
For OpenShift Container Platform, Red Hat Enterprise Linux CoreOS (RHCOS) is the only supported operating system for control plane. For node hosts, OpenShift Container Platform supports both RHCOS and Red Hat Enterprise Linux (RHEL). With Red Hat Advanced Cluster Security for Kubernetes (RHACS), you can scan RHCOS nodes for vulnerabilities and detect potential security threats.

RHACS scans the RHCOS RPMs that are installed on the node host as part of the RHCOS installation for known vulnerabilities.

First, RHACS analyzes and detects RHCOS components. Then it matches vulnerabilities for identified components by using RHEL and the following data streams:

  • OpenShift 4.X Open Vulnerability and Assessment Language (OVAL) v2 security data streams are used if the StackRox Scanner is used for node scanning.

  • Red Hat Common Security Advisory Framework (CSAF) Vulnerability Exploitability eXchange (VEX) is used if Scanner V4 is used for node scanning.

If you installed RHACS by using the roxctl CLI, you must manually enable the RHCOS node scanning features. When you use the Helm or Operator installation methods on OpenShift Container Platform, this feature is enabled by default.

Enabling RHCOS node scanning with the StackRox Scanner

If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites
Procedure
  1. Run one of the following commands to update the compliance container.

    • For a default compliance container with metrics disabled, run the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'

    • For a compliance container with Prometheus metrics enabled, run the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
  2. Update the Collector DaemonSet (DS) by taking the following steps:

    1. Add new volume mounts to Collector DS by running the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'

    2. Add the new NodeScanner container by running the following command:

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.1","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'

Enabling RHCOS node scanning with Scanner V4

If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).

RHCOS node scanning with Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites
Procedure

To enable node indexing, also known as node scanning, by using Scanner V4:

  1. In the Central pod, on the central container, set the ROX_NODE_INDEX_ENABLED variable to true by running the following command on the Central cluster:

    $ kubectl -n stackrox set env deployment/central ROX_NODE_INDEX_ENABLED=true (1)
    1 For OpenShift Container Platform, use oc instead of kubectl.
  2. In the Collector Daemonset, in the compliance container, set the ROX_NODE_INDEX_ENABLED variable to true by running the following command on the secured cluster:

    $ kubectl -n stackrox set env daemonset/collector ROX_NODE_INDEX_ENABLED=true (1)
    1 For OpenShift Container Platform, use oc instead of kubectl.
  3. To verify that node scanning is working, examine the Central logs for the following message:

    Scanned index report and found <number> components for node <node_name>.

    where <number> is the number of discovered components and <node_name> is the name of the node.
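The verification step above asks you to look for one log message per node. The following script is an added example (not part of the Red Hat documentation or of RHACS itself) that automates that check: it extracts the latest "Scanned index report" message for each node from Central log output and flags nodes that never reported or reported zero components. The sample log lines are constructed, and the timestamp prefix on them is an assumption; only the message text comes from the documentation.

```python
import re
import sys

# Message format documented for Central when Scanner V4 node indexing works:
#   Scanned index report and found <number> components for node <node_name>.
REPORT_RE = re.compile(
    r"Scanned index report and found (?P<count>\d+) components for node (?P<node>\S+)\."
)

# Constructed sample of Central log output; the timestamp/level prefix is an
# assumption, only the message text is taken from the documentation.
SAMPLE_LOGS = """\
2024/01/01 10:00:00.000 INFO: Scanned index report and found 512 components for node worker-0.
2024/01/01 10:00:01.000 INFO: unrelated log line
2024/01/01 10:00:02.000 INFO: Scanned index report and found 0 components for node worker-1.
2024/01/01 14:00:00.000 INFO: Scanned index report and found 513 components for node worker-0.
"""


def parse_index_reports(log_text):
    """Return {node_name: component count}, keeping the latest report for each node."""
    reports = {}
    for line in log_text.splitlines():
        match = REPORT_RE.search(line)
        if match:
            reports[match.group("node")] = int(match.group("count"))
    return reports


def nodes_needing_attention(reports, expected_nodes):
    """Nodes in expected_nodes that have not reported, or reported zero components."""
    return sorted(node for node in expected_nodes if reports.get(node, 0) == 0)


if __name__ == "__main__":
    # Typical use, piping the real logs in and naming the nodes you expect to see:
    #   oc -n stackrox logs deployment/central | python3 check_node_index.py worker-0 worker-1
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGS
    found = parse_index_reports(text)
    for node, count in sorted(found.items()):
        print(f"{node}: {count} components")
    problems = nodes_needing_attention(found, sys.argv[1:] or list(found))
    if problems:
        print("nodes without a non-empty index report: " + ", ".join(problems))
        sys.exit(1)
```

Passing the expected node names on the command line is what makes the check useful: a node that has not produced any report at all is the case most easily missed when reading logs by hand, and it only shows up if you compare against the list of nodes you expect.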

Analysis and detection

When you use RHACS with OpenShift Container Platform, RHACS creates two coordinating containers for analysis and detection, the Compliance container and the Node-inventory container. The Compliance container was already a part of earlier RHACS versions. However, the Node-inventory container is new with RHACS 4.0 and works only with OpenShift Container Platform cluster nodes.

Upon start-up, the Compliance and Node-inventory containers begin the first inventory scan of Red Hat Enterprise Linux CoreOS (RHCOS) software components within five minutes. Next, the Node-inventory container scans the node’s file system to identify installed RPM packages and report on RHCOS software components. Afterward, inventory scanning occurs at periodic intervals, typically every four hours. You can customize the default interval by configuring the ROX_NODE_SCANNING_INTERVAL environment variable for the Compliance container.

Vulnerability matching on RHCOS nodes

Central services, which include Central and Scanner, perform vulnerability matching. Node scanning is performed using the following scanners:

  • StackRox Scanner: This is the default scanner. StackRox Scanner uses Red Hat’s Open Vulnerability and Assessment Language (OVAL) v2 security data streams to match vulnerabilities on Red Hat Enterprise Linux CoreOS (RHCOS) software components.

  • Scanner V4: Scanner V4 is available for node scanning as a Technology Preview feature. Scanner V4 must be explicitly enabled. See the documentation in "Additional resources" for more information.

When scanning RHCOS nodes, RHACS releases after 4.0 no longer use the Kubernetes node metadata to find the kernel and container runtime versions. Instead, RHACS uses the installed RHCOS RPMs to assess that information.

Related environment variables

You can use the following environment variables to configure RHCOS node scanning on RHACS.

Table 1. Node-inventory configuration

ROX_NODE_SCANNING_CACHE_TIME: The time after which a cached inventory is considered outdated. Defaults to 90% of ROX_NODE_SCANNING_INTERVAL, which is 3h36m.

ROX_NODE_SCANNING_INITIAL_BACKOFF: The initial time in seconds by which a node scan is delayed if a backoff file is found. The default value is 30s.

ROX_NODE_SCANNING_MAX_BACKOFF: The upper limit of the backoff. The default value is 5m, which is 50% of the Kubernetes restart policy stability timer.

Table 2. Compliance configuration

ROX_NODE_INDEX_ENABLED: Controls whether node indexing is enabled for this cluster. The default value is false. Set this variable to true to use Scanner V4-based RHCOS node scanning.

ROX_NODE_SCANNING_INTERVAL: The base value of the interval between node scans. The default value is 4h.

ROX_NODE_SCANNING_INTERVAL_DEVIATION: The amount by which the interval between node scans can deviate from the base interval. The deviation cannot exceed ROX_NODE_SCANNING_INTERVAL.

ROX_NODE_SCANNING_MAX_INITIAL_WAIT: The maximum wait time before the first node scan; the actual wait is randomly generated up to this value. Set this value to 0 to disable the initial wait. The default value is 5m.
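The relationships between these variables (cache time as 90% of the interval, deviation bounded by the interval, a random initial wait that 0 disables, backoff between an initial value and a cap) are easier to reason about when written out. The following is an added example, not RHACS code: it parses the Go-style duration strings used in the tables and models the documented defaults. The symmetric jitter in next_scan_delay and the doubling in backoff_schedule are assumptions, because the page states only the bounds, not the exact algorithm; the parser handles only the h, m and s units that appear in the documentation.

```python
import random
import re

# Go-style duration strings as used by the ROX_* variables, e.g. "4h", "24m", "3h36m".
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_duration(text):
    """Convert a duration such as '3h36m' into whole seconds; a bare '0' is accepted."""
    if text == "0":
        return 0
    if not text or _DURATION_RE.sub("", text):
        raise ValueError(f"invalid duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(text))


def format_duration(seconds):
    """Inverse of parse_duration for whole seconds, e.g. 12960 -> '3h36m'."""
    parts = []
    for unit, size in (("h", 3600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts) or "0s"


def default_cache_time(interval="4h"):
    """ROX_NODE_SCANNING_CACHE_TIME defaults to 90% of ROX_NODE_SCANNING_INTERVAL."""
    return parse_duration(interval) * 9 // 10


def initial_wait(max_initial_wait="5m", seed=None):
    """Random wait before the first scan, bounded by ROX_NODE_SCANNING_MAX_INITIAL_WAIT.
    A value of 0 disables the wait entirely, as the documentation states."""
    limit = parse_duration(max_initial_wait)
    return 0 if limit == 0 else random.Random(seed).randint(0, limit)


def next_scan_delay(interval="4h", deviation="24m", seed=None):
    """Delay until the next periodic scan: the base interval jittered by up to
    ROX_NODE_SCANNING_INTERVAL_DEVIATION in either direction. The deviation is
    capped at the interval, which the documentation gives as its upper limit.
    The symmetric jitter is an assumed model, not the documented algorithm."""
    base = parse_duration(interval)
    jitter = min(parse_duration(deviation), base)
    return base + random.Random(seed).randint(-jitter, jitter)


def backoff_schedule(initial="30s", maximum="5m", attempts=6):
    """Assumed exponential backoff for repeated scan delays, starting at
    ROX_NODE_SCANNING_INITIAL_BACKOFF and capped at ROX_NODE_SCANNING_MAX_BACKOFF.
    Only the two bounds come from the documentation; the doubling is an assumption."""
    delay, cap, schedule = parse_duration(initial), parse_duration(maximum), []
    for _ in range(attempts):
        schedule.append(delay)
        delay = min(delay * 2, cap)
    return schedule


if __name__ == "__main__":
    print("cache time for 4h interval:", format_duration(default_cache_time("4h")))
    print("next scan in:", format_duration(next_scan_delay(seed=0)))
    print("backoff (s):", backoff_schedule())
```

The practical point for tuning is that shortening ROX_NODE_SCANNING_INTERVAL also shortens the default cache time, and a deviation larger than the interval is silently limited to the interval, so a large deviation does not buy more spread than the interval itself allows.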

Identifying vulnerabilities in nodes by using the dashboard

You can use the Vulnerability Management view to identify vulnerabilities in your nodes. The identified vulnerabilities include vulnerabilities in core Kubernetes components and container runtimes such as Docker, CRI-O, runC, and containerd. For more information on operating systems that RHACS can scan, see "Supported operating systems".

Procedure
  1. In the RHACS portal, go to Vulnerability Management → Dashboard.

  2. Select Nodes on the header to view a list of all the CVEs affecting your nodes.

  3. Select a node from the list to view details of all CVEs affecting that node.

    1. When you select a node, the Node details panel opens for the selected node. The Node view shows in-depth details of the node and includes information about CVEs by CVSS score and fixable CVEs for that node.

    2. Select View All on the CVEs by CVSS score widget header to view a list of all the CVEs in the selected node. You can also filter the list of CVEs.

    3. To export the fixable CVEs as a CSV file, select Export as CSV under the Node Findings section.

Viewing Node CVEs

You can identify vulnerabilities in your nodes by using RHACS. The vulnerabilities that are identified include the following:

  • Vulnerabilities in core Kubernetes components

  • Vulnerabilities in container runtimes such as Docker, CRI-O, runC, and containerd

For more information about operating systems that RHACS can scan, see "Supported operating systems".

Procedure
  1. In the RHACS portal, click Vulnerability Management → Node CVEs.

  2. To view the data, do any of the following tasks:

    • To view a list of all the CVEs affecting all of your nodes, select <number> CVEs.

    • To view a list of nodes that contain CVEs, select <number> Nodes.

  3. Optional: To filter CVEs according to entity, select the appropriate filters and attributes. To add more filtering criteria, follow these steps:

    1. Select the entity or attribute from the list.

    2. Depending on your choices, enter the appropriate information such as text, or select a date or object.

    3. Click the right arrow icon.

    4. Optional: Select additional entities and attributes, and then click the right arrow icon to add them. The filter entities and attributes are listed in the following table.

      Table 3. CVE filtering
      Entity Attributes

      Node

      • Name: The name of the node.

      • Operating system: The operating system of the node, for example, Red Hat Enterprise Linux (RHEL).

      • Label: The label of the node.

      • Annotation: The annotation for the node.

      • Scan time: The scan date of the node.

      CVE

      • Name: The name of the CVE.

      • Discovered time: The date when RHACS discovered the CVE.

      • CVSS: The severity level for the CVE.

        You can compare the CVSS score by using the following operators:

        • is greater than

        • is greater than or equal to

        • is equal to

        • is less than or equal to

        • is less than

      Node Component

      • Name: The name of the component.

      • Version: The version of the component, for example, 4.15.0-2024. You can use this to search for a specific version of a component, for example, in conjunction with a component name.

      Cluster

      • Name: The name of the cluster.

      • Label: The label for the cluster.

      • Type: The type of cluster, for example, OCP.

      • Platform type: The type of platform, for example, OpenShift 4 cluster.

  4. Optional: To refine the list of results, do any of the following tasks:

    • Click CVE severity, and then select one or more levels.

    • Click CVE status, and then select Fixable or Not fixable.

  5. Optional: To view the details of the node and information about the CVEs according to the CVSS score and fixable CVEs for that node, click a node name in the list of nodes.