Support OpenSCAP in network-isolated clusters #18
Comments
|
@simon3z This is the RFE bugzilla for signed CVE feeds: https://bugzilla.redhat.com/show_bug.cgi?id=1253622 |
|
@enoodle @pweil- we should also consider a mitigation meanwhile, for example: don't fail hard in case we can't download the definitions. Just report the error in the Rest-API. (It could be that it is the case already, but we should verify that it is working). So that the regular SmartState Analysis (WebDAV of image content) can work anyway. |
|
Do we want image-inspector to ship with default CVE's in its image or get them when started? |
Check out https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/atomic_scan_openscap/Dockerfile for inspiration. |
This is not interesting unless we plan to constantly rebuild the image with the updated rules. (Which is something I'd like to avoid).
@enoodle this options is better, although I don't like the idea of attaching a volume. I like the ability to specify a custom URL from where to download the rules. |
|
@enoodle can we close this? |
|
Yes, #22 Fixes this |
It should be possible to run OpenSCAP scans even in network-isolated clusters. Maybe by defining an internal URL from which to take the CVE definitions.
(This may be dependent on our ability that the CVE definitions can be trusted, there should be a BZ somewhere, @mpreisler should be able help us here).
@enoodle @pweil- it may be worth start brainstorming on this.
cc @smarterclayton @deads2k
The text was updated successfully, but these errors were encountered: