-
/etc/alpine-release
-
/etc/apt/sources.list
-
/etc/lsb-release
-
/etc/os-release
or/usr/lib/os-release
-
/etc/oracle-release
,/etc/centos-release
,/etc/redhat-release
, or/etc/system-release
-
Other similar system files.
With Red Hat Advanced Cluster Security for Kubernetes, you can analyze images for vulnerabilities using the RHACS scanners, or you can configure an integration to use another supported scanner.
The scanners in RHACS analyze each image layer to find packages and match them against known vulnerabilities by comparing them with a vulnerability database populated from different sources. Depending on the scanner used, sources include the National Vulnerability Database (NVD), the Open Source Vulnerabilities (OSV) database, and operating system vulnerability feeds.
The RHACS Scanner V4 uses the OSV database available at OSV.dev under this license. |
RHACS contains two scanners: the StackRox Scanner and Scanner V4.
The StackRox Scanner originates from a fork of the Clair v2 open source scanner and is the default scanner. In version 4.4, RHACS introduced Scanner V4, built on ClairCore, which provides additional image scanning features.
This documentation uses the term "RHACS scanner" or "Scanner" to refer to the combined scanning capabilities provided by the two scanners: the StackRox Scanner and Scanner V4. When referring to the capabilities of a specific scanner, the name of the specific scanner is used. |
When the RHACS scanner finds any vulnerabilities, it performs the following actions:
Shows them in the Vulnerability Management view for detailed analysis
Ranks vulnerabilities according to risk and highlights them in the RHACS portal for risk assessment
Checks them against enabled security policies
The RHACS scanner inspects the images and identifies the installed components based on the files in the images. It might fail to identify installed components or vulnerabilities if the final images are modified to remove the following files:
Components | Files |
---|---|
Package managers |
|
Language-level dependencies |
|
Application-level dependencies |
|
RHACS provides its own scanner, or you can configure an integration to use RHACS with another vulnerability scanner.
Beginning with version 4.4, Scanner V4, built on ClairCore, provides scanning for language and operating system-specific image components. For version 4.4, RHACS also uses the StackRox Scanner to provide some scanning functionality until that functionality is implemented in a future release.
For version 4.4, RHACS provides two scanners: the StackRox Scanner and Scanner V4. Both scanners can examine images in secured clusters connected in your network. Secured cluster scanning is enabled by default in Red Hat OpenShift environments deployed by using the Operator or when delegated scanning is used. See "Accessing delegated image scanning" for more information.
When using the StackRox Scanner, RHACS performs the following actions:
Central submits image scanning requests to the StackRox Scanner.
Upon receiving these requests, the StackRox Scanner pulls the image layers from the relevant registry, checks the images, and identifies installed packages in each layer. Then it compares the identified packages and programming language-specific dependencies with the vulnerability lists and sends information back to Central
The StackRox Scanner identifies the vulnerabilities in the following areas:
Base image operating system
Packages that are installed by the package managers
Programming language specific dependencies
Programming runtimes and frameworks
When using Scanner V4, RHACS performs the following actions:
Central requests the Scanner V4 Indexer to download and index (analyze) given images.
Scanner V4 Indexer pulls image metadata from registries to determine the layers of the image, and downloads each previously unindexed layer.
Scanner V4 Indexer requests mapping files from Central that assist the indexing process. Scanner V4 Indexer produces in an index report.
Central requests that Scanner V4 Matcher match given images to known vulnerabilities. This process results in the final scan result: a vulnerability report. Scanner V4 Matcher requests the latest vulnerabilities from Central.
Scanner V4 Matcher requests the results of the image indexing, the index report, from Scanner V4 Indexer. It then uses the report to determine relevant vulnerabilities. This interaction occurs only when the image is indexed in the Central cluster. This interaction does not occur when Scanner V4 is matching vulnerabilities for images indexed in secured clusters.
The Indexer stores data in the Scanner V4 DB that is related to the indexing results to ensure that image layers are only downloaded and indexed once. This prevents unnecessary network traffic and other resource utilization.
When secured cluster scanning is enabled, Sensor requests Scanner V4 to index images. Scanner V4 Indexer requests mapping files from Sensor that assist the indexing process unless Central exists in the same namespace. In that case, Central is contacted instead.
When scanning images with Red Hat Advanced Cluster Security for Kubernetes (RHACS), you might see the CVE DATA MAY BE INACCURATE
warning message.
Scanner displays this message when it cannot retrieve complete information about the operating system or other packages in the image.
