchronized between Central and Sensor, and Sensor captures pull-secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.
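The routing rules above (None, All registries, Specified registries; a destination cluster only for CLI/API requests; the integrated registry always indexed in the observing cluster; fallback to Central when Scanner-slim is absent) are easy to misconfigure. The following model, an added example that is not RHACS code, encodes them so you can predict where a given image scan will run before saving the configuration. The field names enabledFor, defaultClusterId and registries[].path/clusterId mirror the author's reading of the /v1/delegatedregistryconfig API; longest-prefix matching of registry paths and the integrated registry host name are assumptions to verify against your release, and the configuration and cluster names are constructed.

```python
"""Model where an image scan lands under a delegated registry configuration:
Central's Scanner or the Scanner-slim in a secured cluster. Added example,
not RHACS code; field names, prefix matching and the integrated registry
host are the author's assumptions."""

from dataclasses import dataclass, field

CENTRAL = "central"
# Host of the OpenShift Container Platform integrated registry (assumed).
OCP_INTEGRATED_REGISTRY = "image-registry.openshift-image-registry.svc"


@dataclass
class RegistryRule:
    path: str             # source registry or repository prefix
    cluster_id: str = ""  # destination cluster for CLI/API requests; "" means None


@dataclass
class DelegatedConfig:
    enabled_for: str              # "NONE", "ALL" or "SPECIFIC"
    default_cluster_id: str = ""  # default cluster for CLI/API requests; "" means None
    registries: list = field(default_factory=list)


def validate(cfg):
    """Return configuration problems as strings; an empty list means OK."""
    problems = []
    if cfg.enabled_for not in ("NONE", "ALL", "SPECIFIC"):
        problems.append(f"enabledFor must be NONE, ALL or SPECIFIC, got {cfg.enabled_for!r}")
    if cfg.enabled_for == "SPECIFIC" and not cfg.registries:
        problems.append("SPECIFIC delegation with an empty registries list delegates nothing")
    for rule in cfg.registries:
        if not rule.path:
            problems.append("registry rule with an empty path")
    return problems


def matching_rule(cfg, image):
    """Longest registry path prefix that matches the image reference (assumed)."""
    best = None
    for rule in cfg.registries:
        if image.startswith(rule.path) and (best is None or len(rule.path) > len(best.path)):
            best = rule
    return best


def scan_target(cfg, image, source, observed_cluster="", slim_clusters=()):
    """source is "sensor" (image observed in a secured cluster) or "cli"
    (roxctl, Jenkins plugin or API). Returns the cluster ID whose
    Scanner-slim indexes the image, or CENTRAL."""
    # Integrated registry images are always indexed in the observing cluster.
    if source == "sensor" and image.startswith(OCP_INTEGRATED_REGISTRY):
        return observed_cluster if observed_cluster in slim_clusters else CENTRAL
    if cfg.enabled_for == "NONE":
        return CENTRAL
    rule = matching_rule(cfg, image)
    if cfg.enabled_for == "SPECIFIC" and rule is None:
        return CENTRAL
    if source == "sensor":
        target = observed_cluster
    else:
        # CLI/API requests need an explicit destination: the rule's cluster,
        # otherwise the default cluster, otherwise Central.
        target = (rule.cluster_id if rule and rule.cluster_id else cfg.default_cluster_id) or CENTRAL
    # Without Scanner-slim in the target cluster the request goes to Central.
    return target if target in slim_clusters else CENTRAL


if __name__ == "__main__":
    cfg = DelegatedConfig(
        "SPECIFIC",
        default_cluster_id="prod",
        registries=[RegistryRule("quay.io/acme", "prod"), RegistryRule("quay.io/acme/internal")],
    )
    slim = {"prod", "dev"}
    print(validate(cfg))
    for image, source, cluster in (
        ("quay.io/acme/app:1", "sensor", "dev"),
        ("quay.io/acme/app:1", "cli", ""),
        ("quay.io/acme/internal/tool:2", "cli", ""),
        ("docker.io/library/nginx:1", "sensor", "dev"),
        ("quay.io/acme/app:1", "sensor", "legacy"),
    ):
        print(image, source, "->", scan_target(cfg, image, source, cluster, slim))
```

The "legacy" case, a secured cluster without Scanner-slim, is the one worth checking after every change: the scan silently falls back to Central, which cannot reach an isolated registry, and the symptom is a registry-unreachable warning rather than a configuration error.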
RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.
For more information, see Installing RHACS on secured clusters by using the Operator.
Secured Cluster Services Helm chart (secured-cluster-services) installs a Scanner-slim version on each secured cluster.
In Kubernetes, the secured cluster services include Scanner-slim as an optional component.
On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.
For OpenShift Container Platform installations, see Installing the secured-cluster-services Helm chart without customization.
For non-OpenShift Container Platform installations, such as Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS), see Installing the secured-cluster-services Helm chart without customization.
Verify that the status of the secured cluster indicates that Scanner is present and healthy:
In the RHACS portal, navigate to Platform Configuration → Clusters.
In the Clusters view, select a cluster to view its details.
In the Health Status card, ensure that Scanner is present and is marked as Healthy.
Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.
From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images.
Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.
You can also use the roxctl CLI to check the image scan results on demand.
Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.
You can also configure RHACS to scan inactive (not deployed) images automatically.
On the RHACS portal, navigate to Vulnerability Management > Dashboard.
On the Dashboard view header, select IMAGES.
Click MANAGE WATCHES to manage the scanning of watched images.
In the MANAGE WATCHED IMAGES dialog, enter the inactive image’s name for which you want to enable scanning.
Verify that you enter the name of the image and not the image ID. The image name is the fully qualified image name, beginning with the registry and ending with the tag; for example, docker.io/vulnerables/cve-2017-7494:latest.
Select ADD IMAGE. RHACS then scans the image and shows the error or success message.
(Optional) Click REMOVE WATCH to remove an image from the watchlist.
On the RHACS portal, click Platform Configuration > System Configuration to view the data retention configuration. All the data related to the image removed from the watchlist continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over.
Select RETURN TO IMAGE LIST to view the IMAGES page.
In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources that include multiple Linux distributions and the National Vulnerability Database, and it refreshes every hour.
The address of the feed is https://definitions.stackrox.io.
You can change the default query frequency for Central by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL
environment variable:
$ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Scanner’s configuration map still has an
The RHACS portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. Red Hat Advanced Cluster Security for Kubernetes chooses the score based on the following criteria:
If a CVSS v3 score is available, Red Hat Advanced Cluster Security for Kubernetes shows the v3 score and lists v3 along with it; for example, 6.5 (v3).
CVSS v3 scores are only available if you are using Scanner version 1.3.5 or newer.
If a CVSS v3 score is not available, Red Hat Advanced Cluster Security for Kubernetes shows only the CVSS v2 score; for example, 6.5.
You can use the API to get the CVSS scores. If CVSS v3 information is available for a Common Vulnerabilities and Exposures (CVE), the response includes both CVSS v3 and CVSS v2 information.
For some CVEs, the Red Hat Security Advisory (RHSA) CVSS score may differ from the CVSS score visible in the RHACS portal. This difference is because one RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.
In such cases, Red Hat Advanced Cluster Security for Kubernetes:
Finds the highest-scoring CVE from the National Vulnerability Database (NVD) and shows its score as the CVSS score for the RHSA.
Breaks out each CVE in the RHSA as a separate vulnerability with its original CVSS score (from the NVD), so that you can view each one and create policies for specific CVEs.
With RHACS, you can view the details for all container images in your clusters.
In the RHACS portal, navigate to Vulnerability Management → Dashboard.
To view details for all the images in your cluster, in the Vulnerability Management view header, click Images.
You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
Use the Vulnerability Management view to find the root cause of vulnerabilities in an image. You can view the Dockerfile and find exactly which command in the Dockerfile introduced the vulnerabilities and all components that are associated with that single command.
The Dockerfile section shows information about:
All the layers in the Dockerfile
The instructions and their value for each layer
The components included in each layer
The number of CVEs in components for each layer
When there are components introduced by a specific layer, you can select the expand icon to see a summary of its components. If there are any CVEs in those components, you can select the expand icon for an individual component to get more details about the CVEs affecting that component.
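The Dockerfile section is a per-layer roll-up of the scan result: each component is attributed to the layer that introduced it, and each CVE carries the single score described in the CVSS section above. The following script, an added example that is not RHACS code, performs that roll-up over a constructed scan result so the same view can be produced from API output in a pipeline. The JSON shape (metadata.v1.layers with instruction and value, scan.components with layerIndex, and vulns carrying cvss and scoreVersion) follows the author's reading of the image API and should be checked against `roxctl image scan` JSON output for your release; the image, layers, component names and CVE identifiers in the sample are placeholders, not real findings.

```python
"""Roll up a constructed RHACS image scan result the way the Dockerfile
section of the Vulnerability Management view does: CVEs per layer, each
CVE attributed to the instruction that introduced its component, and the
single CVSS score string the portal shows. Added example, not RHACS code;
the JSON field names are the author's assumptions."""

import json
from collections import defaultdict

# Constructed sample; component names and CVE identifiers are placeholders.
SAMPLE_SCAN = json.loads("""
{
  "name": {"fullName": "quay.io/example/app:1.0"},
  "metadata": {"v1": {"layers": [
    {"instruction": "FROM", "value": "registry.access.redhat.com/ubi9/ubi-minimal"},
    {"instruction": "RUN", "value": "microdnf install -y libfoo && microdnf clean all"},
    {"instruction": "COPY", "value": "requirements.txt /app/"},
    {"instruction": "RUN", "value": "pip install -r /app/requirements.txt"}
  ]}},
  "scan": {"components": [
    {"name": "libfoo", "version": "1.2.3-4.el9", "layerIndex": 1, "vulns": [
      {"cve": "CVE-0000-0001", "cvss": 7.5, "scoreVersion": "V3", "fixedBy": "1.2.3-5.el9"},
      {"cve": "CVE-0000-0002", "cvss": 5.0, "scoreVersion": "V2", "fixedBy": ""}
    ]},
    {"name": "barlib", "version": "2.0.0", "layerIndex": 3, "vulns": [
      {"cve": "CVE-0000-0003", "cvss": 6.5, "scoreVersion": "V3", "fixedBy": "2.1.0"}
    ]},
    {"name": "bazlib", "version": "0.9", "layerIndex": 3, "vulns": []}
  ]}
}
""")


def display_score(vuln):
    """Score string as shown in the portal: "6.5 (v3)" when a v3 score exists,
    otherwise the bare v2 score "6.5"."""
    score = f"{vuln['cvss']:.1f}"
    return f"{score} (v3)" if vuln.get("scoreVersion") == "V3" else score


def rhsa_score(nvd_scores):
    """An RHSA covering several CVEs is shown with the highest NVD score among
    them; each CVE is still broken out separately with its own score."""
    return max(nvd_scores)


def cves_by_layer(scan):
    """Map layer index -> [(component, version, cve, display score, fixed_by)]."""
    out = defaultdict(list)
    for comp in scan["scan"]["components"]:
        for vuln in comp.get("vulns", []):
            out[comp["layerIndex"]].append(
                (comp["name"], comp["version"], vuln["cve"], display_score(vuln), vuln.get("fixedBy", ""))
            )
    return dict(out)


def layer_cve_counts(scan):
    """Per-layer CVE counts in Dockerfile order (0 for layers without findings)."""
    by_layer = cves_by_layer(scan)
    return [len(by_layer.get(i, [])) for i in range(len(scan["metadata"]["v1"]["layers"]))]


def dockerfile_view(scan):
    """Text rendering of the Dockerfile section: instruction, value and CVE
    count per layer, then the components and CVEs that layer introduced."""
    lines = []
    by_layer = cves_by_layer(scan)
    for i, layer in enumerate(scan["metadata"]["v1"]["layers"]):
        findings = by_layer.get(i, [])
        lines.append(f"[{i}] {layer['instruction']} {layer['value']}  ({len(findings)} CVEs)")
        for name, version, cve, score, fixed_by in findings:
            fix = f"fixed in {fixed_by}" if fixed_by else "no fix available"
            lines.append(f"      {name}-{version}: {cve} {score}, {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(dockerfile_view(SAMPLE_SCAN))
    print("per-layer CVE counts:", layer_cve_counts(SAMPLE_SCAN))
```

The layer index is the useful output: it points at the exact RUN or COPY instruction to change, and the fixedBy value tells you whether bumping a package version there is enough or the component has no fixed release yet.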
Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.
In the Image details view, next to Dockerfile, select the expand icon to see a summary of instructions, values, creation date, and components.
Select the expand icon for an individual component to view more information.
You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
Use the Vulnerability Management view to identify vulnerable components and the image layer they appear in.
Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.
In the Image details view, next to Dockerfile, select the expand icon to see a summary of image components.
Select the expand icon for specific components to get more details about the CVEs affecting the selected component.
You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
You can identify specific Dockerfile lines in an image that introduced components with CVEs.
To view a problematic line:
Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
Select an image from either the Top Riskiest Images widget or click the Images button at the top of the Dashboard and select an image.
In the Image details view, under Image Findings, CVEs are listed in the Observed CVEs, Deferred CVEs, and False positive CVEs tabs.
Locate the CVE you want to examine further. In the Affected Components column, click on the <number> Components link to view a list of components affected by the CVE. You can perform the following actions in this window:
Click the expand icon next to a specific component to view the Dockerfile line in the image that introduced the CVE. To address the CVE, you need to change this line in the Dockerfile; for example, you can upgrade the component.
Click the name of the component to go to the Component Summary page and view more information about the component.
You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
Use the Vulnerability Management view to identify the operating system of the base image.
Navigate to the RHACS portal and click Vulnerability Management from the navigation menu.
From the Vulnerability Management view header, select Images.
View the base operating system (OS) and OS version for all images under the Image OS column.
Select an image to view its details. The base operating system is also available under the Image Summary → Details and Metadata section.
Red Hat Advanced Cluster Security for Kubernetes lists the Image OS as unknown when either:
Docker Trusted Registry, Google Container Registry, and Anchore do not provide this information.
You can also view this information by navigating to Vulnerability Management (2.0) → Workload CVEs. See "Viewing workload CVEs in Vulnerability Management (2.0)" in the "Additional Resources" section for more information.
Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.
To disable language-specific vulnerability scanning, run the following command:
$ oc -n stackrox set env deploy/scanner \ (1)
ROX_LANGUAGE_VULNS=false (2)
1 | If you use Kubernetes, enter kubectl instead of oc . |
2 | If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS . |
For more information about Common Vulnerabilities and Exposures (CVEs), see the Red Hat CVE Database.