Continuous Security
Atomic Scan
Simple Signing


Daniel J Walsh

Consulting Engineer

Twitter: @rhatdan

Blog: danwalsh.livejournal.com

Email: dwalsh@redhat.com

Chapter 4

How do you furnish the pig's apartment?

How do I secure content inside a container?

LINUX 1999

Where did you go to get software?

Go to yahoo.com or AltaVista.com and google it?

I found it on rpmfind.net, download and install.

Hey, I hear there is a big security vulnerability in Zlib.

How many copies of the Zlib vulnerability do you have?

I have no clue!!!

Red Hat to the rescue

Red Hat Enterprise Linux solved this problem

Certified software and hardware platforms

People have no idea of the quality of software in Docker images

Or are they building them themselves?

Let's Talk About DEV/OPS

Containers move the responsibility for security updates from the Operator to the Developer.

Do you trust developers to fix security issues in their images?

What happens when the next Shellshock hits?

RHEL Certified Images

Introducing Atomic Scan

https://www.youtube.com/watch?v=jBgOW8mCrUk

Problems I see with scanners

Everyone is doing one

Each scanner wants access to /var/run/docker.sock

What happens if my container runtime is not docker?
(Shameless plug for CRI-O)

Can I use my scanner to scan other rootfs?

Atomic Scan Container Vulnerability Detection

https://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection

Atomic Scan and the OpenScap Daemon

https://martin.preisler.me/2015/11/atomic-scan-and-openscap-daemon/

Using the Atomic Scan CLI to Scan VMs

http://www.projectatomic.io/blog/2016/05/using-the-atomic-cli-to-scan-vms

Creating a Custom Atomic Scan Plugin

https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in

Integration of scanning with OpenShift

Ongoing work

Scans highlight images with problems

Admin chooses to have OpenShift quarantine these images

Where do your developers get their images?

How do you define trust?

How can I sign the images?

Managing Registry Trust With Atomic CLI

https://www.youtube.com/watch?v=93-71phWiOg

Signing Images

Must support multiple signatures?

Must not be tied to one registry?

Must be based on common standards?

Must be easy to understand?

Must support Offline Verification

Introducing Simple Signing

Container Image Signing Integration Guide

https://access.redhat.com/articles/2750891
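As an added illustration (not from the slides or the linked guide), a small Python helper that writes the containers/image trust configuration simple signing relies on: a policy.json that rejects unsigned images and requires a GPG signature per listed key, plus a registries.d stanza pointing at a signature store kept outside the registry. The registry name, key paths and sigstore URL are placeholders.

```python
"""Emit policy.json and a registries.d entry for simple signing (added example)."""
import json
import tempfile
from pathlib import Path

# Placeholder values, not taken from the talk.
TRUSTED_REGISTRY = "registry.example.com"
RELEASE_KEY = "/etc/pki/containers/release-key.gpg"
QA_KEY = "/etc/pki/containers/qa-key.gpg"
# A file:// URL here lets verification run with no network at all.
SIGSTORE_URL = "https://sigstore.example.com/sigstore"


def build_policy(registry, key_paths):
    """Build a policy that rejects everything except images from `registry`
    signed by every key in `key_paths`."""
    # Every entry in a requirements list must be satisfied, so one signedBy
    # entry per key means the image needs a signature from each key.
    requirements = [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": path}
        for path in key_paths
    ]
    return {
        # Anything not matched under "transports" is rejected outright.
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {registry: requirements},
            # Images already loaded into the local engine are not re-verified.
            "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
        },
    }


def build_registries_d(registry, sigstore_url):
    """registries.d stanza: signatures are fetched from a lookaside store,
    so the policy does not depend on registry support for signatures."""
    return "docker:\n" f"  {registry}:\n" f"    sigstore: {sigstore_url}\n"


def write_trust_config(dest, registry, key_paths, sigstore_url):
    """Write policy.json and registries.d/default.yaml under `dest`."""
    dest = Path(dest)
    (dest / "registries.d").mkdir(parents=True, exist_ok=True)
    policy = build_policy(registry, key_paths)
    (dest / "policy.json").write_text(json.dumps(policy, indent=2))
    (dest / "registries.d" / "default.yaml").write_text(
        build_registries_d(registry, sigstore_url))
    return policy


if __name__ == "__main__":
    out = tempfile.mkdtemp()
    write_trust_config(out, TRUSTED_REGISTRY, [RELEASE_KEY, QA_KEY], SIGSTORE_URL)
    print(Path(out, "policy.json").read_text())
```

On a real host these files live under /etc/containers/ (policy.json and registries.d/), which the containers/image library reads when pulling.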

Signing Images with Atomic CLI

https://www.youtube.com/watch?v=0yoQu-YylwA

Push and Sign container images with Atomic CLI

https://www.youtube.com/watch?v=xr-5kKj22gs&t=12s

Trust auto discovery with simple signing

https://www.youtube.com/watch?v=kaTaZ4VzoSI

OpenShift

Don't let this be you.

Questions?