The following table shows some common Scanner warning messages:
Message | Description | ||
---|---|---|---|
|
Indicates that Scanner does not officially support the base operating system of the image; therefore, it cannot retrieve CVE data for the operating system-level packages. |
||
|
Indicates that the base operating system of the image has reached end-of-life, which means the vulnerability data is outdated. For example, Debian 8 and 9. For more information about the files needed to identify the components in the images, see Examining images for vulnerabilities. |
||
|
Indicates that Scanner scanned the image, but was unable to determine the base operating system used for the image. |
||
|
Indicates that the target registry is unreachable on the network. The cause could be a firewall blocking To analyze the root cause, create a special registry integration for private registries or repositories to get the pod logs for RHACS Central. For instructions on how to do this, see Integrating with image registries. |
||
|
Indicates that Scanner scanned the image, but the image is old and does not fall within the scope of Red Hat Scanner Certification. For more information, see Partner Guide for Red Hat Vulnerability Scanner Certification.
|
Scanner can check for vulnerabilities in images that use the following package formats:
apt
apk
dpkg
rpm
Scanner can check for vulnerabilities in dependencies for the following programming languages:
Go (Scanner V4 only)
Binaries: The standard library version used to build the binary is analyzed. If the binaries are built with module support (go.mod), then the dependencies are also analyzed.
Java
JAR
WAR
EAR
JavaScript
Node.js
npm package.json
Python
egg and wheel formats
Ruby
gem
Beginning from Red Hat Advanced Cluster Security for Kubernetes 3.0.50 (Scanner version 2.5.0), the StackRox Scanner identifies vulnerabilities in the following developer platforms:
.NET Core
ASP.NET Core
These are not supported by Scanner V4.
The supported platforms listed in this section are the distributions in which Scanner identifies vulnerabilities, and it is different from the supported platforms on which you can install Red Hat Advanced Cluster Security for Kubernetes.
Scanner identifies vulnerabilities in images that contain the following Linux distributions. For more information about the vulnerability databases used, see "Vulnerability sources" in "RHACS Architecture".
Distribution | Version |
---|---|
|
|
|
|
CentOS |
|
|
|
|
|
|
|
|
|
|
|
The following vulnerability sources are not updated by the vendor:
|
Only supported in the StackRox Scanner.
Only supported in Scanner V4.
Images older than June 2020 are not supported in Scanner V4.
|
Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports scanning images from registry mirrors that you have configured by using one of the following OpenShift Container Platform custom resources (CRs):
ImageContentSourcePolicy
(ICSP)
ImageDigestMirrorSet
(IDMS)
ImageTagMirrorSet
(ITMS)
For more information about how to configure image registry repository mirroring, see "Configuring image registry repository mirroring".
You can automatically scan images from registry mirrors by using delegated image scanning.
For more information about how to configure delegated image scanning, see "Scanning images by using secured clusters".
You can have isolated container image registries that are only accessible from your secured clusters. The delegated image scanning feature enables you to scan images from any registry in your secured clusters.
Currently, by default, Central Services Scanner performs both indexing (identification of components) and vulnerability matching (enrichment of components with vulnerability data) for images observed in your secured clusters, with the exception of images from the OpenShift Container Platform integrated registry.
For images from the OpenShift Container Platform integrated registry, Scanner-slim installed in your secured cluster performs the indexing, and the Central Services Scanner performs the vulnerability matching.
The delegated image scanning feature extends scanning functionality by allowing Scanner-slim to index images from any registry and then send them to Central for vulnerability matching. To use this feature, ensure that Scanner-slim is installed in your secured clusters. If Scanner-slim is not present, scan requests are sent directly to Central.
To scan images by using the secured clusters instead of the Central services, you can use the delegated image scanning feature.
A new delegated scanning configuration specifies the registries from which you can delegate image scans. For images that Sensor observes, you can use the delegated registry configuration to delegate scans from no registries, all registries, or specific registries.
To enable delegation of scans by using the roxctl
CLI, Jenkins plugin, or API, you must also specify a destination cluster and source registry.
You have installed Scanner in the secured cluster to scan images.
Enabling Scanner is supported on OpenShift Container Platform and Kubernetes secured clusters. |
In the RHACS portal, click Platform Configuration → Clusters.
In the Clusters view header, click Delegated scanning.
In the Delegated Image Scanning page, provide the following information:
Delegate scanning for: To choose the scope of the image delegation, select one of the following options:
None: The default option. This option specifies that the secured clusters do not scan any images, except for images from the integrated OpenShift image registry.
All registries: This option indicates that the secured clusters scan all the images.
Specified registries: This option specifies the images that secured clusters should scan based on the registries list.
Select default cluster to delegate to: From the drop-down list, select the name of the default cluster. The default cluster processes the scan requests coming from the command-line interface (CLI) and API. This is optional and you can select None
if required.
Optional: To specify the source registry and destination cluster details, click Add registry.
For example, specify the source registry as example.com
, and select remote
from the drop-down list for the destination cluster. You can add more than one source registry and destination cluster if required.
You can select the destination cluster as |
Click Save.
Image integrations are now synchronized between Central and Sensor, and Sensor captures pull secrets from each namespace. Sensor then uses these credentials to authenticate to the image registries.
RHACS Operator installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.
For more information, see Installing RHACS on secured clusters by using the Operator.
Secured Cluster Services Helm chart (secured-cluster-services
) installs a Scanner-slim version on each secured cluster.
