Feature Request
Resolution: Done
Major
Business Problem:
Red Hat Advanced Cluster Security is today able to scan container images for vulnerabilities. It would be valuable to extend those capabilities so that container images can also be scanned for compliance: detect the components installed in the image and then evaluate their configuration against a known compliance benchmark.
Example with Tomcat:
- Detect that the container image contains Tomcat
- Scan the container image for compliance against the CIS Apache Tomcat Benchmark (https://www.cisecurity.org/benchmark/apache_tomcat)
- Report the results accordingly and provide the same functionality as exists for vulnerabilities (take action when certain findings are present, etc.)
Besides the Tomcat example, the following additional components are of interest:
- Apache HTTP Server
- nginx
- PostgreSQL
- MySQL
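To make the requested flow concrete (detect the component in the image, evaluate it against benchmark-style checks, report findings and act on them), here is an added illustration. It is example code written for this page, not RHACS code and not part of the CIS benchmark. It assumes an already extracted image root filesystem on disk; the marker paths used for detection, the check names such as tomcat-shutdown-port, the severities, and the sample server.xml files are all assumptions chosen for illustration and are not the benchmark's own numbering or wording.

```python
"""Illustrative image compliance scan (added example, not RHACS code): detect
components in an extracted image rootfs, then check a found Tomcat against a
few configuration recommendations of the kind the CIS Apache Tomcat Benchmark
makes. Marker paths, check names and severities are assumptions, not CIS text."""
import os
import tempfile
import xml.etree.ElementTree as ET
# Assumed marker paths (relative to the rootfs) for components with fixed install
# locations; Tomcat is located by walking for a CATALINA_HOME layout instead.
FIXED_MARKERS = {
    "apache-httpd": ["etc/httpd/conf/httpd.conf", "etc/apache2/apache2.conf"],
    "nginx": ["etc/nginx/nginx.conf", "usr/sbin/nginx"],
    "postgresql": ["usr/bin/postgres", "usr/lib/postgresql"],
    "mysql": ["usr/sbin/mysqld", "etc/mysql/my.cnf", "etc/my.cnf"],
}

def find_tomcat_homes(rootfs):
    """Return every directory under rootfs that looks like a CATALINA_HOME."""
    homes = []
    for dirpath, dirnames, _ in os.walk(rootfs):
        if (os.path.isfile(os.path.join(dirpath, "lib", "catalina.jar"))
                and os.path.isfile(os.path.join(dirpath, "conf", "server.xml"))):
            homes.append(dirpath)
            dirnames[:] = []  # no need to descend into the installation itself
    return homes

def detect_components(rootfs):
    """Map component name -> evidence paths for everything detected."""
    found = {}
    homes = find_tomcat_homes(rootfs)
    if homes:
        found["tomcat"] = homes
    for name, markers in FIXED_MARKERS.items():
        hits = [m for m in markers if os.path.exists(os.path.join(rootfs, m))]
        if hits:
            found[name] = hits
    return found

def finding(check, severity, detail):
    return {"check": check, "severity": severity, "detail": detail}

def check_tomcat(home):
    """Evaluate conf/server.xml and webapps/ of one Tomcat install."""
    out = []
    server = ET.parse(os.path.join(home, "conf", "server.xml")).getroot()
    port = server.get("port", "8005")  # Tomcat's built-in default shutdown port
    if port != "-1":
        out.append(finding("tomcat-shutdown-port", "high", f"shutdown port {port} enabled; set port=\"-1\""))
    if server.get("shutdown", "SHUTDOWN") == "SHUTDOWN":  # built-in default command
        out.append(finding("tomcat-shutdown-command", "medium", "default SHUTDOWN command; use a random value"))
    for conn in server.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            out.append(finding("tomcat-ajp-connector", "high", f"AJP connector on port {conn.get('port')} enabled"))
    for app in ("examples", "docs", "manager", "host-manager"):
        if os.path.isdir(os.path.join(home, "webapps", app)):
            out.append(finding("tomcat-extraneous-webapp", "medium", f"default webapp {app!r} present; remove it"))
    return out

def scan_image(rootfs, block_on=("high",)):
    """Detect components, run their checks, and decide allow/block like a policy."""
    components = detect_components(rootfs)
    findings = [f for home in components.get("tomcat", []) for f in check_tomcat(home)]
    verdict = "block" if any(f["severity"] in block_on for f in findings) else "allow"
    return {"components": sorted(components), "findings": findings, "verdict": verdict}

# Constructed sample server.xml: the weak configuration beside the corrected one.
INSECURE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
HARDENED_SERVER_XML = """<Server port="-1" shutdown="vq7Pz2kLm9XrT4wE">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>"""

def build_sample_rootfs(base, hardened=False):
    """Lay out a constructed, minimal image rootfs containing a Tomcat install."""
    home = os.path.join(base, "usr", "local", "tomcat")
    for sub in ("lib", "conf"):
        os.makedirs(os.path.join(home, sub), exist_ok=True)
    open(os.path.join(home, "lib", "catalina.jar"), "wb").close()
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(HARDENED_SERVER_XML if hardened else INSECURE_SERVER_XML)
    for app in (["ROOT"] if hardened else ["ROOT", "examples", "manager"]):
        os.makedirs(os.path.join(home, "webapps", app), exist_ok=True)

def scan_sample(hardened=False):
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp, hardened)
        return scan_image(tmp)

if __name__ == "__main__":
    for hardened in (False, True):
        report = scan_sample(hardened)
        print("hardened" if hardened else "insecure", "->", report["verdict"])
        for f in report["findings"]:
            print(f"  [{f['severity']}] {f['check']}: {f['detail']}")
```

The block_on tuple plays the role of the policy action requested above: the same scan report drives both the findings list and an allow/block verdict, so a deployment could be refused for a high-severity configuration finding exactly as it can be for a vulnerability today. In a real scanner the rootfs would come from the pulled and flattened image layers rather than from the constructed sample directory.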
Use Cases:
Besides vulnerability management, making sure that components are configured in a secure and recommended way is key to running a secure container platform. A way to scan container images against well-known compliance recommendations would therefore greatly enhance the value of Red Hat Advanced Cluster Security, as it would help prevent unsafe or dangerous configurations from being deployed and run in production (or at least detect and report on them).
Key Functionality:
Ability to scan container images against well-known compliance benchmarks to make sure configurations follow the benchmark's recommendations and best practices, keeping environments secure and safe.
Benefits:
Avoiding breaches and other problems that are unrelated to vulnerabilities but caused by unsafe configuration and by not following recommended practices.
Acceptance criteria:
A way to select the well-known compliance benchmarks that shall be evaluated when scanning container images, with findings reported accordingly and the same functionality as for vulnerabilities (e.g. blocking containers with certain findings from running).
Timeline:
It would be good to have this accepted as a first step and then eventually implemented at some point.