In Kubernetes, the secured cluster services include Scanner-slim as an optional component.
On OpenShift Container Platform, however, RHACS installs a Scanner-slim version on each secured cluster to scan images in the OpenShift Container Platform integrated registry and optionally other registries.
For OpenShift Container Platform installations, see Installing the secured-cluster-services Helm chart without customization.
For non-OpenShift Container Platform installations, such as Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS), see Installing the secured-cluster-services Helm chart without customization.
Verify that the status of the secured cluster indicates that Scanner is present and healthy:
In the RHACS portal, go to Platform Configuration → Clusters.
In the Clusters view, select a cluster to view its details.
In the Health Status card, ensure that Scanner is present and is marked as Healthy.
You can scan images stored in a cluster specific OpenShift Container Platform integrated image registry by using roxctl
CLI, Jenkins, and API. You can specify the appropriate cluster in the delegated scanning configuration or use the cluster parameter available in roxctl
CLI, Jenkins, and API.
For more information about how to scan images by using the roxctl
CLI, see Image scanning by using the roxctl CLI.
You can configure settings for scanning, such as automatic scanning of active and inactive images.
Red Hat Advanced Cluster Security for Kubernetes periodically scans all active images and updates the image scan results to reflect the latest vulnerability definitions. Active images are the images you have deployed in your environment.
From Red Hat Advanced Cluster Security for Kubernetes 3.0.57, you can enable automatic scanning of inactive images by configuring the Watch setting for images. |
Central fetches the image scan results for all active images from Scanner or other integrated image scanners that you use and updates the results every 4 hours.
You can also use the roxctl
CLI to check the image scan results on demand.
Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions.
You can also configure RHACS to scan inactive (not deployed) images automatically.
In the RHACS portal, click Vulnerability Management → Workload CVEs.
Click Manage watched images.
In the Image name field, enter the fully-qualified image name that begins with the registry and ends with the image tag, for example, docker.io/library/nginx:latest
.
Click Add image to watch list.
Optional: To remove a watched image, locate the image in the Manage watched images window, and click Remove watch.
In the RHACS portal, click Platform Configuration → System Configuration to view the data retention configuration. All the data related to the image removed from the watched image list continues to appear in the RHACS portal for the number of days mentioned on the System Configuration page and is only removed after that period is over. |
Click Close to return to the Workload CVEs page.
RHACS fetches vulnerability definitions and updates from multiple vulnerability feeds. These feeds are both general in nature, such as NVD, or distribution-specific, such as Alpine, Debian, and Ubuntu. For more information on viewing and addressing vulnerabilities that are found, see Vulnerability management.
In online mode, Central fetches the vulnerability definitions every 5 minutes from a single feed. This feed combines vulnerability definitions from upstream sources, and it refreshes every 3 hours.
The address of the feed is https://definitions.stackrox.io
.
You can change the default query frequency for Central and the StackRox Scanner by setting the ROX_SCANNER_VULN_UPDATE_INTERVAL
environment variable:
$ oc -n stackrox set env deploy/central ROX_SCANNER_VULN_UPDATE_INTERVAL=<value> (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Note the following guidance:
The StackRox Scanner’s configuration map still has an updater.interval
parameter for configuring the scanner’s updating frequency, but it no longer includes the fetchFromCentral
parameter.
Setting this environment variable is not supported for Scanner V4.
For more information about the vulnerability sources that RHACS uses, see "Vulnerability sources" in "Red Hat Advanced Cluster Security for Kubernetes architecture".
The vulnerability management dashboard in the Red Hat Advanced Cluster Security for Kubernetes portal shows a single Common Vulnerability Scoring System (CVSS) base score for each vulnerability. RHACS shows the CVSS score based on the following criteria:
If a CVSS v3 score is available, RHACS shows the score and lists v3
along with it.
For example, 6.5 (v3)
.
CVSS v3 scores are only available if you are using the StackRox Scanner version 1.3.5 and later or Scanner V4. |
If a CVSS v3 score is not available, RHACS might show only the CVSS v2 score.
For example, 6.5
.
You can use the API to get the CVSS scores. If CVSS v3 information is available for a vulnerability, the response might include both CVSS v3 and CVSS v2 information.
For a Red Hat Security Advisory (RHSA), the CVSS score is set to the highest CVSS score among all the related CVEs. One RHSA can contain multiple CVEs, and Red Hat sometimes assigns a different score based on how a vulnerability affects other Red Hat products.
Scanner identifies the vulnerabilities in the programming language-specific dependencies by default. You can disable the language-specific dependency scanning.
To disable language-specific vulnerability scanning, run the following command:
$ oc -n stackrox set env deploy/scanner \ (1)
ROX_LANGUAGE_VULNS=false (2)
1 | If you use Kubernetes, enter kubectl instead of oc . |
2 | If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.47 or older, replace the environment variable name ROX_LANGUAGE_VULNS with LANGUAGE_VULNS . |